[Owasp-board] OWASP Staff Needs Technical Assistance

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 19:41:27 UTC 2016


Motion 1:
Give Matt Tesauro an OWASP Foundation credit card. - He is a former Board
member and a trusted staff member of the Foundation.  I see no reason why,
if that makes his job easier, it shouldn't be.  Let's rectify that.

Motion 2:
Approve funding for up to $200/month (good for 50 GB/month) of PaperTrail
services. - We all know how important logging is and Matt stated it would
make his job easier.  This seems like a no brainer.

Motion 3:
Approve funding for $20k worth of part-time/contractor System Administrator
resources to aid in managing and securing OWASP's infrastructure.

Matt: Sorry, I didn't mean to misrepresent what you were saying.  I realize
that you have that knowledge in your head.  The problem is in finding time
to get it out and worked on which turns into a resource issue.  Hence,
motion 3 above.


On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org>

> What the board can do TODAY to help with OWASP IT:
> (1) Approve getting me a credit card for IT purchases. When I need to do
> things like purchase an SSL certificate or other miscellaneous expenses, I
> need to connect with Kate or another staff member to get a CC number or
> have them make the purchase for me.  This is plain silly.  If you trust me
> enough to have root on your infrastructure, getting me a credit card for IT
> purchase removes unnecessary delays.  I'm currently locked out of the IT
> ticketing system because the credit card on file expired and I don't have a
> replacement to use.
> (2) Approve a subscription to Papertrail (https://papertrailapp.com/) or
> equivalent - this would allow us to stream our log files to Papertrail
> where they can be indexed and made easily searchable.  When there are
> problems on the wiki, grepping through the daily log files which average ~2
> GB/day is not time effective.  Having those logs searchable turns a bunch
> of time grep'ing into a quick search via command-line or web UI.  I say
> Papertrail only because I'm familiar with its service from when I was at
> Rackspace.
> Yes, we could set up some open-source thing on Rack's hosting but that's
> just more infrastructure to maintain and pay for.  I'd highly recommend
> SaaS where we can find it to keep our sys admin workload as small as
> possible.  It will be cheaper overall in 95% of the cases.
> The rest is answered in line below...
> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Board,
>> Please see Matt's e-mail below.  I'm pulling this into a new thread as I
>> think that Matt is indicating here that he is a limited resource (10 hrs/wk)
> I have always been a limited resource at 10 hours per week.  This
> shouldn't be news.
>> and that his current workload, plus workload generated from the proposed
>> Bug Bounty Program, is more than he can handle.
> Incorrect.  My point was that I know of more than enough things that need
> attention currently and that, in essence, paying twice for that information
> is not a good use of Foundation resources.  I've already been paid and
> under a bug bounty we'd pay again for the same info.  Pointless.
> Plus, we are already experiencing destructive testing against the OWASP
> infrastructure without blessing the activity.  Why would formalizing this
> reduce this problem?  Why not do my suggestion below, get the needed
> updates done THEN start a bounty on the infrastructure.  That makes way
> more sense to me.
>> I think that we need to seriously consider opening up another position at
>> OWASP wherein management and security of OWASP's technical assets is a
>> full-time role.
> I'd suggest splitting the current IT workload into more than one part time
> position.  There are many activities that require someone with mild Linux
> experience that could be handed off to another contractor.  Things like the
> command-line tools for Mailman which aren't exposed via the web interface
> are a great candidate for this off-loading.  Much of this was discussed
> during the staff summit but has been tabled due to Paul's recent absence.
> This would free me up to do what I've been working on in between the
> regular maintenance work.  I've been 'ansible'-izing much of my OWASP IT
> work when I actually have unconsumed hours left over the weekend.  By doing
> this while moving/upgrading the wiki and Mailman infrastructure, we're
> setting up a system which won't repeat or install the manual, time
> intensive practices we've historically employed.  They worked OK for our
> former size, but that is no longer the case and I expect OWASP's growth to
> continue.
>> ~josh
>> ---------- Forwarded message ----------
>> From: Matt Tesauro <matt.tesauro at owasp.org>
>> Date: Mon, Apr 18, 2016 at 10:51 AM
>> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty Program
>> To: Josh Sokol <josh.sokol at owasp.org>
>> Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List <
>> owasp-board at lists.owasp.org>
>> My thoughts for what they are worth:
>> My understanding was that the scope of this effort was OWASP projects -
>> so that our projects have been vetted and, hopefully, are free from
>> security defects.  This seems like a very sensible use of Foundation
>> resources.
>> Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
>> initial triage handled by a 3rd party, is foolish.  Why?
>>    - I can list the problems with the current infrastructure for you at
>>    zero cost. There is very little value in these being rediscovered by random
>>    Internet bug hunters.
>>    - I've spent the last 3 weekends writing various fail2ban rules to
>>    try and stop the dramatic increase in automated crawling (aka pro bono
>>    scanning) of the wiki.  The wiki, which wasn't running anywhere near
>>    capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>>    alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>>    see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>    - It took several iterations to find a rule that adequately blocks
>>       punks and lets the staff aka heavy wiki users get things done.  During
>>       those iterations, several of the staff were temporarily blocked from the
>>       wiki by fail2ban.
>>    - Ask the staff about how much they liked last week when two
>>    instances of some Internet putz fuzzing our Wiki account registration
>>    created a backlog of bogus registrations.  Beyond the hundreds of
>>    notification emails the staff and I received, we now have a wiki
>>    registration system which
>>       - Needs to manually have 100's of bogus requests reviewed and
>>       deleted
>>       - Legit requests are getting lost in the bogus requests
>>       - On one occasion, a bogus registration was accidentally confirmed
>>       leading to SPAM on the wiki which then needs to be cleaned up wasting more
>>       staff time/resources non-productively.
>> I completely agree that bug bounties of our PROJECTS is a great idea.
>> However, until we have an infrastructure that is both more resilient and
>> shored up with the issues we already know about, having the Internet poke
>> at our servers is counter productive.  Of late, my 10 hours per week are
>> spent either cleaning up cruft from those that don't realize that wiki page
>> isn't an endorsement to poke at our infrastructure or just routine
>> maintenance.
>> The opportunity cost of a bug bounty is
>>    - Staff work interrupted, delayed or refocused on clean-up that
>>    inevitably happens when those with ranges of skills poke at infrastructure.
>>    - Fire drills for our Infrastructure rather than planned and focused
>>    upgrades across our infrastructure.  I'd have much rather used the last 3
>>    weeks of my 10 hours to complete setting up a new Mailman instance.
>>    Instead, I'm cleaning up messes and answering emails about problems I
>>    already know about and have prioritized lower for various reasons.  This
>>    email is an example of me being diverted from infrastructure enhancing
>>    activities.
>> Considering the large difference between my 'day job' pay rate and what
>> OWASP pays me for 10 hours/week and the fact that I have and like my
>> family, I'm loath to spend more than my allotted OWASP time - though I
>> frequently do anyway.
>> </Matt's 2 cents>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>> My thinking is that this bounty would be used for the OWASP Foundation
>>> resources.  The wiki, conference sites, etc.  Projects could participate
>>> with kudos and could self-fund out of their project funds for any bounties
>>> that they would like to pay out.  I still need to work on defining those
>>> rules of engagement, but for now we need to come up with an initial deposit
>>> amount that we feel comfortable transferring to BugCrowd to get this
>>> rolling.
>>> ~josh
>>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>> wrote:
>>>> Josh,
>>>> I would support putting some $ behind this.  Definitely a bounded small
>>>> initial commitment but $.  That will result in better faster feedback IMO.
>>>> I think we need to make sure we think through how it gets used.  90% to
>>>> a smaller lesser known OWASP project and 10% to ZAP for example might be a
>>>> possible problem.  Do we have a rule that project committers can't receive
>>>> bounty?  :)
>>>> We could start with a few projects and do the kudos approach and match
>>>> funds that those projects want to use.
>>>> I defer to the team that is focused here, just wanted to share my
>>>> thoughts.
>>>> Matt
>>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>> Board,
>>>>> Now that we have announced BugCrowd as our bug bounty program
>>>>> platform, it is time to take the next step of figuring out how much of a
>>>>> bounty we want to start with.  There is no minimum funding amount (we could
>>>>> do "kudo" bounties if we want) and we can scale the rewards however we
>>>>> would like for different categories.  Obviously, money equates to more
>>>>> motivated researchers.  BugCrowd's recommendation is to fund the initial
>>>>> pot at $5,000 and go from there.  I think we were originally talking about
>>>>> just leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to
>>>>> see what others thought about it.  Should we throw some money into the
>>>>> pot?  How much?  Your feedback is greatly appreciated.
>>>>> ~josh
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
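The fail2ban iterations Matt describes above, where a rate rule meant for crawlers also locked out heavy staff users, come down to three jail.conf settings: maxretry (hits before a ban), findtime (the window in seconds) and ignoreip (addresses never banned). The following is an added example, not code from this thread or from OWASP's infrastructure: a small Python re-implementation of that sliding-window count, run over constructed Apache combined-format access log lines. The addresses (RFC 5737 documentation ranges), paths, thresholds and the "staff" subnet are all assumptions chosen to make the failure mode visible.

```python
"""Sliding-window request-rate detector in the style of a fail2ban jail.

Added example, not from the thread.  It mirrors three jail.conf settings:
  maxretry  - hits within the window before a host is banned
  findtime  - window length in seconds
  ignoreip  - addresses/networks that are never counted or banned
Every parsed line counts as a hit, i.e. the equivalent of a failregex that
matches every request to the wiki.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined format; all addresses are from
# documentation ranges (RFC 5737).  Assumed roles, not real OWASP traffic:
#   203.0.113.7    automated crawler, one page per second
#   198.51.100.20  staff member editing heavily, same rate as the crawler
#   192.0.2.9      ordinary reader, one page every 30 seconds
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2016:10:00:00 +0000] "GET /index.php?title=Special:AllPages HTTP/1.1" 200 5123
198.51.100.20 - - [18/Apr/2016:10:00:00 +0000] "GET /index.php?title=Main_Page&action=edit HTTP/1.1" 200 9011
192.0.2.9 - - [18/Apr/2016:10:00:00 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 7301
203.0.113.7 - - [18/Apr/2016:10:00:01 +0000] "GET /index.php?title=Category:Attack HTTP/1.1" 200 6400
198.51.100.20 - - [18/Apr/2016:10:00:01 +0000] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0
203.0.113.7 - - [18/Apr/2016:10:00:02 +0000] "GET /index.php?title=Category:Vulnerability HTTP/1.1" 200 6100
198.51.100.20 - - [18/Apr/2016:10:00:02 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 7301
203.0.113.7 - - [18/Apr/2016:10:00:03 +0000] "GET /index.php?title=Category:Control HTTP/1.1" 200 5900
198.51.100.20 - - [18/Apr/2016:10:00:03 +0000] "GET /index.php?title=Top_10&action=edit HTTP/1.1" 200 8800
203.0.113.7 - - [18/Apr/2016:10:00:04 +0000] "GET /index.php?title=Special:RecentChanges HTTP/1.1" 200 4400
198.51.100.20 - - [18/Apr/2016:10:00:04 +0000] "POST /index.php?title=Top_10&action=submit HTTP/1.1" 302 0
203.0.113.7 - - [18/Apr/2016:10:00:05 +0000] "GET /index.php?title=Special:Random HTTP/1.1" 302 0
198.51.100.20 - - [18/Apr/2016:10:00:05 +0000] "GET /index.php?title=Top_10 HTTP/1.1" 200 9900
192.0.2.9 - - [18/Apr/2016:10:00:30 +0000] "GET /index.php?title=Top_10 HTTP/1.1" 200 9900
192.0.2.9 - - [18/Apr/2016:10:01:00 +0000] "GET /index.php?title=Category:Attack HTTP/1.1" 200 6400
192.0.2.9 - - [18/Apr/2016:10:01:30 +0000] "GET /index.php?title=Category:Control HTTP/1.1" 200 5900
192.0.2.9 - - [18/Apr/2016:10:02:00 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 7301
this line is not an access-log record and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (host, timestamp, request, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("req"), int(m.group("status"))


def find_offenders(lines, maxretry, findtime, ignoreip=()):
    """Return {host: time_of_ban} for hosts with >= maxretry hits inside findtime seconds.

    Hosts inside any ignoreip network are never counted, which is how a jail
    keeps known staff addresses from tripping the same rule as a crawler.
    """
    allow = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    windows = defaultdict(deque)  # host -> timestamps of hits still in the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, _req, _status = parsed
        if host in banned:
            continue
        if any(ipaddress.ip_address(host) in net for net in allow):
            continue
        window = windows[host]
        window.append(ts)
        # Drop hits older than findtime; the hit just appended always survives.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("rate only:    ", sorted(find_offenders(lines, maxretry=5, findtime=60)))
    print("with ignoreip:", sorted(find_offenders(lines, 5, 60, ignoreip=["198.51.100.0/24"])))
```

Run as written, the first call bans both the crawler and the staff editor, because by request rate alone they are indistinguishable; the second call, with the assumed staff subnet in ignoreip, bans only the crawler. The slow reader never accumulates five hits inside a 60-second window and is never banned, which is the findtime half of the rule. In a real jail the other lever is narrowing the failregex to requests only crawlers make (for example Special: pages or a burst of 404s) rather than counting every hit.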