18:00:02 <bdpayne> #startmeeting OpenStack Security Group
18:00:03 <openstack> Meeting started Thu Feb  6 18:00:02 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:06 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:09 <bdpayne> hi everyone
18:00:14 <bdpayne> #topic Role Call
18:00:17 <bdpayne> o/
18:00:21 <mkoderer> o/
18:00:44 <shohel> o/
18:01:23 <bdpayne> ok, I'm sure that others will join in shortly
18:01:27 <bdpayne> #topic Agenda
18:01:48 <bdpayne> I've been chatting with some people who are interested in discussing security testing this week
18:02:07 <bdpayne> I have a brief update from the book editors
18:02:27 <bdpayne> Anything else to discuss?
18:02:35 <ash|2> Hello everyone. Excuse me please...
18:02:40 <mkoderer> fuzzy testing framework
18:03:02 <bdpayne> great, yes we'll discuss the fuzzing testing ideas
18:04:16 <bdpayne> ok, let's get started
18:04:24 <bdpayne> #topic Security Testing and Fuzzing Testing
18:04:37 <bdpayne> mkoderer would you like to introduce what it is that you are working on?
18:04:46 <mkoderer> yep
18:05:05 <mkoderer> I am currently working on a framework to generate negative tests in Tempest
18:05:29 <mkoderer> this framework generates these tests out of json schemas
18:05:32 <ash|2> I'm not a developer of OpenStack, but I find it very useful to write here. I'm a student and looking forward to participating in GSoC2014 with OpenStack. I have already found a mentor (Debojyoti Dutta) and we are looking forward to finding anyone who could organize this (the administrator). Excuse me - I found it useful to write here.
18:06:20 <mkoderer> the idea that I want to discuss is that it would be quite easy to use this for fuzzy testing
18:06:55 <mkoderer> in Tempest we have already stress tests that can run any Tempest test with a certain number of workers
18:07:10 <bdpayne> can you expand what you're doing with the negative tests more specifically?
18:07:22 <mkoderer> bdpayne: sure
18:08:10 <mkoderer> I think when it comes to security testing we need to change somehow the design
18:08:18 <hyakuhei> Sorry, here late.
18:08:42 <mkoderer> my question.. is already somebody working on this topic?
18:09:12 <hyakuhei> mkoderer: what sort of tests? are there example json schemas out there for review?
18:09:13 <bdpayne> so there were some people talking about this last fall
18:09:30 <mkoderer> hyakuhei: https://review.openstack.org/#/c/64733/
18:09:33 <bdpayne> I asked thomas from suse to join us today... not sure if he is here yet
18:09:37 <mkoderer> there are 3 json files in it as example
18:10:36 <mkoderer> bdpayne: ok I saw his blog post about fuzzy testing
18:11:25 <bdpayne> mkoderer so you may be the one working on this at this point :-)
18:11:28 <bdpayne> but we can help
18:11:36 <bdpayne> you said that things need to change for security testing
18:11:45 <bdpayne> what specific work do you believe needs to happen here?
18:11:52 <bdpayne> and what kind of security testing did you have in mind?
18:12:02 <mkoderer> bdpayne: I mean the focus is slightly different as for negative testing
18:12:42 <mkoderer> currently all negative tests simply execute and prove if the result value is correct
18:13:20 <mkoderer> I don't think that we need this.. we could simply fire a lot of records and after that have a look if everything is running
18:14:02 <malini1> mkoderer: do you mean like DOS
18:14:20 <mkoderer> malini1: yep possibly
18:15:20 <mkoderer> ok let me finish my negative testing blueprint and I will propose a patch and we could discuss it here
18:15:20 <tristanC> mkoderer: I am curious, are inputs generated purely randomly or is there some kind of instrumentation? and also do you think it can also be used to find issues other than service dos?
18:15:52 <malini1> mkoderer: I like that .. it would also be a stress/performance test then, if we say n records, 2n 4n records etc to see when things break down
18:16:19 <mkoderer> tristanC: currently the negative testing is not really random.. if an integer value is needed it sends a predefined string
18:16:43 <mkoderer> tristanC: but it is my plan that I add a lot of generators with different random generators
18:17:12 <mkoderer> malini1: a stress job is already running every night in tempest
18:17:29 <mkoderer> malini1: but only with usual test cases
18:17:38 <tristanC> mkoderer: oh ok. well it's a good idea (fuzzing OS) imo
18:17:59 <mkoderer> ok cool
18:19:51 <malini1> mkoderer: IMHO -- if you detect a negative test that brings down the system, after analysis -- it should be added into regular test suite .. reason: random tests sometimes do not reoccur as easily
18:20:35 <mkoderer> malini1: yes I think the tricky part will be the analysis
18:20:57 <bdpayne> sounds like the next step here is for mkoderer to finish putting together a blueprint
18:21:05 <bdpayne> then we can discuss that as a more concrete set of ideas?
18:21:19 <mkoderer> bdpayne: yes sure
18:21:24 <bdpayne> great, thanks
18:21:34 <bdpayne> please use the mailing list to let us know when that is available
18:21:48 <bdpayne> and feel free to come back here to discuss more at future meetings, too
18:21:57 <bdpayne> any other thoughts on the testing stuff for today?
18:22:37 <bdpayne> #topic General Updates
18:22:47 <bdpayne> So I have a few quick updates to pass along
18:22:57 <bdpayne> I spoke with the book editor team briefly
18:23:07 <bdpayne> sounds like they are all planning to move forward, but simply have not yet
18:23:20 <bdpayne> so we'll stay tuned there
18:23:26 <bdpayne> we also do have some open tickets related to the book
18:23:30 <bknudson> do the edits go through gerrit review?
18:23:33 <bdpayne> tickets to fix some wordings
18:23:40 <bdpayne> yeah, they go through gerrit
18:23:46 <bdpayne> and get reviewed by the doc team
18:23:56 <bknudson> just wonder if they'll need help reviewing
18:23:59 <bdpayne> so if anyone is interested in working on some book edits, let me know
18:24:08 <bdpayne> when we get to that point, they will
18:24:14 <bdpayne> I can send out some emails at that time
18:24:28 <malini1> bdpayne: where are the tickets, I would like to work on it
18:24:32 <bknudson> bdpayne: thanks
18:24:46 <malini1> I have been meaning to put in the glossary references and this will be a good entry point
18:24:48 <bdpayne> I'm also tracking several private security related bugs atm, which all appear to be tracking towards creating OSSNs
18:25:05 <bdpayne> malini1 I will find the tickets, one sec
18:25:20 <bdpayne> so just a heads up that the OSSN authors should have their pens ready ;-)
18:26:10 <bdpayne> Tickets: https://bugs.launchpad.net/horizon/+bug/1118194 and https://bugs.launchpad.net/openstack-manuals/+bug/1243534
18:26:13 <uvirtbot> Launchpad bug 1118194 in openstack-manuals "Security Documentation for Horizon" [Wishlist,Confirmed]
18:26:18 <malini1> :-)
18:26:35 <bdpayne> The Horizon stuff might be best addressed by someone here at Nebula that wrote the initial section there
18:26:43 <bdpayne> but the other one is good to dive into if you want
18:26:44 <annegentle> bdpayne: nice :)
18:27:02 <malini1> sounds good, I shall take the other one
18:27:05 <bdpayne> annegentle I may be slow, but I do get there eventually :-)
18:27:28 <bdpayne> ok, and one final note for this week...
18:27:32 <annegentle> bdpayne: who's your book editor?
18:27:36 * annegentle can be slow too
18:27:49 <bdpayne> Several OSSG members will be at RSA in San Francisco at the end of the month
18:28:00 <bdpayne> if anyone else is planning to come and would like to meet up, just drop me a line
18:28:40 <bdpayne> annegentle The book editors are Sriram Subramanian, David Mortman, and Ben de Bont
18:28:53 <bdpayne> ok, that's all that I have for today
18:28:55 <annegentle> bdpayne: oh are they doing review passes?
18:29:12 <bdpayne> yeah they are trying to improve the clarity and make it a common voice, etc
18:29:20 <bdpayne> also identify areas that need more technical work
18:29:34 <annegentle> bdpayne: nice, that is super helpful
18:29:57 <bdpayne> thanks everyone... have a great week!
18:30:00 <bdpayne> #endmeeting