User:Mtesauro


Matt Tesauro is a Senior Product Security Engineer at Rackspace and does DevOps / IT administration for the OWASP Foundation as outlined in the next tab.

Bio: Matt has been involved in information technology and application development for more than 10 years. He is currently working at Rackspace as the Product Security Engineering Lead for their Cloud products, leading the application security team. Prior to joining Rackspace, Matt spent time as an application security consultant and spent several years as the "appsec guy" at a government agency. Matt's focus has been on application security, including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he has driven.

He has taught both graduate-level university courses and for large financial institutions. Matt has presented and provided training at various industry events including the DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt is currently active with the OpenStack Security Group (OSSG) and is a former board member of the OWASP Foundation. He is highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP OpenStack Security project, a project to bring the OpenStack and OWASP communities together.

He has also run the OWASP WTE (Web Testing Environment) since 2008, which is the source of the OWASP Live CD Project and of virtual machines pre-configured with tools and documentation for testing web applications, all running on Linux (of course). Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University.

For more detailed information, please see my public LinkedIn page.

In theory, I work 10 hours per week on OWASP IT administration and sundry tech-related issues for OWASP. I tend to exceed that on a regular basis since I want the IT operations side of OWASP to work so well it's invisible to the community - but, hey, that's life.


What I work on:

  1. Keeping the OS and software which runs the various OWASP servers up to date
  2. Hardening the various OWASP servers
  3. Keeping up to speed on new software releases, security vulnerabilities and other things impacting IT operations for OWASP
  4. Managing SSL certificates, Domain names and DNS
  5. Documenting existing IT infrastructure, processes and methods of operation
  6. Co-administration of the Foundation's Google Apps account with several staff members
  7. Mail list administration, WordPress updates, installations and hardening
  8. Providing advice and updates to staff/board on various IT issues
  9. Managing the Barracuda Anti-SPAM gateway which filters mail list emails
  10. Setting up and managing the Akamai CDN for the OWASP wiki
  11. Manage backups for all staff laptops


What the IT infrastructure looks like:

  • The OWASP Wiki - aka this site which runs MediaWiki
  • The OWASP Mail list - which runs Mailman version 2.x
  • Various conference websites depending on the time of year including:
  • Archives of previous conference sites
  • Several minor sites for things like Salesforce integration, redirects or other minor web content


The majority of our infrastructure runs on Rackspace's Cloud infrastructure. For those systems at Rackspace, I provide the following:

  • Create cloud servers as needed for various OWASP initiatives
  • Manage OS and Linux distribution provided updates
  • Manage the updates of additional software installed on the servers (e.g. MediaWiki)
  • Troubleshoot any operational issues
  • Backups of the server
    • Full VM backups on a daily basis
    • File-level backups on a daily basis
    • Database backups on a daily basis
  • Setup monitoring and alerts for performance, availability and system resources (RAM, CPU, disk space, ...)
    • React to monitoring alerts as needed
  • Configure outbound SMTP handling via smart hosts using Mailgun
  • Conference site specific maintenance
    • Creation of DNS, redirects and conference site setup for each year's site
    • Archival of the conference site prior to transitioning to the next year's conference
    • Monitoring WordPress admin access plus software and plugin updates


How I prioritize the work:

  1. Current operations issues which impact production
  2. Assisting with time critical requests or changes
  3. Software updates, OS updates and general good IT hygiene
  4. Automation of existing processes, installations or hardening steps
  5. Correcting existing weaknesses and non-optimal configurations
  6. New initiatives or services
  7. Gold plating existing services

Gratuitous place to put links to things: