[Owasp-board] OWASP Staff Needs Technical Assistance
josh.sokol at owasp.org
Mon Apr 18 19:41:27 UTC 2016
1. Give Matt Tesauro an OWASP Foundation credit card. - He is a former Board member and a trusted staff member of the Foundation. I see no reason why, if that makes his job easier, it shouldn't be. Let's rectify that.
2. Approve funding for up to $200/month (good for 50 GB/month) of PaperTrail services. - We all know how important logging is and Matt stated it would make his job easier. This seems like a no-brainer.
3. Approve funding for $20k worth of part-time/contractor System Administrator resources to aid in managing and securing OWASP's infrastructure.
Matt: Sorry, I didn't mean to misrepresent what you were saying. I realize
that you have that knowledge in your head. The problem is in finding time
to get it out and worked on which turns into a resource issue. Hence,
motion 3 above.
On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org>
> What the board can do TODAY to help with OWASP IT:
> (1) Approve getting me a credit card for IT purchases. When I need to do
> things like purchase an SSL certificate or other miscellaneous expenses, I
> need to connect with Kate or another staff member to get a CC number or
> have them make the purchase for me. This is plain silly. If you trust me
> enough to have root on your infrastructure, getting me a credit card for IT
> purchase removes unnecessary delays. I'm currently locked out of the IT
> ticketing system because the credit card on file expired and I don't have a
> replacement to use.
> (2) Approve a subscription to Papertrail (https://papertrailapp.com/) or
> equivalent - this would allow us to stream our log files to Papertrail
> where they can be indexed and made easily searchable. When there's
> problems on the wiki, grepping through the daily log files which average ~2
> GB/day is not time effective. Having those logs searchable turns a bunch
> of time grep'ing into a quick search via command-line or web UI. I say
> Papertail only because I'm familiar with its service from when I was at
> Yes, we could set up some open-source thing on Rack's hosting but that's
> just more infrastructure to maintain and pay for. I'd highly recommend
> SaaS where we can find it to keep our sys admin workload as small as
> possible. It will be cheaper overall in 95% of the cases.
> The rest is answered in line below...
> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Please see Matt's e-mail below. I'm pulling this into a new thread as I
>> think that Matt is indicating here that he is a limited resource (10 hrs/wk)
> I have always been a limited resource at 10 hours per week. This
> shouldn't be news.
>> and that his current workload, plus workload generated from the proposed
>> Bug Bounty Program, is more than he can handle.
> Incorrect. My point was that I know of more than enough things that need
> attention currently and that, in essence, paying twice for that information
> is not a good use of Foundation resources. I've already been paid and
> under a bug bounty we'd pay again for the same info. Pointless.
> Plus, we are already experiencing destructive testing against the OWASP
> infrastructure without blessing the activity. Why would formalizing this
> reduce this problem? Why not do my suggestion below, get the needed
> updates done THEN start a bounty on the infrastructure. That makes way
> more sense to me.
>> I think that we need to seriously consider opening up another position at
>> OWASP wherein management and security of OWASP's technical assets is a
>> full-time role.
> I'd suggest splitting the current IT workload into more than one part time
> position. There are many activities that require someone with mild Linux
> experience that could be handed off to another contractor. Things like the
> command-line tools for Mailman which aren't exposed via the web interface
> are a great candidate for this off-loading. Much of this was discussed
> during the staff summit but has been tabled due to Paul's recent absence.
> This would free me up to do what I've been working on in between the
> regular maintenance work. I've been 'ansible'-izing much of my OWASP IT
> work when I actually have unconsumed hours left over the weekend. By doing
> this while moving/upgrading the wiki and Mailman infrastructure, we're
> setting up a system which won't repeat or install the manual, time
> intensive practices we've historically employed. They worked OK for our
> former size, but that is no longer the case and I expect OWASP's growth to
>> ---------- Forwarded message ----------
>> From: Matt Tesauro <matt.tesauro at owasp.org>
>> Date: Mon, Apr 18, 2016 at 10:51 AM
>> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty Program
>> To: Josh Sokol <josh.sokol at owasp.org>
>> Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List <
>> owasp-board at lists.owasp.org>
>> My thoughts for what they are worth:
>> My understanding was that the scope of this effort was OWASP projects -
>> so that our projects have been vetted and, hopefully, are free from
>> security defects. This seems like a very sensible use of Foundation
>> Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
>> initial triage handled by a 3rd party, is foolish. Why?
>> - I can list the problems with the current infrastructure for you at
>> zero cost. There is very little value in these being rediscovered by random
>> Internet bug hunters.
>> - I've spent the last 3 weekends writing various fail2ban rules to
>> try and stop the dramatic increase in automated crawling (aka pro bono
>> scanning) of the wiki. The wiki, which wasn't running anywhere near
>> capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>> alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>> see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>> - It took several iterations to find a rule that adequately blocks
>> punks and lets the staff aka heavy wiki users get things done. During
>> those iterations, several of the staff were temporarily blocked from the
>> wiki by fail2ban.
>> - Ask the staff about how much they liked last week when two
>> instances of some Internet putz fuzzing our Wiki account registration has
>> created a backlog of bogus registrations. Beyond the hundreds of
>> notification emails the staff and I received, we now have a wiki
>> registration system which
>> - Needs to manually have 100's of bogus requests reviewed and
>> - Legit requests are getting lost in the bogus requests
>> - On one occasion, a bogus registration was accidentally confirmed
>> leading to SPAM on the wiki which then needs to be cleaned up wasting more
>> staff time/resources non-productively.
>> I completely agree that bug bounties of our PROJECTS is a great idea.
>> However, until we have an infrastructure that is both more resilient and
>> shored up with the issues we already know about, having the Internet poke
>> at our servers is counter productive. Of late, my 10 hours per week are
>> spent either cleaning up cruft from those that don't realize that wiki page
>> isn't an endorsement to poke at our infrastructure or just routine
>> The opportunity cost of a bug bounty is
>> - Staff work interrupted, delayed or refocused on clean-up that
>> inevitably happens when those with ranges of skills poke at infrastructure.
>> - Fire drills for our Infrastructure rather than planned and focused
>> upgrades across our infrastructure. I'd have much rather used the last 3
>> weeks of my 10 hours to complete setting up a new Mailman instance.
>> Instead, I'm cleaning up messes and answering emails about problems I
>> already know about and have prioritized lower for various reasons. This
>> email is an example of me being diverted from infrastructure enhancing
>> Considering the large difference between my 'day job' pay rate and what
>> OWASP pays me for 10 hours/week and the fact that I have and like my
>> family, I'm loath to spend more than my allotted OWASP time - though I
>> frequently do anyway.
>> </Matt's 2 cents>
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org>
>>> My thinking is that this bounty would be used for the OWASP Foundation
>>> resources. The wiki, conference sites, etc. Projects could participate
>>> with kudos and could self-fund out of their project funds for any bounties
>>> that they would like to pay out. I still need to work on defining those
>>> rules of engagement, but for now we need to come up with an initial deposit
>>> amount that we feel comfortable transferring to BugCrowd to get this
>>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>>> I would support putting some $ behind this. Definitely a bounded small
>>>> initial commitment but $. That will result in better faster feedback IMO.
>>>> I think we need to make sure we think through how it gets used. 90% to
>>>> a smaller lesser known OWASP project and 10% to ZAP for example might be a
>>>> possible problem. Do we have a rule that project committers can't receive
>>>> bounty? :)
>>>> We could start with a few projects and do the kudos approach and match
>>>> funds that those projects want to use.
>>>> I defer to the team that is focused here, just wanted to share my
>>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>> Now that we have announced BugCrowd as our bug bounty program
>>>>> platform, it is time to take the next step of figuring out how much of a
>>>>> bounty we want to start with. There is no minimum funding amount (we could
>>>>> do "kudo" bounties if we want) and we can scale the rewards however we
>>>>> would like for different categories. Obviously, money equates to more
>>>>> motivated researchers. BugCrowd's recommendation is to fund the initial
>>>>> pot at $5,000 and go from there. I think we were originally talking about
>>>>> just leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to
>>>>> see what others thought about it. Should we throw some money into the
>>>>> pot? How much? Your feedback is greatly appreciated.
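The fail2ban tuning Matt describes (a rule tight enough to stop automated wiki crawling, loose enough that heavy staff editors are not banned) comes down to a sliding-window count with a trusted-address exemption. The script below is an added illustration, not OWASP's actual fail2ban configuration or log data: it reimplements fail2ban's maxretry/findtime/ignoreip logic in Python over constructed Apache-style access-log lines, so the false-positive case (staff caught by a too-strict rule) can be seen directly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Minimal Apache combined-log parser (constructed format, not OWASP's real config).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (ip, unix_time) for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp()

def find_offenders(lines, maxretry, findtime, ignoreip=()):
    """Sliding-window hit count per IP, mirroring a fail2ban jail's
    maxretry/findtime/ignoreip. An IP is reported once it reaches maxretry
    hits inside any findtime-second window; addresses in ignoreip (trusted
    staff) are never reported. Lines are assumed to be in time order."""
    hits = defaultdict(deque)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t = parsed
        if ip in ignoreip or ip in banned:
            continue
        q = hits[ip]
        q.append(t)
        while q and t - q[0] > findtime:   # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample (TEST-NET addresses, nothing real): a crawler hitting the
# wiki twice a second for 30 s, and one staff editor saving once a second for 12 s.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2016:14:00:%02d +0000] "GET /index.php?title=Special:Random HTTP/1.1" 200 512' % (i // 2)
    for i in range(60)
] + [
    '198.51.100.20 - - [18/Apr/2016:14:00:%02d +0000] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0' % s
    for s in range(12)
]
STAFF_IPS = {"198.51.100.20"}   # hypothetical ignoreip list for heavy wiki users
```

With maxretry=10 over a 10-second window both addresses are banned, which is the staff lock-out the e-mail describes; raising maxretry to 15, or listing the staff address in ignoreip, leaves only the crawler banned.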