18:00:26 <bdpayne> #startmeeting OpenStack Security Group 18:00:27 <openstack> Meeting started Thu Dec 5 18:00:26 2013 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:31 <openstack> The meeting name has been set to 'openstack_security_group' 18:00:40 <bdpayne> Hi OSSG 18:00:43 <bknudson> hi 18:00:45 <bdpayne> Let's start with a rollcall 18:00:53 <bdpayne> #topic rollcall 18:01:01 <joel-coffman> hey 18:01:06 <paulmo> Paul Montgomery, Rackspace (new guy in OSSG from Project Solum) 18:01:21 <bdpayne> welcome paulmo 18:01:38 <paulmo> Thanks; glad to see the great security guide provided. :) 18:02:01 <bdpayne> anyone else here today? 18:02:01 <bknudson> does new project require update to security guide? 18:02:30 <bdpayne> ok, small group today 18:02:31 <paulmo> I'm still reviewing the guide but I suspect Solum may have some addition requirements. 18:02:49 <bdpayne> bknudson I think that's a strong "it depends" 18:02:55 <bdpayne> #topic today's agenda 18:03:08 <nkinder> I'm here 18:03:11 <bdpayne> So I'm recovering from both Thanksgiving and being sick this week :-) 18:03:17 <bdpayne> So I don't have too much news to report 18:03:31 <bdpayne> Anything specific that others would like to discuss today? 18:03:56 <nkinder> I have a few topics. 18:04:14 <bdpayne> nkinder sure, please go ahead and list them here and we can get to them in turn 18:04:23 <nkinder> One quick one is that I have an OSSN ready for a glance issue, but wanted to know if anyone else from OSSG needs to review it 18:04:41 <bdpayne> best to have at least two other people review 18:04:53 <nkinder> The other is an effort to get a cross-project set of security guidelines established. 18:04:55 <bdpayne> just to keep quality high and check for random typos and such 18:05:08 <paulmo> +1 nkinder 18:05:17 <bdpayne> great, I'll add that to the agenda 18:05:25 <bdpayne> anything else? 18:05:41 <nkinder> not from me 18:05:41 <paulmo> I have a few questions but I'm not sure if this is the right forum 18:06:07 <bdpayne> sure, sounds like it's a quiet day... perhaps we can field some questions at the end? 18:06:14 <paulmo> Sure; sounds great! 18:06:15 <bdpayne> we typically run for 30 min 18:06:33 <bdpayne> ok... 18:06:38 <bdpayne> #topic OSSG news 18:06:57 <bdpayne> So the main news I have to report this week is that we have three people signed up to be book editors 18:07:36 <bdpayne> the team is Ben DeBont, Sriram Subramanian and David Mortman 18:07:52 <bdpayne> clearly anyone is encourage to edit the book 18:08:09 <bdpayne> it's as simple as doing a PR against the docbook source for the book 18:08:10 <nkinder> great! Are they dividing up chapters to review? 18:08:31 <bdpayne> but, these three people will be taking the lead on moving foward with the overall improvements to the book 18:08:41 <bdpayne> I'm not sure how they are splitting it up or approaching it 18:08:43 <bknudson> is editing fixing typos or is it also to make content clearer? 18:08:55 <bdpayne> bknudson, all of the above 18:09:28 <elo> nothing on my end… I'll have soem update to the book to publish in the new few weeks 18:09:33 <bdpayne> so I've asked them to take the lead on this, and I'll ask them to check in here at the meetings and on the mailing list periodically 18:10:07 <bdpayne> elo sounds good, perhaps you can sync with the book editing team wrt to your updates 18:10:28 <elo> Will do. 18:10:31 <bknudson> I did submit a few bugs when reading through it 18:10:47 <bdpayne> #topic cross project security guidelines 18:10:51 <bdpayne> take it away nkinder 18:11:37 <nkinder> I'd like to have our group help to establish a set of cross-project security guidelines. 18:11:52 <nkinder> This needs to come from all of the projects as well as us 18:12:17 <nkinder> I floated the idea on the dev list, and there was interest from som eof the Solum folks (one reason paulmo is here) 18:12:33 <nkinder> I've talked with some of the keystone devs as well, and there is interest there. 18:13:01 <nkinder> Basically, I think we need a security representative from each of the core projects so we can brainstorm and come up with the guidelines. 18:13:03 <bdpayne> yeah, this sounds like a good idea 18:13:19 <nkinder> I was going to reach out to the PTLs in their meeting next monday 18:13:19 <bdpayne> perhaps would be a good place to collaborate with some of the OWASP people too? 18:14:05 <nkinder> sure, makes sense 18:14:19 <paulmo> Would the goal be to make security requirements or guidelines? 18:14:47 <nkinder> paulmo: well, eventually a bit of both would be good IMHO 18:14:54 <bdpayne> my take... would be that we start with guidelines 18:15:02 <nkinder> I don't think we're currently really in a position to dictate requirements. 18:15:07 <nkinder> bdpayne: +1 18:15:19 <bdpayne> and then set a low bar with turning some into requirements... complete with CI that enforces it, if possible 18:15:26 <bdpayne> and then slowly dial it up 18:15:32 <paulmo> Sounds like a good plan to me. 18:15:48 <nkinder> If we can get a general consensus from representatives on the projects, it shoudln't be hard to have them be spoken guidelines. 18:15:53 <nkinder> sorry, requirements 18:15:58 <joel-coffman> bdpayne: +1 18:16:17 <bdpayne> so this sounds nice 18:16:25 <bknudson> are these guidelines like the length of keys and ciphers? 18:16:41 <bknudson> validating inputs 18:16:44 <bdpayne> I know that there was some talk about security testing before the summit... might be nice to check in with those guys and see if/how that's coming along 18:17:02 <bdpayne> this could certainly go in many directions 18:17:10 <bdpayne> did you have specific ideas for the guidelines nkinder? 18:17:16 <bknudson> use of random number generators 18:17:18 <nkinder> bknudson: yes, I think that sort of thing, plus general developer best practice (zeroing memory that stores passwords/keys, etc.) 18:17:29 <bknudson> encrypting passwords in Keystone's SQL backend :( 18:17:45 <bdpayne> perhaps examples of good security patterns (and ones to avoid) 18:18:02 <bdpayne> perhaps encouragement to use common security sensitive code (e.g., OSLO rootwrap) 18:18:06 <nkinder> bdpayne: I have ideas about areas that should be addressed, but I expect many folks from the projects will have ideas too. 18:18:09 <bdpayne> stuff like that 18:18:16 <bdpayne> yeah 18:18:34 <bdpayne> so I envision a massive, distributed brainstorm 18:18:34 <paulmo> nkinder: I'm willing to help out on this 18:18:43 <bdpayne> and then perhaps a small team to make sense of it all and make some proposals 18:18:52 <nkinder> paulmo: Great! I have your name down on my list already. :) 18:19:12 <bdpayne> nkinder I'd be willing to help as well 18:19:36 <nkinder> bdpayne: ok, great. Let me see what interest I get from the PTLs next week, and we'll go from there. 18:20:10 <bdpayne> sounds good 18:20:13 <nkinder> This will also help identify areas where things should be improved. 18:20:23 <nkinder> where we don't meet guidelines, etc. 18:20:35 <bdpayne> #topic open discussion / questions 18:20:43 <bdpayne> paulmo you had some questions? 18:20:54 <bdpayne> also, anything else people want to discuss? 18:21:15 <paulmo> Sure! I see that there is a SecurityImpact Gerrit tag, are there any code comment formats for potential security issues that devs can put in their code? 18:21:49 <bdpayne> right now it is just free form 18:21:52 <paulmo> (I'd like the team to be able to mark potential issues for research later while they are coding rather than trying to find them later if possible. Just seeing if there is an OpenStack or OSSG guide for that.) 18:21:53 <bknudson> paulmo: I've never seen one. 18:22:05 <bdpayne> so devs can use the tag, and that sends an email to the openstack-security list 18:22:15 <bdpayne> and then someone from OSSG (ideally) will go to review the code 18:22:25 <bdpayne> so any other details could just be placed as part of the commit msg 18:22:48 <paulmo> Ok, we'll make up a comment tag for Solum and use SecurityImpact for reviews. 18:23:01 <bdpayne> sounds good 18:23:03 <nkinder> bdpayne: It'd be nice to have some way to sign off that the OSSG has reviewed an issue. 18:23:19 <bdpayne> yeah, not sure if gerrit supports that 18:23:41 <paulmo> Next - Has anyone discussed a method of identifying confidential data in Oslo logging? This seems to be a source of credential leaks lately. 18:23:46 <bdpayne> that being "if securityimpact tag, then require +1 from OSSG to merge" 18:24:09 <bdpayne> so there has been an effort lately to cleanup the logs 18:24:20 <bdpayne> this goes beyond oslo and includes pretty much all of the projects 18:24:27 <bdpayne> and by cleanup, I mean remove things like passwords from them 18:24:41 <bknudson> paulmo: there's code in oslo-logging that checks for "password", I think. 18:24:44 <bdpayne> I think that people are generally relying on manual inspection at this point 18:24:52 <paulmo> I would like to find that information. We have a blueprint in solum to try to head this issue off early: https://blueprints.launchpad.net/solum/+spec/logging 18:25:08 <bdpayne> but, yeah, that would be good to automate some more 18:25:25 <bdpayne> it's worth noting that this has been a cause of disagreement 18:25:32 <paulmo> Would this team make recommendations or would I go work with Oslo folks directly? 18:25:46 <bdpayne> I've seen people arguing for having security sensitive stuff (tokens, passwords, etc) in debug level logs 18:25:57 <bdpayne> I personally disagree with that approach, but hey 18:26:04 <bknudson> when keystone is configured for debug it does insecure things. 18:26:49 <bdpayne> paulmo I think that if the security guideance stuff comes together, that could be nice place for this 18:26:59 <nkinder> bdpayne: +1 18:27:04 <paulmo> I was thinking of a boil the frog approach. Mark confidential data (and exceptions, espcially database exceptions) in the log with a tag (basically a list of dictionaries) to hold confidential data. Then filter it on the backend so users don't see it. 18:27:46 <bdpayne> I think I'd need more context to comment on that specific approach 18:27:54 <bdpayne> perhaps a good disucssion for the ML 18:28:18 <paulmo> Yes, sorry, just an elevator pitch. I can discuss more when ready or ML. :) 18:28:19 <bdpayne> any other questions? 18:28:33 <paulmo> I think that is all for now. Thanks for letting me take the floor for so long. 18:28:34 <nkinder> Anyone care to review my OSSN so I can publish it? :) - https://bugs.launchpad.net/ossn/+bug/1226078 18:28:36 <uvirtbot> Launchpad bug 1226078 in ossn "Glance allows user to create images and add other tenants as members (CVE-2013-4354)" [Medium,In progress] 18:28:46 <bdpayne> nkinder I'll take a look later today 18:28:52 <nkinder> bdpayne: thanks 18:29:15 <bdpayne> ok, so that's all for today 18:29:19 <bdpayne> see everyone next week 18:29:26 <bdpayne> #endmeeting