18:01:47 <hyakuhei> #startmeeting OpenStack Security Group
18:01:48 <openstack> Meeting started Thu May 22 18:01:47 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:52 <openstack> The meeting name has been set to 'openstack_security_group'
18:02:07 <bknudson> hi
18:02:20 <hyakuhei> Hi bknudson
18:02:29 <tmcpeak> how it goes?
18:02:36 <hyakuhei> Let's go ahead and do a roll-call to get us started
18:02:42 <nkinder> o/
18:02:52 * hyakuhei is Rob from HP
18:02:56 <hyakuhei> Hey nkinder
18:03:01 <paulmo> Hey all
18:03:03 <hyakuhei> tmcpeak: welcome.
18:03:07 <tmcpeak> thank you!
18:03:15 * tmcpeak is Travis McPeak from Symantec
18:03:34 <nkinder> tmcpeak: hey Travis!
18:03:34 <bknudson> bknudson is Brant Knudson from IBM
18:03:58 <hyakuhei> Ok, so, agenda items for today?
18:04:01 <tmcpeak> hey Nathan, how it goes?
18:04:25 <nkinder> tmcpeak: slowly digging myself out of post-summit backlog :)
18:04:33 <hyakuhei> Hah, I know that feeling ^
18:04:41 <bknudson> there was a post to mailing list about meeting w/ barbican / keystone at hackerdom
18:04:51 <hyakuhei> So I've got a bunch of stuff to discuss, including the OSSG meetup :)
18:04:52 <bknudson> that would potentially include ossg
18:05:06 <hyakuhei> Let's make that an agenda item
18:05:12 <hyakuhei> So I'd like to talk about:
18:05:15 <hyakuhei> OSSG Meetup
18:05:19 <hyakuhei> Tasks from the last summit
18:05:25 <hyakuhei> The possibility of expanding our scope
18:05:33 <hyakuhei> OSSG Core Reviewers for _other_ projects
18:05:41 <hyakuhei> A few other little bits
18:06:00 <hyakuhei> bknudson: Do you have anything to bring up around TA?
18:06:07 <nkinder> sounds like a full agenda
18:06:19 <bknudson> hyakuhei: no, still recovering from summit
18:06:29 <hyakuhei> Yea, so we can breeze through it but you've prompted me to add one more nkinder
18:06:35 <hyakuhei> Potentially expanding the meeting
18:06:36 <hyakuhei> Ok.
18:06:52 <hyakuhei> #topic OSSG Meetup
18:07:04 <malini1> Greetings
18:07:15 <hyakuhei> At the summit I floated the idea of the OSSG piggy-backing off the Barbican mid-cycle meetup
18:07:39 <hyakuhei> It would be a good opportunity to partake in Barbican design sessions as well as work on small sprints for TA, the book and other projects
18:07:54 <tmcpeak> sounds like a good idea
18:08:21 <hyakuhei> Barbican liked the idea, turns out they are piggybacking off Keystone as well, so all the security/IAM/key mgmt people will be in the same place. That seems like a good thing
18:08:42 <hyakuhei> Ok, there's more info on the ML if people are interested
18:08:44 <malini1> where will the meeting be?
18:08:50 <nkinder> San Antonio
18:08:52 <nkinder> TX
18:08:53 <Priti> Hi Team, this is Priti from Symantec, joining IRC for the first time, looking forward to working with you
18:08:54 <hyakuhei> Geekdom in San Antonio
18:09:01 <hyakuhei> Priti: Welcome :)
18:09:02 <nkinder> Hi Priti
18:09:10 <malini1> welcome Priti
18:09:18 <Priti> Thank you !!!
18:09:41 <hyakuhei> Ok, lots to get through so I'll move onto the next point, very excited about this though, there's an interesting opportunity to get a lot done.
18:09:50 <nkinder> I can't make the proposed week for the hackfest, but I can make the week after. I've let the Keystone and Barbican devs know just in case they are OK switching it.
18:10:03 <hyakuhei> #topic OSSG Tasks
18:10:32 <hyakuhei> The summit was great, it's taken a long time but we have the legitimacy we've been seeking. It was the first summit where we had lots of developers coming to us for help
18:11:01 <hyakuhei> There's been suggestions for adding gate jobs, code scanning etc coming from the outside for once
18:11:21 <hyakuhei> Now most of you know we have lots going on but three 'main' projects, TA, OSSN and the Guide
18:12:03 <tmcpeak> what's TA?
18:12:15 <nkinder> threat analysis
18:12:17 <tmcpeak> ahh
18:12:21 <hyakuhei> Each with their own leadership. My question for you all to ponder (email to follow) is if any of you have the time and inclination to step up and take one of our smaller projects (security guidelines, vulnerability feeds etc) and drive it to be another 'big' project
18:12:33 <hyakuhei> Again, I'll follow up by email.
18:12:53 <hyakuhei> Mainly I'm excited about how much traction we got at this summit and how many people were talking about security in general
18:12:59 <nkinder> tmcpeak is getting involved with the security/crypto audit
18:13:10 <nkinder> ...starting with glance
18:13:12 <hyakuhei> nkinder: that's great!
18:13:18 <tmcpeak> yep! I'm excited :)
18:13:20 <hyakuhei> thanks tmcpeak
18:13:23 <tmcpeak> thank you
18:13:27 <paulmo> nkinder, professional security recruiter :)
18:13:47 <hyakuhei> Let me know how that goes and what help is required from the OSSG to make it easier :)
18:13:59 <hyakuhei> #topic VMT Metrics
18:14:27 <hyakuhei> We've been asked to help the VMT come up with a sensible set of metrics for demonstrating the impact of a vulnerability in OpenStack
18:14:43 <tmcpeak> what's VMT?
18:14:45 <hyakuhei> Around Essex they stopped mentioning impact in OSSAs at all
18:14:50 <hyakuhei> Vulnerability Management Team
18:14:57 <tmcpeak> ahh ok
18:15:04 <hyakuhei> They're like a CERT for OpenStack, receiving and triaging bugs
18:15:09 <tmcpeak> cool, thank you
18:15:41 <hyakuhei> So if anyone has a favorite vulnerability impact rating system (no points for CVSSv2) that doesn't fall on its ass when applied to virtualized environments, please let me know!
18:16:24 <hyakuhei> #Topic Low hanging fruit
18:16:34 <paulmo> OWASP might be an interesting rating system to look at: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
18:16:44 <hyakuhei> TY paulmo
18:17:06 <hyakuhei> What basic checks, greps, investigations can we perform to find errors in OpenStack?
18:17:25 <hyakuhei> I know chair6 has been looking at some interesting stuff using the Python AST library
18:17:35 <paulmo> … as part of the gate or standalone tools or both?
18:17:39 <hyakuhei> Grepping for 'cPickle' and 'shell=True' comes to mind
18:17:41 <hyakuhei> Both
18:18:00 <bknudson> we could look for calls to eval
18:18:10 <hyakuhei> OpenStack is so immature I'm willing to bet there's a good effort:reward ratio right now for even basic checks
18:18:18 <paulmo> Look for imports of risky crypto libraries perhaps
18:18:49 <tmcpeak> on that line, I'm working on a little script to automate imports and crypto calls in Python code
18:18:50 <hyakuhei> Ok, so I'd like it if someone took an action to collect these suggestions on the wiki and badger people on the ML for more content
18:18:51 <nkinder> paulmo: tmcpeak has started working on a crypto search tool to help with the audit effort
18:18:57 <tmcpeak> basically a glorified grep against a dictionary file
18:19:08 <hyakuhei> tmcpeak: That sounds incredibly useful.
18:19:09 <tmcpeak> ^ what nkinder said :)
18:19:09 <paulmo> +1 tmcpeak!
18:19:28 <hyakuhei> Ok, so does anyone want to volunteer for this?
18:19:42 <tmcpeak> very basic but it's here in case anybody wants to take a look at it
18:19:44 <tmcpeak> https://github.com/tmcpeak/cryptoAuditor
18:19:44 <hyakuhei> or should we assign it to bdpayne because he's not here ? :D
18:19:58 <tmcpeak> I'd love feedback/suggestions
18:20:19 <hyakuhei> #link https://github.com/tmcpeak/cryptoAuditor Comments and suggestions welcome
18:20:30 <malini1> i volunteer
18:20:43 <hyakuhei> Awesome! Thanks malini1
18:21:29 <hyakuhei> #action malini1 To document the various things we can identify in OpenStack code that could have security impact using only basic tooling. To compile a simple list on the wiki and encourage contributions from other members
18:21:52 <hyakuhei> #topic Developer Security Guidelines
18:22:17 <hyakuhei> The security guidelines really need to be completed so we can use them
18:22:45 <hyakuhei> Core devs have also asked for a top-10 style checklist they can keep in mind when reviewing commits.
18:22:57 <nkinder> #link https://wiki.openstack.org/wiki/Security/Guidelines
18:22:58 <paulmo> Does everyone in OSSG agree with the high level list? (if this is the one I'm thinking of)
18:23:17 <hyakuhei> paulmo: For the most part yes :)
18:23:25 <paulmo> If we can get consensus in OSSG with the list, then the drilldown pages can be filled in relatively quickly I bet
18:23:34 <hyakuhei> I'd like to split out design decisions from implementation ones but largely it's good
18:23:41 <paulmo> Let's remove or mark any contentious items then
18:23:47 <hyakuhei> It's been outstanding for a while, maybe it'd be better done in a sprint
18:24:11 <nkinder> hyakuhei: yes, a sprint might work well for it
18:24:34 <hyakuhei> #Topic AOB
18:24:43 <tmcpeak> sorry, but what's AOB?
18:24:55 <hyakuhei> Any other business :)
18:24:59 <tmcpeak> ahh :)
18:25:14 <nkinder> malini1 is close to wrapping the one outstanding OSSN
18:25:16 <hyakuhei> OSSG meeting length :: Does anyone want to extend the meeting?
18:25:35 <hyakuhei> yes! excellent work malini1 ! _Not_ an easy one to write up!
18:25:58 <hyakuhei> The process put in place by nkinder is paying dividends in this case
18:26:20 <paulmo> One item on logging… what is the general consensus of this group about asking developers to mark confidential data up front in the code to prevent admins from trying to filter out passwords and such on the backend log databases and such?
18:26:22 <nkinder> malini1: just a few more minor suggestions in there, then it's ready IMHO
18:26:47 <nkinder> hyakuhei: extending the meeting to 1h would be useful I think
18:26:56 <malini1> malini1 -- :-( major goof up on that OSSN .. hopefully I improve on next one
18:27:01 <hyakuhei> paulmo: The earlier confidential data can be identified the better imho
18:27:04 <paulmo> (sorry, to prevent admins from having to continuously hunt down log data that shouldn't be in plain text or logged at all)
18:27:15 <nkinder> hyakuhei: we would then have time to hash out things like the security guidelines right here
18:27:21 <hyakuhei> It then becomes a matter of policy
18:27:24 <hyakuhei> nkinder: +1
18:27:58 <hyakuhei> It does mean that's an 8pm finish for me (world's smallest violin)
18:28:06 <bknudson> paulmo: if the logs contain passwords / auth tokens somebody here will likely open a bug and we'll have to fix it
18:28:08 <paulmo> We created a class in Solum to identify confidentiality of pieces of log information… perhaps this group could look at it and give input.
18:28:18 <nkinder> hyakuhei: we can find a different timeslot too
18:28:26 <paulmo> It ties into oslo log and everything.
18:28:32 <nkinder> hyakuhei: oh, one other topic that was brought up at the summit was creating our own IRC channel
18:28:40 <hyakuhei> True, there are more official meeting channels now so that could work
18:28:55 <hyakuhei> nkinder: Yes - I have no opposition to trying that
18:29:05 <hyakuhei> Thoughts @all?
18:29:09 <malini1> +1 to move timeslot to make it convenient
18:29:11 <tmcpeak> yeah, why not?
18:29:34 <hyakuhei> #action hyakuhei to look at moving to a 1 hour meeting and finding a better meeting slot
18:30:02 <tmcpeak> I like the own IRC channel idea too
18:30:12 <malini1> i like the 30 min but 1 hr is fine with out-of-school if we have less any day
18:30:26 <paulmo> #ossg is available :)
18:30:51 <nkinder> paulmo: I think we should prefix it with "openstack-" to be in line with the other channels
18:31:03 <paulmo> Ah, not sure about policy… whatever is fine with me :)
18:31:15 <hyakuhei> Ok I'll follow up on the ML regarding an IRC channel I guess.
18:31:26 <hyakuhei> That's time people - any last minute emergencies to bring up?
18:31:33 <paulmo> I'm hanging in #openstack-ossg just in case
18:31:33 <bknudson> thanks!
18:31:43 <hyakuhei> Thanks everyone!
18:31:47 <hyakuhei> #endmeeting