18:01:12 <bdpayne> #startmeeting OpenStack Security Group
18:01:12 <clarkb> the first endmeeting was a few seconds early :)
18:01:26 <bdpayne> Hi security group!
18:01:35 <joel-coffman> hello
18:01:50 <malini1> Greetings!
18:02:07 <bdpayne> I'd like to continue talking about the summit today
18:02:14 <bdpayne> And get updates on any work in progress
18:02:19 <bdpayne> Anything else on people's minds?
18:02:27 <n41902> hi
18:02:36 <sdague> #endmeeting
18:02:53 <sdague> oh, someone else managed it :)
18:02:55 <joel-coffman> not from me
18:03:12 <bdpayne> ok, let's start with wip
18:03:22 <bdpayne> #topic Work In Progress
18:03:54 <bdpayne> On my end, the folks at White Hat Security have offered to do a free security assessment of Horizon
18:04:14 <bdpayne> they have tools that will perform a scan, and then they do some human analysis to weed out false positives and such
18:04:45 <joel-coffman> what kind of scan?
18:04:48 <bdpayne> Since the OpenStack folk are still working on standing up a reference implementation, I'll be working with White Hat to use a Nebula installation for the scanning
18:05:07 <bdpayne> basically they can scan web services for a variety of security issues
18:05:13 <bdpayne> I'm still flushing out the details
18:05:28 <joel-coffman> oh, that sounds good
18:05:45 <bdpayne> they can't do REST APIs, apparently
18:05:48 <bdpayne> so it will be just Horizon
18:05:54 <bdpayne> but that's still useful
18:05:58 <malini1> bdpayne: your scan checklist will be a juicy addition for the security guide
18:06:32 <bdpayne> checklist?
18:06:40 <thomasbiege2> do we have a list of test cases they use? (I didn't follow the thread to be honest)
18:06:56 <malini1> is not "flushing out the details" a checklist?
18:07:02 <bdpayne> oh I see
18:07:11 <bdpayne> yeah, I'll need to learn more about what they are doing
18:07:21 <bdpayne> I do not currently know all of their test cases
18:07:30 <thomasbiege2> ok
18:07:39 <bdpayne> I would think that the security guide may be improved if there's a deployment option that can mitigate problems better
18:07:41 <thomasbiege2> test coverage could also be interesting
18:07:54 <bdpayne> so we'll see how this goes
18:08:03 <bdpayne> but I just wanted to let people know that this was starting to take shape
18:08:12 <thomasbiege2> cool
18:08:26 <malini1> absolutely cool
18:08:34 <bdpayne> Any other ongoing projects people would like to discuss?
18:08:36 <bdpayne> slides?
18:08:44 <bdpayne> dev work?
18:08:47 <bdpayne> new blueprints?
18:09:20 <joel-coffman> quiet from our end right now
18:09:27 <malini1> sorry: my WIP -- edits on guide and slides -- no further progress. looks this way till Dec
18:10:25 <bdpayne> #topic Summit Planning
18:10:41 <elo> hi. little late...
18:10:46 <bdpayne> So I shared this previously
18:10:47 <bdpayne> https://docs.google.com/spreadsheet/ccc?key=0AqnzHH5YYzZvdHM0R042U0t5LTNXWFp1MlB2VHpCZmc&usp=sharing#gid=0
18:10:49 <bdpayne> hi elo
18:11:20 <bdpayne> Still need to go through the dev sessions once those are flushed out
18:11:30 <bdpayne> I'd also like to have an OSSG gathering at the summit
18:11:41 <bdpayne> For those that are attending, any preferences on when that takes place?
18:12:19 <joel-coffman> not from me
18:12:28 <malini1> no preference from me
18:12:44 <elo> thursday/friday I'm not available for a few hours due to sessions that I'm helping out on
18:12:55 <bdpayne> ok, I'm leaning towards finding a long lunch one day
18:13:00 <malini1> i submitted a geo-tagging design session and blueprint
18:13:10 <bdpayne> I'll review the schedule and try to find a time with minimal potential conflicts
18:13:36 <bdpayne> malini1 interesting
18:13:45 <bdpayne> feel free to add any dev sessions of interest to the wiki
18:13:54 <bdpayne> s/wiki/google doc/
18:14:06 <bdpayne> even at this stage, without knowing what is accepted there
18:14:10 <joel-coffman> link to the blueprint?
18:14:13 <bdpayne> would be good to start tracking stuff
18:14:32 <malini1> will do, but it may be rejected
18:14:37 <bdpayne> of course
18:14:55 <bdpayne> So, a few more words on the summit...
18:15:17 <bdpayne> I view the summit as an opportunity to (1) reflect on how we've done over the past 6 months, and (2) plan for the next 6 months
18:15:47 <bdpayne> I'd like to discuss both of these items at the OSSG meeting at the summit
18:15:57 <malini1> i think for next summit we should aim for a workshop, 1-2 hours on securing an openstack implementation
18:16:06 <bdpayne> But, some prep between now and then could make that discussion more fruitful
18:16:22 <bdpayne> malini1 perfect
18:16:33 <bdpayne> so, yeah, I was going to ask for ideas / goals / etc for the upcoming 6 months
18:16:46 <malini1> Absolutely, like your Nebula reference impl and what makes it secure
18:16:53 <bdpayne> basically, where would you like to see OSSG heading
18:17:31 <bdpayne> yeah, that would be interesting
18:17:48 <bdpayne> any other ideas?
18:18:01 <bdpayne> surely there's plenty of ways that OSSG can improve / have more influence / etc
18:18:35 <malini1> I think OSSG is gaining momentum with the guide, the OSSNs and being a crosscutting entity across the OS projects, but we have to be more vocal, kind of establish ourselves such that people come to us "please take a look" type thing
18:18:53 <bdpayne> yeah
18:19:05 <bdpayne> I think that will come with more specific involvement in each project
18:19:30 <bdpayne> we could really benefit from having people just dig in and get involved in the various projects
18:20:03 <bdpayne> ok, well the key take away here is to really think about this topic
18:20:04 <joel-coffman> agreed, it's difficult to review code for security issues when unfamiliar with the context
18:20:10 <bdpayne> I'd like to have a good discussion on it at the summit
18:20:22 <bdpayne> specifically:
18:20:30 <malini1> for one thing, coming from Intel and TXT land, at the very least I have to be savvy setting it up, its limitations (like it's OK for VMMs, but not yet for bare metal, so we are not yet there for TXT for the openstack service nodes)
18:20:31 <bdpayne> * What are the problems / areas we can improve
18:20:33 <joel-coffman> or contribute security-related bug fixes
18:20:40 <bdpayne> * What are specific things we can do to improve
18:21:17 <bdpayne> #topic Other business
18:21:26 <bdpayne> So that's all that I have for today… anything else on people's minds?
18:22:15 <bdpayne> Hearing none, I guess we're all done here
18:22:20 <malini1> would be nice to research "known holes" and share with each other. For instance security wrt to SR-IOV
18:22:39 <bdpayne> ah…
18:22:42 <bdpayne> agreed
18:23:26 <bdpayne> malini1 on a similar topic, I'd be interested in more information on Intel SGX
18:23:48 <malini1> :-) Will learn more and get back to you on it.
18:24:21 <malini1> anything specific
18:24:31 <bdpayne> clearly it's new, not out yet, but I think it may have a role to play for securing nodes
18:24:31 <malini1> can even bug developers
18:25:07 <bdpayne> specifically, I'm curious if this could be used to protect a security agent on a host that then uses memory introspection techniques to monitor the host and, perhaps, the VMs / containers on that host
18:25:32 <bdpayne> and, if it can, then I'd like to play with engineering samples :-)
18:25:43 <malini1> on a separate note, I am relishing the many flavors of the word "TEAM", for it means making things possible, achieving things, because we leverage each other's strengths
18:25:55 <malini1> OK, that is an action item for me.
18:26:00 <bdpayne> cool, thanks
18:26:31 <bdpayne> for those not interested in SGX, check out the Intel presentations here https://sites.google.com/site/haspworkshop2013/workshop-program
18:26:40 <bdpayne> s/interested/ familiar/ :-)
18:27:13 <bdpayne> ok, then I think we're really done here
18:27:16 <bdpayne> thanks everyone
18:27:18 <bdpayne> cya next time
18:27:22 <thomasbiege2> bye
18:27:25 <joel-coffman> cheers
18:27:25 <randy_perryman> bye
18:27:40 <malini1> bye
18:27:45 <bdpayne> #endmeeting