
Revision as of 04:02, 11 September 2018 by Mtesauro (talk | contribs) (Updated my profile page on the wiki)


Matt Tesauro is the Director of Community and Operations at the OWASP Foundation.

Bio: Matt Tesauro is currently the Director of Community and Operations at the OWASP Foundation. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events, including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools, and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.

For more detailed information, please see my public LinkedIn page.

[Note this is old information from when I was a contractor for the OWASP Foundation]

In theory, I work 10 hours per week on OWASP IT administration and sundry tech-related issues for OWASP. I tend to exceed that on a regular basis since I want the IT operations side of OWASP to work so well it's invisible to the community - but, hey, that's life.

What I work on:

  1. Keeping the OS and software which runs the various OWASP servers up to date
  2. Hardening the various OWASP servers
  3. Keeping up to speed on new software releases, security vulnerabilities and other things impacting IT operations for OWASP
  4. Managing SSL certificates, Domain names and DNS
  5. Documenting existing IT infrastructure, processes and methods of operation
  6. Co-administration of the Foundation's Google Apps account with several staff members
  7. Mail list administration, WordPress updates, installations and hardening
  8. Providing advice and updates to staff/board on various IT issues
  9. Managing the Barracuda Anti-SPAM gateway which filters mail list emails
  10. Setting up and managing the Akamai CDN for the OWASP wiki
  11. Managing backups for all staff laptops

What the IT infrastructure looks like:

  • The OWASP Wiki - aka this site which runs MediaWiki
  • The OWASP Mail list - which runs Mailman version 2.x
  • Various conference websites depending on the time of year, including:
  • Archives of previous conference sites
  • Several minor sites for things like Salesforce integration, redirects or other minor web content

The majority of our infrastructure runs on Rackspace's Cloud infrastructure. For those systems at Rackspace, I provide the following:

  • Create cloud servers as needed for various OWASP initiatives
  • Manage OS and Linux distribution provided updates
  • Manage the updates of additional software installed on the servers (e.g. MediaWiki)
  • Troubleshoot any operational issues
  • Backups of the server
    • Full VM backups on a daily basis
    • File-level backups on a daily basis
    • Database backups on a daily basis
  • Setup monitoring and alerts for performance, availability and system resources (RAM, CPU, disk space, ...)
    • React to monitoring alerts as needed
  • Configure outbound SMTP handling via Smart hosts using Mailgun
  • Conference site specific maintenance
    • Creation of DNS, redirects and conference site setup for each year's site
    • Archival of the conference site prior to transitioning to the next year's conference
    • Monitoring WordPress admin access plus software and plugin updates

How I prioritize the work:

  1. Current operations issues which impact production
  2. Assisting with time critical requests or changes
  3. Software updates, OS updates and general good IT hygiene
  4. Automation of existing processes, installations or hardening steps
  5. Correcting existing weaknesses and non-optimal configurations
  6. New initiatives or services
  7. Gold plating existing services

Gratuitous place to put links to things: