[Owasp-leaders] owasp website
Evin Hernandez
evin.hernandez at gmail.com
Tue Feb 14 16:11:43 UTC 2017
Matt, you are a man after my own heart lol ... I would love to be a part of
your infrastructure committee and help you with all of your deliverables
as well as innovate for the future of OWASP. Let's have a chat when you have
some time.
On Tue, Feb 14, 2017 at 10:48 AM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:
> Evin,
>
> We're on the same page.
>
> You say contributor and I say Project Leader - and if you noticed the
> all-caps call out, I'd love for projects and other contributors to use the
> Virtual Village.
>
> However, www.owasp.org is our public face to the world and gets ~8
> million views per week so it needs to be highly available with little down
> time backed by contractual SLAs. Same for conference sites, and a few
> other bits of our infrastructure that were at Rackspace. Ideally, we'd use
> SaaS for anything that makes sense. Our move from Mailman is from
> self-hosted cloud VM to SaaS. We have a staff of 8 and I'm the only one
> with a technical background. Moving IT, as much as is reasonable, to 3rd
> parties that are around 24x7x365 just makes sense.
>
> BTW, the $2,000/month was the max Rackspace would reimburse - not the cost
> of getting our stuff hosted. At Rackspace, I purposefully over spec'ed
> the VMs since (1) we had no track record of actual system usage or any
> historical monitoring data and (2) hosting was basically free as long as we
> stayed under $2,000/month.
>
> Actual hosting costs will be significantly less. I just moved a host from
> a $150/month cost to $10/month cost and am well within the historical usage
> pattern for that host.
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Tue, Feb 14, 2017 at 8:35 AM, Evin Hernandez <evin.hernandez at owasp.org>
> wrote:
>
>> Matt,
>>
>> Moving to the cloud is great; I'm not in disagreement with that. I believe
>> a hybrid approach would serve OWASP better, some cloud, some physical.
>> Moving to any one of these providers will cost OWASP well over 2 grand a
>> month, and as a paying member I'm looking at this as what value is this
>> really providing for me and other paying members. If we want to run our
>> infrastructure as an enterprise we need to have our customers top of
>> mind, which is our paying members, and moving our site to one of these
>> platforms provides me no value as a paying member. In reality it's just a
>> site with a bunch of content that any one of us can host anywhere for
>> free. As a paying member I'm looking at what OWASP can do for me when I pay
>> my $50. I would like some network and compute when I start a project; it
>> would be great to automate it, great to have a space to play as well as be
>> secure. We could not do that with Amazon or any other cloud provider as
>> the cost would be outrageous. It would be nice to do presentations on how
>> our actual infrastructure is built and secured as an enterprise would. We
>> could scale out to the cloud when needed, but we could also host CTFs at
>> scale and many other things.
>>
>> As we know, it begins with how end-user (contributor) expectations are
>> evolving. Moving forward I believe our members expect deeper connections
>> with OWASP through software, and as a community and non-profit we will be
>> increasingly pressed to differentiate through the software-based services
>> that we would offer. User experience trumps everything, and OWASP must
>> rapidly iterate to satisfy a fast-evolving market. This means IT is more
>> important than ever: it's no longer a cost-center, but instead is a
>> critical area of innovation. In this context, developers (our paying
>> members) are becoming more important. As OWASP starts looking at new
>> technologies and processes like DevOps, agile, Linux containers, and
>> microservices-based applications to speed software development and push
>> features into production (our projects) as quickly as possible, this is
>> the value we can provide back to our contributors.
>>
>> Instead of the contributor having to change for the data center, we're
>> adjusting the data center for the contributor. In doing so, we have a few
>> imperatives:
>>
>> - Build technologies that span the app lifecycle, from the
>> developer’s laptop to the production stack
>> - Help teams manage Cloud-Native apps while maintaining security,
>> performance, and ease-of-use
>> - Participate in the community by building and interfacing with open
>> systems and standards
>>
>> At the end of the day, whatever we choose, we should be thinking about
>> what we can provide back to the community when they donate to us. A website
>> that just provides content for free has no value add. The value is in our
>> contributors and what we can give them to keep innovating while moving as
>> fast as the technology changes.
>>
>> I have also attached a PDF of some of the architectural slides on what I
>> was thinking. We should definitely have a conversation with everyone and
>> get their opinions.
>>
>>
>> See comments in Red
>>
>>
>> - *API-driven* - before Rackspace ended the donation, we were writing
>> Ansible to automate deploys and updates to the OWASP wiki and other bits of
>> our infrastructure. One key aspect of that automation is the ability to
>> have a well-established API with client libraries. We had that with the
>> OpenStack implementation that Rack has and we want something similar from
>> our next hosting company. Having the ability to write code that launches
>> resources dynamically is crucial for continuing to mature our
>> infrastructure. Photon does have an API for provisioning but is missing
>> the pieces below.
>>
>>
>>
>> *Photon Platform is purpose-built for cloud native applications with
>> integrated enterprise container infrastructure support. Photon Platform is
>> a fully API-driven, multi-tenant platform, which brings the scale,
>> performance and features previously accessible only to hyper-scale web
>> companies into our own datacenter:*
>> *• Simplicity of installation, scale and operationalization*
>> *• Working seamlessly with leading PaaS frameworks*
>> *• Native support for Kubernetes as a Service*
>> *• API driven scale-out control plane optimized for massive scalability*
>> *• Robust and highly-available control plane able to withstand failures*
>> *• Simple-to-use API and CLI tools*
>> *• Enterprise-level security from the point of installation*
>> *• Complete functional coverage for compute, storage, networking,
>> security and operations*
>> *• Open source at the core, delivered as a carefully packaged enterprise
>> ready platform*
>> *• Designed for high churn environment*
>> *• Capable of handling large number of concurrent API requests*
>>
>>
>>
>> - *Elastic cloud based* - one of the key differences with cloud vs
>> traditional iron in a rack hosting is the ability to dynamically modify
>> infrastructure resources in an on-demand basis. Anyone that went from
>> traditional provisioning of hardware to dynamic cloud environments
>> understands the fundamental benefits the shift to cloud brings. Currently,
>> we can in minutes and via an API clone VMs, instantiate new VMS, resize VM,
>> etc. Again, Photon can provide elastic resources but not the same breadth
>> of resources available from cloud providers such as compute, object
>> storage, block storage, load balancing, backup (file and VM-based), Lambda,
>> PaaS, etc.
>>
>>
>> *the Platform provides a rich set of IaaS primitives like vms, networks
>> and disks. It also provides a Containers as a Service (CaaS) solution via
>> instant access to production-grade Kubernetes deployments. Lifecycle
>> management of Kubernetes allows for developers to quickly resize, deploy
>> and destroy clusters as needed during their development workflow. Photon
>> additionally delivers services like the Harbor Container Registry on demand
>> and works seamlessly with leading PaaS frameworks *
>>
>> Keep in mind we don't have to use Photon Platform; we can build our own
>> OpenStack or any other hybrid infrastructure.
>>
>>
>>
>> - *hosting provider* - Rackspace has 24x7x365 support with SLAs.
>> They monitor both host and guests and will move guests if the underlying
>> host become unresponsive or overloaded. The support level we have with
>> Rackspace includes OS patching, outbound SMTP support through Mailgun,
>> multiple support channels (phone, chat, web, email) with SLAs and a host of
>> other services. Any provider we move to will need to match or exceed most
>> of these to be considered. I think the virtual village is an awesome
>> resource but not something that has multiple someones standing by and
>> watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>> providers do have that in place.
>>
>> *NYI provides us these SLAs, as I am not in the datacenter, nor do we
>> live near the datacenter to patch, install, or upgrade our hosts. We can and
>> should definitely have a conversation around what NYI can do for us as they
>> are willing to provide OWASP a place to live with minimal cost. They also
>> have a direct connection into all 3 cloud providers*
>> http://www.nyi.net/solutions/multi-cloud-2/
>>
>> Several people have said that OWASP needs to be run as a business. While
>> we are always going to be a charity following our charitable mission, we
>> should and will run our production infrastructure like any commercial
>> entity would - with non-negotiable requirements backed up by providers with
>> proven track records and SLAs. To that end, the expiration of Rackspace's
>> donation has led to the following actions taking place:
>> (1) Evaluation of our usage and documentation of current infrastructure
>> need + costs - actual usage over the last 3 months not VM maximums. => DONE
>> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
>> IN PROCESS
>> (3) Repeating the RFP process I did back in 2011 which gained us the
>> Rackspace donation of $2,000 USD per month for nearly 6 years.
>>
>> On Mon, Feb 13, 2017 at 11:09 PM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> Tom and Evin,
>>>
>>> Thank you for your offer to use the Virtual Village for hosting OWASP's
>>> website - I'd also like to see OWASP projects use the resources available
>>> from the Virtual Village to host demo versions of their projects, run build
>>> servers or whatever computing needs our projects may have. I think the
>>> availability of racks with hardware in a significant and robust data
>>> center is a wonderful resource for projects.
>>>
>>> CALL OUT TO PROJECTS - IF YOU NEED COMPUTE RESOURCES, PLEASE CONTACT THE
>>> VIRTUAL VILLAGE PROJECT.
>>> https://www.owasp.org/index.php/OWASP_Virtual_Village_Project
>>>
>>> That said, I'm going to have to politely decline moving the OWASP
>>> infrastructure to the virtual village. There were a couple key
>>> requirements for a new hosting provider for OWASP in that blog post that
>>> don't fit the virtual village, mainly
>>>
>>> "Wherever we end up, it will be an API-driven, elastic cloud based
>>> hosting provider. After years of being on Open Stack, we don't want to
>>> leave a dynamic infrastructure environment."
>>>
>>> The bits in that statement that are crucial are:
>>>
>>> - *API-driven* - before Rackspace ended the donation, we were
>>> writing Ansible to automate deploys and updates to the OWASP wiki and other
>>> bits of our infrastructure. One key aspect of that automation is the
>>> ability to have a well-established API with client libraries. We had that
>>> with the OpenStack implementation that Rack has and we want something
>>> similar from our next hosting company. Having the ability to write code
>>> that launches resources dynamically is crucial for continuing to mature our
>>> infrastructure. Photon does have an API for provisioning but is missing
>>> the pieces below.
>>> - *Elastic cloud based* - one of the key differences with cloud vs
>>> traditional iron in a rack hosting is the ability to dynamically modify
>>> infrastructure resources in an on-demand basis. Anyone that went from
>>> traditional provisioning of hardware to dynamic cloud environments
>>> understands the fundamental benefits the shift to cloud brings. Currently,
>>> we can in minutes and via an API clone VMs, instantiate new VMS, resize VM,
>>> etc. Again, Photon can provide elastic resources but not the same breadth
>>> of resources available from cloud providers such as compute, object
>>> storage, block storage, load balancing, backup (file and VM-based), Lambda,
>>> PaaS, etc.
>>> - *hosting provider* - Rackspace has 24x7x365 support with SLAs.
>>> They monitor both host and guests and will move guests if the underlying
>>> host become unresponsive or overloaded. The support level we have with
>>> Rackspace includes OS patching, outbound SMTP support through Mailgun,
>>> multiple support channels (phone, chat, web, email) with SLAs and a host of
>>> other services. Any provider we move to will need to match or exceed most
>>> of these to be considered. I think the virtual village is an awesome
>>> resource but not something that has multiple someones standing by and
>>> watching the infrastructure 24x7x365 backed by contractual SLAs. Hosting
>>> providers do have that in place.
>>>
>>> Several people have said that OWASP needs to be run as a business.
>>> While we are always going to be a charity following our charitable mission,
>>> we should and will run our production infrastructure like any commercial
>>> entity would - with non-negotiable requirements backed up by providers with
>>> proven track records and SLAs. To that end, the expiration of Rackspace's
>>> donation has led to the following actions taking place:
>>> (1) Evaluation of our usage and documentation of current infrastructure
>>> need + costs - actual usage over the last 3 months not VM maximums. => DONE
>>> (2) Migration of VMs off Rackspace to lower cost commercial providers =>
>>> IN PROCESS
>>> (3) Repeating the RFP process I did back in 2011 which gained us the
>>> Rackspace donation of $2,000 USD per month for nearly 6 years. The
>>> incomplete short list of providers off the top of my head are
>>>
>>> - Amazon AWS
>>> - Google Cloud
>>> - Microsoft Azure
>>> - Digital Ocean
>>>
>>> Thanks again for your offer - I hope a whole bunch of OWASP projects
>>> take the Virtual Village up on its generous offer.
>>>
>>> Cheers!
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP AppSec Pipeline Lead
>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>> OWASP WTE Project Lead
>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>> http://AppSecLive.org - Community and Download site
>>>
>>>
>>> On Mon, Feb 13, 2017 at 8:47 PM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> With a dedicated virtual host or a dedicated box in the OWASP Lab rack
>>>> that would serve the global community well and at no hosting cost to serve
>>>> the static content and the mediawiki and future pages.... this very simple
>>>> purpose OWASP.ORG would be a perfect fit!
>>>>
>>>> They also host many other communities including FreeBSD
>>>>
>>>> Evin can you spin something up as a dev box for the owasp new website
>>>> project and give Matt T and owasp.foundation at owasp.org a root account
>>>> to it. Really would highlight what the Virtual Village Lab is all about
>>>> production and dev for builders, breakers and defenders!
>>>>
>>>> Alcon;
>>>> More info on NYI
>>>> https://www.nyi.net/datacenters/new-york/
>>>>
>>>> re: Blog Post
>>>> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html
>>>>
>>>>
>>>>
>>>> On Mon, Feb 13, 2017 at 8:37 PM, Evin Hernandez <
>>>> evin.hernandez at owasp.org> wrote:
>>>>
>>>>> I was in review of the recent blog post (OWASP Operations Update for
>>>>> February 2017,
>>>>> https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html).
>>>>>
>>>>> If we are looking for a new hosting provider, we should consider
>>>>> Virtual Village via NYI. They provide us with free power and pipe with no
>>>>> limitations excluding hardware. This would allow the OWASP website to be
>>>>> more dynamic as well as provide more insight into what we do on the
>>>>> infrastructure side. Virtual Village is currently hosting a few OWASP
>>>>> projects and we have done a few CTFs using Security Shepherd and others.
>>>>> Virtual Village is a mixture of VMware ESXi and their open-source offering,
>>>>> Photon Controller (link below). This is an OpenStack-like, API-driven
>>>>> infrastructure that uses Docker, Mesos, and Kubernetes.
>>>>>
>>>>> https://vmware.github.io/photon-controller/
>>>>>
>>>>> If you would like to discuss further, ping me anytime.
>>>>>
>>>>> Total cost of hosting inside of NYI would just be hardware, licenses
>>>>> and administration; everything else would be completely free.
>>>>>
>>>>> --
>>>>> Thank You,
>>>>> Evin Hernandez
>>>>> Owasp NJ chapter leader
>>>>> evin.hernandez at owasp.org
>>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Thank You,
>> Evin Hernandez
>> Owasp NJ chapter leader
>> evin.hernandez at owasp.org
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
--
Thank You
Evin Hernandez