[Owasp-board] OWASP Staff Needs Technical Assistance

Jim Manico jim.manico at owasp.org
Mon Apr 18 19:43:14 UTC 2016

I second all three of these motions.
- Jim

On 4/18/16 9:41 AM, Josh Sokol wrote:
> Board,
> Motion 1:
> Give Matt Tesauro an OWASP Foundation credit card. - He is a former
> Board member and a trusted staff member of the Foundation.  I see no
> reason why, if that makes his job easier, it shouldn't be.  Let's
> rectify that.
> Motion 2:
> Approve funding for up to $200/month (good for 50 GB/month) of
> PaperTrail services. - We all know how important logging is and Matt
> stated it would make his job easier.  This seems like a no-brainer.
> Motion 3:
> Approve funding for $20k worth of part-time/contractor System
> Administrator resources to aid in managing and securing OWASP's
> infrastructure.
> Matt: Sorry, I didn't mean to misrepresent what you were saying.  I
> realize that you have that knowledge in your head.  The problem is in
> finding time to get it out and worked on which turns into a resource
> issue.  Hence, motion 3 above.
> ~josh
> On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org
> <mailto:matt.tesauro at owasp.org>> wrote:
>     What the board can do TODAY to help with OWASP IT:
>     (1) Approve getting me a credit card for IT purchases. When I need
>     to do things like purchase an SSL certificate or other
>     miscellaneous expenses, I need to connect with Kate or another
>     staff member to get a CC number or have them make the purchase for
>     me.  This is plain silly.  If you trust me enough to have root on
>     your infrastructure, getting me a credit card for IT purchases
>     removes unnecessary delays.  I'm currently locked out of the IT
>     ticketing system because the credit card on file expired and I
>     don't have a replacement to use.
>     (2) Approve a subscription to Papertrail
>     (https://papertrailapp.com/) or equivalent - this would allow us
>     to stream our log files to Papertrail where they can be indexed
>     and made easily searchable.  When there are problems on the wiki,
>     grepping through the daily log files which average ~2 GB/day is
>     not time effective.  Having those logs searchable turns a bunch of
>     time grepping into a quick search via command-line or web UI.  I
>     say Papertrail only because I'm familiar with its service from when
>     I was at Rackspace.
>     Yes, we could set up some open-source thing on Rack's hosting but
>     that's just more infrastructure to maintain and pay for.  I'd
>     highly recommend SaaS where we can find it to keep our sys admin
>     workload as small as possible.  It will be cheaper overall in 95%
>     of the cases.
>     The rest is answered in line below...
>     On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>         Board,
>         Please see Matt's e-mail below.  I'm pulling this into a new
>         thread as I think that Matt is indicating here that he is a
>         limited resource (10 hrs/wk)
>     I have always been a limited resource at 10 hours per week.  This
>     shouldn't be news.
>         and that his current workload, plus workload generated from
>         the proposed Bug Bounty Program, is more than he can handle. 
>     Incorrect.  My point was that I know of more than enough things
>     that need attention currently and that, in essence, paying twice
>     for that information is not a good use of Foundation resources.
>     I've already been paid and under a bug bounty we'd pay again for
>     the same info.  Pointless.
>     Plus, we are already experiencing destructive testing against the
>     OWASP infrastructure without blessing the activity.  Why would
>     formalizing this reduce this problem?  Why not do my suggestion
>     below, get the needed updates done THEN start a bounty on the
>     infrastructure?  That makes way more sense to me.
>         I think that we need to seriously consider opening up another
>         position at OWASP wherein management and security of OWASP's
>         technical assets is a full-time role.
>     I'd suggest splitting the current IT workload into more than one
>     part time position.  There are many activities that require
>     someone with mild Linux experience that could be handed off to
>     another contractor.  Things like the command-line tools for
>     Mailman which aren't exposed via the web interface are a great
>     candidate for this off-loading.  Much of this was discussed during
>     the staff summit but has been tabled due to Paul's recent absence.
>     This would free me up to do what I've been working on in between
>     the regular maintenance work.  I've been 'ansible'-zing much of my
>     OWASP IT work when I actually have unconsumed hours left over the
>     weekend.  By doing this while moving/upgrading the wiki and
>     Mailman infrastructure, we're setting up a system which won't
>     repeat or install the manual, time intensive practices we've
>     historically employed.  They worked OK for our former size, but
>     that is no longer the case and I expect OWASP's growth to continue.
>         ~josh
>         ---------- Forwarded message ----------
>         From: *Matt Tesauro* <matt.tesauro at owasp.org
>         <mailto:matt.tesauro at owasp.org>>
>         Date: Mon, Apr 18, 2016 at 10:51 AM
>         Subject: Re: [Owasp-board] Initial Funding for OWASP Bug
>         Bounty Program
>         To: Josh Sokol <josh.sokol at owasp.org
>         <mailto:josh.sokol at owasp.org>>
>         Cc: Matt Konda <matt.konda at owasp.org
>         <mailto:matt.konda at owasp.org>>, OWASP Board List
>         <owasp-board at lists.owasp.org <mailto:owasp-board at lists.owasp.org>>
>         My thoughts for what they are worth:
>         My understanding was that the scope of this effort was OWASP
>         projects - so that our projects have been vetted and,
>         hopefully, are free from security defects.  This seems like a
>         very sensible use of Foundation resources.
>         Pointing the Bug Bounty masses at the OWASP infrastructure,
>         even with the initial triage handled by a 3rd party, is
>         foolish.  Why? 
>           * I can list the problems with the current infrastructure
>             for you at zero cost. There is very little value in these
>             being rediscovered by random Internet bug hunters.
>           * I've spent the last 3 weekends writing various fail2ban
>             rules to try and stop the dramatic increase in automated
>             crawling (aka pro bono scanning) of the wiki.  The wiki,
>             which wasn't running anywhere near capacity, has been
>             hitting 100% CPU and throwing high load/CPU monitoring
>             alerts from shortly after our 'draft' policy was placed on
>             the OWASP wiki -
>             see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>               o It took several iterations to find a rule that
>                 adequately blocks punks and lets the staff aka heavy
>                 wiki users get things done.  During those iterations,
>                 several of the staff were temporarily blocked from the
>                 wiki by fail2ban. 
>           * Ask the staff about how much they liked last week when two
>             instances of some Internet putz fuzzing our Wiki account
>             registration created a backlog of bogus
>             registrations.  Beyond the hundreds of notification emails
>             the staff and I received, we now have a wiki registration
>             system which
>               o Needs to manually have hundreds of bogus requests
>                 reviewed and deleted
>               o Legit requests are getting lost in the bogus requests
>               o On one occasion, a bogus registration was accidentally
>                 confirmed leading to SPAM on the wiki which then needs
>                 to be cleaned up wasting more staff time/resources
>                 non-productively.
>         I completely agree that bug bounties on our PROJECTS are a
>         great idea.
>         However, until we have an infrastructure that is both more
>         resilient and shored up with the issues we already know about,
>         having the Internet poke at our servers is
>         counterproductive.  Of late, my 10 hours per week are spent either
>         cleaning up cruft from those that don't realize that wiki page
>         isn't an endorsement to poke at our infrastructure or just
>         routine maintenance.
>         The opportunity cost of a bug bounty is
>           * Staff work interrupted, delayed or refocused on clean-up
>             that inevitably happens when those with ranges of skills
>             poke at infrastructure.
>           * Fire drills for our Infrastructure rather than planned and
>             focused upgrades across our infrastructure.  I'd have much
>             rather used the last 3 weeks of my 10 hours to complete
>             setting up a new Mailman instance.  Instead, I'm cleaning
>             up messes and answering emails about problems I already
>             know about and have prioritized lower for various
>             reasons.  This email is an example of me being diverted
>             from infrastructure enhancing activities.
>         Considering the large difference between my 'day job' pay rate
>         and what OWASP pays me for 10 hours/week and the fact that I
>         have and like my family, I'm loath to spend more than my
>         allotted OWASP time - though I frequently do anyway.
>         </Matt's 2 cents> 
>         --
>         -- Matt Tesauro
>         OWASP WTE Project Lead
>         http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>         http://AppSecLive.org - Community and Download site
>         OWASP OpenStack Security Project Lead
>         https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>         On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol
>         <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>             My thinking is that this bounty would be used for the
>             OWASP Foundation resources.  The wiki, conference sites,
>             etc.  Projects could participate with kudos and could
>             self-fund out of their project funds for any bounties that
>             they would like to pay out.  I still need to work on
>             defining those rules of engagement, but for now we need to
>             come up with an initial deposit amount that we feel
>             comfortable transferring to BugCrowd to get this rolling.
>             ~josh
>             On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda
>             <matt.konda at owasp.org <mailto:matt.konda at owasp.org>> wrote:
>                 Josh,
>                 I would support putting some $ behind this.
>                 Definitely a bounded small initial commitment but $.
>                 That will result in better faster feedback IMO.
>                 I think we need to make sure we think through how it
>                 gets used.  90% to a smaller lesser known OWASP
>                 project and 10% to ZAP for example might be a possible
>                 problem.  Do we have a rule that project committers
>                 can't receive bounty?  :)
>                 We could start with a few projects and do the kudos
>                 approach and match funds that those projects want to use.
>                 I defer to the team that is focused here, just wanted
>                 to share my thoughts.
>                 Matt
>                 On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol
>                 <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>>
>                 wrote:
>                     Board,
>                     Now that we have announced BugCrowd as our bug
>                     bounty program platform, it is time to take the
>                     next step of figuring out how much of a bounty we
>                     want to start with.  There is no minimum funding
>                     amount (we could do "kudo" bounties if we want)
>                     and we can scale the rewards however we would like
>                     for different categories.  Obviously, money
>                     equates to more motivated researchers.  BugCrowd's
>                     recommendation is to fund the initial pot at
>                     $5,000 and go from there.  I think we were
>                     originally talking about just leveraging a Wall of
>                     Fame to start with (i.e. "kudos"), but I wanted to
>                     see what others thought about it.  Should we throw
>                     some money into the pot?  How much?  Your feedback
>                     is greatly appreciated.
>                     ~josh
>                     _______________________________________________
>                     Owasp-board mailing list
>                     Owasp-board at lists.owasp.org
>                     <mailto:Owasp-board at lists.owasp.org>
>                     https://lists.owasp.org/mailman/listinfo/owasp-board

