17:01:18 <hyakuhei> #startmeeting Security 17:01:20 <openstack> Meeting started Thu Jun 4 17:01:18 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:01:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:01:23 <tmcpeak> o/ 17:01:24 <openstack> The meeting name has been set to 'security' 17:01:24 <tkelsey> o/ 17:01:24 <hyakuhei> o/ 17:01:28 <bknudson> hi 17:01:28 <elmiko> yo/ 17:01:40 <sicarie> o/ 17:01:42 <singlethink> o/ 17:01:45 <michaelxin> o/ 17:02:07 <dwyde> o/ 17:02:12 <mvaldes> o/ 17:02:20 <gmurphy> \o/ 17:02:25 <michaelxin> mvaldes: welcome 17:02:31 <timkennedy> o/ 17:02:34 <chair6> o/ 17:02:40 <dstanek> hiya 17:02:44 <tkelsey> lots of people today :) 17:02:46 <hyakuhei> Popular place to be :) 17:02:53 <warpc__> hi 17:02:55 <michaelxin> cool 17:03:01 <elmiko> hyakuhei: yea, seriously! 17:03:15 <hyakuhei> Ok so agenda wise, lets run through the projects and then see what time we’ve got left for other business 17:03:24 <hyakuhei> sicarie: Can you update on docs? 17:03:30 <sicarie> Sure 17:03:31 <hyakuhei> #topic Security Guide 17:03:48 <sicarie> Current bug list: https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide 17:03:56 <mvaldes> michaelxin: thanks 17:04:20 <hyakuhei> Anything stand out as being either a) low hanging fruit or b) really hard where you’d like a SME to help? 17:04:29 <sicarie> We've skipped a few secguide meetings due to the summit, but overall we're doing good work on getting the guide back in shape 17:04:43 <sicarie> Yes - a) should have a tag, I'll pull that in a minue 17:05:08 <sicarie> for b) any reviews on content for the Compute, Networking, and Dashboard chapters would be awesome 17:05:40 <michaelxin> sicarie: do you need help with reviews? 17:05:50 <sicarie> michaelxin: always :) 17:05:55 <elmiko> +1 17:06:02 <sicarie> We did just bring on a new core to the secguide 17:06:06 <sicarie> Congrats to elmiko 17:06:10 <elmiko> \o/ 17:06:12 <sicarie> And thanks for the great review work - please keep it up! 17:06:13 <michaelxin> cong 17:06:19 <tkelsey> awesome 17:06:21 <tmcpeak> congrats elmiko! well deserved 17:06:35 <bknudson> congrats to elmiko 17:06:51 <elmiko> thanks everyone =) 17:07:02 <elmiko> i do have a question about some firewall stuff we talked about 17:07:20 <elmiko> we had mentioned creating some sample firewalld xmls and Ubuntu based helper files 17:07:23 <elmiko> for openstack services 17:07:33 <elmiko> but we hadn't figured out a good place for those to live, any thoughts? 17:07:59 <timkennedy> openstack wiki? 17:08:28 <hyakuhei> Seems we might want them to live in gerrit somewhere 17:08:34 <hyakuhei> so they can be easily vetted/updated 17:08:38 <tkelsey> +1 for versioning 17:08:39 <elmiko> that's a good start, i think we were talking about trying to fit them in the docs somewhere, if it makes sense. 17:08:45 <singlethink> In some project's contrib directory? 17:09:20 <elmiko> the installers manual has a list of all ports, i wonder if we could have an appendix in the sec-guide with this content? 17:09:21 <timkennedy> are the samples going to be maintained code, or just samples? 17:09:29 <sicarie> Yeah, I think those may version interestingly, we might want to link to a repo from the secguide? 17:09:32 <elmiko> i think maintained would be cool 17:09:43 <tkelsey> elmiko: yeah, feels like good appendix material 17:09:45 <timkennedy> then version control and a link in the sec-guide 17:09:55 <michaelxin> +1 for gerrit 17:10:09 <elmiko> awesome, thanks. sicarie we can talk more about it in the next meeting maybe? 17:10:20 <sicarie> elmiko: sounds good 17:10:30 <sicarie> hyakuhei: I think that's about all I had for docs 17:10:35 <hyakuhei> Thanks sicarie 17:10:39 <hyakuhei> #topic OSSN 17:10:51 <hyakuhei> There’s 7 OSSN outstanding atm 17:10:56 <hyakuhei> #link https://bugs.launchpad.net/ossn 17:11:07 <tkelsey> hyakuhei: in review, or needing to be written ? 17:11:13 <hyakuhei> Various states 17:11:18 <tkelsey> kk 17:11:21 <hyakuhei> Four new 17:11:27 <hyakuhei> Hmmm, five 17:11:34 <hyakuhei> Some easy ones, some harder 17:12:28 <elmiko> i could take a swag at one of the easier ones =D 17:12:30 <hyakuhei> If anyone’s looking for a way in to the Security project, these are a great start 17:12:58 <hyakuhei> https://bugs.launchpad.net/ossn/+bug/1451931 looks fairly boilerplate. 17:12:58 <openstack> Launchpad bug 1451931 in OpenStack Security Notes "ironic password config not marked as secret" [Undecided,New] 17:12:58 <michaelxin> I will help one for sure. 17:13:09 <timkennedy> noted 17:13:36 <elmiko> cool 17:13:59 <hyakuhei> ok, next up we’ve got the developer guidance 17:14:04 <hyakuhei> #topic Developer Guidance 17:14:19 <tmcpeak> content wise these are fairly stead state 17:14:25 <hyakuhei> Not much has happened here but I just wanted to thank gmurphy for the work he did to get this ready for the summit 17:14:35 <hyakuhei> #link https://security.openstack.org 17:14:39 <tmcpeak> gmurphy: ++ 17:14:51 <tkelsey> so I have started adding some docs to bandit tests, there was some discussion of overlap between that and the dev guidance 17:14:55 <tmcpeak> have we announced these on the ML? 17:15:12 <hyakuhei> Not formally no, good idea tmcpeak 17:15:24 <tmcpeak> cool 17:15:31 <tmcpeak> gmurphy: is there any way we can access page views on them? 17:15:37 <tmcpeak> to see how used or not they are? 17:15:40 <tkelsey> I intent to keep bandit docs very short and link to all relevant guidance. If any stuff comes out of that that is missing in the guidance stuff I'll start adding it 17:15:53 <hyakuhei> tkelsey: interesting 17:16:03 <tmcpeak> yeah, tkelsey - that's great work 17:16:30 <gmurphy> tmpeak: not currently afaik 17:16:34 <tkelsey> thanks tmcpeak im working up some general docs as well 17:16:42 <hyakuhei> #topic Bandit 17:16:53 <hyakuhei> tkelsey: tmcpeak et al - update? 17:17:01 <tkelsey> i can take that 17:17:14 <tkelsey> we have had a lot of very awesome stuff landing this week :) 17:17:34 <tkelsey> thanks to all who have contributed, we now have python 3 support and a python 3 voting gate test 17:17:45 <hyakuhei> woot 17:17:58 <tmcpeak> sigmavirus24 has been throwing up patches like a madman :) 17:18:00 <tkelsey> the py3 work is from sigmavirus24 :) so shout outs for that 17:18:01 <michaelxin> +1 17:18:03 <bknudson> we need a release of bandit then I can change keystone tox.ini to use py34 instead 17:18:08 <gmurphy> have to say the xml / jenkins stuff is pretty neat. so good stuff whoever wrote that. 17:18:29 <tkelsey> bknudson: noted 17:18:42 <tkelsey> gmurphy: +1 yes it is 17:18:45 <tmcpeak> for those that haven't seen it: http://vdwaa.nl/bandit/python/security/jenkins/openstack-bandit-jenkins-integration/ 17:19:00 <tmcpeak> written by Jelle - who recently contributed Jenkins output support 17:19:14 <tkelsey> oh tmcpeak interesting I hadn't seen that :) 17:19:36 <michaelxin> great 17:19:52 <hyakuhei> excellent. make sure you tell that guy when this gets pinned in a release so he can update his writeup 17:20:06 <tmcpeak> hyakuhei: +1 17:20:28 <tkelsey> so yeah, I think thats the highlights from this week in bandit land, thanks again everyone, we will update people with release plans and so forth as we have the, 17:20:31 <tkelsey> *them 17:20:39 <hyakuhei> #topic Anchor 17:20:59 <hyakuhei> Not much to report here 17:21:21 <hyakuhei> Though I’d like CatHead to be considered for inclusion as a Security project 17:21:21 <tkelsey> Anchor continues to improve, we have had some quality improving patches and a new blacklist validator it in the works 17:21:38 <hyakuhei> #link https://github.com/takac/cathead 17:21:38 <tkelsey> hyakuhei: +1 17:21:54 <hyakuhei> It’s like Certmonger but not horrible. 17:22:41 <hyakuhei> Any objections? 17:23:08 <hyakuhei> Cool 17:23:09 <tkelsey> no objections +lots from me :) I would like to se that happen 17:23:18 <hyakuhei> Me too 17:23:34 <hyakuhei> Ok so that covers everything I was hoping to today 17:23:46 <hyakuhei> #topic Any other business 17:24:07 <elmiko> a followup from last weeks action item, 17:24:09 <tmcpeak> I'm going to be working with Donald Stufft to make some short term improvements to PyPI 17:24:22 <tmcpeak> we're going to get brute force prevention and email notification for package uploads 17:24:23 <tkelsey> tmcpeak: cool :) 17:24:31 <tmcpeak> stay tyned 17:24:34 <tmcpeak> *tuned 17:24:52 <tkelsey> whe aye man, i'll stay tyned :P 17:24:53 <hyakuhei> Excellent 17:25:00 <elmiko> i've been digging into gabbi (https://github.com/cdent/gabbi) as a possible tool to use for fuzzing like servers 17:25:01 <tmcpeak> lol 17:25:11 <michaelxin> i did check https://github.com/cdent/gabbi by grabbing the source code and play with it too. 17:25:13 <hyakuhei> Oh that’s interesting 17:25:21 <michaelxin> elmiko: +1 17:25:34 <tmcpeak> elmiko: awesome 17:25:36 <elmiko> i think it might need some changes to the way it handles tests, as they are all in yaml files now 17:25:51 <tmcpeak> looking forward to messing around with this 17:25:52 <elmiko> but i've been talking with cdent about possible generator types for the test creation 17:26:17 <elmiko> i am curious about the different types of fuzzing we will want, is it going to be mainly url type stuff, or json payloads as well? 17:26:42 <tmcpeak> I'd think both would be awesome 17:26:43 <michaelxin> the check of responses will be interesting and challenging 17:27:01 <hyakuhei> Raw fuzzing won’t get us too far I don’t think 17:27:05 <elmiko> michaelxin: agreed 17:27:12 <michaelxin> it depends on what do we want to make this tool work 17:27:37 <michaelxin> we can make it fuzz randomly like chaos monkey 17:27:57 <elmiko> ok, so i've been looking at how we could create small pieces of python to define the fuzz test we want. i agree with michaelxin, figuring out what type of response we want may be challenging. 17:28:17 <michaelxin> or do we want it to become a smart monkey by telling us what defects it detects. 17:28:51 <elmiko> imo, for each test, if we know the output, then we could start to generate a fuzzed set of inputs and just check them all as it does the testing. 17:29:05 <elmiko> that's how i've been approaching it 17:29:06 <tkelsey> its an interesting area of investigation, maybe we should get something mocked up to kick the tires a bit 17:29:19 <michaelxin> tkelsey: +1 17:29:23 <elmiko> tmcpeak: that sounds good 17:29:25 <tmcpeak> tkelsey: +1, would make it easier to know when we've got what we want 17:29:30 <michaelxin> need spend sometime working on some POC 17:29:36 <elmiko> er, tkelsey sorry 17:30:00 <hyakuhei> As we’re dealing with a predominantely python environment I think we’ll get much more mileage out of something that looks at odd combinations of API requests, oddness in JSON etc 17:30:25 <hyakuhei> Fuzzing logic as apposed to trying to break parsers ala binary fuzzing 17:30:32 <elmiko> when you say "odd combinations...", is that to say like thrashing the server? 17:31:00 <tkelsey> I would imagine things like send responses before requests, that sort of thing 17:31:04 <hyakuhei> Things that are logically incosistent 17:31:06 <michaelxin> That's why it is better to do fuzzy with QA knowledge about the product. 17:31:09 <elmiko> ah, cool 17:31:25 <elmiko> michaelxin: yea, if i do a poc it will most likely be against sahara 17:31:26 <michaelxin> a generic fuzzier does not know much about the project 17:31:39 <michaelxin> elmiko: +1 17:31:46 <tkelsey> that sounds sensible 17:32:23 <elmiko> cool, sounds good to me =) 17:32:57 <hyakuhei> Jolly good. 17:33:07 <hyakuhei> Anything else to discuss today folks ? 17:33:20 <michaelxin> I am good 17:33:29 <hyakuhei> Great! 17:33:33 <tkelsey> nothing from me, other than to say thanks for all the patches this week again :) 17:33:36 <timkennedy> new guy here. 17:33:38 <timkennedy> Tim Kennedy, ops guy with some dev experience. I'm particularly interested in secure multi-tenancy in openstack, and regulatory compliance (FISMA, DIACAP, etc). Hoping to contribute to Openstack security in that direction. 17:33:38 <gmurphy> kind of related to fuzzing - it might be worth looking at which projects aren't using json schema validation e.g https://blueprints.launchpad.net/nova/+spec/v3-api-schema and trying to help them define one? 17:33:44 <timkennedy> hi. nice to meet you all. 17:33:49 <gmurphy> (that spec is complete) 17:33:53 <elmiko> hi timkennedy 17:33:55 <hyakuhei> So one thing to note, I’ll be travelling this time next week so I’ll need someone else to run the meeting please? 17:34:09 <hyakuhei> Hi timkennedy welcome! 17:34:19 <tkelsey> timkennedy: welcome :) I spotted a few reviews coming in from you, thanks! 17:34:26 <hyakuhei> +1 17:34:33 <timkennedy> hi. thanks! 17:34:48 <hyakuhei> ok I think that’s a wrap people. Thank you for joining! 17:34:57 <hyakuhei> #endmeeting