17:01:59 <nkinder> #startmeeting openstack security group
17:01:59 <openstack> Meeting started Thu Aug 21 17:01:59 2014 UTC and is due to finish in 60 minutes.  The chair is nkinder. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:02 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:17 <malini> Greetings everyone!
17:02:20 <tmcpeak> hey!
17:02:23 <nkinder> #topic rollcall
17:02:24 <sweston> Greetings
17:02:24 <tkelsey> hi all
17:02:28 <nkinder> Hey OSSG folks
17:02:36 <tmcpeak> hey nkinder
17:02:39 <tmcpeak> how it goes?
17:02:49 <nkinder> not bad
17:03:01 <nkinder> hyakuhei_ is unable to make it today
17:03:16 <nkinder> he passes on his apologies
17:03:31 <tkelsey> busy busy man
17:03:40 <shelleearnold007> Good morning
17:03:44 <bdpayne> o/ peeps
17:04:18 <nkinder> we have a number of topics to cover today
17:04:26 <tmcpeak> I've got 3
17:04:47 <nkinder> what topics did others have?
17:04:53 <tmcpeak> ops for the channel, stevedore follow up, qualys follow up
17:05:04 <nkinder> ok, I have stevedore on my list too
17:05:08 <tmcpeak> oh good
17:05:10 * sicarie sneaks in late
17:05:14 <tmcpeak> you take that, I missed last week
17:05:34 <nkinder> also security guide status, ossns, bandit, the security track for the summit
17:05:43 <tmcpeak> cool
17:05:43 <nkinder> so let's dive in
17:05:47 <rlpple> Hi guys
17:05:53 <rlpple> Randy Perryman here
17:06:01 <tmcpeak> hi rlpple
17:06:03 <nkinder> hey rlpple
17:06:05 <nkinder> #topic summit talks
17:06:22 <nkinder> Thanks to everyone who submitted talks for the security track!
17:06:42 <nkinder> The initial voting has been completed, and I expect that results will be sent out in the near future
17:06:55 <tmcpeak> any idea how near future?
17:07:23 <nkinder> tmcpeak: not sure exactly
17:07:27 <nkinder> tmcpeak: I'll try to find out
17:07:33 <tmcpeak> cool
17:07:39 <nkinder> The proposals covered a broad range of topics
17:08:41 <nkinder> There were some "how do I secure things" talks, some threat assessment work, some intrusion detection topics as well
17:09:30 <nkinder> Mixed in were a number of forward looking topics, covering things like barbican, congress, and utilizing projects that are outside of OpenStack right now
17:10:10 <nkinder> overall, I think there were around 45 proposals, so I think we'll have a nice track!
17:10:36 <nkinder> #topic stevedore
17:10:42 <tmcpeak> awesome!
17:10:46 <nkinder> tmcpeak: take it away
17:11:00 <tmcpeak> oh, I don't have anything new
17:11:05 <tmcpeak> meant to synch up with you from last week
17:11:19 <tmcpeak> will start poking through code this week
17:11:23 <tmcpeak> who were the others?
17:11:25 <tmcpeak> mxin?
17:11:27 <tmcpeak> I don't see him
17:11:38 <nkinder> I'd recommend checking last week's IRC logs.  Basically, nobody has really looked into stevedore it seems.
17:11:48 <tmcpeak> ok, if it's just me, that's fine
17:11:52 <malini> i was supposed to dive in too but nothing attempted yet
17:11:53 <tmcpeak> I'll have status update next week
17:11:58 <tmcpeak> cool
17:12:03 <nkinder> I think there is interest, but nobody has jumped in yet
17:12:17 <nkinder> Basically, there is some level of trust in loading a plugin via stevedore
17:12:19 <tmcpeak> I read through the docs and plan to finish code review before next meeting
17:12:52 <tmcpeak> ok, that's fine
17:12:55 <nkinder> tmcpeak: ok, sounds good.  Anything else on stevedore?
17:12:55 <tmcpeak> we'll revisit next week
17:13:31 <nkinder> #topic ossn
17:13:48 <nkinder> We have a few OSSNs out for review right now.
17:14:01 <nkinder> OSSN-0020 and OSSN-0023 need reviewers
17:14:09 <nkinder> I think they are both close
17:14:28 <nkinder> I don't see shohel around, but he had proposed an OSSN-0024 against the old repo
17:14:56 <nkinder> #link https://review.openstack.org/113422
17:15:09 <nkinder> That's OSSN-0020 that priti was working on
17:15:13 <tmcpeak> looks like we have one here too: https://bugs.launchpad.net/glance/+bug/1354512
17:15:14 <uvirtbot> Launchpad bug 1354512 in ossn "Anonymous user can download public image through Swift" [Undecided,New]
17:15:24 <nkinder> tmcpeak: yep, that was just opened up today
17:15:49 <nkinder> Stan has this one out for review...
17:15:52 <nkinder> #link https://review.openstack.org/114971
17:16:38 <nkinder> And shohel has this one...
17:16:42 <nkinder> #link https://review.openstack.org/114460
17:16:59 <nkinder> So if anyone has some time to review any of those, it would be appreciated!
17:17:08 <tmcpeak> cool, will do
17:17:17 <tkelsey> will have a look
17:17:23 <malini> will do
17:17:42 <nkinder> #topic security-guide
17:17:54 <nkinder> bdpayne: how are things progressing on the security guide bugs?
17:18:07 <bdpayne> quite well actually
17:18:15 <bdpayne> we are maintaining a pretty good steady state velocity
17:18:21 <bdpayne> with several active contributors
17:18:26 <bdpayne> so thanks to all involved
17:18:37 <nkinder> great!
17:18:39 <bdpayne> I still owe the group some forward direction on the book
17:18:44 <bdpayne> which I am working on :-)
17:18:48 <bdpayne> (I promise!)
17:19:05 <nkinder> bdpayne: You mean in terms of a v2 "roadmap"?
17:19:12 <bdpayne> yes
17:19:18 <bdpayne> I would like to plot the course for that
17:19:31 <bdpayne> and also determine how we manage the book with respect to openstack releases and such
17:20:04 <bdpayne> btw, we are down to 42 bugs against the book atm
17:20:04 <nkinder> bdpayne: that will probably be a good topic to talk about at the Summit too (if we don't figure it all out by then)
17:20:13 <bdpayne> agreed
17:20:20 <bdpayne> hopefully I'm moving forward at least a bit by then
17:20:26 <nkinder> :)
17:20:28 <bdpayne> but the summit is a great place for that
17:20:52 <bdpayne> if others would like to help, you can pluck off a bug from https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:21:00 <bdpayne> plenty of work to be done
17:21:07 <bdpayne> and sometimes writing is a nice change from coding :-)
17:21:20 <bdpayne> ok, that's all that I have on the book today
17:21:27 <nkinder> ok, thanks
17:21:28 <bdpayne> unless others have comments / questions / stuff to add
17:22:03 <nkinder> not from me.  Sounds like good progress on the bugs
17:22:18 <bdpayne> indeed
17:22:30 <nkinder> #topic summit
17:22:44 <nkinder> speaking of the summit, who here is planning on attending?
17:23:13 <malini> Malini -- unsure
17:23:15 <nkinder> If we have an idea of who is going, we can start to think about OSSG items that we plan to accomplish there
17:23:23 <nkinder> I'll be there
17:23:30 <bdpayne> I will be there
17:23:35 <sweston> I will be there as well
17:23:38 <tmcpeak> I'll do my best ;)
17:23:42 <nkinder> I know that hyakuhei_ will be there
17:23:59 <tkelsey> I'm not sure
17:24:01 <nkinder> shohel proposed a talk, so he must be planning to attend
17:24:13 <nkinder> priti proposed a talk too, so she's in the same boat
17:24:42 <nkinder> stan too
17:24:46 <tmcpeak> I'm pretty sure Priti will be there
17:25:57 <nkinder> ok, well given the above I think that it's safe to assume we can get some coverage of doc and threat modeling efforts at a minimum
17:26:38 <nkinder> tmcpeak: I think trying to get some discussion on the gate tests there could be valuable
17:27:04 <tmcpeak> definitely, I hope that summit/dev talks make it, but if not, I'll be running around trying to get attention
17:27:11 <tmcpeak> I mean attention for the gate tests :P
17:27:44 <nkinder> tmcpeak: It might be worthy of a design session if we have things far enough along at that point.
17:27:57 <tmcpeak> oh yeah, that's what I mean, design session, not dev
17:28:02 <bdpayne> yeah, shooting for a design sessions there makes a lot of sense, IMHO
17:28:18 <tmcpeak> yeah, I'm going to try to get bandit built out with some more tests
17:28:30 <nkinder> Any other summit related topics from anyone before we talk about bandit some more?
17:28:33 <tmcpeak> find some more bugs, and then we can really make a compelling case to why gate tests are useful
17:28:58 <nkinder> ok then...
17:29:02 <nkinder> #topic bandit
17:29:13 <chair6> hi!
17:29:18 <nkinder> chair6: hey
17:29:24 <chair6> i emailed a summary of status to the mailing list last week
17:29:42 <chair6> haven't seen any response, but it's out there and ready for people to write more tests against
17:29:53 <nkinder> Yeah, thanks for sending that out.  I didn't see any replies... :(
17:29:59 <chair6> i plan on doing some when i have time, but would be good if others could contribute
17:30:15 <tmcpeak> chair6: I'm going to do some work on that end
17:30:19 <bknudson> what's the subject of the note?
17:30:26 <tmcpeak> chair6: I've found a couple other subprocess calls we want to check
17:30:45 <tmcpeak> OpenStack has a wrapper on subprocess that most components are probably using, so we should check that call too for starters
17:31:01 <nkinder> I'm planning to look at how we could make it run as a part of the CI (non-voting)
17:31:10 <chair6> tmcpeak .. i saw your comment on that, and did some digging
17:31:13 <nkinder> finding the time to actually do that is a different matter though...
17:31:26 <chair6> there were a few different examples of what you're describing
17:31:44 <chair6> so i wrote a test that identifies any function call, regardless of name, that includes a shell=True argument
17:31:54 <tmcpeak> flooded in fun?
17:32:21 <tmcpeak> I switched email unfortunately around the exact time you sent it out so I didn't get that ML, can you forward it to me, btw?
17:32:28 <chair6> will do
17:32:59 <tmcpeak> the other thing we might want to look for is eval
17:33:09 <chair6> that's about it though .. i plan to keep working on improving the framework, and building out more tests
17:33:18 <chair6> i'll leave the CI-integration piece to you, nkinder
17:34:38 <nkinder> chair6: ok, sounds good
17:34:39 <bknudson> is bandit going to live in github or get pulled into openstack repo?
17:35:07 <tmcpeak> bknudson: good question
17:35:15 <chair6> i'd like to get it into an openstack repo
17:35:22 <bknudson> I think it would be nice to have gerrit for reviews
17:35:26 <chair6> agreed
17:35:28 <malini> inside oslo would be nice
17:35:53 <nkinder> any other bandit talk?
17:36:09 <nkinder> and +1 on gerrit for bandit tests
17:36:11 <bknudson> can you point me to the check that bandit is doing now?
17:36:30 <bknudson> in github
17:36:32 <chair6> https://github.com/chair6/bandit/tree/master/plugins is where they're defined
17:36:44 <bknudson> chair6: thanks!
17:37:04 <bknudson> neat!
17:37:22 <chair6> want to refactor this at some point, but that's it at the moment :)
17:38:15 <nkinder> #topic open discussion
17:38:28 <nkinder> any other topics from anyone?
17:38:32 <tmcpeak> ops in channel
17:38:45 <tmcpeak> I think it would be useful to get a few: maybe nkinder, bdpayne, hyakuhei_
17:38:54 <tmcpeak> just to keep an eye out for gabriela kind of BS
17:39:04 <bdpayne> yeah, I agree that this would be useful
17:39:12 <nkinder> +1
17:39:20 <bdpayne> I was told that we need to work with one of the general ops types for freenode to get setup
17:39:24 <nkinder> she was back today (with a different number at the end of her nick)
17:39:28 <bdpayne> I just haven't had the time to chase that down yet
17:39:37 <tmcpeak> really? it should have banned by IP
17:39:44 <bdpayne> botnets
17:39:48 <nkinder> tmcpeak: it was banned by name
17:39:49 <bdpayne> lots of ips
17:40:00 <bdpayne> but, yeah, I think it was banned by name
17:40:02 <bknudson> I found the block button in pidgin
17:40:05 <tmcpeak> oh, yeah banned by name doesn't work
17:40:06 <clarkb> bdpayne: we manage ops for the channels you shouldn't need to go to freenode for that
17:40:15 <clarkb> bdpayne: i thought fungi pointed you at the change to make?
17:40:33 <bdpayne> oh, perhaps I misunderstood what fungi was saying
17:40:45 <bdpayne> it sounded like I needed to contact someone to request access
17:40:46 <bknudson> messages to irc should all be signed.
17:41:07 <kai> hi all,
17:41:19 <clarkb> bdpayne: what is the channel name?
17:41:27 <bdpayne> openstack-security
17:41:28 <tmcpeak> #openstack-security
17:41:31 <kai> is there any status update about threat modeling project?
17:42:06 <kai> wanna join this project in my free time
17:42:18 <nkinder> kai: There is a separate IRC meeting for that IIRC
17:42:39 <nkinder> kai: but I'm sure your help would be much appreciated there!
17:43:08 <clarkb> yup it's managed so you need to edit https://git.openstack.org/cgit/openstack-infra/config/tree/modules/openstack_project/files/accessbot/channels.yaml to add additional ops
17:43:24 <bdpayne> oh nice, I'll do that shortly
17:43:26 <tmcpeak> clarkb: perfect, thanks!
17:43:27 <bdpayne> thanks clarkb
17:43:31 <clarkb> under the channel name do operators: and a yaml list of ops
17:43:33 <tmcpeak> other thing I had was about qualys
17:43:40 <clarkb> note ops need to be registered with nickserv and identified
17:44:17 <bdpayne> ok
17:44:25 <tmcpeak> sounds good
17:44:55 <chair6> i'm always idling here so happy to take on ops if you need volunteers
17:46:12 <bdpayne> chair6 ok thanks
17:47:01 <nkinder> anything else from anyone?
17:47:06 <tmcpeak> qualys discussion
17:47:55 <tmcpeak> not really qualys, but I'll call it that for lack of a better one word description
17:48:02 <tmcpeak> "Gate testing XSS"
17:48:38 <shelleearnold007> sounds interesting
17:49:20 <tmcpeak> this is in regards to gmurphy's original proposition on the ML to figure out root cause of new XSS bugs
17:49:47 <tmcpeak> one of the Nebula folks seems to have a pretty good grasp on why this was happening and provided a good explanation
17:50:23 <nkinder> tmcpeak: I'm not familiar with qualys
17:50:30 <tmcpeak> but what I was thinking is that we should integrate some integrated XSS automated tool into gate tests
17:50:36 <tmcpeak> qualys is a vulnerability scanner
17:50:53 <bdpayne> yeah, I spoke with Paul about this... he said that the right people could come together and hammer out a lasting solution in a day or two
17:51:02 <nkinder> provided as a service or software?
17:51:20 <tmcpeak> my understanding is service
17:51:32 <nkinder> bdpayne: yeah, that would be a good item to try to get people to hash out at the summit
17:51:37 <tmcpeak> bdpayne: right, so there is the long lasting solution
17:51:58 <nkinder> bdpayne: it sounds like an architectural sort of change, so it would be best to take place early in the dev. cycle
17:52:02 <tmcpeak> bdpayne: but I think there is also room for a gate test here, just to make sure we don't drift into the same situation again
17:52:17 <tmcpeak> it sounded like the problem is that new devs come on and just fire out code without understanding the correct way to do things
17:52:46 <nkinder> tmcpeak: yeah, but adding gate jobs after cleaning up the code would catch that
17:52:58 <bdpayne> agreed on all accounts
17:53:01 <tmcpeak> nkinder: yeah totally agree
17:53:04 <nkinder> tmcpeak: I think the issue is that the code has bad examples that new devs copy right now
17:53:08 <bknudson> the XSS bugs seem to be poor design decisions
17:53:10 <bdpayne> fix it early in the cycle, have gate tests to avoid it from happening again
17:53:18 <tmcpeak> yep
17:53:28 <bknudson> for example, the table code requires you to set an option to escape the input
17:53:32 <bknudson> rather than escaping the input by default
17:53:37 <nkinder> I don't know if gmurphy is planning on attending the summit (I'll check with him)
17:53:43 <tmcpeak> bknudson: oh really?
17:53:58 <bknudson> tmcpeak: yes, see the latest XSS bug...
17:54:16 <tmcpeak> wow, nice
17:54:17 <bknudson> https://review.openstack.org/#/c/115310/1/openstack_dashboard/dashboards/admin/aggregates/tables.py
17:54:49 <tmcpeak> seems like an easy enough fix if you educate devs
17:54:50 <bknudson> so you have to pass in autoescape=True to escape
17:54:52 <clarkb> so fwiw anyone can propose a new job and run it experimentally against any project
17:55:05 <clarkb> so you could just go do a thing and see how it works, if people like it then you can work on making it gating
17:55:29 <tmcpeak> clarkb: oh cool, I was wondering about that
17:55:47 <bdpayne> would it be appropriate to have a security education session at the dev part of the summit?
17:55:48 <tmcpeak> you know where there is info on how to do that?
17:55:54 <bdpayne> like, security coding best practices for openstack?
17:56:00 <tmcpeak> bdpayne: +1
17:56:17 <nkinder> bdpayne: targeting XSS issues specifically?
17:56:21 <sweston> bdpayne: +1
17:56:25 <bdpayne> well, it could hit on some of that
17:56:29 <nkinder> bdpayne: that seems like a good idea
17:56:30 <bdpayne> but I was thinking more broad
17:56:42 <bdpayne> this whole discussion just got me thinking
17:56:43 <tmcpeak> root wrapper use would probably be pretty useful
17:56:46 <bdpayne> carry on ;-)
17:56:56 <elmiko> as an outside observer, i would definitely attend a security education session at summit
17:57:05 <sicarie> +1
17:57:05 <tmcpeak> elmiko: +1
17:57:10 <bdpayne> cool, good to know
17:57:26 <tmcpeak> bdpayne, bdpayne, bdpayne
17:57:28 <nkinder> ok, that's a good idea for the design sessions if we have a security track
17:57:44 <bdpayne> could also go in a general track or something
17:57:52 <tmcpeak> that actually fits in line perfectly with OSSG mission
17:57:54 <bdpayne> security track at the design sessions... seems unlikely
17:58:00 <nkinder> yeah, a cross-project/general track
17:58:10 <nkinder> whatever track our stuff was in last time
17:58:23 <bdpayne> yeah, the cross-project thingy
17:58:27 <nkinder> ok, we're getting short on time here
17:58:50 <nkinder> anything else before we end the meeting?
17:59:54 <nkinder> ok, thanks all!
17:59:57 <nkinder> #endmeeting