[Owasp-board] OWASP Staff Needs Technical Assistance

Tobias tobias.gondrom at owasp.org
Wed Apr 20 22:22:20 UTC 2016

I would agree.
Could we maybe put this on the board agenda to just record the motions 
and approval there?
Thanks, Tobias

On 18/04/16 21:43, Jim Manico wrote:
> I second all three of these motions.
> - Jim
> On 4/18/16 9:41 AM, Josh Sokol wrote:
>> Board,
>> Motion 1:
>> Give Matt Tesauro an OWASP Foundation credit card. - He is a former 
>> Board member and a trusted staff member of the Foundation.  I see no 
>> reason why, if that makes his job easier, it shouldn't be.  Let's 
>> rectify that.
>> Motion 2:
>> Approve funding for up to $200/month (good for 50 GB/month) of 
>> PaperTrail services. - We all know how important logging is and Matt 
>> stated it would make his job easier.  This seems like a no brainer.
>> Motion 3:
>> Approve funding for $20k worth of part-time/contractor System 
>> Administrator resources to aid in managing and securing OWASP's 
>> infrastructure.
>> Matt: Sorry, I didn't mean to misrepresent what you were saying.  I 
>> realize that you have that knowledge in your head.  The problem is in 
>> finding time to get it out and worked on which turns into a resource 
>> issue.  Hence, motion 3 above.
>> ~josh
>> On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>     What the board can do TODAY to help with OWASP IT:
>>     (1) Approve getting me a credit card for IT purchases. When I
>>     need to do things like purchase an SSL certificate or other
>>     miscellaneous expenses, I need to connect with Kate or another
>>     staff member to get a CC number or have them make the purchase
>>     for me.  This is plain silly.  If you trust me enough to have
>>     root on your infrastructure, getting me a credit card for IT
>>     purchase removes unnecessary delays.  I'm currently locked out of
>>     the IT ticketing system because the credit card on file expired
>>     and I don't have a replacement to use.
>>     (2) Approve a subscription to Papertrail
>>     (https://papertrailapp.com/) or equivalent - this would allow us
>>     to stream our log files to Papertrail where they can be indexed
>>     and made easily searchable.  When there are problems on the wiki,
>>     grepping through the daily log files which average ~2 GB/day is
>>     not time effective.  Having those logs searchable turns a bunch
>>     of time grepping into a quick search via command-line or web UI. 
>>     I say Papertrail only because I'm familiar with its service from
>>     when I was at Rackspace.
>>     Yes, we could set up some open-source thing on Rack's hosting but
>>     that's just more infrastructure to maintain and pay for.  I'd
>>     highly recommend SaaS where we can find it to keep our sys admin
>>     workload as small as possible.  It will be cheaper overall in 95%
>>     of the cases.
>>     The rest is answered in line below...
>>     On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol
>>     <josh.sokol at owasp.org> wrote:
>>         Board,
>>         Please see Matt's e-mail below.  I'm pulling this into a new
>>         thread as I think that Matt is indicating here that he is a
>>         limited resource (10 hrs/wk)
>>     I have always been a limited resource at 10 hours per week.  This
>>     shouldn't be news.
>>         and that his current workload, plus workload generated from
>>         the proposed Bug Bounty Program, is more than he can handle.
>>     Incorrect.  My point was that I know of more than enough things
>>     that need attention currently and that, in essence, paying twice
>>     for that information is not a good use of Foundation resources. 
>>     I've already been paid and under a bug bounty we'd pay again for
>>     the same info. Pointless.
>>     Plus, we are already experiencing destructive testing against the
>>     OWASP infrastructure without blessing the activity.  Why would
>>     formalizing this reduce this problem?  Why not do my suggestion
>>     below, get the needed updates done THEN start a bounty on the
>>     infrastructure.  That makes way more sense to me.
>>         I think that we need to seriously consider opening up another
>>         position at OWASP wherein management and security of OWASP's
>>         technical assets is a full-time role.
>>     I'd suggest splitting the current IT workload into more than one
>>     part time position.  There are many activities that require
>>     someone with mild Linux experience that could be handed off to
>>     another contractor.  Things like the command-line tools for
>>     Mailman which aren't exposed via the web interface are a great
>>     candidate for this off-loading.  Much of this was discussed
>>     during the staff summit but has been tabled due to Paul's recent
>>     absence.
>>     This would free me up to do what I've been working on in between
>>     the regular maintenance work.  I've been 'ansible'-zing much of
>>     my OWASP IT work when I actually have unconsumed hours left over
>>     the weekend.  By doing this while moving/upgrading the wiki and
>>     Mailman infrastructure, we're setting up a system which won't
>>     repeat or install the manual, time intensive practices we've
>>     historically employed.  They worked OK for our former size, but
>>     that is no longer the case and I expect OWASP's growth to continue.
>>         ~josh
>>         ---------- Forwarded message ----------
>>         From: *Matt Tesauro* <matt.tesauro at owasp.org>
>>         Date: Mon, Apr 18, 2016 at 10:51 AM
>>         Subject: Re: [Owasp-board] Initial Funding for OWASP Bug
>>         Bounty Program
>>         To: Josh Sokol <josh.sokol at owasp.org>
>>         Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List
>>         <owasp-board at lists.owasp.org>
>>         My thoughts for what they are worth:
>>         My understanding was that the scope of this effort was OWASP
>>         projects - so that our projects have been vetted and,
>>         hopefully, are free from security defects. This seems like a
>>         very sensible use of Foundation resources.
>>         Pointing the Bug Bounty masses at the OWASP infrastructure,
>>         even with the initial triage handled by a 3rd party, is
>>         foolish.  Why?
>>           * I can list the problems with the current infrastructure
>>             for you and zero cost. There is very little value in
>>             these being rediscovered by random Internet bug hunters.
>>           * I've spent the last 3 weekends writing various fail2ban
>>             rules to try and stop the dramatic increase in automated
>>             crawling (aka pro bono scanning) of the wiki.  The wiki,
>>             which wasn't running anywhere near capacity, has been
>>             hitting 100% CPU and throwing high load/CPU monitoring
>>             alerts from shortly after our 'draft' policy was placed
>>             on the OWASP wiki - see
>>             https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>               o It took several iterations to find a rule that
>>                 adequately blocks punks and lets the staff aka heavy
>>                 wiki users get things done.  During those iterations,
>>                 several of the staff were temporarily blocked from
>>                 the wiki by fail2ban.
>>           * Ask the staff about how much they liked last week when
>>             two instances of some Internet putz fuzzing our Wiki
>>             account registration created a backlog of bogus
>>             registrations.  Beyond the hundreds of notification
>>             emails the staff and I received, we now have a wiki
>>             registration system which
>>               o Needs to manually have hundreds of bogus requests
>>                 reviewed and deleted
>>               o Legit requests are getting lost in the bogus requests
>>               o On one occasion, a bogus registration was
>>                 accidentally confirmed leading to SPAM on the wiki
>>                 which then needs to be cleaned up wasting more staff
>>                 time/resources non-productively.
>>         I completely agree that bug bounties on our PROJECTS are a
>>         great idea.
>>         However, until we have an infrastructure that is both more
>>         resilient and shored up with the issues we already know
>>         about, having the Internet poke at our servers is counter
>>         productive.  Of late, my 10 hours per week are spent either
>>         cleaning up cruft from those that don't realize that wiki
>>         page isn't an endorsement to poke at our infrastructure or
>>         just routine maintenance.
>>         The opportunity cost of a bug bounty is
>>           * Staff work interrupted, delayed or refocused on clean-up
>>             that inevitably happens when those with ranges of skills
>>             poke at infrastructure.
>>           * Fire drills for our Infrastructure rather than planned
>>             and focused upgrades across our infrastructure. I'd have
>>             much rather used the last 3 weeks of my 10 hours to
>>             complete setting up a new Mailman instance. Instead, I'm
>>             cleaning up messes and answering emails about problems I
>>             already know about and have prioritized lower for various
>>             reasons.  This email is an example of me being diverted
>>             from infrastructure enhancing activities.
>>         Considering the large difference between my 'day job' pay
>>         rate and what OWASP pays me for 10 hours/week and the fact
>>         that I have and like my family, I'm loath to spend more than
>>         my allotted OWASP time - though I frequently do anyway.
>>         </Matt's 2 cents>
>>         --
>>         -- Matt Tesauro
>>         OWASP WTE Project Lead
>>         http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>         http://AppSecLive.org - Community and Download site
>>         OWASP OpenStack Security Project Lead
>>         https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>         On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol
>>         <josh.sokol at owasp.org> wrote:
>>             My thinking is that this bounty would be used for the
>>             OWASP Foundation resources. The wiki, conference sites,
>>             etc.  Projects could participate with kudos and could
>>             self-fund out of their project funds for any bounties
>>             that they would like to pay out.  I still need to work on
>>             defining those rules of engagement, but for now we need
>>             to come up with an initial deposit amount that we feel
>>             comfortable transferring to BugCrowd to get this rolling.
>>             ~josh
>>             On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda
>>             <matt.konda at owasp.org> wrote:
>>                 Josh,
>>                 I would support putting some $ behind this.
>>                 Definitely a bounded small initial commitment but $. 
>>                 That will result in better, faster feedback IMO.
>>                 I think we need to make sure we think through how it
>>                 gets used.  90% to a smaller lesser known OWASP
>>                 project and 10% to ZAP for example might be a
>>                 possible problem.  Do we have a rule that project
>>                 committers can't receive bounty?  :)
>>                 We could start with a few projects and do the kudos
>>                 approach and match funds that those projects want to use.
>>                 I defer to the team that is focused here, just wanted
>>                 to share my thoughts.
>>                 Matt
>>                 On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol
>>                 <josh.sokol at owasp.org> wrote:
>>                     Board,
>>                     Now that we have announced BugCrowd as our bug
>>                     bounty program platform, it is time to take the
>>                     next step of figuring out how much of a bounty we
>>                     want to start with.  There is no minimum funding
>>                     amount (we could do "kudo" bounties if we want)
>>                     and we can scale the rewards however we would
>>                     like for different categories. Obviously, money
>>                     equates to more motivated researchers. BugCrowd's
>>                     recommendation is to fund the initial pot at
>>                     $5,000 and go from there.  I think we were
>>                     originally talking about just leveraging a Wall
>>                     of Fame to start with (i.e. "kudos"), but I wanted
>>                     to see what others thought about it. Should we
>>                     throw some money into the pot?  How much?  Your
>>                     feedback is greatly appreciated.
>>                     ~josh
>>                     _______________________________________________
>>                     Owasp-board mailing list
>>                     Owasp-board at lists.owasp.org
>>                     https://lists.owasp.org/mailman/listinfo/owasp-board
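Matt's fail2ban point above is the practical crux of the thread: a rate rule strict enough to stop automated crawling of the wiki but loose enough that staff, who are the heaviest legitimate users, are not locked out. The script below is an added illustration of that tuning problem and is not Matt's fail2ban configuration or any OWASP code. It reads Apache/nginx combined-format access log lines, flags any client that exceeds a request count inside a sliding time window, and exempts an allowlist of networks (the role fail2ban's ignoreip plays). The log lines, IP addresses (documentation ranges), networks and thresholds are all constructed for the example.

```python
"""Sliding-window request-rate detector over web access logs with an
allowlist, so heavy legitimate users are never flagged. Hypothetical
example; not OWASP's fail2ban rules."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" format: client IP, bracketed timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"')


def parse_line(line):
    """Return (ip, datetime, request) for a combined-format line, or None when
    the line is malformed (skipped rather than trusted)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ip = ip_address(m.group("ip"))
    except ValueError:
        return None
    return ip, ts, m.group("request")


def find_offenders(lines, max_hits=5, window_seconds=10, ignore_nets=()):
    """IPs that make more than max_hits requests inside any window_seconds span.
    Addresses inside ignore_nets (analogue of fail2ban's ignoreip) are never
    flagged, which is how staff stay unblocked while the rule is tuned."""
    nets = [ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    offenders = set()
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])      # concatenated logs may be out of order
    for ip, ts, _request in events:
        if any(ip in net for net in nets):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                  # drop hits that fell out of the window
        if len(q) > max_hits:
            offenders.add(str(ip))
    return sorted(offenders)


def _line(ip, second, path):
    # Constructed sample line in combined format, all at 10:00 UTC on 18 Apr 2016.
    return (f'{ip} - - [18/Apr/2016:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')


# Constructed sample log: a crawler, a staff editor, an ordinary reader, junk.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, f"/index.php/Special:AllPages?from={s}") for s in range(6)]
    + [_line("198.51.100.10", s, "/index.php/Main_Page") for s in range(8)]
    + [_line("192.0.2.5", s * 20, "/index.php/Main_Page") for s in range(3)]
    + ["garbage line that does not parse"]
)
STAFF_NETS = ("198.51.100.0/24",)        # assumed staff network, constructed


if __name__ == "__main__":
    print("with allowlist:   ", find_offenders(SAMPLE_LOG, ignore_nets=STAFF_NETS))
    print("without allowlist:", find_offenders(SAMPLE_LOG))
    print("window 3 s:       ", find_offenders(SAMPLE_LOG, window_seconds=3, ignore_nets=STAFF_NETS))
```

Run without an allowlist, the staff editor is flagged alongside the crawler, which is exactly the iteration problem described in the thread; shrinking the window from 10 s to 3 s lets the crawler through instead. The allowlist is what makes a strict threshold usable, so the practical workflow is to exempt known heavy users first and then tighten the rate.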
