[Owasp-leaders] owasp website

Matt Tesauro matt.tesauro at owasp.org
Tue Feb 14 04:09:20 UTC 2017

Tom and Evin,

Thank you for your offer to use the Virtual Village for hosting OWASP's
website - I'd also like to see OWASP projects use the resources available
from the Virtual Village to host demo versions of their projects, run build
servers or whatever computing needs our projects may have.  I think the
availability of racks with hardware in a significant and robust data
center is a wonderful resource for projects.


That said, I'm going to have to politely decline moving the OWASP
infrastructure to the virtual village.  There were a couple key
requirements for a new hosting provider for OWASP in that blog post that
don't fit the virtual village, mainly

"Wherever we end up, it will be an API-driven, elastic cloud based hosting
provider.  After years of being on Open Stack, we don't want to leave a
dynamic infrastructure environment."

The bits in that statement that are crucial are:

   - *API-driven* - before Rackspace ended the donation, we were writing
   Ansible to automate deploys and updates to the OWASP wiki and other bits of
   our infrastructure.  One key aspect of that automation is the ability to
   have a well-established API with client libraries.  We had that with the
   OpenStack implementation that Rack has and we want something similar from
   our next hosting company.  Having the ability to write code that launches
   resources dynamically is crucial for continuing to mature our
   infrastructure.  Photon does have an API for provisioning but is missing
   the pieces below.
   - *Elastic cloud based* - one of the key differences with cloud vs
   traditional iron in a rack hosting is the ability to dynamically modify
   infrastructure resources on an on-demand basis.  Anyone that went from
   traditional provisioning of hardware to dynamic cloud environments
   understands the fundamental benefits the shift to cloud brings. Currently,
   we can in minutes and via an API clone VMs, instantiate new VMs, resize VMs,
   etc.  Again, Photon can provide elastic resources but not the same breadth
   of resources available from cloud providers such as compute, object
   storage, block storage, load balancing, backup (file and VM-based), Lambda,
   PaaS, etc.
   - *hosting provider* - Rackspace has 24x7x365 support with SLAs.  They
   monitor both host and guests and will move guests if the underlying host
   becomes unresponsive or overloaded.  The support level we have with
   Rackspace includes OS patching, outbound SMTP support through Mailgun,
   multiple support channels (phone, chat, web, email) with SLAs and a host of
   other services.  Any provider we move to will need to match or exceed most
   of these to be considered.  I think the virtual village is an awesome
   resource but not something that has multiple someones standing by and
   watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
   providers do have that in place.

Several people have said that OWASP needs to be run as a business.  While
we are always going to be a charity following our charitable mission, we
should and will run our production infrastructure like any commercial
entity would - with non-negotiable requirements backed up by providers with
proven track records and SLAs.  To that end, the expiration of Rackspace's
donation has led to the following actions taking place:
(1) Evaluation of our usage and documentation of current infrastructure
need + costs - actual usage over the last 3 months not VM maximums. => DONE
(2) Migration of VMs off Rackspace to lower cost commercial providers => IN
(3) Repeating the RFP process I did back in 2011 which gained us the
Rackspace donation of $2,000 USD per month for nearly 6 years.  The
incomplete short list of providers off the top of my head are

   - Amazon AWS
   - Google Cloud
   - Microsoft Azure
   - Digital Ocean

Thanks again for your offer - I hope a whole bunch of OWASP projects take
the Virtual Village up on its generous offer.


-- Matt Tesauro
OWASP AppSec Pipeline Lead
OWASP WTE Project Lead
http://AppSecLive.org <http://appseclive.org/> - Community and Download site

On Mon, Feb 13, 2017 at 8:47 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

> With a dedicated virtual host or a dedicated box in the OWASP Lab rack
> that would serve the global community well and at no hosting cost to serve
> the static content and the mediawiki and future pages.... this very simple
> purpose OWASP.ORG would be a perfect fit!
> They also host many other communities including FreeBSD
> Evin can you spin something up as a dev box for the owasp new website
> project and give Matt T and owasp.foundation at owasp.org a root account to
> it. Really would highlight what the Virtual Village Lab is all about
> production and dev for builders, breakers and defenders!
> Alcon;
> More info on NYI
> https://www.nyi.net/datacenters/new-york/
> re: Blog Post
> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html
> On Mon, Feb 13, 2017 at 8:37 PM, Evin Hernandez <evin.hernandez at owasp.org>
> wrote:
>> I was in review of the recent blog post ( OWASP Operations Update for
>> February 2017
>> <https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html>
>> )
>> If we are looking for a new hosting provider. We should consider Virtual
>> Village via NYI. They provide us with free power and pipe with no
>> limitations excluding hardware. This would allow the OWASP website to be
>> more dynamic as well as provide more insight to what we do on the
>> infrastructure side. Virtual Village is currently hosting a few OWASP
>> projects and we have done a few CTFs using Security Shepherd and others.
>> Virtual Village is a mixture of VMware ESXi and their open source offering
>> Photon Controller, link below. This is an OpenStack-like API-driven
>> infrastructure that uses Docker, Mesos, and Kubernetes.
>> https://vmware.github.io/photon-controller/
>> If you would like to discuss further ping me anytime
>> Total cost of hosting inside of NYI would just be hardware, licenses and
>> administration; everything else would be completely free.
>> --
>> Thank You,
>> Evin Hernandez
>> Owasp NJ chapter leader
>> evin.hernandez at owasp.org