[Owasp-board] OWASP Staff Needs Technical Assistance

Matt Konda matt.konda at owasp.org
Wed Apr 20 22:31:14 UTC 2016

Added these to the agenda.


On Wed, Apr 20, 2016 at 5:22 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> I would agree.
> Could we maybe put this on the board agenda to just record the motions and
> approval there?
> Thanks, Tobias
> On 18/04/16 21:43, Jim Manico wrote:
> I second all three of these motions.
> - Jim
> On 4/18/16 9:41 AM, Josh Sokol wrote:
> Board,
> Motion 1:
> Give Matt Tesauro an OWASP Foundation credit card. - He is a former Board
> member and a trusted staff member of the Foundation.  I see no reason why,
> if that makes his job easier, it shouldn't be.  Let's rectify that.
> Motion 2:
> Approve funding for up to $200/month (good for 50 GB/month) of PaperTrail
> services. - We all know how important logging is and Matt stated it would
> make his job easier.  This seems like a no-brainer.
> Motion 3:
> Approve funding for $20k worth of part-time/contractor System
> Administrator resources to aid in managing and securing OWASP's
> infrastructure.
> Matt: Sorry, I didn't mean to misrepresent what you were saying.  I
> realize that you have that knowledge in your head.  The problem is in
> finding time to get it out and worked on which turns into a resource
> issue.  Hence, motion 3 above.
> ~josh
> On Mon, Apr 18, 2016 at 2:24 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>> What the board can do TODAY to help with OWASP IT:
>> (1) Approve getting me a credit card for IT purchases. When I need to do
>> things like purchase an SSL certificate or other miscellaneous expenses, I
>> need to connect with Kate or another staff member to get a CC number or
>> have them make the purchase for me.  This is plain silly.  If you trust me
>> enough to have root on your infrastructure, getting me a credit card for IT
>> purchase removes unnecessary delays.  I'm currently locked out of the IT
>> ticketing system because the credit card on file expired and I don't have a
>> replacement to use.
>> (2) Approve a subscription to Papertrail (https://papertrailapp.com/)
>> or equivalent - this would allow us to stream our log files to Papertrail
>> where they can be indexed and made easily searchable.  When there are
>> problems on the wiki, grepping through the daily log files which average ~2
>> GB/day is not time effective.  Having those logs searchable turns a bunch
>> of time grep'ing into a quick search via command-line or web UI.  I say
>> Papertrail only because I'm familiar with its service from when I was at
>> Rackspace.
>> Yes, we could set up some open-source thing on Rack's hosting but that's
>> just more infrastructure to maintain and pay for.  I'd highly recommend
>> SaaS where we can find it to keep our sys admin workload as small as
>> possible.  It will be cheaper overall in 95% of the cases.
>> The rest is answered in line below...
>> On Mon, Apr 18, 2016 at 11:42 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>> Board,
>>> Please see Matt's e-mail below.  I'm pulling this into a new thread as I
>>> think that Matt is indicating here that he is a limited resource (10 hrs/wk)
>> I have always been a limited resource at 10 hours per week.  This
>> shouldn't be news.
>>> and that his current workload, plus workload generated from the proposed
>>> Bug Bounty Program, is more than he can handle.
>> Incorrect.  My point was that I know of more than enough things that need
>> attention currently and that, in essence, paying twice for that information
>> is not a good use of Foundation resources.  I've already been paid and
>> under a bug bounty we'd pay again for the same info.  Pointless.
>> Plus, we are already experiencing destructive testing against the OWASP
>> infrastructure without blessing the activity.  Why would formalizing this
>> reduce this problem?  Why not do my suggestion below, get the needed
>> updates done THEN start a bounty on the infrastructure.  That makes way
>> more sense to me.
>>> I think that we need to seriously consider opening up another position
>>> at OWASP wherein management and security of OWASP's technical assets is a
>>> full-time role.
>> I'd suggest splitting the current IT workload into more than one part
>> time position.  There are many activities that require someone with mild
>> Linux experience that could be handed off to another contractor.  Things
>> like the command-line tools for Mailman which aren't exposed via the web
>> interface are a great candidate for this off-loading.  Much of this was
>> discussed during the staff summit but has been tabled due to Paul's recent
>> absence.
>> This would free me up to do what I've been working on in between the
>> regular maintenance work.  I've been 'ansible'-zing much of my OWASP IT
>> work when I actually have unconsumed hours left over the weekend.  By doing
>> this while moving/upgrading the wiki and Mailman infrastructure, we're
>> setting up a system which won't repeat or install the manual, time
>> intensive practices we've historically employed.  They worked OK for our
>> former size, but that is no longer the case and I expect OWASP's growth to
>> continue.
>>> ~josh
>>> ---------- Forwarded message ----------
>>> From: Matt Tesauro <matt.tesauro at owasp.org>
>>> Date: Mon, Apr 18, 2016 at 10:51 AM
>>> Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty Program
>>> To: Josh Sokol <josh.sokol at owasp.org>
>>> Cc: Matt Konda <matt.konda at owasp.org>, OWASP Board List <
>>> owasp-board at lists.owasp.org>
>>> My thoughts for what they are worth:
>>> My understanding was that the scope of this effort was OWASP projects -
>>> so that our projects have been vetted and, hopefully, are free from
>>> security defects.  This seems like a very sensible use of Foundation
>>> resources.
>>> Pointing the Bug Bounty masses at the OWASP infrastructure, even with
>>> the initial triage handled by a 3rd party, is foolish.  Why?
>>>    - I can list the problems with the current infrastructure for you
>>>    at zero cost. There is very little value in these being rediscovered by
>>>    random Internet bug hunters.
>>>    - I've spent the last 3 weekends writing various fail2ban rules to
>>>    try and stop the dramatic increase in automated crawling (aka pro bono
>>>    scanning) of the wiki.  The wiki, which wasn't running anywhere near
>>>    capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>>>    alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>>>    see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>    - It took several iterations to find a rule that adequately blocks
>>>       punks and lets the staff aka heavy wiki users get things done.  During
>>>       those iterations, several of the staff were temporarily blocked from the
>>>       wiki by fail2ban.
>>>    - Ask the staff about how much they liked last week when two
>>>    instances of some Internet putz fuzzing our Wiki account registration have
>>>    created a backlog of bogus registrations.  Beyond the hundreds of
>>>    notification emails the staff and I received, we now have a wiki
>>>    registration system which
>>>       - Needs to manually have 100's of bogus requests reviewed and
>>>       deleted
>>>       - Legit requests are getting lost in the bogus requests
>>>       - On one occasion, a bogus registration was accidentally
>>>       confirmed leading to SPAM on the wiki which then needs to be cleaned up
>>>       wasting more staff time/resources non-productively.
>>> I completely agree that bug bounties of our PROJECTS is a great idea.
>>> However, until we have an infrastructure that is both more resilient and
>>> shored up with the issues we already know about, having the Internet poke
>>> at our servers is counterproductive.  Of late, my 10 hours per week are
>>> spent either cleaning up cruft from those that don't realize that wiki page
>>> isn't an endorsement to poke at our infrastructure or just routine
>>> maintenance.
>>> The opportunity cost of a bug bounty is
>>>    - Staff work interrupted, delayed or refocused on clean-up that
>>>    inevitably happens when those with ranges of skills poke at infrastructure.
>>>    - Fire drills for our Infrastructure rather than planned and focused
>>>    upgrades across our infrastructure.  I'd have much rather used the last 3
>>>    weeks of my 10 hours to complete setting up a new Mailman instance.
>>>    Instead, I'm cleaning up messes and answering emails about problems I
>>>    already know about and have prioritized lower for various reasons.  This
>>>    email is an example of me being diverted from infrastructure enhancing
>>>    activities.
>>> Considering the large difference between my 'day job' pay rate and what
>>> OWASP pays me for 10 hours/week and the fact that I have and like my
>>> family, I'm loath to spend more than my allotted OWASP time - though I
>>> frequently do anyway.
>>> </Matt's 2 cents>
>>> --
>>> -- Matt Tesauro
>>> OWASP WTE Project Lead
>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>> http://AppSecLive.org - Community and Download site
>>> OWASP OpenStack Security Project Lead
>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>> My thinking is that this bounty would be used for the OWASP Foundation
>>>> resources.  The wiki, conference sites, etc.  Projects could participate
>>>> with kudos and could self-fund out of their project funds for any bounties
>>>> that they would like to pay out.  I still need to work on defining those
>>>> rules of engagement, but for now we need to come up with an initial deposit
>>>> amount that we feel comfortable transferring to BugCrowd to get this
>>>> rolling.
>>>> ~josh
>>>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>>> wrote:
>>>>> Josh,
>>>>> I would support putting some $ behind this.  Definitely a bounded
>>>>> small initial commitment but $.  That will result in better faster feedback
>>>>> IMO.
>>>>> I think we need to make sure we think through how it gets used.  90%
>>>>> to a smaller lesser known OWASP project and 10% to ZAP for example might be
>>>>> a possible problem.  Do we have a rule that project committers can't
>>>>> receive bounty?  :)
>>>>> We could start with a few projects and do the kudos approach and match
>>>>> funds that those projects want to use.
>>>>> I defer to the team that is focused here, just wanted to share my
>>>>> thoughts.
>>>>> Matt
>>>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>> Board,
>>>>>> Now that we have announced BugCrowd as our bug bounty program
>>>>>> platform, it is time to take the next step of figuring out how much of a
>>>>>> bounty we want to start with.  There is no minimum funding amount (we could
>>>>>> do "kudo" bounties if we want) and we can scale the rewards however we
>>>>>> would like for different categories.  Obviously, money equates to more
>>>>>> motivated researchers.  BugCrowd's recommendation is to fund the initial
>>>>>> pot at $5,000 and go from there.  I think we were originally talking about
>>>>>> just leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to
>>>>>> see what others thought about it.  Should we throw some money into the
>>>>>> pot?  How much?  Your feedback is greatly appreciated.
>>>>>> ~josh
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board