[Owasp-board] OWASP Staff Needs Technical Assistance
Jim Manico
jim.manico at owasp.org
Mon Apr 18 19:43:14 UTC 2016
I second all three of these motions.
- Jim
On 4/18/16 9:41 AM, Josh Sokol wrote:
> Board,
>
> Motion 1:
> Give Matt Tesauro an OWASP Foundation credit card. - He is a former
> Board member and a trusted staff member of the Foundation. I see no
> reason why, if that makes his job easier, it shouldn't be. Let's
> rectify that.
>
> Motion 2:
> Approve funding for up to $200/month (good for 50 GB/month) of
> PaperTrail services. - We all know how important logging is and Matt
> stated it would make his job easier. This seems like a no-brainer.
>
> Motion 3:
> Approve funding for $20k worth of part-time/contractor System
> Administrator resources to aid in managing and securing OWASP's
> infrastructure.
>
> Matt: Sorry, I didn't mean to misrepresent what you were saying. I
> realize that you have that knowledge in your head. The problem is in
> finding time to get it out and worked on which turns into a resource
> issue. Hence, motion 3 above.
>
> ~josh
>
> On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org
> <mailto:matt.tesauro at owasp.org>> wrote:
>
> What the board can do TODAY to help with OWASP IT:
>
> (1) Approve getting me a credit card for IT purchases. When I need
> to do things like purchase an SSL certificate or other
> miscellaneous expenses, I need to connect with Kate or another
> staff member to get a CC number or have them make the purchase for
> me. This is plain silly. If you trust me enough to have root on
> your infrastructure, getting me a credit card for IT purchase
> removes unnecessary delays. I'm currently locked out of the IT
> ticketing system because the credit card on file expired and I
> don't have a replacement to use.
>
> (2) Approve a subscription to Papertrail
> (https://papertrailapp.com/) or equivalent - this would allow us
> to stream our log files to Papertrail where they can be indexed
> and made easily searchable. When there are problems on the wiki,
> grepping through the daily log files which average ~2 GB/day is
> not time effective. Having those logs searchable turns a bunch of
> time grep'ing into a quick search via command-line or web UI. I
> say Papertrail only because I'm familiar with its service from when
> I was at Rackspace.
>
> Yes, we could set up some open-source thing on Rack's hosting but
> that's just more infrastructure to maintain and pay for. I'd
> highly recommend SaaS where we can find it to keep our sys admin
> workload as small as possible. It will be cheaper overall in 95%
> of the cases.
>
> The rest is answered in line below...
>
> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org
> <mailto:josh.sokol at owasp.org>> wrote:
>
> Board,
>
> Please see Matt's e-mail below. I'm pulling this into a new
> thread as I think that Matt is indicating here that he is a
> limited resource (10 hrs/wk)
>
>
> I have always been a limited resource at 10 hours per week. This
> shouldn't be news.
>
>
> and that his current workload, plus workload generated from
> the proposed Bug Bounty Program, is more than he can handle.
>
>
> Incorrect. My point was that I know of more than enough things
> that need attention currently and that, in essence, paying twice
> for that information is not a good use of Foundation resources.
> I've already been paid and under a bug bounty we'd pay again for
> the same info. Pointless.
>
> Plus, we are already experiencing destructive testing against the
> OWASP infrastructure without blessing the activity. Why would
> formalizing this reduce this problem? Why not do my suggestion
> below, get the needed updates done THEN start a bounty on the
> infrastructure. That makes way more sense to me.
>
>
> I think that we need to seriously consider opening up another
> position at OWASP wherein management and security of OWASP's
> technical assets is a full-time role.
>
>
> I'd suggest splitting the current IT workload into more than one
> part time position. There are many activities that require
> someone with mild Linux experience that could be handed off to
> another contractor. Things like the command-line tools for
> Mailman which aren't exposed via the web interface are a great
> candidate for this off-loading. Much of this was discussed during
> the staff summit but has been tabled due to Paul's recent absence.
>
> This would free me up to do what I've been working on in between
> the regular maintenance work. I've been 'ansible'-zing much of my
> OWASP IT work when I actually have unconsumed hours left over the
> weekend. By doing this while moving/upgrading the wiki and
> Mailman infrastructure, we're setting up a system which won't
> repeat or install the manual, time-intensive practices we've
> historically employed. They worked OK for our former size, but
> that is no longer the case and I expect OWASP's growth to continue.
>
>
>
> ~josh
>
> ---------- Forwarded message ----------
> From: *Matt Tesauro* <matt.tesauro at owasp.org
> <mailto:matt.tesauro at owasp.org>>
> Date: Mon, Apr 18, 2016 at 10:51 AM
> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug
> Bounty Program
> To: Josh Sokol <josh.sokol at owasp.org
> <mailto:josh.sokol at owasp.org>>
> Cc: Matt Konda <matt.konda at owasp.org
> <mailto:matt.konda at owasp.org>>, OWASP Board List
> <owasp-board at lists.owasp.org <mailto:owasp-board at lists.owasp.org>>
>
>
> My thoughts for what they are worth:
>
> My understanding was that the scope of this effort was OWASP
> projects - so that our projects have been vetted and,
> hopefully, are free from security defects. This seems like a
> very sensible use of Foundation resources.
>
> Pointing the Bug Bounty masses at the OWASP infrastructure,
> even with the initial triage handled by a 3rd party, is
> foolish. Why?
>
> * I can list the problems with the current infrastructure
> for you and zero cost. There is very little value in these
> being rediscovered by random Internet bug hunters.
> * I've spent the last 3 weekends writing various fail2ban
> rules to try and stop the dramatic increase in automated
> crawling (aka pro bono scanning) of the wiki. The wiki,
> which wasn't running anywhere near capacity, has been
> hitting 100% CPU and throwing high load/CPU monitoring
> alerts from shortly after our 'draft' policy was placed on
> the OWASP wiki -
> see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
> o It took several iterations to find a rule that
> adequately blocks punks and lets the staff aka heavy
> wiki users get things done. During those iterations,
> several of the staff were temporarily blocked from the
> wiki by fail2ban.
> * Ask the staff about how much they liked last week when two
> instances of some Internet putz fuzzing our Wiki account
> registration has created a backlog of bogus
> registrations. Beyond the hundreds of notification emails
> the staff and I received, we now have a wiki registration
> system which
> o Needs to manually have hundreds of bogus requests
> reviewed and deleted
> o Legit requests are getting lost in the bogus requests
> o On one occasion, a bogus registration was accidentally
> confirmed leading to SPAM on the wiki which then needs
> to be cleaned up wasting more staff time/resources
> non-productively.
>
> I completely agree that bug bounties on our PROJECTS are a
> great idea.
>
> However, until we have an infrastructure that is both more
> resilient and shored up with the issues we already know about,
> having the Internet poke at our servers is counter
> productive. Of late, my 10 hours per week are spent either
> cleaning up cruft from those that don't realize that the wiki page
> isn't an endorsement to poke at our infrastructure or just
> routine maintenance.
>
> The opportunity cost of a bug bounty is
>
> * Staff work interrupted, delayed or refocused on clean-up
> that inevitably happens when those with ranges of skills
> poke at infrastructure.
> * Fire drills for our Infrastructure rather than planned and
> focused upgrades across our infrastructure. I'd have much
> rather used the last 3 weeks of my 10 hours to complete
> setting up a new Mailman instance. Instead, I'm cleaning
> up messes and answering emails about problems I already
> know about and have prioritized lower for various
> reasons. This email is an example of me being diverted
> from infrastructure enhancing activities.
>
> Considering the large difference between my 'day job' pay rate
> and what OWASP pays me for 10 hours/week and the fact that I
> have and like my family, I'm loath to spend more than my
> allotted OWASP time - though I frequently do anyway.
>
> </Matt's 2 cents>
>
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol
> <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>
> My thinking is that this bounty would be used for the
> OWASP Foundation resources. The wiki, conference sites,
> etc. Projects could participate with kudos and could
> self-fund out of their project funds for any bounties that
> they would like to pay out. I still need to work on
> defining those rules of engagement, but for now we need to
> come up with an initial deposit amount that we feel
> comfortable transferring to BugCrowd to get this rolling.
>
> ~josh
>
> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda
> <matt.konda at owasp.org <mailto:matt.konda at owasp.org>> wrote:
>
> Josh,
>
> I would support putting some $ behind this.
> Definitely a bounded small initial commitment but $.
> That will result in better, faster feedback IMO.
>
> I think we need to make sure we think through how it
> gets used. 90% to a smaller lesser known OWASP
> project and 10% to ZAP for example might be a possible
> problem. Do we have a rule that project committers
> can't receive bounty? :)
>
> We could start with a few projects and do the kudos
> approach and match funds that those projects want to use.
>
> I defer to the team that is focused here, just wanted
> to share my thoughts.
>
> Matt
>
>
> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol
> <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>>
> wrote:
>
> Board,
>
> Now that we have announced BugCrowd as our bug
> bounty program platform, it is time to take the
> next step of figuring out how much of a bounty we
> want to start with. There is no minimum funding
> amount (we could do "kudo" bounties if we want)
> and we can scale the rewards however we would like
> for different categories. Obviously, money
> equates to more motivated researchers. BugCrowd's
> recommendation is to fund the initial pot at
> $5,000 and go from there. I think we were
> originally talking about just leveraging a Wall of
> Fame to start with (i.e., "kudos"), but I wanted to
> see what others thought about it. Should we throw
> some money into the pot? How much? Your feedback
> is greatly appreciated.
>
> ~josh
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> <mailto:Owasp-board at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-board
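Matt's account above of iterating on fail2ban rules that stopped the automated crawling of the wiki but also locked staff (the heaviest legitimate users) out is a common tuning problem for rate-based detection. The following is an added example, not code from this thread and not OWASP's actual fail2ban configuration: it runs a per-IP sliding-window threshold over constructed combined-format access-log lines, shows that a bare threshold flags the staff editor alongside the crawler, and then applies an allowlist in the role of fail2ban's ignoreip so only the crawler is flagged. The IP addresses, paths, thresholds, jail name and log path are all assumptions chosen for the example.

```python
"""Sliding-window request-rate detection over wiki access-log lines.

Constructed example (not OWASP's own fail2ban rules): a per-IP rate
threshold with an allowlist that plays the role of fail2ban's ``ignoreip``,
so staff who edit the wiki heavily are not banned with the crawlers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed addresses from the RFC 5737 documentation ranges, not real hosts.
CRAWLER_IP = "203.0.113.7"
STAFF_IP = "198.51.100.20"
VISITOR_IP = "192.0.2.5"

# Leading fields of the Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_crawlers(lines, maxretry, findtime_seconds, allowlist=frozenset()):
    """Map each offending IP to the time it crossed the threshold.

    Mirrors fail2ban semantics: an IP is flagged once it has ``maxretry``
    matching requests within ``findtime_seconds``. Lines are assumed to be in
    chronological order, as an access log is. Allowlisted IPs are never
    counted, which is what ``ignoreip`` does for staff addresses.
    """
    window = timedelta(seconds=findtime_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip a bad line rather than crash the detector
        ip, ts, _req, _status = parsed
        if ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


def render_jail(name, maxretry, findtime_seconds, allowlist, bantime=3600):
    """jail.local stanza with the same thresholds; the filter file is assumed to exist."""
    ignoreip = " ".join(["127.0.0.1/8", *sorted(allowlist)])
    return (
        f"[{name}]\n"
        "enabled = true\n"
        f"filter = {name}\n"
        "logpath = /var/log/apache2/access.log\n"  # assumed path
        f"maxretry = {maxretry}\n"
        f"findtime = {findtime_seconds}\n"
        f"bantime = {bantime}\n"
        f"ignoreip = {ignoreip}\n"
    )


def _log_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed traffic (not real OWASP logs): crawler, staff editor, visitor."""
    base = datetime(2016, 4, 18, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(200):  # crawler: 200 page fetches in 20 seconds
        events.append((base + timedelta(seconds=0.1 * i), CRAWLER_IP,
                       f"/index.php/Special:AllPages?from={i}"))
    for i in range(40):  # staff editor: 40 requests in 60 seconds
        events.append((base + timedelta(seconds=1.5 * i), STAFF_IP,
                       f"/index.php?title=Page{i}&action=edit"))
    for i in range(3):  # ordinary visitor: 3 requests in 40 seconds
        events.append((base + timedelta(seconds=20 * i), VISITOR_IP,
                       "/index.php/Main_Page"))
    events.sort(key=lambda e: e[0])
    return [_log_line(ip, ts, path) for ts, ip, path in events]


if __name__ == "__main__":
    log = build_sample_log()
    naive = find_crawlers(log, maxretry=30, findtime_seconds=60)
    tuned = find_crawlers(log, maxretry=30, findtime_seconds=60, allowlist={STAFF_IP})
    print("no allowlist :", sorted(naive))  # staff flagged alongside the crawler
    print("with ignoreip:", sorted(tuned))  # crawler only
    print(render_jail("owasp-wiki-crawl", 30, 60, {STAFF_IP}))
```

The design point is that the threshold alone cannot separate a crawler from a staff member saving edits in quick succession, because both look like many requests from one address in a short window; the allowlist (ignoreip in fail2ban) is the knob that keeps known heavy users out of the ban list while the thresholds stay tight enough to catch the crawler within a few seconds.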