[Owasp-board] OWASP Staff Needs Technical Assistance
Jim Manico
jim.manico at owasp.org
Mon Apr 18 19:40:57 UTC 2016
1) Getting you an OWASP Credit Card should be a "no-brainer". Andrew?
What do you think?
2) Papertrail seems righteous. Which plan do you think we will need?
https://papertrailapp.com/plans I'd much rather go pro than some janky
OSS solution for infrastructure security like this....
Thank you Matt!
Aloha,
Jim
On 4/18/16 9:24 AM, Matt Tesauro wrote:
> What the board can do TODAY to help with OWASP IT:
>
> (1) Approve getting me a credit card for IT purchases. When I need to
> do things like purchase an SSL certificate or other miscellaneous
> expenses, I need to connect with Kate or another staff member to get a
> CC number or have them make the purchase for me. This is plain
> silly. If you trust me enough to have root on your infrastructure,
> getting me a credit card for IT purchase removes unnecessary delays.
> I'm currently locked out of the IT ticketing system because the credit
> card on file expired and I don't have a replacement to use.
>
> (2) Approve a subscription to Papertrail (https://papertrailapp.com/)
> or equivalent - this would allow us to stream our log files to
> Papertrail where they can be indexed and made easily searchable.
> When there are problems on the wiki, grepping through the daily log
> files which average ~2 GB/day is not time effective. Having those
> logs searchable turns a bunch of time grep'ing into a quick search via
> command-line or web UI. I say Papertrail only because I'm familiar
> with its service from when I was at Rackspace.
>
> Yes, we could set up some open-source thing on Rack's hosting but that's
> just more infrastructure to maintain and pay for. I'd highly
> recommend SaaS where we can find it to keep our sys admin workload as
> small as possible. It will be cheaper overall in 95% of the cases.
>
> The rest is answered in line below...
>
> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> Board,
>
> Please see Matt's e-mail below. I'm pulling this into a new
> thread as I think that Matt is indicating here that he is a
> limited resource (10 hrs/wk)
>
>
> I have always been a limited resource at 10 hours per week. This
> shouldn't be news.
>
>
> and that his current workload, plus workload generated from the
> proposed Bug Bounty Program, is more than he can handle.
>
>
> Incorrect. My point was that I know of more than enough things that
> need attention currently and that, in essence, paying twice for that
> information is not a good use of Foundation resources. I've already
> been paid and under a bug bounty we'd pay again for the same info.
> Pointless.
>
> Plus, we are already experiencing destructive testing against the
> OWASP infrastructure without blessing the activity. Why would
> formalizing this reduce this problem? Why not do my suggestion below,
> get the needed updates done THEN start a bounty on the
> infrastructure. That makes way more sense to me.
>
>
> I think that we need to seriously consider opening up another
> position at OWASP wherein management and security of OWASP's
> technical assets is a full-time role.
>
>
> I'd suggest splitting the current IT workload into more than one part-time
> position. There are many activities that require someone with
> mild Linux experience that could be handed off to another contractor.
> Things like the command-line tools for Mailman which aren't exposed
> via the web interface are a great candidate for this off-loading.
> Much of this was discussed during the staff summit but has been tabled
> due to Paul's recent absence.
>
> This would free me up to do what I've been working on in between the
> regular maintenance work. I've been 'ansible'-zing much of my OWASP
> IT work when I actually have unconsumed hours left over the weekend.
> By doing this while moving/upgrading the wiki and Mailman
> infrastructure, we're setting up a system which won't repeat or
> install the manual, time intensive practices we've historically
> employed. They worked OK for our former size, but that is no longer
> the case and I expect OWASP's growth to continue.
>
>
>
> ~josh
>
> ---------- Forwarded message ----------
> From: *Matt Tesauro* <matt.tesauro at owasp.org>
> Date: Mon, Apr 18, 2016 at 10:51 AM
> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty
> Program
> To: Josh Sokol <josh.sokol at owasp.org>
> Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List
> <owasp-board at lists.owasp.org>
>
>
> My thoughts for what they are worth:
>
> My understanding was that the scope of this effort was OWASP
> projects - so that our projects have been vetted and, hopefully,
> are free from security defects. This seems like a very sensible
> use of Foundation resources.
>
> Pointing the Bug Bounty masses at the OWASP infrastructure, even
> with the initial triage handled by a 3rd party, is foolish. Why?
>
> * I can list the problems with the current infrastructure for
> you at zero cost. There is very little value in these being
> rediscovered by random Internet bug hunters.
> * I've spent the last 3 weekends writing various fail2ban rules
> to try and stop the dramatic increase in automated crawling
> (aka pro bono scanning) of the wiki. The wiki, which wasn't
> running anywhere near capacity, has been hitting 100% CPU and
> throwing high load/CPU monitoring alerts from shortly after
> our 'draft' policy was placed on the OWASP wiki -
> see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
> o It took several iterations to find a rule that adequately
> blocks punks and lets the staff aka heavy wiki users get
> things done. During those iterations, several of the
> staff were temporarily blocked from the wiki by fail2ban.
> * Ask the staff about how much they liked last week when two
> instances of some Internet putz fuzzing our Wiki account
> registration created a backlog of bogus registrations.
> Beyond the hundreds of notification emails the staff and I
> received, we now have a wiki registration system which
> o Needs to manually have 100's of bogus requests reviewed
> and deleted
> o Legit requests are getting lost in the bogus requests
> o On one occasion, a bogus registration was accidentally
> confirmed leading to SPAM on the wiki which then needs to
> be cleaned up wasting more staff time/resources
> non-productively.
>
> I completely agree that bug bounties on our PROJECTS are a great
> idea.
>
> However, until we have an infrastructure that is both more
> resilient and shored up with the issues we already know about,
> having the Internet poke at our servers is counterproductive. Of
> late, my 10 hours per week are spent either cleaning up cruft from
> those that don't realize that wiki page isn't an endorsement to
> poke at our infrastructure or just routine maintenance.
>
> The opportunity cost of a bug bounty is
>
> * Staff work interrupted, delayed or refocused on clean-up that
> inevitably happens when those with ranges of skills poke at
> infrastructure.
> * Fire drills for our Infrastructure rather than planned and
> focused upgrades across our infrastructure. I'd have much
> rather used the last 3 weeks of my 10 hours to complete
> setting up a new Mailman instance. Instead, I'm cleaning up
> messes and answering emails about problems I already know
> about and have prioritized lower for various reasons. This
> email is an example of me being diverted from infrastructure
> enhancing activities.
>
> Considering the large difference between my 'day job' pay rate and
> what OWASP pays me for 10 hours/week and the fact that I have and
> like my family, I'm loath to spend more than my allotted OWASP
> time - though I frequently do anyway.
>
> </Matt's 2 cents>
>
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> My thinking is that this bounty would be used for the OWASP
> Foundation resources. The wiki, conference sites, etc.
> Projects could participate with kudos and could self-fund out
> of their project funds for any bounties that they would like
> to pay out. I still need to work on defining those rules of
> engagement, but for now we need to come up with an initial
> deposit amount that we feel comfortable transferring to
> BugCrowd to get this rolling.
>
> ~josh
>
> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:
>
> Josh,
>
> I would support putting some $ behind this. Definitely a
> bounded small initial commitment but $. That will result
> in better faster feedback IMO.
>
> I think we need to make sure we think through how it gets
> used. 90% to a smaller lesser known OWASP project and 10%
> to ZAP for example might be a possible problem. Do we
> have a rule that project committers can't receive bounty? :)
>
> We could start with a few projects and do the kudos
> approach and match funds that those projects want to use.
>
> I defer to the team that is focused here, just wanted to
> share my thoughts.
>
> Matt
>
>
> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> Board,
>
> Now that we have announced BugCrowd as our bug bounty
> program platform, it is time to take the next step of
> figuring out how much of a bounty we want to start
> with. There is no minimum funding amount (we could do
> "kudo" bounties if we want) and we can scale the
> rewards however we would like for different
> categories. Obviously, money equates to more
> motivated researchers. BugCrowd's recommendation is
> to fund the initial pot at $5,000 and go from there.
> I think we were originally talking about just
> leveraging a Wall of Fame to start with (ie. "kudos"),
> but I wanted to see what others thought about it.
> Should we throw some money into the pot? How much?
> Your feedback is greatly appreciated.
>
> ~josh
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
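The tuning problem Matt describes above (a fail2ban rule that blocks automated crawlers without locking out staff who are heavy wiki users) comes down to request-rate thresholds plus an allowlist. The following is an added example written for this archive page; it is not Matt's fail2ban configuration and not OWASP code. It re-implements the maxretry/findtime/ignoreip semantics of a fail2ban jail in plain Python over combined-format access log lines so the false-positive case can be seen directly. The log lines, IP addresses, paths and thresholds are constructed for the example.

```python
"""Rate-based abusive-client detection over web access logs.

Added example (not from the original thread): a minimal version of the
request-rate logic a fail2ban jail applies, with the allowlist that keeps
heavy legitimate users (staff editors) from being banned. Everything
below (IPs, paths, thresholds, log lines) is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, datetime, request, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def offenders(lines, maxretry, findtime, ignoreip=()):
    """IPs that exceed `maxretry` requests within any `findtime`-second window.

    Mirrors the maxretry/findtime/ignoreip knobs of a fail2ban jail (assumed
    names; the real jail reads them from jail.conf). Returns a sorted list.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)  # ip -> timestamps currently inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a detector must tolerate garbage lines, not crash
        ip, ts, _req, _status = parsed
        if ip in ignoreip:
            continue  # allowlisted: never counted, never banned
        times = hits[ip]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)  # slide the window forward
        if len(times) > maxretry:
            flagged.add(ip)
    return sorted(flagged)


def _burst(ip, start_s, count, step_s, path):
    """Build `count` constructed combined-format lines from one client."""
    base = datetime(2016, 4, 18, 9, 24, 0, tzinfo=timezone.utc)
    out = []
    for i in range(count):
        ts = base + timedelta(seconds=start_s + i * step_s)
        out.append(
            f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "example-agent"'
        )
    return out


# Constructed sample: a scraper and a staff editor both hit 30 requests in
# 30 seconds; an ordinary reader makes 3 requests; one line is garbage.
SAMPLE_LOG = (
    _burst("203.0.113.7", 0, 30, 1, "/index.php?title=Special:AllPages")
    + _burst("192.0.2.10", 0, 30, 1, "/index.php?title=Main_Page&action=edit")
    + _burst("198.51.100.5", 0, 3, 20, "/index.php/Main_Page")
    + ["garbage line that does not parse"]
)
STAFF_IPS = {"192.0.2.10"}  # hypothetical allowlist (fail2ban: ignoreip)


def naive_result():
    """First iteration: rate threshold only. Bans the staff editor too."""
    return offenders(SAMPLE_LOG, maxretry=20, findtime=60)


def tuned_result():
    """Second iteration: same threshold plus allowlist. Bans only the scraper."""
    return offenders(SAMPLE_LOG, maxretry=20, findtime=60, ignoreip=STAFF_IPS)


if __name__ == "__main__":
    print("naive :", naive_result())
    print("tuned :", tuned_result())
```

The naive run flags both 203.0.113.7 and 192.0.2.10 because, by request rate alone, a busy editor and a scraper look identical; only the allowlist (or a separate, looser threshold for known staff addresses) separates them. That is the iteration Matt describes, and it is why a ban rule should be dry-run against real traffic from heavy legitimate users before it is enforced.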