18:01:00 <bdpayne> #startmeeting OpenStack Security Group
18:01:01 <openstack> Meeting started Thu Apr 17 18:01:00 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:04 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:13 <bdpayne> #topic Roll Call
18:01:19 <bdpayne> o/ everyone
18:01:22 <nkinder> o/
18:01:23 * hyakuhei from HP is here!
18:01:26 <bknudson> bdpayne: hi
18:01:30 <CristianF_> Hi!
18:01:30 <shohel02> o/
18:01:34 <chair6> g'day
18:01:45 <bdpayne> excellent, nice group
18:01:50 <bdpayne> #topic Agenda
18:01:57 <bdpayne> What would people like to discuss today?
18:02:07 <dgraves_> Hi. I'm David Graves, new here. I've been running the threat analysis program for HP Public Cloud for three years.
18:02:13 <bknudson> anything but heartbleed
18:02:15 <bdpayne> hi, welcome!
18:02:15 <nkinder> Hi dgraves_
18:02:24 <hyakuhei> bknudson: what's heartbleed? Sounds scary
18:02:25 <bdpayne> lol... !heartbleed, I can support that
18:02:43 <nkinder> bdpayne: I can give a small update on OSSN publishing
18:02:44 <chair6> still think it should've been called sleepbleed..
18:02:45 <paulmo> Paul Montgomery here
18:02:57 <hyakuhei> Hey paulmo
18:03:02 <nkinder> hey paulmo
18:03:26 <hyakuhei> I'd like to discuss what the focus of the OSSG should be for the next 6 months
18:03:35 <bdpayne> sounds juicy
18:03:38 <elo1> Eric here...
18:03:45 <elo1> it's been a while..
18:03:45 <bdpayne> also a brief sync on OSSN-0010 would be good
18:04:13 <bdpayne> ok, so let's get rolling
18:04:28 <bdpayne> I'll leave room at the bottom for additional discussion if people come up with other things
18:04:31 <bdpayne> #topic OSSNs
18:04:41 <bdpayne> So right now I believe the only outstanding OSSN is 10
18:04:49 <nkinder> It's on my list to review today
18:04:54 <bdpayne> great
18:04:59 <bdpayne> the recent changes look good
18:05:03 <bdpayne> just needs one more core review
18:05:05 <nkinder> I've been out at a conference all week, so finally catching up again
18:05:12 <chair6> https://review.openstack.org/#/c/85441/
18:05:20 <bdpayne> also, do we have the process for publishing an OSSN listed anywhere?
18:05:31 <chair6> ^ for the record .. pretty much beaten to death at this point, so let's get it out
18:05:42 <nkinder> Yes, I have it documented on the wiki (link coming)
18:05:57 <nkinder> chair6: I'm also happy to publish it if you like
18:06:18 <bdpayne> we have a lot on the wiki... we should work to make it all easier to find... perhaps organize the content links from a common security landing page
18:06:19 <hyakuhei> I'm happy with 0010 - I've +2'd it but as I work with Jamie, someone else should approve
18:06:23 * bdpayne is just thinking out loud
18:06:34 <nkinder> hyakuhei: I'll do it right after the meeting
18:06:37 <bdpayne> groovy
18:06:38 <hyakuhei> TY!
18:06:42 <chair6> nkinder: sounds good, yours to publish
18:07:03 <nkinder> ok. FYI for the publishing details - https://wiki.openstack.org/wiki/Security/Security_Note_Process
18:07:03 <bdpayne> ok, I'm sure the next topic will be lengthy, so I'll keep us moving along here
18:07:07 <bdpayne> ah, thanks
18:07:14 <hyakuhei> I just realised that https://bugs.launchpad.net/glance/+bug/1271426 is waiting for me to write up
18:07:16 <uvirtbot> Launchpad bug 1271426 in ossn "protected property change not rejected if a subsequent rule match accepts them" [High,Confirmed]
18:07:27 <bdpayne> #topic OSSG Plans for Juno
18:07:41 <bdpayne> hyakuhei take it away ;-)
18:07:46 <hyakuhei> Thanks bdpayne
18:08:03 <hyakuhei> So a little while ago I sent around a work topics email with some 5-6 things that I thought we could look into
18:08:41 <hyakuhei> Since then I've spoken with a bunch of people from the OSSG, and the feeling is that we don't quite have the resources to attack all of these things at once
18:09:13 <nkinder> I think that's pretty accurate
18:09:14 <hyakuhei> We should pick a few to focus on; at the moment I think Security Guide updates / edits, OSSNs and perhaps threat analysis seem like the best candidates.
18:09:39 <bdpayne> yeah, I like that
18:09:44 <bdpayne> specifically, I like those three
18:09:47 <hyakuhei> To that end, if people feel these are good places to focus on and really excel, I'd like to look at having individuals lead each one of those three
18:09:51 <nkinder> +1
18:10:09 <dgraves_> I'd like to start contributing directly to the OpenStack threat analysis project.
18:10:29 <shohel02> welcome david
18:10:33 <nkinder> I've already focused on OSSN stuff, so I'd be happy to lead that area
18:10:33 <bdpayne> I know that we have a 3-person team set up to serve as book editors
18:10:38 <dgraves_> (In the past I was working through others; when a threat analysis review found defects, the HP service team would contribute the fix to OpenStack)
18:10:40 <bdpayne> however, progress has stagnated
18:10:40 <hyakuhei> There are good reasons to do these: they build credibility in the OpenStack community and also enable us to get more involved with developers; we need, as a group, to get closer to most of the lead devs
18:11:04 <hyakuhei> bdpayne: I'd like to help with the book work but I don't want to lead efforts in that area.
18:11:14 <bdpayne> I am willing to take on leading that and trying to push the book work forward, but would want to sync with those other people first
18:11:37 <shohel02> i would be happy to work/lead in threat analysis work
18:11:38 <hyakuhei> shohel02: you and dgraves_ should probably exchange contact details - I think you've got a bunch to talk about :)
18:11:51 <hyakuhei> bdpayne: makes sense
18:12:01 <shohel02> yes, david we should
18:12:09 <bdpayne> hyakuhei yeah, I don't think you should lead any of the efforts... just leading OSSG will keep you plenty busy ;-)
18:12:19 <hyakuhei> bdpayne: +1
18:12:24 <CristianF_> I would be happy to continue contributing to the threat model effort also
18:12:45 <hyakuhei> I'm really keen to see where that goes
18:12:48 <shohel02> +1 for Cristian
18:13:03 <hyakuhei> I also want to make sure that the threat work gets a _lot_ of support from the wider OSSG
18:13:10 <bdpayne> sounds like we have some teams forming here, which is great
18:13:38 <hyakuhei> Great - so I'll follow up with an email about this shortly
18:13:59 <bdpayne> hyakuhei perhaps you could coordinate to get some updates to the security wiki pages with specific pages highlighting the work in each of these areas?
18:14:20 <hyakuhei> That seems like a good idea.
18:14:26 <dgraves_> Shohel, are you the one at Ericsson in Finland?
18:14:36 <shohel02> yes
18:14:39 <hyakuhei> #action hyakuhei to email team-focus stuff
18:15:00 <hyakuhei> #action hyakuhei to update security wiki with this information
18:15:10 <hyakuhei> Someone else take some actions :P
18:15:17 <hyakuhei> So the security guidelines are still outstanding
18:15:26 <hyakuhei> Largely because of the bug that shall not be named.
18:15:38 <bdpayne> #action bdpayne to sync with book editor team and find a path forward
18:17:12 <hyakuhei> Is it worth us doing as we have before, putting together a list of all the security-relevant design sessions?
18:17:38 <hyakuhei> Ideally we want OSSG people in basically all design sessions but we will have to prioritize
18:18:25 <bdpayne> we could certainly do that
18:18:31 <bdpayne> but I'm not sure if people find it useful
18:18:51 <hyakuhei> I don't think I've got much to add - maybe shohel02 can give an update on the Threat work for the wider OSSG ?
18:18:55 <bdpayne> oh, there will be an ossg design session
18:19:02 <hyakuhei> :)
18:19:14 <shohel02> Definitely
18:19:15 <bdpayne> we should have a brief summit discussion in this meeting
18:19:28 <bdpayne> #topic Threat Work Update
18:19:33 <bdpayne> first, let's discuss the threat work
18:19:58 <shohel02> Ok, so ours is ongoing, but we have raised the issue of landing the content
18:20:17 <shohel02> last week I sent the email, and I guess more or less it is landing in the security guide
18:20:35 <shohel02> what do you guys think
18:20:51 <hyakuhei> I think the guide makes a lot of sense
18:20:53 <bknudson> like in an appendix?
18:21:00 <bdpayne> I think that there will be some output from that work that will fit nicely in the guide
18:21:03 <hyakuhei> With OSSN/OSSA for actionable output
18:21:18 <shohel02> yes,
18:21:27 <bdpayne> but we'll probably want to see what the specific content looks like to understand if it is a new section or an appendix or ??
18:21:45 <hyakuhei> I was wondering what would work best for documented output - chapter sections (one for each service that has a TM) or a wider TM chapter
18:21:57 <hyakuhei> I'm feeling the former, even though that's slightly more work
18:22:02 <shohel02> an appendix is a good place, because there will be a final report and a lot of intermediate reports for component analysis
18:22:04 <nkinder> I was thinking one chapter or paper per service
18:22:32 <nkinder> It might be larger than an appendix item IMHO
18:22:48 <bdpayne> we do have chapters on the services now, so it could fit within that chapter potentially, as well
18:22:51 <bdpayne> lots of options
18:22:55 <hyakuhei> It's possible that we are getting ahead of ourselves here; maybe when the output from the first TM is complete, we'll have a better idea for how it will fit
18:23:00 <bdpayne> but I'm happy to work with the threat analysis team to see how that shakes out
18:23:07 <hyakuhei> makes sense bdpayne
18:23:08 <bknudson> I was also thinking put it in with each service...
18:23:09 <bdpayne> yeah, I agree
18:23:20 <bknudson> just looking at the chapters that we have
18:23:33 <shohel02> ok, the second thing is quality control, which we were talking about last time
18:23:52 <shohel02> now that we have a big team i think it will be easier
18:24:11 <CristianF_> besides the final output of the threat analysis, how would the tracking/reviews be done? gerrit?
18:24:17 <nkinder> formal reviews through gerrit should help
18:24:35 <nkinder> CristianF_: yes, my vote would be to use gerrit for it
18:24:35 <hyakuhei> So my dream is that this process will evolve to the point that large OpenStack deployers will be using this as their primary threat analysis and just performing delta/satellite reviews for their internal secret sauce.
18:24:46 <hyakuhei> s/using/contributing to/
18:25:20 <shohel02> +1
18:25:44 <shohel02> regarding the gerrit/common repo, can we start using the security guide's repo
18:26:06 <shohel02> or what needs to be done from our side
18:26:20 <bdpayne> we should probably discuss offline
18:26:30 <bdpayne> that may not make sense
18:26:39 <bdpayne> but I want to understand more details first
18:27:07 <bknudson> you might want a topic branch that you can work in
18:27:19 <bdpayne> perhaps
18:27:29 <bdpayne> #topic Summit
18:27:43 <bdpayne> I'd like to chat briefly about the summit
18:27:54 <bdpayne> There is an OSSG focused design session this time
18:27:55 <bdpayne> http://summit.openstack.org/cfp/details/230
18:28:00 <bdpayne> please plan to attend
18:28:13 <bdpayne> I'm hoping that this will be a great way to get us talking with some of the various projects
18:28:20 <bdpayne> and for us to coordinate a bit more in person
18:28:31 <hyakuhei> I'm really looking forward to that
18:28:38 <bdpayne> there are, of course, also many security talks at the summit... largely on Monday
18:28:46 <paulmo> Ironically, that site has security warnings :)
18:28:48 <bknudson> I hope it doesn't conflict with another keystone session
18:29:00 <hyakuhei> Nice to not be at the end of the week for once - attrition at the summit is terrible
18:29:04 <bdpayne> yeah, I haven't seen the dev summit schedule yet
18:29:23 <bknudson> only the cross-project sessions have been accepted
18:29:30 <bdpayne> there is also an operators group meeting going on in the unconference that will have a security discussion
18:29:41 <bknudson> otherwise the sessions are still open until the 20th
18:29:49 <bdpayne> I will be involved in leading that discussion
18:30:44 <bdpayne> #topic Open Discussion
18:31:00 <bdpayne> For those in the bay area, you might find this meetup to be interesting
18:31:01 <bdpayne> http://www.meetup.com/openstack/events/173686002/?_af_eid=173686002&_af=event&a=uc1_te
18:31:15 <bdpayne> featuring some great speakers like myself and nkinder :-)
18:31:21 <nkinder> :)
18:31:26 <chair6> on the 'coordinate a bit more' note .. do we have an OSSG irc room that everyone idles away their time in?
18:31:45 <nkinder> chair6: nope. We could use openstack-dev
18:31:47 <bdpayne> we don't have a specific room for that, but I do hang out in openstack-dev and openstack-doc
18:31:54 <shohel02> good idea
18:32:05 <hyakuhei> We probably have enough membership to do that now
18:32:09 <bdpayne> feel free to mention me in there
18:32:16 <chair6> k, just curious .. maybe openstack-sec could come to life one day
18:32:22 <hyakuhei> might be interesting to do that so people have somewhere to drop in
18:32:27 <bdpayne> perhaps
18:32:38 <nkinder> It's nice to have things where others will see them though
18:32:39 <bdpayne> sounds like something for hyakuhei to investigate ;-)
18:32:40 <hyakuhei> Dead rooms make me sad on the inside though.
18:32:48 <bdpayne> yeah, this is true
18:32:54 <bdpayne> let's use -dev and see how that goes
18:33:00 <hyakuhei> Ok, I've got to go jump on a call
18:33:08 <paulmo> Just bringing this up again: Anything that can give the OSSG some "teeth" in enforcing security requirements would be a very big help.
18:33:21 <hyakuhei> only problem with -dev is there's no easy way to know who is - or isn't - OSSG
18:33:28 <bdpayne> eh, I think that's ok
18:33:35 <bdpayne> we'll be the people that care about security
18:33:50 <hyakuhei> paulmo: We need more credibility and to integrate more tightly with development teams first
18:34:03 <hyakuhei> though I certainly agree with your point.
18:34:03 <bdpayne> yeah, and we are moving in those directions
18:34:05 <paulmo> I'm on a dev team and even I can't get security requirements into my own project.
18:34:13 <bdpayne> but it's slow
18:34:22 <bdpayne> which is just the nature of a big open source community
18:34:40 <hyakuhei> paulmo: mail me and let's talk about that, I'd like to understand your issues
18:34:52 <shohel02> heartbleed+++ would probably get more attention, just kidding
18:35:11 <bdpayne> ok, I think that's all we have time for today
18:35:16 <bdpayne> thanks everyone for a productive meeting
18:35:24 <nkinder> thanks!
18:35:28 <bdpayne> #endmeeting