[Owasp-board] OWASP Staff Needs Technical Assistance

Matt Tesauro matt.tesauro at owasp.org
Mon Apr 18 19:24:58 UTC 2016

What the board can do TODAY to help with OWASP IT:

(1) Approve getting me a credit card for IT purchases. When I need to do
things like purchase an SSL certificate or other miscellaneous expenses, I
need to connect with Kate or another staff member to get a CC number or
have them make the purchase for me.  This is plain silly.  If you trust me
enough to have root on your infrastructure, getting me a credit card for IT
purchases removes unnecessary delays.  I'm currently locked out of the IT
ticketing system because the credit card on file expired and I don't have a
replacement to use.

(2) Approve a subscription to Papertrail (https://papertrailapp.com/) or
equivalent - this would allow us to stream our log files to Papertrail
where they can be indexed and made easily searchable.  When there are
problems on the wiki, grepping through the daily log files which average ~2
GB/day is not time effective.  Having those logs searchable turns a bunch
of time grepping into a quick search via command-line or web UI.  I say
Papertrail only because I'm familiar with its service from when I was at

Yes, we could set up some open-source thing on Rack's hosting but that's just
more infrastructure to maintain and pay for.  I'd highly recommend SaaS
where we can find it to keep our sys admin workload as small as possible.
It will be cheaper overall in 95% of the cases.

The rest is answered in line below...

On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Board,
> Please see Matt's e-mail below.  I'm pulling this into a new thread as I
> think that Matt is indicating here that he is a limited resource (10 hrs/wk)

I have always been a limited resource at 10 hours per week.  This shouldn't
be news.

> and that his current workload, plus workload generated from the proposed
> Bug Bounty Program, is more than he can handle.

Incorrect.  My point was that I know of more than enough things that need
attention currently and that, in essence, paying twice for that information
is not a good use of Foundation resources.  I've already been paid and
under a bug bounty we'd pay again for the same info.  Pointless.

Plus, we are already experiencing destructive testing against the OWASP
infrastructure without blessing the activity.  Why would formalizing this
reduce this problem?  Why not do my suggestion below, get the needed
updates done THEN start a bounty on the infrastructure.  That makes way
more sense to me.

> I think that we need to seriously consider opening up another position at
> OWASP wherein management and security of OWASP's technical assets is a
> full-time role.

I'd suggest splitting the current IT workload into more than one part-time
position.  There are many activities that require someone with mild Linux
experience that could be handed off to another contractor.  Things like the
command-line tools for Mailman which aren't exposed via the web interface
are a great candidate for this off-loading.  Much of this was discussed
during the staff summit but has been tabled due to Paul's recent absence.

This would free me up to do what I've been working on in between the
regular maintenance work.  I've been 'ansible'-zing much of my OWASP IT
work when I actually have unconsumed hours left over the weekend.  By doing
this while moving/upgrading the wiki and Mailman infrastructure, we're
setting up a system which won't repeat or install the manual, time
intensive practices we've historically employed.  They worked OK for our
former size, but that is no longer the case and I expect OWASP's growth to

> ~josh
> ---------- Forwarded message ----------
> From: Matt Tesauro <matt.tesauro at owasp.org>
> Date: Mon, Apr 18, 2016 at 10:51 AM
> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty Program
> To: Josh Sokol <josh.sokol at owasp.org>
> Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List <
> owasp-board at lists.owasp.org>
> My thoughts for what they are worth:
> My understanding was that the scope of this effort was OWASP projects - so
> that our projects have been vetted and, hopefully, are free from security
> defects.  This seems like a very sensible use of Foundation resources.
> Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
> initial triage handled by a 3rd party, is foolish.  Why?
>    - I can list the problems with the current infrastructure for you at
>    zero cost. There is very little value in these being rediscovered by random
>    Internet bug hunters.
>    - I've spent the last 3 weekends writing various fail2ban rules to try
>    and stop the dramatic increase in automated crawling (aka pro bono
>    scanning) of the wiki.  The wiki, which wasn't running anywhere near
>    capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>    alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>    see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>    - It took several iterations to find a rule that adequately blocks
>       punks and lets the staff aka heavy wiki users get things done.  During
>       those iterations, several of the staff were temporarily blocked from the
>       wiki by fail2ban.
>    - Ask the staff about how much they liked last week when two instances
>    of some Internet putz fuzzing our Wiki account registration have created a
>    backlog of bogus registrations.  Beyond the hundreds of notification emails
>    the staff and I received, we now have a wiki registration system which
>       - Needs to manually have 100's of bogus requests reviewed and
>       deleted
>       - Legit requests are getting lost in the bogus requests
>       - On one occasion, a bogus registration was accidentally confirmed
>       leading to SPAM on the wiki which then needs to be cleaned up wasting more
>       staff time/resources non-productively.
> I completely agree that bug bounties of our PROJECTS is a great idea.
> However, until we have an infrastructure that is both more resilient and
> shored up with the issues we already know about, having the Internet poke
> at our servers is counterproductive.  Of late, my 10 hours per week are
> spent either cleaning up cruft from those that don't realize that wiki page
> isn't an endorsement to poke at our infrastructure or just routine
> maintenance.
> The opportunity cost of a bug bounty is
>    - Staff work interrupted, delayed or refocused on clean-up that
>    inevitably happens when those with ranges of skills poke at infrastructure.
>    - Fire drills for our Infrastructure rather than planned and focused
>    upgrades across our infrastructure.  I'd have much rather used the last 3
>    weeks of my 10 hours to complete setting up a new Mailman instance.
>    Instead, I'm cleaning up messes and answering emails about problems I
>    already know about and have prioritized lower for various reasons.  This
>    email is an example of me being diverted from infrastructure enhancing
>    activities.
> Considering the large difference between my 'day job' pay rate and what
> OWASP pays me for 10 hours/week and the fact that I have and like my
> family, I'm loath to spend more than my allotted OWASP time - though I
> frequently do anyway.
> </Matt's 2 cents>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> My thinking is that this bounty would be used for the OWASP Foundation
>> resources.  The wiki, conference sites, etc.  Projects could participate
>> with kudos and could self-fund out of their project funds for any bounties
>> that they would like to pay out.  I still need to work on defining those
>> rules of engagement, but for now we need to come up with an initial deposit
>> amount that we feel comfortable transferring to BugCrowd to get this
>> rolling.
>> ~josh
>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>> wrote:
>>> Josh,
>>> I would support putting some $ behind this.  Definitely a bounded small
>>> initial commitment but $.  That will result in better faster feedback IMO.
>>> I think we need to make sure we think through how it gets used.  90% to
>>> a smaller lesser known OWASP project and 10% to ZAP for example might be a
>>> possible problem.  Do we have a rule that project committers can't receive
>>> bounty?  :)
>>> We could start with a few projects and do the kudos approach and match
>>> funds that those projects want to use.
>>> I defer to the team that is focused here, just wanted to share my
>>> thoughts.
>>> Matt
>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>> Board,
>>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>>> it is time to take the next step of figuring out how much of a bounty we
>>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>>> bounties if we want) and we can scale the rewards however we would like for
>>>> different categories.  Obviously, money equates to more motivated
>>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>>> $5,000 and go from there.  I think we were originally talking about just
>>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>>> what others thought about it.  Should we throw some money into the pot?
>>>> How much?  Your feedback is greatly appreciated.
>>>> ~josh
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board