17:02:20 <hyakuhei> #startmeeting openstack security group
17:02:21 <openstack> Meeting started Thu Jun 12 17:02:20 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:26 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:37 <hyakuhei> So congratulations to everyone who remembered the new time and place!
17:02:47 <nkinder> hi all
17:02:52 <hyakuhei> and many thanks to bdpayne for stepping in to take the meeting last week
17:02:55 <hyakuhei> Roll Call!
17:02:58 <hyakuhei> o/
17:03:05 * tmcpeak Travis McPeak
17:03:08 <bdpayne> o/
17:03:22 <hyakuhei> Small crowd :P
17:03:24 <nkinder> o/
17:03:29 <tmcpeak> what's o/
17:03:38 <bdpayne> (waving hand)
17:03:45 <bdpayne> (or raising hand)
17:03:48 <hyakuhei> It’s what all the cool kids do
17:03:50 <tmcpeak> ahh
17:03:54 <tmcpeak> now I know ;)
17:03:59 <tkelsey> Hello
17:04:08 <hyakuhei> Welcome tkelsey !
17:04:30 <tkelsey> hyakuhei: thanks
17:04:36 <hyakuhei> So as a reminder, we have a whole hour put aside but we’ll give time back if we can
17:04:53 <CristianF> Hi everyone
17:05:01 <hyakuhei> I’d like to speak to threat analysis and to the OSSG meetup - other topics for dicussion?
17:05:04 <hyakuhei> *discussion
17:05:16 * hyakuhei can’t write so gud.
17:05:17 <chair6> 'ello
17:05:22 <nkinder> We can talk about current OSSNs
17:05:30 <bdpayne> I don't have anything else to add to the agenda
17:05:33 <hyakuhei> We most certainly can !
17:05:39 <tmcpeak> I have one topic
17:05:45 <hyakuhei> which is?
17:05:55 <tmcpeak> about maybe getting a blueprint going for this gating addition for security
17:06:05 <hyakuhei> Great
17:06:14 <hyakuhei> Lets start with OSSNs and we’ll come around to gating
17:06:19 <tmcpeak> sounds good
17:06:22 <hyakuhei> #topic OpenStack Security Notes
17:06:31 <hyakuhei> Go ahead nkinder
17:06:58 <nkinder> We have one OSSN out for review right now that tmcpeak has been working on
17:07:06 <hyakuhei> 0017 iirc.
17:07:08 <nkinder> https://review.openstack.org/#/c/99420/
17:07:18 <hyakuhei> Very close to being ready.
17:07:21 <nkinder> So reviews of it would be appreciated
17:07:37 <bdpayne> ahh, sounds good
17:07:39 <tmcpeak> yeah, definitely appreciate feedback
17:07:50 <nkinder> There are two that haven't been picked up yet - https://bugs.launchpad.net/ossn/
17:08:02 <nkinder> I'm planning on picking one up tomorrow if nobody grabs them
17:08:14 <dg_> sorry I'm late people
17:08:16 <hyakuhei> nkinder: I think Stan from my team wants to pick one up
17:08:27 <nkinder> hyakuhei: ok, any preference on which one?
17:08:40 <hyakuhei> I’m not sure, he should be along here shortly.
17:08:48 <nkinder> ok.
17:09:06 <nkinder> So I also sent out a revised OSSN for 0013 this week
17:09:14 <hyakuhei> Thanks for doing that nkinder
17:09:15 <nkinder> That was our first time revising an existing note
17:09:45 <nkinder> From a process standpoint, I felt that it was ideal to point out that it was a revision on the mailing list
17:09:47 <hyakuhei> I think it went as well as you could expect, didn’t see any complaints
17:10:15 <tmcpeak> why did that one have to change again?
17:10:19 <nkinder> I did that by replying to the original OSSN thread and putting "***revision***" in the subject.
17:10:28 <tmcpeak> I vaguely remember something about it but I was brand new at that point
17:10:30 <nkinder> Does that seem like enough to call out the revision to everyone?
17:10:37 <nkinder> tmcpeak: the workaround didn't work
17:10:42 <tmcpeak> ahh
17:10:44 <hyakuhei> tmcpeak: The sample code that we brought over from the LP bug wasn’t tested and it wasn’t correct.
17:10:52 <hyakuhei> Lessons were learned :)
17:11:02 <nkinder> :)
17:11:02 <tmcpeak> excellent
17:11:43 <nkinder> So that's it on OSSNs, though I'd like to continue on publishing automation at the mid-cycle
17:11:53 <hyakuhei> nkinder: great stuff.
17:11:54 <nkinder> It's been falling off of my todo list
17:12:02 <tmcpeak> sounds good
17:12:14 <hyakuhei> viraptor_: will be helping with an OSSN, maybe you and nkinder can work out which ones to take?
17:12:33 <viraptor_> sure, I'll reach out after the meeting
17:12:44 <hyakuhei> tmcpeak: Thank you for the work you’ve done on 0017 - OSSNs are a really nice way we can gain recognition in the community
17:13:05 <tmcpeak> hyakuhei: sure, yeah I had fun with it
17:13:08 <hyakuhei> #topic Gate tests
17:13:13 <tmcpeak> it's cool to dive into a bug and do some testing
17:13:15 <bdpayne> tmcpeak I've asked Paul McMillian to help review OSSN 0017
17:13:22 <hyakuhei> tmcpeak: you’re up :)
17:13:32 <tmcpeak> bdpayne: cool, thank you
17:13:33 <tmcpeak> ok
17:13:36 <tmcpeak> so for gate testing
17:13:54 <tmcpeak> I'd like to clear all hurdles that we might face ahead of time with getting some automated security checking into the gerrit process
17:14:10 <tmcpeak> but I'm still pretty new, so I'm not sure what those hurdles might be
17:14:21 <hyakuhei> +1 I think we need someone to have gone through the process before the group meetup
17:14:25 <tmcpeak> I talked to my manager and he suggested I might be able to get some more legitimacy for the idea by putting up a blueprint
17:14:46 <hyakuhei> I’m not sure that individual gate tests need their own BPs ?
17:15:01 <hyakuhei> Though I have no specific objection
17:15:02 <tmcpeak> no, not individual gate tests, the whole security gate testing, flag for review concept as a whole
17:15:16 <tmcpeak> one blueprint for automated checking of some instant-security fails, or red flags
17:15:21 <hyakuhei> Ah ok, yes I can see obvious value in that
17:15:24 <bdpayne> we should do a very easy / non-controversial test change
17:15:27 <bdpayne> and just push that through the system
17:15:32 <nkinder> I think we need non-voting gate tests first
17:15:32 <hyakuhei> +1
17:15:35 <nkinder> bdpayne: +1
17:15:36 <bdpayne> there was some talk of negative testing at the summit
17:15:37 <hyakuhei> Pathfinding is useful
17:15:38 <tmcpeak> it could be as simple as just, when those things come up, automatically request a security reviewer to be added
17:15:41 <bdpayne> I think that this will be well received
17:15:56 <hyakuhei> The most simple thing to flag on is probably shell=True
17:16:01 <chair6> as long as we're very careful about false positives
17:16:17 <bdpayne> for the first change, I'd suggest something that doesn't link in a human, but instead flags some simple issue(s)
17:16:22 <tmcpeak> yeah, false positives would be the biggest concern
17:16:24 <hyakuhei> I think all tests should be info-only, I don’t think we should have -1’s flying around until we’re very confident about detection
17:16:29 <bdpayne> chair6 yes, very true
17:16:45 <tkelsey> hyakuhei: +1 yes, dry run it, as it were
17:16:50 <tmcpeak> what about just recommending adding some reviewers, is that possible?
17:17:07 <hyakuhei> So it’ll be publishing a review to gerrit
17:17:13 <hyakuhei> You can put whatever you want in the review
17:17:17 <hyakuhei> recommend people etc
17:17:17 <tmcpeak> ok cool
17:17:18 <nkinder> tmcpeak: you mean security team reviewers?  That was something we discussed at the summit.
17:17:37 <hyakuhei> Yeah so that’s slightly separate, I’ll speak to the security reviewers thing in a minute perhaps ?
17:17:37 <nkinder> we talked about adding a group as reviewers
17:17:54 <nkinder> yes, it seems separate from gate tests to me too
17:18:01 <hyakuhei> ok cool.
17:18:03 <tmcpeak> my thought was just that when something is detected in automation, it recommends adding a security reviewer
17:18:08 <tmcpeak> but yeah, maybe these are two separate issues
17:18:11 <hyakuhei> So, tmcpeak what do you need help with to move this forward?
17:18:14 <nkinder> let's define gate tests first
17:18:19 <tmcpeak> ok cool
17:18:24 <tmcpeak> so do you think the blueprint would help with this?
17:18:26 <hyakuhei> There are a number of basic ones outlined in the meetup etherpad
17:18:34 <nkinder> it sounds like most of the discussion above is around static analysis (anti-patterns, etc.)
17:18:41 <hyakuhei> tmcpeak: yes
17:18:47 <tmcpeak> I agree with whoever said that we should start with just the most basic one
17:18:51 <tmcpeak> that is least likely to fail
17:18:55 <dg_> tmcpeak good thinking to add a security reviewer if a gate test is failed, easy way of dealing with false positives
17:18:55 <tmcpeak> and see if we can get that going first
17:18:57 <tmcpeak> then add others
17:18:58 <hyakuhei> nkinder: there are some specific gate tests on the etherpad iirc
17:19:13 <hyakuhei> static analysis etc is more an infra/build hook shindig
17:19:16 <dg_> hyakuhei got a link?
17:19:30 <hyakuhei> #link https://etherpad.openstack.org/p/ossg-juno-meetup
17:19:36 <dg_> merci
17:19:55 <tmcpeak> so maybe if anybody has any ideas for the best way to get this going, HMU on IRC, or email me, or I can post a topic on the mailing list about how to get it going
17:20:04 <nkinder> hyakuhei: those are largely all static checks though
17:20:05 <tmcpeak> I just don't have a good enough feel for the community yet for the best way to proceed
17:20:19 <nkinder> the one exception is the permissions issue maybe (depending on how we check it)
17:20:51 <nkinder> If we want to add security gate tests, we should keep a narrow focus and do one thing well as a start
17:21:06 <tmcpeak> aren't we talking about doing static tests though?
17:21:08 <bdpayne> tmcpeak I'd look at the commit history for tempest to see what it looks like to add new tests https://github.com/openstack/tempest/commits/master
17:21:17 <hyakuhei> viraptor_: Do you think you could help tmcpeak through the blueprint process ?
17:21:21 <bdpayne> and then work from there
17:21:31 <hyakuhei> bdpayne: great idea
17:21:32 <nkinder> I'm pretty interested in things like fuzzing and tempest tests
17:21:36 <tmcpeak> bdpayne: +1
17:21:45 <nkinder> static is good too, but has a lot of potential for false positives
17:21:48 <hyakuhei> nkinder: +1 but they’re different to gate tests I think
17:21:57 <viraptor_> hyakuhei: sure
17:21:59 <hyakuhei> nkinder: Agreed, but that’s why the anticipation is they’re info only
17:22:25 <hyakuhei> Hey - you appear to have done $_stupid thing. Read about $_stupid thing here <> and consider making changes and considering this issue during review.
17:22:26 <hyakuhei> etc
17:22:44 <tmcpeak> hyakuhei: yeah, that's along the lines of what I'm thinking
17:22:54 <nkinder> "gate tests" is overloaded, and fuzzing could be done as a gate job.
17:22:58 <tmcpeak> hyakuhei: also consider having nkinder look at <stupid thing>
17:23:10 <hyakuhei> nkinder: Sure, but lets walk before we can run
17:23:11 <nkinder> Static is fine, but let's spell out that we're talking about static analysis only right now
17:23:26 <hyakuhei> Except you’re overloading the term static-analysis :)
17:23:39 <hyakuhei> We’re basically talking about grep/pattern matching here.
17:23:43 <hyakuhei> SA is _far_ more involved
17:23:53 <hyakuhei> Which may be where some of the confusion is coming from
17:23:55 <tmcpeak> I think let's start with one super basic automated pattern matching type test
17:23:57 <nkinder> code analysis vs. run-time
17:24:11 <tmcpeak> Shell=true, or something
17:24:19 <viraptor_> well, the checks listed so far sound very much like the flake/hacking checks - those provide a framework for this kind of work already
17:24:19 <bdpayne> yeah, this can get out of control quickly
17:24:22 <bdpayne> start simple
17:24:24 <hyakuhei> SA always involves intermediate flow modelling, we are just talking about matching patterns etc
17:24:38 <viraptor_> it would be great to just keep them separate even if we're using the same mechanism though
17:25:16 <tmcpeak> also I had another plan to look for new usages of crypto
17:25:30 <tmcpeak> whenever somebody is checking in something that uses any crypto library that wasn't used before, add a security reviewer on it
17:25:35 <tmcpeak> I don't know how that fits in to this
17:25:36 <hyakuhei> Ok great, so as a first step, viraptor_ and tmcpeak will look at how to get a basic warning-producing gate test written up and blueprinted?
17:25:39 <nkinder> viraptor_: it does map to flake/hacking pretty well
17:25:52 <hyakuhei> tmcpeak: wow, I think that’d blow up pretty fast lol
17:26:07 <hyakuhei> Did anyone see the related thread with noloader and others?
17:26:14 <tmcpeak> hopefully people aren't just willy-nilly adding crypto usages all over the place
17:26:23 <hyakuhei> Basically trying to push for a central crypto implementation in oslo and getting people to use that
17:26:31 <hyakuhei> then detecting divergence is easy
17:26:33 <tmcpeak> oh yeah
17:26:34 <viraptor_> grep ECB -> -1 :)
17:26:53 <hyakuhei> obvious applications for everyone’s friendly pyca cryptography library there
17:27:27 <tmcpeak> ok, so yeah, I'll work with viraptor_ to look into getting a simple blueprint set up to have the most basic security gate test
17:27:28 <hyakuhei> #action viraptor_ and tmcpeak to come up with a basic blueprint for security gate jobs, likely to be info-only to start with and applying only the most basic of tests.
17:27:58 <tmcpeak> cool
17:28:09 <hyakuhei> nkinder: does this sit ok with you? We can add smarter tests where appropriate
17:28:30 <nkinder> Yeah, absolutely.  I just wanted to define simple goals to start with.
17:28:36 <tmcpeak> +1
17:28:41 <hyakuhei> Great, I think we’re all aligned then
17:28:48 <hyakuhei> #topic OSSG Meetup
17:29:02 <bdpayne> FYI... I need to run for another meeting.  I know I own a few sentences about the book effort at the mid-summer meetup.  Beyond that just let me know if there's things I need to do.  I'll check the meeting minutes later.
17:29:15 <tmcpeak> sounds good
17:29:15 <hyakuhei> Thanks bdpayne
17:30:02 <hyakuhei> Ok, a few people have suggested things on the meetup etherpad. Which is great but I need those leading them to add a line describing what they want to achieve so we can sort out the scheduling
17:30:37 <nkinder> hyakuhei: on my list for today
17:30:38 <hyakuhei> nkinder shohel__ I’m looking at you guys :P
17:30:43 <hyakuhei> Wonderful!
17:31:11 <hyakuhei> We had said 3-4 days for this, I’m thinking a solid 4 so people can travel home on the Friday and this thing doesn’t eat into two weekends, that ok with people?
17:31:47 <nkinder> hyakuhei: yeah, I'd rather not travel on 2 weekends
17:31:59 <dg_> +1
17:32:05 <hyakuhei> +++1
17:32:10 <nkinder> 4 solid is good with me (M-Th maybe)?
17:32:10 <shohel__> I will add some text and what we want to achieve there
17:32:14 <tmcpeak> +1
17:32:15 <hyakuhei> ok great Monday->Thursday [full days] it is.
17:32:19 <hyakuhei> Thanks shohel__
17:32:31 <dg_> hyakuhei can we not check in for 9 nights this time...
17:32:46 <hyakuhei> Ok, earlier today I sent a call-to-arms regarding Threat Analysis on -dev
17:33:02 <nkinder> hyakuhei: what about hotel info?
17:33:04 <hyakuhei> I’d appreciate it if you guys could comment/+1 to show some cross organisational love on the ML
17:33:13 <hyakuhei> nkinder: You should probably stay in one.
17:33:21 <shohel__> thanks Rob
17:33:22 <nkinder> ok, no cardboard box
17:33:28 <hyakuhei> I’ll send some links to decent hotels in the area, I’ll likely be at the Westin
17:33:39 <hyakuhei> It’s walking distance from $stuff and not overly expensive
17:33:54 <nkinder> is there an HP rate or anything there?
17:34:22 <hyakuhei> We do get a corporate rate, I’ll find out if we can extend the rate to other guests, I’m not 100% sure
17:34:25 <hyakuhei> http://www.westinseattle.com/
17:34:37 <chair6> just say you're from microsoft.. :)
17:34:41 <hyakuhei> It’s a bit dated but I’m a creature of habit, lots of great hotels around there.
17:34:45 <chair6> they get discounts everywhere in this neck of the woods
17:34:58 <tmcpeak> chair6: +1
17:35:00 <hyakuhei> chair6 is your local guide to Seattle fyi
17:35:02 <nkinder> chair6: yeah, I contemplated that ;)
17:35:20 <hyakuhei> Ok
17:35:45 <hyakuhei> so shohel__ I know you’ve done a bunch of work on the TA stuff, how do you see the time we’re going to spend on it during the meetup getting used?
17:35:59 <hyakuhei> dg_: You might have some thoughts here too
17:36:17 <shohel__> i think 1 - 2 days
17:36:22 <shohel__> full
17:36:26 <tmcpeak> hyakuhei: I'm eager to get involved with that TA work
17:36:53 <hyakuhei> shohel__: Will this be about the process or test driving the existing process?
17:37:05 <tmcpeak> I guess that brings up a point, are we splitting up into separate sessions, or all involved in one?
17:37:07 <shohel__> i think the process would be simple...
17:37:19 <shohel__> or less time consuming
17:37:25 <hyakuhei> For my part I’d like to see the process adding in some more repeatability steps and formalising a few more bits
17:37:41 <hyakuhei> Things like STRIDE/DREAD - or their alternatives applied to each interconnect etc.
17:37:49 <shohel__> Giving background and analysis would take time
17:37:54 <hyakuhei> Yup
17:37:55 <shohel__> for Keystone
17:38:07 <shohel__> yes, we will follow STRIDE
17:38:09 <hyakuhei> tmcpeak: I’ve asked for a main room and a smaller room
17:38:12 <shohel__> if everyone agrees
17:38:21 <hyakuhei> shohel__: If they don't I’ll beat them.
17:38:31 <tmcpeak> hyakuhei: sounds good
17:38:32 <hyakuhei> I have the bat picked out
17:38:45 <hyakuhei> Ok great, so book stuff is important but bdpayne is afk.
17:38:55 <hyakuhei> Fuzzing is interesting but sriram is afk
17:39:00 <CristianF> shohel: +1
17:39:03 <shohel__> multiple rooms good idea, so multiple session go together
17:39:25 <nkinder> yeah, I can see breakouts for hacking on stuff
17:39:28 <hyakuhei> I think Malini wanted to lead the Anti-Pattern stuff
17:39:44 <hyakuhei> The Seattle office is dotted with various breakout rooms that will probably be available too
17:39:54 <hyakuhei> I need to work out some of those details still
17:40:04 <dg_> hyakuhei sorry was afk, am very interested in the TA stuff
17:40:06 <hyakuhei> nkinder: can you talk about the baseline security review?
17:40:59 <nkinder> hyakuhei: sure.  This is the effort I started here - https://wiki.openstack.org/wiki/Security/Juno
17:41:24 <hyakuhei> What would be the goal of working on this during the meetup ?
17:41:39 <nkinder> hyakuhei: It's reviewing project code to identify used crypto, sensitive data handling, and other security info gathering
17:41:57 <hyakuhei> So it's an eyes-on-code affair?
17:42:02 <tmcpeak> oh yeah, I'm working on that for Glance
17:42:08 <hyakuhei> Or building tooling to identify this stuff?
17:42:10 <nkinder> hyakuhei: I'd like to discuss more about other types of info that should be covered, where the info should really live, and how to make it consumable
17:42:20 <nkinder> tooling is one part (and tmcpeak started on some of that)
17:42:38 <nkinder> but also trying to go through some analysis together or get folks started
17:42:45 <hyakuhei> Ok that makes sense, would this be a better thing to discuss on-list or in person (i.e do you want to get some prep in first) ?
17:42:50 <tmcpeak> yeah, having worked on it, I can attest that tooling would really help
17:43:17 <nkinder> hyakuhei: I think in-person would be ideal, though there are plenty of pointers I can send on list
17:43:33 <hyakuhei> Great stuff :D
17:43:39 <tmcpeak> nkinder: if you would like any help prepping for that, let me know
17:43:48 <hyakuhei> #topic General / Any other business / Gripes
17:44:02 <nkinder> gripes about anything? :)
17:44:42 <tmcpeak> the rent is too damn high
17:44:48 <hyakuhei> I’d like it if we had lots of OSSG branded talks at the summit, that is to say, lots of people driving these security initiatives into the general OpenStack consciousness.
17:44:48 <nkinder> 24 hour days are not enough
17:44:58 <hyakuhei> +1
17:45:08 <hyakuhei> Well I think we are done
17:45:13 <nkinder> hyakuhei: yes, increased exposure would be good
17:45:23 <nkinder> hyakuhei: that might be a great topic for the mid-cycle
17:45:26 <nkinder> brainstorming talks
17:45:43 <nkinder> ...for the 'K' summit
17:46:46 <hyakuhei> +1
17:46:50 <dg_> is the meetup after the submission date for paris then?
17:47:36 <hyakuhei> It will be during the CFP
17:47:55 <tmcpeak> perfect
17:48:06 <tmcpeak> maybe we can have a submit CFP hackathon ;)
17:48:20 <hyakuhei> https://etherpad.openstack.org/p/ossg-juno-meetup updated
17:48:47 <hyakuhei> Ok, any final things before we wrap up?
17:49:17 <hyakuhei> Thank you everyone for a useful meeting, really looking forward to the meet up
17:49:20 <hyakuhei> #endmeeting