17:01:18 <hyakuhei> #startmeeting Security
17:01:20 <openstack> Meeting started Thu Jun  4 17:01:18 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:23 <tmcpeak> o/
17:01:24 <openstack> The meeting name has been set to 'security'
17:01:24 <tkelsey> o/
17:01:24 <hyakuhei> o/
17:01:28 <bknudson> hi
17:01:28 <elmiko> yo/
17:01:40 <sicarie> o/
17:01:42 <singlethink> o/
17:01:45 <michaelxin> o/
17:02:07 <dwyde> o/
17:02:12 <mvaldes> o/
17:02:20 <gmurphy> \o/
17:02:25 <michaelxin> mvaldes: welcome
17:02:31 <timkennedy> o/
17:02:34 <chair6> o/
17:02:40 <dstanek> hiya
17:02:44 <tkelsey> lots of people today :)
17:02:46 <hyakuhei> Popular place to be :)
17:02:53 <warpc__> hi
17:02:55 <michaelxin> cool
17:03:01 <elmiko> hyakuhei: yea, seriously!
17:03:15 <hyakuhei> Ok so agenda wise, let's run through the projects and then see what time we’ve got left for other business
17:03:24 <hyakuhei> sicarie: Can you update on docs?
17:03:30 <sicarie> Sure
17:03:31 <hyakuhei> #topic Security Guide
17:03:48 <sicarie> Current bug list: https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
17:03:56 <mvaldes> michaelxin: thanks
17:04:20 <hyakuhei> Anything stand out as being either a) low hanging fruit or b) really hard where you’d like a SME to help?
17:04:29 <sicarie> We've skipped a few secguide meetings due to the summit, but overall we're doing good work on getting the guide back in shape
17:04:43 <sicarie> Yes - a) should have a tag, I'll pull that in a minute
17:05:08 <sicarie> for b) any reviews on content for the Compute, Networking, and Dashboard chapters would be awesome
17:05:40 <michaelxin> sicarie: do you need help with reviews?
17:05:50 <sicarie> michaelxin: always :)
17:05:55 <elmiko> +1
17:06:02 <sicarie> We did just bring on a new core to the secguide
17:06:06 <sicarie> Congrats to elmiko
17:06:10 <elmiko> \o/
17:06:12 <sicarie> And thanks for the great review work - please keep it up!
17:06:13 <michaelxin> cong
17:06:19 <tkelsey> awesome
17:06:21 <tmcpeak> congrats elmiko! well deserved
17:06:35 <bknudson> congrats to elmiko
17:06:51 <elmiko> thanks everyone =)
17:07:02 <elmiko> i do have a question about some firewall stuff we talked about
17:07:20 <elmiko> we had mentioned creating some sample firewalld xmls and Ubuntu based helper files
17:07:23 <elmiko> for openstack services
17:07:33 <elmiko> but we hadn't figured out a good place for those to live, any thoughts?
17:07:59 <timkennedy> openstack wiki?
17:08:28 <hyakuhei> Seems we might want them to live in gerrit somewhere
17:08:34 <hyakuhei> so they can be easily vetted/updated
17:08:38 <tkelsey> +1 for versioning
17:08:39 <elmiko> that's a good start, i think we were talking about trying to fit them in the docs somewhere, if it makes sense.
17:08:45 <singlethink> In some project's contrib directory?
17:09:20 <elmiko> the installers manual has a list of all ports, i wonder if we could have an appendix in the sec-guide with this content?
17:09:21 <timkennedy> are the samples going to be maintained code, or just samples?
17:09:29 <sicarie> Yeah, I think those may version interestingly, we might want to link to a repo from the secguide?
17:09:32 <elmiko> i think maintained would be cool
17:09:43 <tkelsey> elmiko: yeah, feels like good appendix material
17:09:45 <timkennedy> then version control and a link in the sec-guide
17:09:55 <michaelxin> +1 for gerrit
17:10:09 <elmiko> awesome, thanks. sicarie we can talk more about it in the next meeting maybe?
17:10:20 <sicarie> elmiko: sounds good
17:10:30 <sicarie> hyakuhei: I think that's about all I had for docs
17:10:35 <hyakuhei> Thanks sicarie
17:10:39 <hyakuhei> #topic OSSN
17:10:51 <hyakuhei> There’s 7 OSSN outstanding atm
17:10:56 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:11:07 <tkelsey> hyakuhei: in review, or needing to be written ?
17:11:13 <hyakuhei> Various states
17:11:18 <tkelsey> kk
17:11:21 <hyakuhei> Four new
17:11:27 <hyakuhei> Hmmm, five
17:11:34 <hyakuhei> Some easy ones, some harder
17:12:28 <elmiko> i could take a swag at one of the easier ones =D
17:12:30 <hyakuhei> If anyone’s looking for a way in to the Security project, these are a great start
17:12:58 <hyakuhei> https://bugs.launchpad.net/ossn/+bug/1451931 looks fairly boilerplate.
17:12:58 <openstack> Launchpad bug 1451931 in OpenStack Security Notes "ironic password config not marked as secret" [Undecided,New]
17:12:58 <michaelxin> I will help one for sure.
17:13:09 <timkennedy> noted
17:13:36 <elmiko> cool
17:13:59 <hyakuhei> ok, next up we’ve got the developer guidance
17:14:04 <hyakuhei> #topic Developer Guidance
17:14:19 <tmcpeak> content wise these are fairly steady state
17:14:25 <hyakuhei> Not much has happened here but I just wanted to thank gmurphy for the work he did to get this ready for the summit
17:14:35 <hyakuhei> #link https://security.openstack.org
17:14:39 <tmcpeak> gmurphy: ++
17:14:51 <tkelsey> so I have started adding some docs to bandit tests, there was some discussion of overlap between that and the dev guidance
17:14:55 <tmcpeak> have we announced these on the ML?
17:15:12 <hyakuhei> Not formally no, good idea tmcpeak
17:15:24 <tmcpeak> cool
17:15:31 <tmcpeak> gmurphy: is there any way we can access page views on them?
17:15:37 <tmcpeak> to see how used or not they are?
17:15:40 <tkelsey> I intend to keep bandit docs very short and link to all relevant guidance. If any stuff comes out of that that is missing in the guidance stuff I'll start adding it
17:15:53 <hyakuhei> tkelsey: interesting
17:16:03 <tmcpeak> yeah, tkelsey - that's great work
17:16:30 <gmurphy> tmcpeak: not currently afaik
17:16:34 <tkelsey> thanks tmcpeak im working up some general docs as well
17:16:42 <hyakuhei> #topic Bandit
17:16:53 <hyakuhei> tkelsey: tmcpeak et al - update?
17:17:01 <tkelsey> i can take that
17:17:14 <tkelsey> we have had a lot of very awesome stuff landing this week :)
17:17:34 <tkelsey> thanks to all who have contributed, we now have python 3 support and a python 3 voting gate test
17:17:45 <hyakuhei> woot
17:17:58 <tmcpeak> sigmavirus24 has been throwing up patches like a madman :)
17:18:00 <tkelsey> the py3 work is from sigmavirus24 :) so shout outs for that
17:18:01 <michaelxin> +1
17:18:03 <bknudson> we need a release of bandit then I can change keystone tox.ini to use py34 instead
17:18:08 <gmurphy> have to say the xml / jenkins stuff is pretty neat. so good stuff whoever wrote that.
17:18:29 <tkelsey> bknudson: noted
17:18:42 <tkelsey> gmurphy: +1 yes it is
17:18:45 <tmcpeak> for those that haven't seen it: http://vdwaa.nl/bandit/python/security/jenkins/openstack-bandit-jenkins-integration/
17:19:00 <tmcpeak> written by Jelle - who recently contributed Jenkins output support
17:19:14 <tkelsey> oh tmcpeak interesting I hadn't seen that :)
17:19:36 <michaelxin> great
17:19:52 <hyakuhei> excellent. make sure you tell that guy when this gets pinned in a release so he can update his writeup
17:20:06 <tmcpeak> hyakuhei: +1
17:20:28 <tkelsey> so yeah, I think that's the highlights from this week in bandit land, thanks again everyone, we will update people with release plans and so forth as we have the,
17:20:31 <tkelsey> *them
17:20:39 <hyakuhei> #topic Anchor
17:20:59 <hyakuhei> Not much to report here
17:21:21 <hyakuhei> Though I’d like CatHead to be considered for inclusion as a Security project
17:21:21 <tkelsey> Anchor continues to improve, we have had some quality improving patches and a new blacklist validator in the works
17:21:38 <hyakuhei> #link https://github.com/takac/cathead
17:21:38 <tkelsey> hyakuhei: +1
17:21:54 <hyakuhei> It’s like Certmonger but not horrible.
17:22:41 <hyakuhei> Any objections?
17:23:08 <hyakuhei> Cool
17:23:09 <tkelsey> no objections +lots from me :) I would like to see that happen
17:23:18 <hyakuhei> Me too
17:23:34 <hyakuhei> Ok so that covers everything I was hoping to today
17:23:46 <hyakuhei> #topic Any other business
17:24:07 <elmiko> a followup from last week's action item,
17:24:09 <tmcpeak> I'm going to be working with Donald Stufft to make some short term improvements to PyPI
17:24:22 <tmcpeak> we're going to get brute force prevention and email notification for package uploads
17:24:23 <tkelsey> tmcpeak: cool :)
17:24:31 <tmcpeak> stay tyned
17:24:34 <tmcpeak> *tuned
17:24:52 <tkelsey> whe aye man, i'll stay tyned :P
17:24:53 <hyakuhei> Excellent
17:25:00 <elmiko> i've been digging into gabbi (https://github.com/cdent/gabbi) as a possible tool to use for fuzzing like servers
17:25:01 <tmcpeak> lol
17:25:11 <michaelxin> i did check https://github.com/cdent/gabbi by grabbing the source code and play with it too.
17:25:13 <hyakuhei> Oh that’s interesting
17:25:21 <michaelxin> elmiko: +1
17:25:34 <tmcpeak> elmiko: awesome
17:25:36 <elmiko> i think it might need some changes to the way it handles tests, as they are all in yaml files now
17:25:51 <tmcpeak> looking forward to messing around with this
17:25:52 <elmiko> but i've been talking with cdent about possible generator types for the test creation
17:26:17 <elmiko> i am curious about the different types of fuzzing we will want, is it going to be mainly url type stuff, or json payloads as well?
17:26:42 <tmcpeak> I'd think both would be awesome
17:26:43 <michaelxin> the check of responses will be interesting and challenging
17:27:01 <hyakuhei> Raw fuzzing won’t get us too far I don’t think
17:27:05 <elmiko> michaelxin: agreed
17:27:12 <michaelxin> it depends on what do we want to make this tool work
17:27:37 <michaelxin> we can make it fuzz randomly like chaos monkey
17:27:57 <elmiko> ok, so i've been looking at how we could create small pieces of python to define the fuzz test we want. i agree with michaelxin, figuring out what type of response we want may be challenging.
17:28:17 <michaelxin> or do we want it to become a smart monkey by telling us what defects it detects.
17:28:51 <elmiko> imo, for each test, if we know the output, then we could start to generate a fuzzed set of inputs and just check them all as it does the testing.
17:29:05 <elmiko> that's how i've been approaching it
17:29:06 <tkelsey> its an interesting area of investigation, maybe we should get something mocked up to kick the tires a bit
17:29:19 <michaelxin> tkelsey: +1
17:29:23 <elmiko> tmcpeak: that sounds good
17:29:25 <tmcpeak> tkelsey: +1, would make it easier to know when we've got what we want
17:29:30 <michaelxin> need to spend some time working on some POC
17:29:36 <elmiko> er, tkelsey sorry
17:30:00 <hyakuhei> As we’re dealing with a predominantly python environment I think we’ll get much more mileage out of something that looks at odd combinations of API requests, oddness in JSON etc
17:30:25 <hyakuhei> Fuzzing logic as opposed to trying to break parsers ala binary fuzzing
17:30:32 <elmiko> when you say "odd combinations...", is that to say like thrashing the server?
17:31:00 <tkelsey> I would imagine things like send responses before requests, that sort of thing
17:31:04 <hyakuhei> Things that are logically inconsistent
17:31:06 <michaelxin> That's why it is better to do fuzzing with QA knowledge about the product.
17:31:09 <elmiko> ah, cool
17:31:25 <elmiko> michaelxin: yea, if i do a poc it will most likely be against sahara
17:31:26 <michaelxin> a generic fuzzer does not know much about the project
17:31:39 <michaelxin> elmiko: +1
17:31:46 <tkelsey> that sounds sensible
17:32:23 <elmiko> cool, sounds good to me =)
17:32:57 <hyakuhei> Jolly good.
17:33:07 <hyakuhei> Anything else to discuss today folks ?
17:33:20 <michaelxin> I am good
17:33:29 <hyakuhei> Great!
17:33:33 <tkelsey> nothing from me, other than to say thanks for all the patches this week again :)
17:33:36 <timkennedy> new guy here.
17:33:38 <timkennedy> Tim Kennedy, ops guy with some dev experience. I'm particularly interested in secure multi-tenancy in openstack, and regulatory compliance (FISMA, DIACAP, etc).  Hoping to contribute to Openstack security in that direction.
17:33:38 <gmurphy> kind of related to fuzzing - it might be worth looking at which projects aren't using json schema validation e.g https://blueprints.launchpad.net/nova/+spec/v3-api-schema and trying to help them define one?
17:33:44 <timkennedy> hi.  nice to meet you all.
17:33:49 <gmurphy> (that spec is complete)
17:33:53 <elmiko> hi timkennedy
17:33:55 <hyakuhei> So one thing to note, I’ll be travelling this time next week so I’ll need someone else to run the meeting please?
17:34:09 <hyakuhei> Hi timkennedy welcome!
17:34:19 <tkelsey> timkennedy: welcome :) I spotted a few reviews coming in from you, thanks!
17:34:26 <hyakuhei> +1
17:34:33 <timkennedy> hi.  thanks!
17:34:48 <hyakuhei> ok I think that’s a wrap people. Thank you for joining!
17:34:57 <hyakuhei> #endmeeting