[Owasp-leaders] owasp website

Evin Hernandez evin.hernandez at owasp.org
Tue Feb 14 14:35:08 UTC 2017


Matt,

Moving to the cloud is great; I'm not in disagreement with that. I believe a
hybrid approach would serve OWASP better: some cloud, some physical. Moving
to any one of these providers will cost OWASP well over 2 grand a month, and
as a paying member I'm looking at this as: what value is this really
providing for me and other paying members? If we want to run our
infrastructure as an enterprise we need to have our customers top of
mind, which is our paying members, and moving our site to one of these
platforms provides me no value as a paying member. In reality it's just a
site with a bunch of content that any one of us can host anywhere for
free. As a paying member I'm looking at what OWASP can do for me when I pay
my $50. I would like some network and compute when I start a project; it
would be great to automate it, great to have a space to play as well as be
secure. We could not do that with Amazon or any other cloud provider, as
the cost would be outrageous. It would be nice to do presentations on how
our actual infrastructure is built and secured as an enterprise would. We
could scale out to the cloud when needed, but we could also host CTFs at
scale and many other things.

As we know, it begins with how end-user (contributor) expectations are
evolving. Moving forward I believe our members expect deeper connections
with OWASP through software, and as a community and non-profit we will be
increasingly pressed to differentiate through the software-based services
that we would offer. User experience trumps everything, and OWASP must
rapidly iterate to satisfy a fast-evolving market. This means IT is more
important than ever: it's no longer a cost center, but instead is a
critical area of innovation. In this context, developers (our paying
members) are becoming more important. As OWASP starts looking at new
technologies and processes like DevOps, agile, Linux containers, and
microservices-based applications to speed software development and push
features into production (our projects) as quickly as possible, this is
the value we can provide back to our contributors.

Instead of the contributor having to change for the data center, we're
adjusting the data center for the contributor. In doing so, we have a few
imperatives:

   - Build technologies that span the app lifecycle, from the developer's
   laptop to the production stack
   - Help teams manage cloud-native apps while maintaining security,
   performance, and ease of use
   - Participate in the community by building and interfacing with open
   systems and standards

At the end of the day, whatever we choose, we should be thinking about what
we can provide back to the community when they donate to us. A website that
just provides content for free has no value add. The value is in our
contributors and what we can give them to keep innovating while moving as
fast as the technology changes.

I have also attached a PDF of some architectural slides on what I was
thinking. We should definitely have a conversation with everyone and
get their opinions.


See comments in Red


   - *API-driven* - before Rackspace ended the donation, we were writing
   Ansible to automate deploys and updates to the OWASP wiki and other bits of
   our infrastructure.  One key aspect of that automation is the ability to
   have a well-established API with client libraries.  We had that with the
   OpenStack implementation that Rack has and we want something similar from
   our next hosting company.  Having the ability to write code that launches
   resources dynamically is crucial for continuing to mature our
   infrastructure.  Photon does have an API for provisioning but is missing
   the pieces below.



*Photon Platform is purpose-built for cloud native applications with
integrated enterprise container infrastructure support. Photon Platform is
a fully API-driven, multi-tenant platform, which brings the scale,
performance and features previously accessible only to hyper-scale web
companies into our own datacenter.*
*• Simplicity of installation, scale and operationalization*
*• Working seamlessly with leading PaaS frameworks*
*• Native support for Kubernetes as a Service*
*• API-driven scale-out control plane optimized for massive scalability*
*• Robust and highly available control plane able to withstand failures*
*• Simple-to-use API and CLI tools*
*• Enterprise-level security from the point of installation*
*• Complete functional coverage for compute, storage, networking, security
and operations*
*• Open source at the core, delivered as a carefully packaged enterprise
ready platform*
*• Designed for high-churn environments*
*• Capable of handling a large number of concurrent API requests*



   - *Elastic cloud based* - one of the key differences with cloud vs
   traditional iron-in-a-rack hosting is the ability to dynamically modify
   infrastructure resources on an on-demand basis.  Anyone that went from
   traditional provisioning of hardware to dynamic cloud environments
   understands the fundamental benefits the shift to cloud brings. Currently,
   we can in minutes and via an API clone VMs, instantiate new VMs, resize VMs,
   etc.  Again, Photon can provide elastic resources but not the same breadth
   of resources available from cloud providers such as compute, object
   storage, block storage, load balancing, backup (file and VM-based), Lambda,
   PaaS, etc.


*The platform provides a rich set of IaaS primitives like VMs, networks and
disks. It also provides a Containers as a Service (CaaS) solution via
instant access to production-grade Kubernetes deployments. Lifecycle
management of Kubernetes allows developers to quickly resize, deploy
and destroy clusters as needed during their development workflow. Photon
additionally delivers services like the Harbor Container Registry on demand
and works seamlessly with leading PaaS frameworks.*

Keep in mind we don't have to use Photon Platform; we can build our own
OpenStack or any other hybrid infrastructure.



   - *hosting provider* - Rackspace has 24x7x365 support with SLAs.  They
   monitor both host and guests and will move guests if the underlying host
   becomes unresponsive or overloaded.  The support level we have with
   Rackspace includes OS patching, outbound SMTP support through Mailgun,
   multiple support channels (phone, chat, web, email) with SLAs and a host of
   other services.  Any provider we move to will need to match or exceed most
   of these to be considered.  I think the Virtual Village is an awesome
   resource but not something that has multiple someones standing by and
   watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
   providers do have that in place.

*NYI provides us these SLAs, as I am not in the datacenter, nor do we
live near the datacenter to patch, install, and upgrade our hosts. We can and
should definitely have a conversation around what NYI can do for us, as they
are willing to provide OWASP a place to live with minimal cost. They also
have connections into all 3 cloud providers with a direct connection.*
http://www.nyi.net/solutions/multi-cloud-2/

Several people have said that OWASP needs to be run as a business.  While
we are always going to be a charity following our charitable mission, we
should and will run our production infrastructure like any commercial
entity would - with non-negotiable requirements backed up by providers with
proven track records and SLAs.  To that end, the expiration of Rackspace's
donation has led to the following actions taking place:
(1) Evaluation of our usage and documentation of current infrastructure
need + costs - actual usage over the last 3 months not VM maximums. => DONE
(2) Migration of VMs off Rackspace to lower cost commercial providers => IN
PROCESS
(3) Repeating the RFP process I did back in 2011 which gained us the
Rackspace donation of $2,000 USD per month for nearly 6 years.

On Mon, Feb 13, 2017 at 11:09 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Tom and Evin,
>
> Thank you for your offer to use the Virtual Village for hosting OWASP's
> website - I'd also like to see OWASP projects use the resources available
> from the Virtual Village to host demo versions of their projects, run build
> servers or whatever computing needs our projects may have.  I think the
> availability of racks  with hardware in a significant and robust data
> center is a wonderful resource for projects.
>
> CALL OUT TO PROJECTS - IF YOU NEED COMPUTE RESOURCES, PLEASE CONTACT THE
> VIRTUAL VILLAGE PROJECT.
>           https://www.owasp.org/index.php/OWASP_Virtual_Village_Project
>
> That said, I'm going to have to politely decline moving the OWASP
> infrastructure to the virtual village.  There were a couple key
> requirements  for a new hosting provider for OWASP in that blog post that
> don't fit the virtual village, mainly
>
> "Wherever we end up, it will be an API-driven, elastic cloud based hosting
> provider.  After years of being on Open Stack, we don't want to leave a
> dynamic infrastructure environment."
>
> The bits in that statement that are crucial are:
>
>    - *API-driven* - before Rackspace ended the donation, we were writing
>    Ansible to automate deploys and updates to the OWASP wiki and other bits of
>    our infrastructure.  One key aspect of that automation is the ability to
>    have a well-established API with client libraries.  We had that with the
>    OpenStack implementation that Rack has and we want something similar from
>    our next hosting company.  Having the ability to write code that launches
>    resources dynamically is crucial for continuing to mature our
>    infrastructure.  Photon does have an API for provisioning but is missing
>    the pieces below.
>    - *Elastic cloud based* - one of the key differences with cloud vs
>    traditional iron-in-a-rack hosting is the ability to dynamically modify
>    infrastructure resources on an on-demand basis.  Anyone that went from
>    traditional provisioning of hardware to dynamic cloud environments
>    understands the fundamental benefits the shift to cloud brings. Currently,
>    we can in minutes and via an API clone VMs, instantiate new VMs, resize VMs,
>    etc.  Again, Photon can provide elastic resources but not the same breadth
>    of resources available from cloud providers such as compute, object
>    storage, block storage, load balancing, backup (file and VM-based), Lambda,
>    PaaS, etc.
>    - *hosting provider* - Rackspace has 24x7x365 support with SLAs.  They
>    monitor both host and guests and will move guests if the underlying host
>    becomes unresponsive or overloaded.  The support level we have with
>    Rackspace includes OS patching, outbound SMTP support through Mailgun,
>    multiple support channels (phone, chat, web, email) with SLAs and a host of
>    other services.  Any provider we move to will need to match or exceed most
>    of these to be considered.  I think the Virtual Village is an awesome
>    resource but not something that has multiple someones standing by and
>    watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>    providers do have that in place.
>
> Several people have said that OWASP needs to be run as a business.  While
> we are always going to be a charity following our charitable mission, we
> should and will run our production infrastructure like any commercial
> entity would - with non-negotiable requirements backed up by providers with
> proven track records and SLAs.  To that end, the expiration of Rackspace's
> donation has led to the following actions taking place:
> (1) Evaluation of our usage and documentation of current infrastructure
> need + costs - actual usage over the last 3 months not VM maximums. => DONE
> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
> IN PROCESS
> (3) Repeating the RFP process I did back in 2011 which gained us the
> Rackspace donation of $2,000 USD per month for nearly 6 years.  The
> incomplete short list of providers off the top of my head are
>
>    - Amazon AWS
>    - Google Cloud
>    - Microsoft Azure
>    - Digital Ocean
>
> Thanks again for your offer - I hope a whole bunch of OWASP projects take
> the Virtual Village up on its generous offer.
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Mon, Feb 13, 2017 at 8:47 PM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>
>> With a dedicated virtual host or a dedicated box in the OWASP Lab rack,
>> that would serve the global community well and at no hosting cost to serve
>> the static content and the MediaWiki and future pages.... This very simple
>> purpose OWASP.ORG would be a perfect fit!
>>
>> They also host many other communities including FreeBSD
>>
>> Evin, can you spin something up as a dev box for the OWASP new website
>> project and give Matt T and owasp.foundation at owasp.org a root account to
>> it. It really would highlight what the Virtual Village Lab is all about:
>> production and dev for builders, breakers and defenders!
>>
>> Alcon;
>> More info on NYI
>> https://www.nyi.net/datacenters/new-york/
>>
>> re: Blog Post
>> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html
>>
>>
>>
>> On Mon, Feb 13, 2017 at 8:37 PM, Evin Hernandez <evin.hernandez at owasp.org>
>> wrote:
>>
>>> I was in review of the recent blog post (OWASP Operations Update for
>>> February 2017
>>> <https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html>)
>>>
>>> If we are looking for a new hosting provider, we should consider
>>> Virtual Village via NYI. They provide us with free power and pipe with no
>>> limitations excluding hardware. This would allow the OWASP website to be
>>> more dynamic as well as provide more insight into what we do on the
>>> infrastructure side. Virtual Village is currently hosting a few OWASP
>>> projects and we have done a few CTFs using Security Shepherd and others.
>>> Virtual Village is a mixture of VMware ESXi and their open-source offering
>>> Photon Controller, link below. This is an OpenStack-like API-driven
>>> infrastructure that uses Docker, Mesos, and Kubernetes.
>>>
>>> https://vmware.github.io/photon-controller/
>>>
>>> If you would like to discuss further, ping me anytime.
>>>
>>> Total cost of hosting inside of NYI would just be hardware, licenses
>>> and administration; everything else would be completely free.
>>>
>>> --
>>> Thank You,
>>> Evin Hernandez
>>> Owasp NJ chapter leader
>>> evin.hernandez at owasp.org
>>>
>>
>>
>


-- 
Thank You,
Evin Hernandez
Owasp NJ chapter leader
evin.hernandez at owasp.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Owasp infra (1).pdf
Type: application/pdf
Size: 395270 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20170214/860601b2/attachment-0001.pdf>

