[Owasp-leaders] owasp website

Evin Hernandez evin.hernandez at gmail.com
Tue Feb 14 16:11:43 UTC 2017


Matt, you are a man after my own heart lol ... I would love to be a part of
your infrastructure committee and help you with all of your deliverables
as well as innovate for the future of OWASP. Let's have a chat when you have
some time.

On Tue, Feb 14, 2017 at 10:48 AM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Evin,
>
> We're on the same page.
>
> You say contributor and I say Project Leader - and if you noticed the
> all-caps call out, I'd love for projects and other contributors to use the
> Virtual Village.
>
> However, www.owasp.org is our public face to the world and gets ~8
> million views per week so it needs to be highly available with little down
> time backed by contractual SLAs.  Same for conference sites, and a few
> other bits of our infrastructure that were at Rackspace.  Ideally, we'd use
> SaaS for anything that makes sense.  Our move from Mailman is from
> self-hosted cloud VM to SaaS.  We have a staff of 8 and I'm the only one
> with a technical background.  Moving IT to 3rd parties that are around
> 24x7x365, as much as is reasonable, just makes sense.
>
> BTW, the $2,000/month was the max Rackspace would reimburse - not the cost
> of getting our stuff hosted.  At Rackspace, I purposefully over-spec'ed
> the VMs since (1) we had no track record of actual system usage or any
> historical monitoring data and (2) hosting was basically free as long as we
> stayed under $2,000/month.
>
> Actual hosting costs will be significantly less.  I just moved a host from
> a $150/month cost to $10/month cost and am well within the historical usage
> pattern for that host.
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Tue, Feb 14, 2017 at 8:35 AM, Evin Hernandez <evin.hernandez at owasp.org>
> wrote:
>
>> Matt,
>>
>> Moving to the cloud is great, I'm not in disagreement with that. I believe
>> a hybrid approach would serve OWASP better, some cloud, some physical.
>> Moving to any one of these providers will cost OWASP well over 2 grand a
>> month, and as a paying member I'm looking at this as: what value is this
>> really providing for me and other paying members? If we want to run our
>> infrastructure as an enterprise we need to have our customers top of
>> mind, which is our paying members, and moving our site to one of these
>> platforms provides me no value as a paying member. In reality it's just a
>> site with a bunch of content that any one of us can host anywhere for
>> free. As a paying member I'm looking at what OWASP can do for me when I pay
>> my $50. I would like some network and compute when I start a project; it
>> would be great to automate it, great to have a space to play as well as be
>> secure. We could not do that with Amazon or any other cloud provider as
>> the cost would be outrageous. It would be nice to do presentations on how
>> our actual infrastructure is built and secured as an enterprise would. We
>> could scale out to the cloud when needed, but we could also host CTFs at
>> scale and many other things.
>>
>> As we know, it begins with how end-user (contributor) expectations are
>> evolving. Moving forward I believe our members expect deeper connections
>> with OWASP through software, and as a community and non-profit we will be
>> increasingly pressed to differentiate through the software-based services
>> that we would offer. User experience trumps everything, and OWASP must
>> rapidly iterate to satisfy a fast-evolving market. This means IT is more
>> important than ever: it's no longer a cost-center, but instead is a
>> critical area of innovation. In this context, developers (our paying
>> members) are becoming more important. As OWASP starts looking at new
>> technologies and processes like DevOps, agile, Linux containers, and
>> microservices-based applications to speed software development and push
>> features into production (our projects) as quickly as possible, this is
>> the value we can provide back to our contributors.
>>
>> Instead of the contributor having to change for the data center, we're
>> adjusting the data center for the contributor. In doing so, we have a few
>> imperatives:
>>
>>    - Build technologies that span the app lifecycle, from the
>>    developer’s laptop to the production stack
>>    - Help teams manage Cloud-Native apps while maintaining security,
>>    performance, and ease-of-use
>>    - Participate in the community by building and interfacing with open
>>    systems and standards
>>
>> At the end of the day, whatever we choose, we should be thinking about
>> what we can provide back to the community when they donate to us. A website
>> that just provides content for free has no value add. The value is in our
>> contributors and what we can give them to keep innovating while moving as
>> fast as the technology changes.
>>
>> I have also attached a PDF of some of the architectural slides on what I
>> was thinking. We should definitely have a conversation with everyone and
>> get their opinions.
>>
>>
>> See comments in Red
>>
>>
>>    - *API-driven* - before Rackspace ended the donation, we were writing
>>    Ansible to automate deploys and updates to the OWASP wiki and other bits of
>>    our infrastructure.  One key aspect of that automation is the ability to
>>    have a well-established API with client libraries.  We had that with the
>>    OpenStack implementation that Rack has and we want something similar from
>>    our next hosting company.  Having the ability to write code that launches
>>    resources dynamically is crucial for continuing to mature our
>>    infrastructure.  Photon does have an API for provisioning but is missing
>>    the pieces below.
>>
>>
>>
>> *Photon Platform is purpose-built for cloud native applications with
>> integrated enterprise container infrastructure support. Photon Platform is
>> a fully API-driven, multi-tenant platform, which brings the scale,
>> performance and features previously accessible only to hyper-scale web
>> companies into our own datacenter.*
>> *• Simplicity of installation, scale and operationalization*
>> *• Working seamlessly with leading PaaS frameworks*
>> *• Native support for Kubernetes as a Service*
>> *• API-driven scale-out control plane optimized for massive scalability*
>> *• Robust and highly-available control plane able to withstand failures*
>> *• Simple-to-use API and CLI tools*
>> *• Enterprise-level security from the point of installation*
>> *• Complete functional coverage for compute, storage, networking,
>> security and operations*
>> *• Open source at the core, delivered as a carefully packaged enterprise
>> ready platform*
>> *• Designed for high churn environment*
>> *• Capable of handling large number of concurrent API requests*
>>
>>
>>
>>    - *Elastic cloud based* - one of the key differences with cloud vs
>>    traditional iron in a rack hosting is the ability to dynamically modify
>>    infrastructure resources in an on-demand basis.  Anyone that went from
>>    traditional provisioning of hardware to dynamic cloud environments
>>    understands the fundamental benefits the shift to cloud brings. Currently,
>>    we can in minutes and via an API clone VMs, instantiate new VMS, resize VM,
>>    etc.  Again, Photon can provide elastic resources but not the same breadth
>>    of resources available from cloud providers such as compute, object
>>    storage, block storage, load balancing, backup (file and VM-based), Lambda,
>>    PaaS, etc.
>>
>>
>> *The platform provides a rich set of IaaS primitives like VMs, networks
>> and disks. It also provides a Containers as a Service (CaaS) solution via
>> instant access to production-grade Kubernetes deployments. Lifecycle
>> management of Kubernetes allows developers to quickly resize, deploy
>> and destroy clusters as needed during their development workflow. Photon
>> additionally delivers services like the Harbor Container Registry on demand
>> and works seamlessly with leading PaaS frameworks.*
>>
>> Keep in mind we don't have to use Photon Platform; we can build our own
>> OpenStack or any other hybrid infrastructure.
>>
>>
>>
>>    - *hosting provider* - Rackspace has 24x7x365 support with SLAs.
>>    They monitor both host and guests and will move guests if the underlying
>>    host becomes unresponsive or overloaded.  The support level we have with
>>    Rackspace includes OS patching, outbound SMTP support through Mailgun,
>>    multiple support channels (phone, chat, web, email) with SLAs and a host of
>>    other services.  Any provider we move to will need to match or exceed most
>>    of these to be considered.  I think the virtual village is an awesome
>>    resource but not something that has multiple someones standing by and
>>    watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>>    providers do have that in place.
>>
>> *NYI provides us these SLAs, as I am not in the datacenter nor do we
>> live near the datacenter to patch, install, upgrade our hosts. We can and
>> should definitely have a conversation around what NYI can do for us, as they
>> are willing to provide OWASP a place to live with minimal cost. They also
>> have connections into all 3 cloud providers with a direct connection.*
>> http://www.nyi.net/solutions/multi-cloud-2/
>>
>> Several people have said that OWASP needs to be run as a business.  While
>> we are always going to be a charity following our charitable mission, we
>> should and will run our production infrastructure like any commercial
>> entity would - with non-negotiable requirements backed up by providers with
>> proven track records and SLAs.  To that end, the expiration of Rackspace's
>> donation has led to the following actions taking place:
>> (1) Evaluation of our usage and documentation of current infrastructure
>> need + costs - actual usage over the last 3 months not VM maximums. => DONE
>> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
>> IN PROCESS
>> (3) Repeating the RFP process I did back in 2011 which gained us the
>> Rackspace donation of $2,000 USD per month for nearly 6 years.
>>
>> On Mon, Feb 13, 2017 at 11:09 PM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> Tom and Evin,
>>>
>>> Thank you for your offer to use the Virtual Village for hosting OWASP's
>>> website - I'd also like to see OWASP projects use the resources available
>>> from the Virtual Village to host demo versions of their projects, run build
>>> servers or whatever computing needs our projects may have.  I think the
>>> availability of racks  with hardware in a significant and robust data
>>> center is a wonderful resource for projects.
>>>
>>> CALL OUT TO PROJECTS - IF YOU NEED COMPUTE RESOURCES, PLEASE CONTACT THE
>>> VIRTUAL VILLAGE PROJECT.
>>>           https://www.owasp.org/index.php/OWASP_Virtual_Village_Project
>>>
>>> That said, I'm going to have to politely decline moving the OWASP
>>> infrastructure to the virtual village.  There were a couple key
>>> requirements  for a new hosting provider for OWASP in that blog post that
>>> don't fit the virtual village, mainly
>>>
>>> "Wherever we end up, it will be an API-driven, elastic cloud based
>>> hosting provider.  After years of being on Open Stack, we don't want to
>>> leave a dynamic infrastructure environment."
>>>
>>> The bits in that statement that are crucial are:
>>>
>>>    - *API-driven* - before Rackspace ended the donation, we were
>>>    writing Ansible to automate deploys and updates to the OWASP wiki and other
>>>    bits of our infrastructure.  One key aspect of that automation is the
>>>    ability to have a well-established API with client libraries.  We had that
>>>    with the OpenStack implementation that Rack has and we want something
>>>    similar from our next hosting company.  Having the ability to write code
>>>    that launches resources dynamically is crucial for continuing to mature our
>>>    infrastructure.  Photon does have an API for provisioning but is missing
>>>    the pieces below.
>>>    - *Elastic cloud based* - one of the key differences with cloud vs
>>>    traditional iron in a rack hosting is the ability to dynamically modify
>>>    infrastructure resources in an on-demand basis.  Anyone that went from
>>>    traditional provisioning of hardware to dynamic cloud environments
>>>    understands the fundamental benefits the shift to cloud brings. Currently,
>>>    we can in minutes and via an API clone VMs, instantiate new VMS, resize VM,
>>>    etc.  Again, Photon can provide elastic resources but not the same breadth
>>>    of resources available from cloud providers such as compute, object
>>>    storage, block storage, load balancing, backup (file and VM-based), Lambda,
>>>    PaaS, etc.
>>>    - *hosting provider* - Rackspace has 24x7x365 support with SLAs.
>>>    They monitor both host and guests and will move guests if the underlying
>>>    host becomes unresponsive or overloaded.  The support level we have with
>>>    Rackspace includes OS patching, outbound SMTP support through Mailgun,
>>>    multiple support channels (phone, chat, web, email) with SLAs and a host of
>>>    other services.  Any provider we move to will need to match or exceed most
>>>    of these to be considered.  I think the virtual village is an awesome
>>>    resource but not something that has multiple someones standing by and
>>>    watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>>>    providers do have that in place.
>>>
>>> Several people have said that OWASP needs to be run as a business.
>>> While we are always going to be a charity following our charitable mission,
>>> we should and will run our production infrastructure like any commercial
>>> entity would - with non-negotiable requirements backed up by providers with
>>> proven track records and SLAs.  To that end, the expiration of Rackspace's
>>> donation has led to the following actions taking place:
>>> (1) Evaluation of our usage and documentation of current infrastructure
>>> need + costs - actual usage over the last 3 months not VM maximums. => DONE
>>> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
>>> IN PROCESS
>>> (3) Repeating the RFP process I did back in 2011 which gained us the
>>> Rackspace donation of $2,000 USD per month for nearly 6 years.  The
>>> incomplete short list of providers off the top of my head are
>>>
>>>    - Amazon AWS
>>>    - Google Cloud
>>>    - Microsoft Azure
>>>    - Digital Ocean
>>>
>>> Thanks again for your offer - I hope a whole bunch of OWASP projects
>>> take the Virtual Village up on its generous offer.
>>>
>>> Cheers!
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP AppSec Pipeline Lead
>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>> OWASP WTE Project Lead
>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>> http://AppSecLive.org - Community and Download site
>>>
>>>
>>> On Mon, Feb 13, 2017 at 8:47 PM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> With a dedicated virtual host or a dedicated box in the OWASP Lab rack
>>>> that would serve the global community well and at no hosting cost to serve
>>>> the static content and the MediaWiki and future pages.... this very simple
>>>> purpose OWASP.ORG would be a perfect fit!
>>>>
>>>> They also host many other communities including FreeBSD.
>>>>
>>>> Evin, can you spin something up as a dev box for the OWASP new website
>>>> project and give Matt T and owasp.foundation at owasp.org a root account
>>>> to it? It really would highlight what the Virtual Village Lab is all about:
>>>> production and dev for builders, breakers and defenders!
>>>>
>>>> Alcon;
>>>> More info on NYI
>>>> https://www.nyi.net/datacenters/new-york/
>>>>
>>>> re: Blog Post
>>>> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html
>>>>
>>>>
>>>>
>>>> On Mon, Feb 13, 2017 at 8:37 PM, Evin Hernandez <
>>>> evin.hernandez at owasp.org> wrote:
>>>>
>>>>> I was in review of the recent blog post (OWASP Operations Update for
>>>>> February 2017
>>>>> <https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html>
>>>>> ).
>>>>>
>>>>> If we are looking for a new hosting provider, we should consider
>>>>> Virtual Village via NYI. They provide us with free power and pipe with no
>>>>> limitations excluding hardware. This would allow the OWASP website to be
>>>>> more dynamic as well as provide more insight into what we do on the
>>>>> infrastructure side. Virtual Village is currently hosting a few OWASP
>>>>> projects and we have done a few CTFs using Security Shepherd and others.
>>>>> Virtual Village is a mixture of VMware ESXi and their open-source offering
>>>>> Photon Controller, link below. This is an OpenStack-like API-driven
>>>>> infrastructure that uses Docker, Mesos, and Kubernetes.
>>>>>
>>>>> https://vmware.github.io/photon-controller/
>>>>>
>>>>> If you would like to discuss further, ping me anytime.
>>>>>
>>>>> Total cost of hosting inside of NYI would just be hardware, licenses
>>>>> and administration; everything else would be completely free.
>>>>>
>>>>> --
>>>>> Thank You,
>>>>> Evin Hernandez
>>>>> OWASP NJ Chapter Leader
>>>>> evin.hernandez at owasp.org
>>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Thank You,
>> Evin Hernandez
>> OWASP NJ Chapter Leader
>> evin.hernandez at owasp.org
>>
>
>


-- 
Thank You

Evin Hernandez