18:01:47 <hyakuhei> #startmeeting OpenStack Security Group
18:01:48 <openstack> Meeting started Thu May 22 18:01:47 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:52 <openstack> The meeting name has been set to 'openstack_security_group'
18:02:07 <bknudson> hi
18:02:20 <hyakuhei> Hi bknudson
18:02:29 <tmcpeak> how it goes?
18:02:36 <hyakuhei> Let's go ahead and do a roll-call to get us started
18:02:42 <nkinder> o/
18:02:52 * hyakuhei is Rob from HP
18:02:56 <hyakuhei> Hey nkinder
18:03:01 <paulmo> Hey all
18:03:03 <hyakuhei> tmcpeak: welcome.
18:03:07 <tmcpeak> thank you!
18:03:15 * tmcpeak is Travis McPeak from Symantec
18:03:34 <nkinder> tmcpeak: hey Travis!
18:03:34 <bknudson> bknudson is Brant Knudson from IBM
18:03:58 <hyakuhei> Ok, so, agenda items for today?
18:04:01 <tmcpeak> hey Nathan, how it goes?
18:04:25 <nkinder> tmcpeak: slowly digging myself out of post-summit backlog :)
18:04:33 <hyakuhei> Hah, I know that feeling ^
18:04:41 <bknudson> there was a post to mailing list about meeting w/ barbican / keystone at hackerdom
18:04:51 <hyakuhei> So I've got a bunch of stuff to discuss, including the OSSG meetup :)
18:04:52 <bknudson> that would potentially include ossg
18:05:06 <hyakuhei> Let's make that an agenda item
18:05:12 <hyakuhei> So I'd like to talk about:
18:05:15 <hyakuhei> OSSG Meetup
18:05:19 <hyakuhei> Tasks from the last summit
18:05:25 <hyakuhei> The possibility of expanding our scope
18:05:33 <hyakuhei> OSSG Core Reviewers for _other_ projects
18:05:41 <hyakuhei> A few other little bits
18:06:00 <hyakuhei> bknudson: Do you have anything to bring up around TA?
18:06:07 <nkinder> sounds like a full agenda
18:06:19 <bknudson> hyakuhei: no, still recovering from summit
18:06:29 <hyakuhei> Yea, so we can breeze through it but you've prompted me to add one more nkinder
18:06:35 <hyakuhei> Potentially expanding the meeting
18:06:36 <hyakuhei> Ok.
18:06:52 <hyakuhei> #topic OSSG Meetup
18:07:04 <malini1> Greetings
18:07:15 <hyakuhei> At the summit I floated the idea of the OSSG piggy-backing off the Barbican mid-cycle meetup
18:07:39 <hyakuhei> It would be a good opportunity to partake in Barbican design sessions as well as work on small sprints for TA, the book and other projects
18:07:54 <tmcpeak> sounds like a good idea
18:08:21 <hyakuhei> Barbican liked the idea, turns out they are piggybacking off Keystone as well, so all the security/IAM/key mgmt people will be in the same place. That seems like a good thing
18:08:42 <hyakuhei> Ok, there's more info on the ML if people are interested
18:08:44 <malini1> where will the meeting be?
18:08:50 <nkinder> San Antonio
18:08:52 <nkinder> TX
18:08:53 <Priti> Hi Team, this is Priti from Symantec, joining IRC for the first time, looking forward to working with you
18:08:54 <hyakuhei> Geekdom in San Antonio
18:09:01 <hyakuhei> Priti: Welcome :)
18:09:02 <nkinder> Hi Priti
18:09:10 <malini1> welcome Priti
18:09:18 <Priti> Thank you !!!
18:09:41 <hyakuhei> Ok, lots to get through so I'll move onto the next point, very excited about this though, there's an interesting opportunity to get a lot done.
18:09:50 <nkinder> I can't make the proposed week for the hackfest, but I can make the week after.  I've let the Keystone and Barbican devs know just in case they are OK switching it.
18:10:03 <hyakuhei> #topic OSSG Tasks
18:10:32 <hyakuhei> The summit was great, it's taken a long time but we have the legitimacy we've been seeking. It was the first summit where we had lots of developers coming to us for help
18:11:01 <hyakuhei> There's been suggestions for adding gate jobs, code scanning etc coming from the outside for once
18:11:21 <hyakuhei> Now most of you know we have lots going on but three 'main' projects, TA, OSSN and the Guide
18:12:03 <tmcpeak> what's TA?
18:12:15 <nkinder> threat analysis
18:12:17 <tmcpeak> ahh
18:12:21 <hyakuhei> Each with their own leadership. My question for you all to ponder (email to follow) is if any of you have the time and inclination to step up and take one of our smaller projects (security guidelines, vulnerability feeds etc) and drive it to be another 'big' project
18:12:33 <hyakuhei> Again, I'll followup by email.
18:12:53 <hyakuhei> Mainly I'm excited about how much traction we got at this summit and how many people were talking about security in general
18:12:59 <nkinder> tmcpeak is getting involved with the security/crypto audit
18:13:10 <nkinder> ...starting with glance
18:13:12 <hyakuhei> nkinder: that's great!
18:13:18 <tmcpeak> yep!  I'm excited :)
18:13:20 <hyakuhei> thanks tmcpeak
18:13:23 <tmcpeak> thank you
18:13:27 <paulmo> nkinder, professional security recruiter :)
18:13:47 <hyakuhei> Let me know how that goes and what help is required from the OSSG to make it easier :)
18:13:59 <hyakuhei> #topic VMT Metrics
18:14:27 <hyakuhei> We've been asked to help the VMT come up with a sensible set of metrics for demonstrating the impact of a vulnerability in OpenStack
18:14:43 <tmcpeak> what's VMT?
18:14:45 <hyakuhei> Around Essex they stopped mentioning impact in OSSAs at all
18:14:50 <hyakuhei> Vulnerability Management Team
18:14:57 <tmcpeak> ahh ok
18:15:04 <hyakuhei> They're like a CERT for OpenStack, receiving and triaging bugs
18:15:09 <tmcpeak> cool, thank you
18:15:41 <hyakuhei> So if anyone has a favorite vulnerability impact rating system (no points for CVSSv2) that doesn't fall on its ass when applied to virtualized environments, please let me know!
18:16:24 <hyakuhei> #Topic Low hanging fruit
18:16:34 <paulmo> OWASP might be an interesting rating system to look at: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
18:16:44 <hyakuhei> TY paulmo
18:17:06 <hyakuhei> What basic checks, greps, investigations can we perform to find errors in OpenStack?
18:17:25 <hyakuhei> I know chair6 has been looking at some interesting stuff using the Python AST library
18:17:35 <paulmo> … as part of the gate or standalone tools or both?
18:17:39 <hyakuhei> Grepping for 'cPickle' and 'shell=True' comes to mind
18:17:41 <hyakuhei> Both
18:18:00 <bknudson> we could look for calls to eval
18:18:10 <hyakuhei> OpenStack is so immature I'm willing to bet there's a good effort:reward ratio right now for even basic checks
18:18:18 <paulmo> Look for imports of risky crypto libraries perhaps
18:18:49 <tmcpeak> on that line, I'm working on a little script to automate imports and crypto calls in Python code
18:18:50 <hyakuhei> Ok, so I'd like it if someone took an action to collect these suggestions on the wiki and badger people on the ML for more content
18:18:51 <nkinder> paulmo: tmcpeak has started working on a crypto search tool to help with the audit effort
18:18:57 <tmcpeak> basically a glorified grep against a dictionary file
18:19:08 <hyakuhei> tmcpeak: That sounds incredibly useful.
18:19:09 <tmcpeak> ^ what nkinder said :)
18:19:09 <paulmo> +1 tmcpeak!
18:19:28 <hyakuhei> Ok, so does anyone want to volunteer for this?
18:19:42 <tmcpeak> very basic but it's here in case anybody wants to take a look at it
18:19:44 <tmcpeak> https://github.com/tmcpeak/cryptoAuditor
18:19:44 <hyakuhei> or should we assign it to bdpayne because he's not here ? :D
18:19:58 <tmcpeak> I'd love feedback/suggestions
18:20:19 <hyakuhei> #link https://github.com/tmcpeak/cryptoAuditor Comments and suggestions welcome
18:20:30 <malini1> i volunteer
18:20:43 <hyakuhei> Awesome! Thanks malini1
18:21:29 <hyakuhei> #action malini1 To document the various things we can identify in OpenStack code that could have security impact using only basic tooling. To compile a simple list on the wiki and encourage contributions from other members
18:21:52 <hyakuhei> #topic Developer Security Guidelines
18:22:17 <hyakuhei> The security guidelines really need to be completed so we can use them
18:22:45 <hyakuhei> Core devs have also asked for a top-10 style checklist they can keep in mind when reviewing commits.
18:22:57 <nkinder> #link https://wiki.openstack.org/wiki/Security/Guidelines
18:22:58 <paulmo> Does everyone in OSSG agree with the high level list?  (if this is the one I'm thinking of)
18:23:17 <hyakuhei> paulmo: For the most part yes :)
18:23:25 <paulmo> If we can get consensus in OSSG with the list, then the drilldown pages can be filled in relatively quickly I bet
18:23:34 <hyakuhei> I'd like to split out design decisions from implementation ones but largely it's good
18:23:41 <paulmo> Let's remove or mark any contentious items then
18:23:47 <hyakuhei> It's been outstanding for a while, maybe it'd be better done in a sprint
18:24:11 <nkinder> hyakuhei: yes, a sprint might work well for it
18:24:34 <hyakuhei> #Topic AOB
18:24:43 <tmcpeak> sorry, but what's AOB?
18:24:55 <hyakuhei> Any other business :)
18:24:59 <tmcpeak> ahh :)
18:25:14 <nkinder> malini1 is close to wrapping the one outstanding OSSN
18:25:16 <hyakuhei> OSSG meeting length :: Does anyone want to extend the meeting?
18:25:35 <hyakuhei> yes! excellent work malini1 ! _Not_ an easy one to write up!
18:25:58 <hyakuhei> The process put in place by nkinder is paying dividends in this case
18:26:20 <paulmo> One item on logging… what is the general consensus of this group about asking developers to mark confidential data up front in the code to prevent admins from trying to filter out passwords and such on the backend log databases and such?
18:26:22 <nkinder> malini1: just a few more minor suggestions in there, then it's ready IMHO
18:26:47 <nkinder> hyakuhei: extending the meeting to 1h would be useful I think
18:26:56 <malini1> malini1 -- :-( major goof up on that OSSN .. hopefully I improve on next one
18:27:01 <hyakuhei> paulmo: The earlier confidential data can be identified the better imho
18:27:04 <paulmo> (sorry, to prevent admins from having to continuously hunt down log data that shouldn't be in plain text or logged at all)
18:27:15 <nkinder> hyakuhei: we would then have time to hash out things like the security guidelines right here
18:27:21 <hyakuhei> It then becomes a matter of policy
18:27:24 <hyakuhei> nkinder: +1
18:27:58 <hyakuhei> It does mean that's an 8pm finish for me (world's smallest violin)
18:28:06 <bknudson> paulmo: if the logs contain passwords / auth tokens somebody here will likely open a bug and we'll have to fix it
18:28:08 <paulmo> We created a class in Solum to identify confidentiality of pieces of log information… perhaps this group could look at it and give input.
18:28:18 <nkinder> hyakuhei: we can find a different timeslot too
18:28:26 <paulmo> It ties into oslo log and everything.
18:28:32 <nkinder> hyakuhei: oh, one other topic that was brought up at the summit was creating our own IRC channel
18:28:40 <hyakuhei> True, there are more official meeting channels now so that could work
18:28:55 <hyakuhei> nkinder: Yes - I have no opposition to trying that
18:29:05 <hyakuhei> Thoughts @all?
18:29:09 <malini1> +1 to move timeslot to make it convenient
18:29:11 <tmcpeak> yeah, why not?
18:29:34 <hyakuhei> #action hyakuhei to look at moving to a 1 hour meeting and finding a better meeting slot
18:30:02 <tmcpeak> I like the own IRC channel idea too
18:30:12 <malini1> i like the 30 min but 1 hr is fine with out-of-school if we have less any day
18:30:26 <paulmo> #ossg is available :)
18:30:51 <nkinder> paulmo: I think we should prefix it with "openstack-" to be in line with the other channels
18:31:03 <paulmo> Ah, not sure about policy… whatever is fine with me :)
18:31:15 <hyakuhei> Ok I'll follow up on the ML regarding an IRC channel I guess.
18:31:26 <hyakuhei> That's time people - any last minute emergencies to bring up?
18:31:33 <paulmo> I'm hanging in #openstack-ossg just in case
18:31:33 <bknudson> thanks!
18:31:43 <hyakuhei> Thanks everyone!
18:31:47 <hyakuhei> #endmeeting