[Owasp-board] OWASP Staff Needs Technical Assistance

Jim Manico jim.manico at owasp.org
Mon Apr 18 19:40:57 UTC 2016

1) Getting you a OWASP Credit Card should be a "no-brainer". Andrew?
What do you think?

2) Papertrail seems righteous. Which plan do you think we will need? 
https://papertrailapp.com/plans I'd much rather go pro than some janky
OSS solution for infrastructure security like this....

Thank you Matt!


On 4/18/16 9:24 AM, Matt Tesauro wrote:
> What the board can do TODAY to help with OWASP IT:
> (1) Approve getting me a credit card for IT purchases. When I need to
> do things like purchase an SSL certificate or other miscellaneous
> expenses, I need to connect with Kate or another staff member to get a
> CC number or have them make the purchase for me.  This is plain
> silly.  If you trust me enough to have root on your infrastructure,
> getting me a credit card for IT purchase removes unnecessary delays. 
> I'm currently locked out of the IT ticketing system because the credit
> card on file expired and I don't have a replacement to use.
> (2) Approve  a subscription to Papertrail (https://papertrailapp.com/)
> or equivalent - this would allow us to stream our log files to
> Papertrail where then can be indexed and made easily search-able. 
> When there's problems on the wiki, grepping through the daily log
> files which average ~2 GB/day is not time effective.  Having those
> logs searchable turns a bunch of time grep'ing into a quick search via
> command-line or web UI.  I say Papertail only because I'm familiar
> with its service from when I was at Rackspace.
> Yes, we could setup some opensource thing on Rack's hosting but that's
> just more infrastructure to maintain and pay for.  I'd highly
> recommend SaaS where we can find it to keep our sys admin workload as
> small as possible.  It will be cheaper overall in 95% of the cases.
> The rest is answered in line below...
> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org
> <mailto:josh.sokol at owasp.org>> wrote:
>     Board,
>     Please see Matt's e-mail below.  I'm pulling this into a new
>     thread as I think that Matt is indicating here that he is a
>     limited resource (10 hrs/wk)
> I have always been a limited resource at 10 hours per week.  This
> shouldn't be news.
>     and that his current workload, plus workload generated from the
>     proposed Bug Bounty Program, is more than he can handle. 
> Incorrect.  My point was that I know of more then enough things that
> need attention currently and that, in essence, paying twice for that
> information is not a good use of Foundation resources.  I've already
> been paid and under a bug bounty we'd pay again for the same info. 
> Pointless.
> Plus, we are already experiencing destructive testing against the
> OWASP infrastructure without blessing the activity.  Why would
> formalizing this reduce this problem?  Why not do my suggestion below,
> get the needed updates done THEN start a bounty on the
> infrastructure.  That makes way more sense to me.
>     I think that we need to seriously consider opening up another
>     position at OWASP wherein management and security of OWASP's
>     technical assets is a full-time role.
> I'd suggest splitting the current IT workload into more then one part
> time position.  There are many activities that require someone with
> mild Linux experience that could be handed off to another contractor. 
> Things like the command-line tools for Mailman which aren't exposed
> via the web interface are a great candidate for this off-loading. 
> Much of this was discussed during the staff summit but has been tabled
> due to Paul's recent absence.
> This would free me up to do what I've been working on in between the
> regular maintenance work.  I've been 'ansible'-zing much of my OWASP
> IT work when I actually have unconsumed hours left over the weekend. 
> By doing this while moving/upgrading the wiki and Mailman
> infrastructure, we're setting up a system which won't repeat or
> install the manual, time intensive practices we've historically
> employed.  They worked OK for our former size, but that is no longer
> the case and I expect OWASP's growth to continue.
>     ~josh
>     ---------- Forwarded message ----------
>     From: *Matt Tesauro* <matt.tesauro at owasp.org
>     <mailto:matt.tesauro at owasp.org>>
>     Date: Mon, Apr 18, 2016 at 10:51 AM
>     Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty
>     Program
>     To: Josh Sokol <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>>
>     Cc: Matt Konda <matt.konda at owasp.org
>     <mailto:matt.konda at owasp.org>>, OWASP Board List
>     <owasp-board at lists.owasp.org <mailto:owasp-board at lists.owasp.org>>
>     My thoughts for what they are worth:
>     My understanding was that the scope of this effort was OWASP
>     projects - so that our projects have been vetted and, hopefully,
>     are free from security defects.  This seems like a very sensible
>     use of Foundation resources.
>     Pointing the Bug Bounty masses at the OWASP infrastructure, even
>     with the initial triage handled by a 3rd party, is foolish.  Why? 
>       * I can list the problems with the current infrastructure for
>         you and zero cost. There is very little value in these being
>         rediscovered by random Internet bug hunters. 
>       * I've spent the last 3 weekends writing various fail2ban rules
>         to try and stop the dramatic increase in automated crawling
>         (aka pro bono scanning) of the wiki.  The wiki, which wasn't
>         running any where near capacity, has been hitting 100% CPU and
>         throwing high load/CPU monitoring alerts from shortly after
>         our 'draft' policy was placed on the OWASP wiki -
>         see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>           o It took several iterations to find a rule that adequately
>             blocks punks and lets the staff aka heavy wiki users get
>             things done.  During those iterations, several of the
>             staff were temporarily blocked from the wiki by fail2ban. 
>       * Ask the staff about how much they liked last week when two
>         instances of some Internet putz fuzzing our Wiki account
>         registration has created a backlog of bogus registrations. 
>         Beyond the hundreds of notification emails the staff and I
>         received, we how have a wiki registration system which
>           o Needs to manually have 100's of bogus requests reviewed
>             and deleted
>           o Legit requests are getting lost in the bogus requests
>           o On one occasion, a bogus registration was accidentally
>             confirmed leading to SPAM on the wiki which then needs to
>             be cleaned up wasting more staff time/resources
>             non-productively.
>     I completely agree that bug bounties of our PROJECTS is a great
>     idea.  
>     However, until we have an infrastructure that is both more
>     resilient and shored up with the issues we already know about,
>     having the Internet poke at our servers is counter productive.  Of
>     late, my 10 hours per week are spent either cleaning up cruft from
>     those that don't realize that wiki page isn't an endorsement to
>     poke at our infrastructure or just routine maintenance.
>     The opportunity cost of a bug bounty is 
>       * Staff work interrupted, delayed or refocused on clean-up that
>         inevitably happens when those with ranges of skills poke at
>         infrastructure.
>       * Fire drills for our Infrastructure rather then planned and
>         focused upgrades across our infrastructure.  I'd have much
>         rather used the last 3 weeks of my 10 hours to complete
>         setting up a new Mailman instance.  Instead, I'm cleaning up
>         messes and answering emails about problems I already know
>         about and have prioritized lower for various reasons.  This
>         email is an example of me being diverted from infrastructure
>         enhancing activities.
>     Considering the large difference between my 'day job' pay rate and
>     what OWASP pays me for 10 hours/week and the fact that I have and
>     like my family, I'm loath to spend more then my allotted OWASP
>     time - though I frequently do anyway.
>     </Matt's 2 cents> 
>     --
>     -- Matt Tesauro
>     OWASP WTE Project Lead
>     http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>     http://AppSecLive.org - Community and Download site
>     OWASP OpenStack Security Project Lead
>     https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>     On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>         My thinking is that this bounty would be used for the OWASP
>         Foundation resources.  The wiki, conference sites, etc. 
>         Projects could participate with kudos and could self-fund out
>         of their project funds for any bounties that they would like
>         to pay out.  I still need to work on defining those rules of
>         engagement, but for now we need to come up with an initial
>         deposit amount that we feel comfortable transferring to
>         BugCrowd to get this rolling.
>         ~josh
>         On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda
>         <matt.konda at owasp.org <mailto:matt.konda at owasp.org>> wrote:
>             Josh,
>             I would support putting some $ behind this.  Definitely a
>             bounded small initial commitment but $.  That will result
>             in better faster feedback IMO.
>             I think we need to make sure we think through how it gets
>             used.  90% to a smaller lesser known OWASP project and 10%
>             to ZAP for example might be a possible problem.  Do we
>             have a rule that project committers can't receive bounty?  :)
>             We could start with a few projects and do the kudos
>             approach and match funds that those projects want to use.
>             I defer to the team that is focused here, just wanted to
>             share my thoughts.
>             Matt
>             On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol
>             <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>                 Board,
>                 Now that we have announced BugCrowd as our bug bounty
>                 program platform, it is time to take the next step of
>                 figuring out how much of a bounty we want to start
>                 with.  There is no minimum funding amount (we could do
>                 "kudo" bounties if we want) and we can scale the
>                 rewards however we would like for different
>                 categories.  Obviously, money equates to more
>                 motivated researchers.  BugCrowd's recommendation is
>                 to fund the initial pot at $5,000 and go from there. 
>                 I think we were originally talking about just
>                 leveraging a Wall of Fame to start with (ie. "kudos"),
>                 but I wanted to see what others thought about it. 
>                 Should we throw some money into the pot?  How much? 
>                 Your feedback is greatly appreciated.
>                 ~josh
>                 _______________________________________________
>                 Owasp-board mailing list
>                 Owasp-board at lists.owasp.org
>                 <mailto:Owasp-board at lists.owasp.org>
>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>         _______________________________________________
>         Owasp-board mailing list
>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160418/e09161df/attachment-0001.html>

More information about the Owasp-board mailing list