<div dir="ltr">Added these to the agenda.<div><br></div><div>MK</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 5:22 PM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>I would agree. <br>
      Could we maybe put this on the board agenda to just record the
      motions and approval there? <br>
      Thanks, Tobias<div><div class="h5"><br>
      <br>
      <br>
      On 18/04/16 21:43, Jim Manico wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      
      I second all three of these motions. <br>
      - Jim<br>
      <br>
      <div>On 4/18/16 9:41 AM, Josh Sokol wrote:<br>
      </div>
      <blockquote type="cite">
        <div dir="ltr">
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>Board,<br>
                        <br>
                      </div>
                      Motion 1:<br>
                    </div>
                    Give Matt Tesauro an OWASP Foundation credit card. -
                    He is a former Board member and a trusted staff
                    member of the Foundation.  I see no reason why, if
                    that makes his job easier, it shouldn't be.  Let's
                    rectify that.<br>
                    <br>
                  </div>
                  Motion 2:<br>
                </div>
                Approve funding for up to $200/month (good for 50
                GB/month) of PaperTrail services. - We all know how
                important logging is and Matt stated it would make his
                job easier.  This seems like a no brainer.<br>
                <br>
              </div>
              <div>Motion 3:<br>
              </div>
              <div>Approve funding for $20k worth of
                part-time/contractor System Administrator resources to
                aid in managing and securing OWASP's infrastructure.<br>
              </div>
              <div><br>
              </div>
              Matt: Sorry, I didn't mean to misrepresent what you were
              saying.  I realize that you have that knowledge in your
              head.  The problem is in finding time to get it out and
              worked on which turns into a resource issue.  Hence,
              motion 3 above.<br>
            </div>
            <br>
          </div>
          ~josh<br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Mon, Apr 18, 2016 at 2:24 PM, Matt
            Tesauro <span dir="ltr"><<a href="mailto:matt.tesauro@owasp.org" target="_blank">matt.tesauro@owasp.org</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div>What the board can do TODAY to help with OWASP IT:</div>
                <div><br>
                </div>
                <div>(1) Approve getting me a credit card for IT
                  purchases. When I need to do things like purchase an
                  SSL certificate or other miscellaneous expenses, I
                  need to connect with Kate or another staff member to
                  get a CC number or have them make the purchase for
                  me.  This is plain silly.  If you trust me enough to
                  have root on your infrastructure, getting me a credit
                  card for IT purchase removes unnecessary delays.  I'm
                  currently locked out of the IT ticketing system
                  because the credit card on file expired and I don't
                  have a replacement to use.</div>
                <div><br>
                </div>
                <div>(2) Approve  a subscription to Papertrail (<a href="https://papertrailapp.com/" target="_blank">https://papertrailapp.com/</a>)
                  or equivalent - this would allow us to stream our log
                  files to Papertrail where then can be indexed and made
                  easily search-able.  When there's problems on the
                  wiki, grepping through the daily log files which
                  average ~2 GB/day is not time effective.  Having those
                  logs searchable turns a bunch of time grep'ing into a
                  quick search via command-line or web UI.  I say
                  Papertail only because I'm familiar with its service
                  from when I was at Rackspace.</div>
                <div><br>
                </div>
                <div>Yes, we could set up some open-source thing on Rack's
                  hosting but that's just more infrastructure to
                  maintain and pay for.  I'd highly recommend SaaS where
                  we can find it to keep our sys admin workload as small
                  as possible.  It will be cheaper overall in 95% of the
                  cases.</div>
                <div><br>
                </div>
                The rest is answered in line below...<br>
                <div class="gmail_extra">
                  <div>
                    <div><br>
                    </div>
                  </div>
                  <div class="gmail_quote"><span>On Mon, Apr
                      18, 2016 at 11:42 AM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
                      wrote:<br>
                    </span>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>
                          <div>Board,<br>
                            <br>
                          </div>
                          <span>Please see Matt's e-mail
                            below.  I'm pulling this into a new thread
                            as I think that Matt is indicating here that
                            he is a limited resource (10 hrs/wk)</span></div>
                      </div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>I have always been a limited resource at 10
                      hours per week.  This shouldn't be news.</div>
                    <span>
                      <div> </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                        <div dir="ltr">
                          <div> and that his current workload, plus
                            workload generated from the proposed Bug
                            Bounty Program, is more than he can handle. 
                          </div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                    </span>
                    <div>Incorrect.  My point was that I know of more
                      than enough things that need attention currently
                      and that, in essence, paying twice for that
                      information is not a good use of Foundation
                      resources.  I've already been paid and under a bug
                      bounty we'd pay again for the same info. 
                      Pointless.</div>
                    <div><br>
                    </div>
                    <div>Plus, we are already experiencing destructive
                      testing against the OWASP infrastructure without
                      blessing the activity.  Why would formalizing this
                      reduce this problem?  Why not do my suggestion
                      below, get the needed updates done THEN start a
                      bounty on the infrastructure.  That makes way more
                      sense to me.</div>
                    <span>
                      <div> </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                        <div dir="ltr">
                          <div>I think that we need to seriously
                            consider opening up another position at
                            OWASP wherein management and security of
                            OWASP's technical assets is a full-time
                            role.<br>
                          </div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                    </span>
                    <div>I'd suggest splitting the current IT workload
                      into more than one part time position.  There are
                      many activities that require someone with mild
                      Linux experience that could be handed off to
                      another contractor.  Things like the command-line
                      tools for Mailman which aren't exposed via the web
                      interface are a great candidate for this
                      off-loading.  Much of this was discussed during
                      the staff summit but has been tabled due to Paul's
                      recent absence.</div>
                    <div><br>
                    </div>
                    <div>This would free me up to do what I've been
                      working on in between the regular maintenance
                      work.  I've been 'ansible'-izing much of my OWASP
                      IT work when I actually have unconsumed hours left
                      over the weekend.  By doing this while
                      moving/upgrading the wiki and Mailman
                      infrastructure, we're setting up a system which
                      won't repeat or install the manual, time intensive
                      practices we've historically employed.  They
                      worked OK for our former size, but that is no
                      longer the case and I expect OWASP's growth to
                      continue.</div>
                    <div>
                      <div>
                        <div> </div>
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                          <div dir="ltr">
                            <div><br>
                            </div>
                            ~josh<br>
                             <br>
                            <div>
                              <div>
                                <div>
                                  <div class="gmail_quote">----------
                                    Forwarded message ----------<br>
                                    From: <b class="gmail_sendername">Matt

                                      Tesauro</b> <span dir="ltr"><<a href="mailto:matt.tesauro@owasp.org" target="_blank">matt.tesauro@owasp.org</a>></span><br>
                                    Date: Mon, Apr 18, 2016 at 10:51 AM<br>
                                    Subject: Re: [Owasp-board] Initial
                                    Funding for OWASP Bug Bounty Program<br>
                                    To: Josh Sokol <<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>><br>
                                    Cc: Matt Konda <<a href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>>,

                                    OWASP Board List <<a href="mailto:owasp-board@lists.owasp.org" target="_blank">owasp-board@lists.owasp.org</a>><br>
                                    <br>
                                    <br>
                                    <div dir="ltr">My thoughts for what
                                      they are worth:
                                      <div><br>
                                      </div>
                                      <div>My understanding was that the
                                        scope of this effort was OWASP
                                        projects - so that our projects
                                        have been vetted and, hopefully,
                                        are free from security defects. 
                                        This seems like a very sensible
                                        use of Foundation resources.</div>
                                      <div><br>
                                      </div>
                                      <div>Pointing the Bug Bounty
                                        masses at the OWASP
                                        infrastructure, even with the
                                        initial triage handled by a 3rd
                                        party, is foolish.  Why? </div>
                                      <div>
                                        <ul>
                                          <li>I can list the problems
                                            with the current
                                            infrastructure for you at
                                            zero cost. There is very
                                            little value in these being
                                            rediscovered by random
                                            Internet bug hunters. </li>
                                          <li>I've spent the last 3
                                            weekends writing various
                                            fail2ban rules to try and
                                            stop the dramatic increase
                                            in automated crawling (aka
                                            pro bono scanning) of the
                                            wiki.  The wiki, which
                                            wasn't running anywhere
                                            near capacity, has been
                                            hitting 100% CPU and
                                            throwing high load/CPU
                                            monitoring alerts from
                                            shortly after our 'draft'
                                            policy was placed on the
                                            OWASP wiki - see <a href="https://www.owasp.org/index.php/About_OWASP/Bug_Bounty" target="_blank">https://www.owasp.org/index.php/About_OWASP/Bug_Bounty</a><br>
                                          </li>
                                          <ul>
                                            <li>It took several
                                              iterations to find a rule
                                              that adequately blocks
                                              punks and lets the staff
                                              aka heavy wiki users get
                                              things done.  During those
                                              iterations, several of the
                                              staff were temporarily
                                              blocked from the wiki by
                                              fail2ban. </li>
                                          </ul>
                                          <li>Ask the staff about how
                                            much they liked last week
                                            when two instances of some
                                            Internet putz fuzzing our
                                            Wiki account registration
                                            created a backlog of
                                            bogus registrations.  Beyond
                                            the hundreds of notification
                                            emails the staff and I
                                            received, we now have a wiki
                                            registration system which</li>
                                          <ul>
                                            <li>Needs to have hundreds of
                                              bogus requests manually
                                              reviewed and deleted</li>
                                            <li>Legit requests are
                                              getting lost in the bogus
                                              requests</li>
                                            <li>On one occasion, a bogus
                                              registration was
                                              accidentally confirmed
                                              leading to SPAM on the
                                              wiki which then needs to
                                              be cleaned up wasting more
                                              staff time/resources
                                              non-productively.</li>
                                          </ul>
                                        </ul>
                                        <div>I completely agree that bug
                                          bounties on our PROJECTS are a
                                          great idea.  </div>
                                        <div><br>
                                        </div>
                                        <div>However, until we have an
                                          infrastructure that is both
                                          more resilient and shored up
                                          with the issues we already
                                          know about, having the
                                          Internet poke at our servers
                                          is counterproductive.  Of
                                          late, my 10 hours per week are
                                          spent either cleaning up cruft
                                          from those that don't realize
                                          that wiki page isn't an
                                          endorsement to poke at our
                                          infrastructure or just routine
                                          maintenance.</div>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>The opportunity cost of a bug
                                        bounty is </div>
                                      <div>
                                        <ul>
                                          <li>Staff work interrupted,
                                            delayed or refocused on
                                            clean-up that inevitably
                                            happens when those with
                                            ranges of skills poke at
                                            infrastructure.</li>
                                          <li>Fire drills for our
                                            Infrastructure rather than
                                            planned and focused upgrades
                                            across our infrastructure. 
                                            I'd have much rather used
                                            the last 3 weeks of my 10
                                            hours to complete setting up
                                            a new Mailman instance. 
                                            Instead, I'm cleaning up
                                            messes and answering emails
                                            about problems I already
                                            know about and have
                                            prioritized lower for
                                            various reasons.  This email
                                            is an example of me being
                                            diverted from infrastructure
                                            enhancing activities.</li>
                                        </ul>
                                        <div>Considering the large
                                          difference between my 'day
                                          job' pay rate and what OWASP
                                          pays me for 10 hours/week and
                                          the fact that I have and like
                                          my family, I'm loath to spend
                                          more than my allotted OWASP
                                          time - though I frequently do
                                          anyway.</div>
                                        <div><br>
                                        </div>
                                        <div></Matt's 2 cents> </div>
                                      </div>
                                      <div><br>
                                      </div>
                                    </div>
                                    <div class="gmail_extra"><br clear="all">
                                      <div>
                                        <div>--<br>
                                          -- Matt Tesauro<br>
                                          OWASP WTE Project Lead<br>
                                          <a href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project" target="_blank">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>
                                          <a href="http://AppSecLive.org" target="_blank">http://AppSecLive.org</a>
                                          - Community and Download site
                                          <div>OWASP OpenStack Security
                                            Project Lead
                                            <div><a href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project" target="_blank">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>
                                          </div>
                                        </div>
                                      </div>
                                      <div>
                                        <div> <br>
                                          <div class="gmail_quote">On
                                            Mon, Apr 18, 2016 at 10:18
                                            AM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
                                            wrote:<br>
                                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                              <div dir="ltr">
                                                <div>My thinking is that
                                                  this bounty would be
                                                  used for the OWASP
                                                  Foundation resources. 
                                                  The wiki, conference
                                                  sites, etc.  Projects
                                                  could participate with
                                                  kudos and could
                                                  self-fund out of their
                                                  project funds for any
                                                  bounties that they
                                                  would like to pay
                                                  out.  I still need to
                                                  work on defining those
                                                  rules of engagement,
                                                  but for now we need to
                                                  come up with an
                                                  initial deposit amount
                                                  that we feel
                                                  comfortable
                                                  transferring to
                                                  BugCrowd to get this
                                                  rolling.<span><font color="#888888"><br>
                                                      <br>
                                                    </font></span></div>
                                                <span><font color="#888888">~josh<br>
                                                  </font></span></div>
                                              <div>
                                                <div>
                                                  <div class="gmail_extra"><br>
                                                    <div class="gmail_quote">On

                                                      Mon, Apr 18, 2016
                                                      at 10:07 AM, Matt
                                                      Konda <span dir="ltr"><<a href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>></span>
                                                      wrote:<br>
                                                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                        <div dir="ltr">Josh,

                                                          <div><br>
                                                          </div>
                                                          <div>I would
                                                          support
                                                          putting some $
                                                          behind this. 
                                                          Definitely a
                                                          bounded small
                                                          initial
                                                          commitment but
                                                          $.  That will
                                                          result in
                                                          better faster
                                                          feedback IMO.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I think
                                                          we need to
                                                          make sure we
                                                          think through
                                                          how it gets
                                                          used.  90% to
                                                          a smaller
                                                          lesser known
                                                          OWASP project
                                                          and 10% to ZAP
                                                          for example
                                                          might be a
                                                          possible
                                                          problem.  Do
                                                          we have a rule
                                                          that project
                                                          committers
                                                          can't receive
                                                          bounty?  :)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>We could
                                                          start with a
                                                          few projects
                                                          and do the
                                                          kudos approach
                                                          and match
                                                          funds that
                                                          those projects
                                                          want to use.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I defer
                                                          to the team
                                                          that is
                                                          focused here,
                                                          just wanted to
                                                          share my
                                                          thoughts.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Matt</div>
                                                          <div> </div>
                                                        </div>
                                                        <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">
                                                          <div>
                                                          <div>On Mon,
                                                          Apr 18, 2016
                                                          at 9:06 AM,
                                                          Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>Board,<br>
                                                          <br>
                                                          </div>
                                                          Now that we have announced BugCrowd as our bug bounty program platform, it is time to take the next step of figuring out how much of a bounty we want to start with. There is no minimum funding amount (we could do "kudo" bounties if we want) and we can scale the rewards however we would like for different categories. Obviously, money equates to more motivated researchers. BugCrowd's recommendation is to fund the initial pot at $5,000 and go from there. I think we were originally talking about just leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see what others thought about it. Should we throw some money into the pot? How much? Your feedback is greatly appreciated.<span><font color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                          <span><font color="#888888">~josh<br>
                                                          </font></span></div>
                                                          <br>
                                                          </div>
                                                          </div>
_______________________________________________<br>
                                                          Owasp-board mailing list<br>
                                                          <a href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                        </div>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                  </div>
                                                </div>
                                              </div>
                                              <br>
                                              <br>
                                            </blockquote>
                                          </div>
                                          <br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </div>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>