<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    1) Getting you an OWASP Credit Card should be a "no-brainer". Andrew?
    What do you think? <br>
    <br>
    2) Papertrail seems righteous. Which plan do you think we will
    need?  <a class="moz-txt-link-freetext" href="https://papertrailapp.com/plans">https://papertrailapp.com/plans</a> I'd much rather go pro than
    some janky OSS solution for infrastructure security like this....<br>
    <br>
    Thank you Matt!<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 4/18/16 9:24 AM, Matt Tesauro wrote:<br>
    </div>
    <blockquote
cite="mid:CALKUk+OT22ZfftkOFZLp9E9ucd4OLHieV-gQ1d=6+iVwN-b61Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>What the board can do TODAY to help with OWASP IT:</div>
        <div><br>
        </div>
        <div>(1) Approve getting me a credit card for IT purchases. When
          I need to do things like purchase an SSL certificate or other
          miscellaneous expenses, I need to connect with Kate or another
          staff member to get a CC number or have them make the purchase
          for me.  This is plain silly.  If you trust me enough to have
          root on your infrastructure, getting me a credit card for IT
          purchase removes unnecessary delays.  I'm currently locked out
          of the IT ticketing system because the credit card on file
          expired and I don't have a replacement to use.</div>
        <div><br>
        </div>
        <div>(2) Approve a subscription to Papertrail (<a href="https://papertrailapp.com/">https://papertrailapp.com/</a>)
          or equivalent - this would allow us to stream our log files to
          Papertrail where they can be indexed and made easily
          searchable.  When there are problems on the wiki, grepping
          through the daily log files which average ~2 GB/day is not
          time effective.  Having those logs searchable turns a bunch of
          time grep'ing into a quick search via command-line or web UI. 
          I say Papertrail only because I'm familiar with its service
          from when I was at Rackspace.</div>
        <div><br>
        </div>
        <div>Yes, we could set up some open-source thing on Rack's hosting
          but that's just more infrastructure to maintain and pay for. 
          I'd highly recommend SaaS where we can find it to keep our sys
          admin workload as small as possible.  It will be cheaper
          overall in 95% of the cases.</div>
        <div><br>
        </div>
        The rest is answered in line below...<br>
        <div class="gmail_extra">
          <div>
            <div class="gmail_signature"><br>
            </div>
          </div>
          <div class="gmail_quote">On Mon, Apr 18, 2016 at 11:42 AM,
            Josh Sokol <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">
                <div>
                  <div>Board,<br>
                    <br>
                  </div>
                  Please see Matt's e-mail below.  I'm pulling this into
                  a new thread as I think that Matt is indicating here
                  that he is a limited resource (10 hrs/wk)</div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>I have always been a limited resource at 10 hours per
              week.  This shouldn't be news.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">
                <div> and that his current workload, plus workload
                  generated from the proposed Bug Bounty Program, is
                  more than he can handle.  </div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Incorrect.  My point was that I know of more than
              enough things that need attention currently and that, in
              essence, paying twice for that information is not a good
              use of Foundation resources.  I've already been paid and
              under a bug bounty we'd pay again for the same info. 
              Pointless.</div>
            <div><br>
            </div>
            <div>Plus, we are already experiencing destructive testing
              against the OWASP infrastructure without blessing the
              activity.  Why would formalizing this reduce this
              problem?  Why not do my suggestion below, get the needed
              updates done THEN start a bounty on the infrastructure. 
              That makes way more sense to me.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">
                <div>I think that we need to seriously consider opening
                  up another position at OWASP wherein management and
                  security of OWASP's technical assets is a full-time
                  role.<br>
                </div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>I'd suggest splitting the current IT workload into more
              than one part-time position.  There are many activities
              that require someone with mild Linux experience that could
              be handed off to another contractor.  Things like the
              command-line tools for Mailman which aren't exposed via
              the web interface are a great candidate for this
              off-loading.  Much of this was discussed during the staff
              summit but has been tabled due to Paul's recent absence.</div>
            <div><br>
            </div>
            <div>This would free me up to do what I've been working on
              in between the regular maintenance work.  I've been
              'ansible'-zing much of my OWASP IT work when I actually
              have unconsumed hours left over the weekend.  By doing
              this while moving/upgrading the wiki and Mailman
              infrastructure, we're setting up a system which won't
              repeat or install the manual, time intensive practices
              we've historically employed.  They worked OK for our
              former size, but that is no longer the case and I expect
              OWASP's growth to continue.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">
                <div><br>
                </div>
                ~josh<br>
                 <br>
                <div>
                  <div>
                    <div>
                      <div class="gmail_quote">---------- Forwarded
                        message ----------<br>
                        From: <b class="gmail_sendername">Matt Tesauro</b>
                        <span dir="ltr"><<a moz-do-not-send="true"
                            href="mailto:matt.tesauro@owasp.org"
                            target="_blank">matt.tesauro@owasp.org</a>></span><br>
                        Date: Mon, Apr 18, 2016 at 10:51 AM<br>
                        Subject: Re: [Owasp-board] Initial Funding for
                        OWASP Bug Bounty Program<br>
                        To: Josh Sokol <<a moz-do-not-send="true"
                          href="mailto:josh.sokol@owasp.org"
                          target="_blank">josh.sokol@owasp.org</a>><br>
                        Cc: Matt Konda <<a moz-do-not-send="true"
                          href="mailto:matt.konda@owasp.org"
                          target="_blank">matt.konda@owasp.org</a>>,
                        OWASP Board List <<a moz-do-not-send="true"
                          href="mailto:owasp-board@lists.owasp.org"
                          target="_blank">owasp-board@lists.owasp.org</a>><br>
                        <br>
                        <br>
                        <div dir="ltr">My thoughts for what they are
                          worth:
                          <div><br>
                          </div>
                          <div>My understanding was that the scope of
                            this effort was OWASP projects - so that our
                            projects have been vetted and, hopefully,
                            are free from security defects.  This seems
                            like a very sensible use of Foundation
                            resources.</div>
                          <div><br>
                          </div>
                          <div>Pointing the Bug Bounty masses at the
                            OWASP infrastructure, even with the initial
                            triage handled by a 3rd party, is foolish. 
                            Why? </div>
                          <div>
                            <ul>
                              <li>I can list the problems with the
                                current infrastructure for you and zero
                                current infrastructure for you at zero
                                these being rediscovered by random
                                Internet bug hunters. </li>
                              <li>I've spent the last 3 weekends writing
                                various fail2ban rules to try and stop
                                the dramatic increase in automated
                                crawling (aka pro bono scanning) of the
                                wiki.  The wiki, which wasn't running
                                anywhere near capacity, has been
                                hitting 100% CPU and throwing high
                                load/CPU monitoring alerts from shortly
                                after our 'draft' policy was placed on
                                the OWASP wiki - see <a href="https://www.owasp.org/index.php/About_OWASP/Bug_Bounty" target="_blank">https://www.owasp.org/index.php/About_OWASP/Bug_Bounty</a><br>
                              </li>
                              <ul>
                                <li>It took several iterations to find a
                                  rule that adequately blocks punks and
                                  lets the staff aka heavy wiki users
                                  get things done.  During those
                                  iterations, several of the staff were
                                  temporarily blocked from the wiki by
                                  fail2ban. </li>
                              </ul>
                              <li>Ask the staff how much they liked last
                                week when two instances of some Internet
                                putz fuzzing our Wiki account
                                registration created a backlog of bogus
                                registrations.  Beyond the hundreds of
                                notification emails the staff and I
                                received, we now have a wiki
                                registration system which</li>
                              <ul>
                                <li>Needs to have hundreds of bogus
                                  requests manually reviewed and deleted</li>
                                <li>Legit requests are getting lost in
                                  the bogus requests</li>
                                <li>On one occasion, a bogus
                                  registration was accidentally
                                  confirmed leading to SPAM on the wiki
                                  which then needs to be cleaned up
                                  wasting more staff time/resources
                                  non-productively.</li>
                              </ul>
                            </ul>
                            <div>I completely agree that bug bounties on
                              our PROJECTS are a great idea.  </div>
                            <div><br>
                            </div>
                            <div>However, until we have an
                              infrastructure that is both more resilient
                              and shored up with the issues we already
                              know about, having the Internet poke at
                              our servers is counterproductive.  Of
                              late, my 10 hours per week are spent
                              either cleaning up cruft from those that
                              don't realize that wiki page isn't an
                              endorsement to poke at our infrastructure
                              or just routine maintenance.</div>
                          </div>
                          <div><br>
                          </div>
                          <div>The opportunity cost of a bug bounty is </div>
                          <div>
                            <ul>
                              <li>Staff work interrupted, delayed or
                                refocused on clean-up that inevitably
                                happens when those with ranges of skills
                                poke at infrastructure.</li>
                              <li>Fire drills for our Infrastructure
                                rather than planned and focused upgrades
                                across our infrastructure.  I'd have
                                much rather used the last 3 weeks of my
                                10 hours to complete setting up a new
                                Mailman instance.  Instead, I'm cleaning
                                up messes and answering emails about
                                problems I already know about and have
                                prioritized lower for various reasons. 
                                This email is an example of me being
                                diverted from infrastructure enhancing
                                activities.</li>
                            </ul>
                            <div>Considering the large difference
                              between my 'day job' pay rate and what
                              OWASP pays me for 10 hours/week and the
                              fact that I have and like my family, I'm
                              loath to spend more than my allotted OWASP
                              time - though I frequently do anyway.</div>
                            <div><br>
                            </div>
                            <div>&lt;/Matt's 2 cents&gt; </div>
                          </div>
                          <div><br>
                          </div>
                        </div>
                        <div class="gmail_extra"><br clear="all">
                          <div>
                            <div>--<br>
                              -- Matt Tesauro<br>
                              OWASP WTE Project Lead<br>
                              <a moz-do-not-send="true"
                                href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project"
                                target="_blank">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>
                              <a moz-do-not-send="true"
                                href="http://AppSecLive.org"
                                target="_blank">http://AppSecLive.org</a>
                              - Community and Download site
                              <div>OWASP OpenStack Security Project Lead
                                <div><a moz-do-not-send="true"
                                    href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project"
                                    target="_blank">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>
                              </div>
                            </div>
                          </div>
                          <div>
                            <div>
                              <br>
                              <div class="gmail_quote">On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <span dir="ltr">&lt;<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>&gt;</span> wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                  <div dir="ltr">
                                    <div>My thinking is that this bounty
                                      would be used for the OWASP
                                      Foundation resources.  The wiki,
                                      conference sites, etc.  Projects
                                      could participate with kudos and
                                      could self-fund out of their
                                      project funds for any bounties
                                      that they would like to pay out. 
                                      I still need to work on defining
                                      those rules of engagement, but for
                                      now we need to come up with an
                                      initial deposit amount that we
                                      feel comfortable transferring to
                                      BugCrowd to get this rolling.<span><font
                                          color="#888888"><br>
                                          <br>
                                        </font></span></div>
                                    <span><font color="#888888">~josh<br>
                                      </font></span></div>
                                  <div>
                                    <div>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <span dir="ltr">&lt;<a href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>&gt;</span> wrote:<br>
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                            <div dir="ltr">Josh,
                                              <div><br>
                                              </div>
                                              <div>I would support
                                                putting some $ behind
                                                this.  Definitely a
                                                bounded small initial
                                                commitment but $.  That
                                                will result in better
                                                faster feedback IMO.</div>
                                              <div><br>
                                              </div>
                                              <div>I think we need to
                                                make sure we think
                                                through how it gets
                                                used.  90% to a smaller
                                                lesser known OWASP
                                                project and 10% to ZAP
                                                for example might be a
                                                possible problem.  Do we
                                                have a rule that project
                                                committers can't receive
                                                bounty?  :)</div>
                                              <div><br>
                                              </div>
                                              <div>We could start with a
                                                few projects and do the
                                                kudos approach and match
                                                funds that those
                                                projects want to use.</div>
                                              <div><br>
                                              </div>
                                              <div>I defer to the team
                                                that is focused here,
                                                just wanted to share my
                                                thoughts.</div>
                                              <div><br>
                                              </div>
                                              <div>Matt</div>
                                              <div> </div>
                                            </div>
                                            <div class="gmail_extra"><br>
                                              <div class="gmail_quote">
                                                <div>
                                                  <div>On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <span dir="ltr">&lt;<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>&gt;</span> wrote:<br>
                                                  </div>
                                                </div>
                                                <blockquote
                                                  class="gmail_quote"
                                                  style="margin:0px 0px
                                                  0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                  <div>
                                                    <div>
                                                      <div dir="ltr">
                                                        <div>
                                                          <div>Board,<br>
                                                          <br>
                                                          </div>
                                                          Now that we have announced BugCrowd as our bug bounty program platform, it is time to take the next step of figuring out how much of a bounty we want to start with.  There is no minimum funding amount (we could do "kudo" bounties if we want) and we can scale the rewards however we would like for different categories.  Obviously, money equates to more motivated researchers.  BugCrowd's recommendation is to fund the initial pot at $5,000 and go from there.  I think we were originally talking about just leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see what others thought about it.  Should we throw some money into the pot?  How much?  Your feedback is greatly appreciated.<span><font color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                        <span><font color="#888888">~josh<br>
                                                          </font></span></div>
                                                      <br>
                                                    </div>
                                                  </div>
_______________________________________________<br>
                                                  Owasp-board mailing list<br>
                                                  <a href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                                  <a href="https://lists.owasp.org/mailman/listinfo/owasp-board" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                  <br>
                                                </blockquote>
                                              </div>
                                              <br>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>