[Owasp-leaders] owasp website

Matt Tesauro matt.tesauro at owasp.org
Tue Feb 14 15:48:54 UTC 2017


Evin,

We're on the same page.

You say contributor and I say Project Leader - and if you noticed the
all-caps call out, I'd love for projects and other contributors to use the
Virtual Village.

However, www.owasp.org is our public face to the world and gets ~8 million
views per week so it needs to be highly available with little downtime,
backed by contractual SLAs.  Same for conference sites, and a few other
bits of our infrastructure that were at Rackspace.  Ideally, we'd use SaaS
for anything that makes sense.  Our move from Mailman is from self-hosted
cloud VM to SaaS.  We have a staff of 8 and I'm the only one with a
technical background.  Moving IT, as much as is reasonable, to 3rd parties
that are around 24x7x365 just makes sense.

BTW, the $2,000/month was the max Rackspace would reimburse - not the cost
of getting our stuff hosted.  At Rackspace, I purposefully over-spec'ed
the VMs since (1) we had no track record of actual system usage or any
historical monitoring data and (2) hosting was basically free as long as we
stayed under $2,000/month.

Actual hosting costs will be significantly less.  I just moved a host from
a $150/month cost to $10/month cost and am well within the historical usage
pattern for that host.

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Tue, Feb 14, 2017 at 8:35 AM, Evin Hernandez <evin.hernandez at owasp.org>
wrote:

> Matt,
>
> Moving to the cloud is great; I'm not in disagreement with that. I believe
> a hybrid approach would serve OWASP better: some cloud, some physical.
> Moving to any one of these providers will cost OWASP well over 2 grand a
> month, and as a paying member I'm looking at this as: what value is this
> really providing for me and other paying members? If we want to run our
> infrastructure as an enterprise we need to have our customers top of
> mind, which is our paying members, and moving our site to one of these
> platforms provides me no value as a paying member. In reality it's just a
> site with a bunch of content that any one of us can host anywhere for
> free. As a paying member I'm looking at what OWASP can do for me when I pay
> my $50. I would like some network and compute when I start a project; it
> would be great to automate it, great to have a space to play as well as be
> secure. We could not do that with Amazon or any other cloud provider as
> the cost would be outrageous. It would be nice to do presentations on how
> our actual infrastructure is built and secured as an enterprise would. We
> could scale out to the cloud when needed, but we could also host CTFs at
> scale and many other things.
>
> As we know, it begins with how end-user (contributor) expectations are
> evolving. Moving forward I believe our members expect deeper connections
> with OWASP through software, and as a community and non-profit we will be
> increasingly pressed to differentiate through the software-based services
> that we would offer. User experience trumps everything, and OWASP must
> rapidly iterate to satisfy a fast-evolving market. This means IT is more
> important than ever: it's no longer a cost-center, but instead is a
> critical area of innovation. In this context, developers (our paying
> members) are becoming more important. As OWASP starts looking at new
> technologies and processes like DevOps, agile, Linux containers, and
> microservices-based applications to speed software development and push
> features into production (our projects) as quickly as possible, this is
> the value we can provide back to our contributors.
>
> Instead of the contributor having to change for the data center, we're
> adjusting the data center for the contributor. In doing so, we have a few
> imperatives:
>
>    - Build technologies that span the app lifecycle, from the developer’s
>    laptop to the production stack
>    - Help teams manage Cloud-Native apps while maintaining security,
>    performance, and ease-of-use
>    - Participate in the community by building and interfacing with open
>    systems and standards
>
> At the end of the day, whatever we choose, we should be thinking about
> what we can provide back to the community when they donate to us. A website
> that just provides content for free has no value add. The value is in our
> contributors and what we can give them to keep innovating while moving as
> fast as the technology changes.
>
> I have also attached a PDF of some of the architectural slides on what I
> was thinking. We should definitely have a conversation with everyone and
> get their opinions.
>
>
> See comments in Red
>
>
>    - *API-driven* - before Rackspace ended the donation, we were writing
>    Ansible to automate deploys and updates to the OWASP wiki and other bits of
>    our infrastructure.  One key aspect of that automation is the ability to
>    have a well-established API with client libraries.  We had that with the
>    OpenStack implementation that Rack has and we want something similar from
>    our next hosting company.  Having the ability to write code that launches
>    resources dynamically is crucial for continuing to mature our
>    infrastructure.  Photon does have an API for provisioning but is missing
>    the pieces below.
>
>
>
> *Photon platform is Purpose-built for cloud native applications with
> integrated enterprise container infrastructure support, Photon Platform is
> a fully-API driven, multi-tenant platform, which brings the scale,
> performance and features previously accessible only to hyper-scale web
> companies into our own datacenter*
> *• Simplicity of installation, scale and operationalization *
> *• Working seamlessly with leading PaaS frameworks*
> * • Native support for Kubernetes as a Service*
> * • API driven scale-out control plane optimized for massive scalability *
> *• Robust and highly-available control plane able to withstand failures *
> *• Simple-to-use API and CLI tools*
> * • Enterprise-level security from the point of installation *
>
> *• Complete functional coverage for compute, storage, networking, security
> and operations *
> *Open source at the core, delivered as a carefully packaged enterprise
> ready platform *
> *• Designed for high churn environment *
> *• Capable of handling large number of concurrent API requests*
>
>
>
>    - *Elastic cloud based* - one of the key differences with cloud vs
>    traditional iron in a rack hosting is the ability to dynamically modify
>    infrastructure resources in an on-demand basis.  Anyone that went from
>    traditional provisioning of hardware to dynamic cloud environments
>    understands the fundamental benefits the shift to cloud brings. Currently,
>    we can in minutes and via an API clone VMs, instantiate new VMs, resize VMs,
>    etc.  Again, Photon can provide elastic resources but not the same breadth
>    of resources available from cloud providers such as compute, object
>    storage, block storage, load balancing, backup (file and VM-based), Lambda,
>    PaaS, etc.
>
>
> *the Platform provides a rich set of IaaS primitives like vms, networks
> and disks. It also provides a Containers as a Service (CaaS) solution via
> instant access to production-grade Kubernetes deployments. Lifecycle
> management of Kubernetes allows for developers to quickly resize, deploy
> and destroy clusters as needed during their development workflow. Photon
> additionally delivers services like the Harbor Container Registry on demand
> and works seamlessly with leading PaaS frameworks *
>
> Keep in mind we don't have to use Photon Platform; we can build our own
> OpenStack or any other hybrid infrastructure.
>
>
>
>    - *hosting provider* - Rackspace has 24x7x365 support with SLAs.  They
>    monitor both host and guests and will move guests if the underlying host
>    become unresponsive or overloaded.  The support level we have with
>    Rackspace includes OS patching, outbound SMTP support through Mailgun,
>    multiple support channels (phone, chat, web, email) with SLAs and a host of
>    other services.  Any provider we move to will need to match or exceed most
>    of these to be considered.  I think the virtual village is an awesome
>    resource but not something that has multiple someones standing by and
>    watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>    providers do have that in place.
>
> *NYI provides us these SLAs, as I am not in the datacenter nor do we
> live near the datacenter to patch, install, or upgrade our hosts. We can and
> should definitely have a conversation around what NYI can do for us as they
> are willing to provide OWASP a place to live with minimal cost. They also
> have a direct connection into all 3 cloud providers.*
> http://www.nyi.net/solutions/multi-cloud-2/
>
> Several people have said that OWASP needs to be run as a business.  While
> we are always going to be a charity following our charitable mission, we
> should and will run our production infrastructure like any commercial
> entity would - with non-negotiable requirements backed up by providers with
> proven track records and SLAs.  To that end, the expiration of Rackspace's
> donation has led to the following actions taking place:
> (1) Evaluation of our usage and documentation of current infrastructure
> need + costs - actual usage over the last 3 months not VM maximums. => DONE
> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
> IN PROCESS
> (3) Repeating the RFP process I did back in 2011 which gained us the
> Rackspace donation of $2,000 USD per month for nearly 6 years.
>
> On Mon, Feb 13, 2017 at 11:09 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>
>> Tom and Evin,
>>
>> Thank you for your offer to use the Virtual Village for hosting OWASP's
>> website - I'd also like to see OWASP projects use the resources available
>> from the Virtual Village to host demo versions of their projects, run build
>> servers or whatever computing needs our projects may have.  I think the
>> availability of racks with hardware in a significant and robust data
>> center is a wonderful resource for projects.
>>
>> CALL OUT TO PROJECTS - IF YOU NEED COMPUTE RESOURCES, PLEASE CONTACT THE
>> VIRTUAL VILLAGE PROJECT.
>>           https://www.owasp.org/index.php/OWASP_Virtual_Village_Project
>>
>> That said, I'm going to have to politely decline moving the OWASP
>> infrastructure to the virtual village.  There were a couple key
>> requirements for a new hosting provider for OWASP in that blog post that
>> don't fit the virtual village, mainly
>>
>> "Wherever we end up, it will be an API-driven, elastic cloud based
>> hosting provider.  After years of being on OpenStack, we don't want to
>> leave a dynamic infrastructure environment."
>>
>> The bits in that statement that are crucial are:
>>
>>    - *API-driven* - before Rackspace ended the donation, we were writing
>>    Ansible to automate deploys and updates to the OWASP wiki and other bits of
>>    our infrastructure.  One key aspect of that automation is the ability to
>>    have a well-established API with client libraries.  We had that with the
>>    OpenStack implementation that Rack has and we want something similar from
>>    our next hosting company.  Having the ability to write code that launches
>>    resources dynamically is crucial for continuing to mature our
>>    infrastructure.  Photon does have an API for provisioning but is missing
>>    the pieces below.
>>    - *Elastic cloud based* - one of the key differences with cloud vs
>>    traditional iron in a rack hosting is the ability to dynamically modify
>>    infrastructure resources in an on-demand basis.  Anyone that went from
>>    traditional provisioning of hardware to dynamic cloud environments
>>    understands the fundamental benefits the shift to cloud brings. Currently,
>>    we can in minutes and via an API clone VMs, instantiate new VMs, resize VMs,
>>    etc.  Again, Photon can provide elastic resources but not the same breadth
>>    of resources available from cloud providers such as compute, object
>>    storage, block storage, load balancing, backup (file and VM-based), Lambda,
>>    PaaS, etc.
>>    - *hosting provider* - Rackspace has 24x7x365 support with SLAs.
>>    They monitor both host and guests and will move guests if the underlying
>>    host become unresponsive or overloaded.  The support level we have with
>>    Rackspace includes OS patching, outbound SMTP support through Mailgun,
>>    multiple support channels (phone, chat, web, email) with SLAs and a host of
>>    other services.  Any provider we move to will need to match or exceed most
>>    of these to be considered.  I think the virtual village is an awesome
>>    resource but not something that has multiple someones standing by and
>>    watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>>    providers do have that in place.
>>
>> Several people have said that OWASP needs to be run as a business.  While
>> we are always going to be a charity following our charitable mission, we
>> should and will run our production infrastructure like any commercial
>> entity would - with non-negotiable requirements backed up by providers with
>> proven track records and SLAs.  To that end, the expiration of Rackspace's
>> donation has led to the following actions taking place:
>> (1) Evaluation of our usage and documentation of current infrastructure
>> need + costs - actual usage over the last 3 months not VM maximums. => DONE
>> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
>> IN PROCESS
>> (3) Repeating the RFP process I did back in 2011 which gained us the
>> Rackspace donation of $2,000 USD per month for nearly 6 years.  The
>> incomplete short list of providers off the top of my head are
>>
>>    - Amazon AWS
>>    - Google Cloud
>>    - Microsoft Azure
>>    - Digital Ocean
>>
>> Thanks again for your offer - I hope a whole bunch of OWASP projects take
>> the Virtual Village up on its generous offer.
>>
>> Cheers!
>>
>> --
>> -- Matt Tesauro
>> OWASP AppSec Pipeline Lead
>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>> OWASP WTE Project Lead
>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>> http://AppSecLive.org - Community and Download site
>>
>>
>> On Mon, Feb 13, 2017 at 8:47 PM, Tom Brennan - OWASP <tomb at owasp.org>
>> wrote:
>>
>>> With a dedicated virtual host or a dedicated box in the OWASP Lab rack
>>> that would serve the global community well and at no hosting cost to serve
>>> the static content and the MediaWiki and future pages.... this very simple
>>> purpose OWASP.ORG would be a perfect fit!
>>>
>>> They also host many other communities including FreeBSD
>>>
>>> Evin can you spin something up as a dev box for the owasp new website
>>> project and give Matt T and owasp.foundation at owasp.org a root account
>>> to it. Really would highlight what the Virtual Village Lab is all about
>>> production and dev for builders, breakers and defenders!
>>>
>>> Alcon;
>>> More info on NYI
>>> https://www.nyi.net/datacenters/new-york/
>>>
>>> re: Blog Post
>>> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html
>>>
>>>
>>>
>>> On Mon, Feb 13, 2017 at 8:37 PM, Evin Hernandez <
>>> evin.hernandez at owasp.org> wrote:
>>>
>>>> I was in review of the recent blog post (OWASP Operations Update for
>>>> February 2017
>>>> <https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html>
>>>> )
>>>>
>>>> If we are looking for a new hosting provider, we should consider
>>>> Virtual Village via NYI. They provide us with free power and pipe with no
>>>> limitations, excluding hardware. This would allow the OWASP website to be
>>>> more dynamic as well as provide more insight into what we do on the
>>>> infrastructure side. Virtual Village is currently hosting a few OWASP
>>>> projects and we have done a few CTFs using Security Shepherd and others.
>>>> Virtual Village is a mixture of VMware ESXi and their open-source offering,
>>>> Photon Controller, link below. This is an OpenStack-like API-driven
>>>> infrastructure that uses Docker, Mesos, and Kubernetes.
>>>>
>>>> https://vmware.github.io/photon-controller/
>>>>
>>>> If you would like to discuss further, ping me anytime.
>>>>
>>>> Total cost of hosting inside of NYI would just be hardware, licenses
>>>> and administration; everything else would be completely free.
>>>>
>>>> --
>>>> Thank You,
>>>> Evin Hernandez
>>>> Owasp NJ chapter leader
>>>> evin.hernandez at owasp.org
>>>>
>>>
>>>
>>
>
>
> --
> Thank You,
> Evin Hernandez
> Owasp NJ chapter leader
> evin.hernandez at owasp.org
>