18:01:00 #startmeeting OpenStack Security Group
18:01:01 Meeting started Thu Apr 17 18:01:00 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:02 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:04 The meeting name has been set to 'openstack_security_group'
18:01:13 #topic Roll Call
18:01:19 o/ everyone
18:01:22 o/
18:01:23 * hyakuhei from HP is here!
18:01:26 bdpayne: hi
18:01:30 Hi!
18:01:30 o /
18:01:34 g'day
18:01:45 excellent, nice group
18:01:50 #topic Agenda
18:01:57 What would people like to discuss today?
18:02:07 Hi. I’m David Graves, new here. I’ve been running the threat analysis program for HP Public Cloud for three years.
18:02:13 anything but heartbleed
18:02:15 hi, welcome!
18:02:15 Hi dgraves_
18:02:24 bknudson: what's heartbleed? Sounds scary
18:02:25 lol... !heartbleed, I can support that
18:02:43 bdpayne: I can give a small update on OSSN publishing
18:02:44 still think it should've been called sleepbleed..
18:02:45 Paul Montgomery here
18:02:57 Hey paulmo
18:03:02 hey paulmo
18:03:26 I'd like to discuss what the focus of the OSSG should be for the next 6 months
18:03:35 sounds juicy
18:03:38 Eric here...
18:03:45 it's been a while..
18:03:45 also a brief sync on OSSN-0010 would be good
18:04:13 ok, so let's get rolling
18:04:28 I'll leave room at the bottom for additional discussion if people come up with other things
18:04:31 #topic OSSNs
18:04:41 So right now I believe the only outstanding OSSN is 10
18:04:49 It's on my list to review today
18:04:54 great
18:04:59 the recent changes look good
18:05:03 just needs one more core review
18:05:05 I've been out at a conference all week, so finally catching up again
18:05:12 https://review.openstack.org/#/c/85441/
18:05:20 also, do we have the process for publishing an OSSN listed anywhere?
18:05:31 ^ for the record .. pretty much beaten to death at this point, so let's get it out
18:05:42 Yes, I have it documented on the wiki (link coming)
18:05:57 chair6: I'm also happy to publish it if you like
18:06:18 we have a lot on the wiki... we should work to make it all easier to find... perhaps organize the content links from a common security landing page
18:06:19 I'm happy with 0010 - I've +2'd it but as I work with Jamie, someone else should approve
18:06:23 * bdpayne is just thinking out loud
18:06:34 hyakuhei: I'll do it right after the meeting
18:06:37 groovy
18:06:38 TY!
18:06:42 nkinder: sounds good, yours to publish
18:07:03 ok. FYI for the publishing details - https://wiki.openstack.org/wiki/Security/Security_Note_Process
18:07:03 ok, I'm sure the next topic will be lengthy, so I'll keep us moving along here
18:07:07 ah, thanks
18:07:14 I just realised that https://bugs.launchpad.net/glance/+bug/1271426 is waiting for me to write up
18:07:16 Launchpad bug 1271426 in ossn "protected property change not rejected if a subsequent rule match accepts them" [High,Confirmed]
18:07:27 #topic OSSG Plans for Juno
18:07:41 hyakuhei take it away ;-)
18:07:46 Thanks bdpayne
18:08:03 So a little while ago I sent around a work topics email with some 5-6 things that I thought we could look into
18:08:41 Since then I've spoken with a bunch of people from the OSSG, and the feeling is that we don't quite have the resources to attack all of these things at once
18:09:13 I think that's pretty accurate
18:09:14 We should pick a few to focus on, at the moment I think Security Guide updates / edits - OSSNs and perhaps threat analysis seem like the best candidates.
18:09:39 yeah, I like that
18:09:44 specifically, I like those three
18:09:47 To that end, if people feel these are good places to focus on and really excel, I'd like to look at having individuals lead each one of those three
18:09:51 +1
18:10:09 I’d like to start contributing directly to the OpenStack threat analysis project.
18:10:29 welcome david
18:10:33 I've already focused on OSSN stuff, so I'd be happy to lead that area
18:10:33 I know that we have a 3-person team set up to serve as book editors
18:10:38 (In the past I was working through others; when a threat analysis review found defects, the HP service team would contribute the fix to OpenStack)
18:10:40 however, progress has stagnated
18:10:40 There are good reasons to do these: they build credibility in the OpenStack community and also enable us to get more involved with developers; we need, as a group, to get closer to most of the lead devs
18:11:04 bdpayne: I'd like to help with the book work but I don't want to lead efforts in that area.
18:11:14 I am willing to take on leading that and trying to push the book work forward, but would want to sync with those other people first
18:11:37 i would be happy to work/lead in threat analysis work
18:11:38 shohel02: you and dgraves_ should probably exchange contact details - I think you've got a bunch to talk about :)
18:11:51 bdpayne: makes sense
18:12:01 yes, david we should
18:12:09 hyakuhei yeah, I don't think you should lead any of the efforts... just leading OSSG will keep you plenty busy ;-)
18:12:19 bdpayne: +1
18:12:24 I would be happy to continue contributing with the threat model effort also
18:12:45 I'm really keen to see where that goes
18:12:48 +1 for Cristian
18:13:03 I also want to make sure that the threat work gets a _lot_ of support from the wider OSSG
18:13:10 sounds like we have some teams forming here, which is great
18:13:38 Great - so I'll follow up with an email about this shortly
18:13:59 hyakuhei perhaps you could coordinate to get some updates to the security wiki pages with specific pages highlighting the work in each of these areas?
18:14:20 That seems like a good idea.
18:14:26 Shohel, are you the one at Ericsson in Finland?
18:14:36 yes
18:14:39 #action hyakuhei to email team-focus stuff
18:15:00 #action hyakuhei to update security wiki with this information
18:15:10 Someone else take some actions :P
18:15:17 So the security guidelines are still outstanding
18:15:26 Largely because of the bug that shall not be named.
18:15:38 #action bdpayne to sync with book editor team and find a path forward
18:17:12 Is it worth us doing as we have before, putting together a list of all the security-relevant design sessions?
18:17:38 Ideally we want OSSG people in basically all design sessions but we will have to prioritize
18:18:25 we could certainly do that
18:18:31 but I'm not sure if people find it useful
18:18:51 I don't think I've got much to add - maybe shohel02 can give an update on the Threat work for the wider OSSG ?
18:18:55 oh, there will be an ossg design session
18:19:02 :)
18:19:14 Definitely
18:19:15 we should have a brief summit discussion in this meeting
18:19:28 #topic Threat Work Update
18:19:33 first, let's discuss the threat work
18:19:58 Ok, so ours is ongoing, but we have raised the issue of landing the content
18:20:17 last week I sent the email, and I guess more or less it is landing in the security guide
18:20:35 what do you guys think
18:20:51 I think the guide makes a lot of sense
18:20:53 like in an appendix?
18:21:00 I think that there will be some output from that work that will fit nicely in the guide
18:21:03 With OSSN/OSSA for actionable output
18:21:18 yes,
18:21:27 but we'll probably want to see what the specific content looks like to understand if it is a new section or an appendix or ??
18:21:45 I was wondering what would work best for documented output - chapter sections (one for each service that has a TM) or a wider TM chapter
18:21:57 I'm feeling the former, even though that's slightly more work
18:22:02 an appendix is a good place, because there will be a final report and a lot of intermediate reports for component analysis
18:22:04 I was thinking one chapter or paper per service
18:22:32 It might be larger than an appendix item IMHO
18:22:48 we do have chapters on the services now, so it could fit within that chapter potentially, as well
18:22:51 lots of options
18:22:55 It's possible that we are getting ahead of ourselves here, maybe when the output from the first TM is complete, we'll have a better idea for how it will fit
18:23:00 but I'm happy to work with the threat analysis team to see how that shakes out
18:23:07 makes sense bdpayne
18:23:08 I was also thinking of putting it in with each service...
18:23:09 yeah, I agree
18:23:20 just looking at the chapters that we have
18:23:33 ok, the second thing is quality control, which we were talking about last time
18:23:52 now that we have a big team I think it will be easier
18:24:11 besides the final output of the threat analysis, how would the tracking/reviews be done? gerrit?
18:24:17 formal reviews through gerrit should help
18:24:35 CristianF_: yes, my vote would be to use gerrit for it
18:24:35 So my dream is that this process will evolve to the point that large OpenStack deployers will be using this as their primary threat analysis and just performing delta/satellite reviews for their internal secret sauce.
18:24:46 s/using/contributing to/
18:25:20 +1
18:25:44 regarding the gerrit / common repo, can we start using the security guide's repo
18:26:06 or what needs to be done from our side
18:26:20 we should probably discuss offline
18:26:30 that may not make sense
18:26:39 but I want to understand more details first
18:27:07 you might want a topic branch that you can work in
18:27:19 perhaps
18:27:29 #topic Summit
18:27:43 I'd like to chat briefly about the summit
18:27:54 There is an OSSG focused design session this time
18:27:55 http://summit.openstack.org/cfp/details/230
18:28:00 please plan to attend
18:28:13 I'm hoping that this will be a great way to get us talking with some of the various projects
18:28:20 and for us to coordinate a bit more in person
18:28:31 I'm really looking forward to that
18:28:38 there are, of course, also many security talks at the summit... largely on Monday
18:28:46 Ironically, that site has security warnings :)
18:28:48 I hope it doesn't conflict with another keystone session
18:29:00 Nice to not be at the end of the week for once - attrition at the summit is terrible
18:29:04 yeah, I haven't seen the dev summit schedule yet
18:29:23 only the cross-project sessions have been accepted
18:29:30 there is also an operators group meeting going on in the unconference that will have a security discussion
18:29:41 otherwise the sessions are still open until the 20th
18:29:49 I will be involved in leading that discussion
18:30:44 #topic Open Discussion
18:31:00 For those in the bay area, you might find this meetup to be interesting
18:31:01 http://www.meetup.com/openstack/events/173686002/?_af_eid=173686002&_af=event&a=uc1_te
18:31:15 featuring some great speakers like myself and nkinder :-)
18:31:21 :)
18:31:26 on the 'coordinate a bit more' note .. do we have an OSSG irc room that everyone idles away their time in?
18:31:45 chair6: nope. We could use openstack-dev
18:31:47 we don't have a specific room for that, but I do hang out in openstack-dev and openstack-doc
18:31:54 good idea
18:32:05 We probably have enough membership to do that now
18:32:09 feel free to mention me in there
18:32:16 k, just curious .. maybe openstack-sec could come to life one day
18:32:22 might be interesting to do that so people have somewhere to drop in
18:32:27 perhaps
18:32:38 It's nice to have things where others will see them though
18:32:39 sounds like something for hyakuhei to investigate ;-)
18:32:40 Dead rooms make me sad on the inside though.
18:32:48 yeah, this is true
18:32:54 let's use -dev and see how that goes
18:33:00 Ok, I've got to go jump on a call
18:33:08 Just bringing this up again: Anything that can give the OSSG some "teeth" in enforcing security requirements would be a very big help.
18:33:21 only problem with -dev is there's no easy way to know who is - or isn't - OSSG
18:33:28 eh, I think that's ok
18:33:35 we'll be the people that care about security
18:33:50 paulmo: We need more credibility and to integrate more tightly with development teams first
18:34:03 though I certainly agree with your point.
18:34:03 yeah, and we are moving in those directions
18:34:05 I'm on a dev team and even I can't get security requirements into my own project.
18:34:13 but it's slow
18:34:22 which is just the nature of a big open source community
18:34:40 paulmo: mail me and let's talk about that, I'd like to understand your issues
18:34:52 heartbleed+++ probably gets more attention, just kidding
18:35:11 ok, I think that's all we have time for today
18:35:16 thanks everyone for a productive meeting
18:35:24 thanks!
18:35:28 #endmeeting