16:59:39 #startmeeting security
16:59:39 Meeting started Thu Aug 11 16:59:39 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:40 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:43 hi tmcpeak !
16:59:43 The meeting name has been set to 'security'
16:59:45 #chair hyakuhei
16:59:46 Current chairs: hyakuhei tmcpeak
16:59:58 hi *
17:00:01 sup y'all
17:00:02 hai!
17:00:03 o/
17:00:24 hi
17:00:52 howdy
17:00:56 heads up, I'll likely have to split soon
17:00:58 boarding a plane
17:01:26 fancy!
17:01:36 ++
17:01:46 :D
17:01:49 o/ all
17:01:52 So this is the last IRC meeting before the midcycle which is exciting
17:01:55 oh hai tkelsey
17:02:04 hi hyakuhei :)
17:02:38 As usual we have an agenda over here: https://etherpad.openstack.org/p/security-agenda
17:02:43 #link https://etherpad.openstack.org/p/security-agenda
17:02:47 o/
17:02:54 elmiko: I’m looking at the gerrit groups
17:03:04 do we have security docs core for OSSN ?
17:03:34 #link https://etherpad.openstack.org/p/security-agenda
17:03:34 i /thought/ we did
17:03:35 I’ll have to check the policy for the OSSN gate,
17:03:38 lol
17:03:43 I'm about a minute slower than hykauhei
17:03:46 this web client sucks
17:03:48 elmiko: we have a specific OSSN one
17:03:51 but no-one’s in it
17:03:56 so I’m guessing that’s not right :P
17:04:03 hyakuhei: i thought that was sec-core
17:05:36 yeah, I need to do an audit
17:05:37 honestly, i never worked the levers for the gerrit groups. i know i was able to +2 on ossn, and i thought that was related to sec-core, but not sure about the docs core for ossn
17:06:04 o/
17:06:08 There’s ways to figure it out, this is all in aid of making lhinds a sec core anyway :)
17:06:13 hey dg____
17:06:26 sweet, and grats lhinds =)
17:06:32 thx!
17:06:38 good work lhinds
17:06:38 +1, well deserved!
17:06:45 Yupyup
17:07:08 ok, I want to move sec docs up the agenda a bit
17:07:12 #topic Security Docs
17:07:34 So crdotson is new to the group here, he’s just joined my team over at IBM
17:07:39 o/
17:07:46 Hello everyone!
17:07:48 sweet, welcome crdotson
17:07:51 * crdotson waves
17:07:52 hi crdotson
17:08:02 o/
17:08:20 Chris might be helping with OSSN/Docs - good security guy, technical writer in a past life, seems like a good guy to have around :)
17:08:22 welcome
17:08:32 awesome ++
17:08:36 So obviously I especially wanted him to meet elmiko and sicarie
17:08:42 * sicarie waves
17:08:48 nice to meet ya, later o/
17:08:51 * elmiko giggles
17:08:57 lol
17:09:02 haha
17:09:11 Hey crdotson welcome!!
17:09:15 i keeed
17:09:16 elmiko you're going to attend the midcycle on the big screen again, right
17:09:17 ?
17:09:26 maybe just to say hi
17:09:47 works for me
17:09:48 Now I don’t think it’s fair to throw crdotson straight into being a docs maintainer but I think we should try to work out what a fast-track to that might be. Starting with OSSNs seems reasonable.
17:09:52 and i'll certainly join any sessions where i can help transition
17:10:06 hyakuhei++
17:10:13 yeah, OSSN is a good start
17:10:15 fun for the whole family
17:10:17 sounds good!
17:10:23 We’ve only just started talking about it
17:11:00 crdotson maybe have a look at a few reviews on the security docs, maybe fix something obviously dumb so you get used to the horribleness of the workflow
17:11:12 lol
17:11:27 workflow isn't _that_ bad :P
17:11:45 come on dg____, stiff upper lip, it's not *all* bad
17:11:47 Sure, I can do that
17:11:48 It’s ok when you get used to it
17:11:54 crdotson: maybe have a poke around the open bugs here? https://bugs.launchpad.net/ossn
17:12:10 you'll have to get started with launchpad, git if you haven't used it, etc
17:12:19 then you can assign yourself one of the open bugs that looks legit
17:12:23 we also have guidance somewhere...
17:12:34 general docs guidance is pretty good
17:12:57 #link https://wiki.openstack.org/wiki/Security/Security_Note_Process
17:12:59 the RST section in the docs guidance is worth a read too
17:13:28 alright, I gotta roll, hopefully see a bunch of you in Austin!
17:13:38 indeed!
17:13:48 safe flight tmcpeak
17:13:51 Yep, have used git, haven't used launchpad yet.
17:13:57 thank you sir
17:14:04 you have hyakuhei (whose the expert) sitting near you crdotson, but I am also happy to help, having got up to speed over the past few months
17:14:15 Thanks lhinds
17:14:18 s/whose/who is
17:14:20 derp
17:14:35 organisationally we sit close, geographically not so much
17:14:51 ahh, that's the way now
17:15:08 I thought we might have had another west country type :P
17:15:48 heh, kentucky I think
17:16:06 Yep! :)
17:16:23 Seems like we need to get crdotson up to speed then :) if elmiko or sicarie know any low-hanging bugs to address that’d be handy
17:16:37 I’ll take a look
17:16:58 I'm perusing the Doc contributor guide now
17:17:27 yeah, might be nice if we have something light
17:17:53 TBH I’m sure crdotson can find plenty of things he’d want to tweak anyway.
17:18:06 ok, let's get back to our scheduled programming
17:18:27 #topic Syntribos
17:18:45 kewl
17:18:48 cool, so ccneill and I were both out last week at Defcon
17:19:03 fancy!
17:19:15 yep yep, was a good time
17:19:33 but while we were gone, there was a lot of work done on logging, and we were finally able to close out our “remove and replace OpenCAFE” trello card
17:19:40 nice
17:20:03 so if you haven't given Syntribos a run in a while, you might wanna go check it out
17:20:16 we've revamped the CLI a bit to be (we think) muuuuch clearer
17:20:19 unrahul also wrote a fantastic CLI output
17:20:21 thanks to unrahul for the progress bars
17:20:25 and other modifications
17:20:27 it’s real pretty
17:20:36 :D ..
17:20:39 thanks guys!
17:21:12 u guys should check it out.. its not perfect.. but Syntribos looks kinda cool ryt now!
17:21:16 we'll be having a discussion soon about how we can automatically generate syntribos templates for different APIs
17:21:29 if anyone has experience/ideas in that area, reach out to us
17:21:49 e.g. using mitmproxy to log results of functional tests, scraping docs, etc.
17:22:02 oh that’s non-trivial.
17:22:06 yeah :(
17:22:32 burpsuite probably has some discovery stuff ?
17:22:50 too bad we didn't get further with openapi specs for the projects
17:23:05 yeah and we realized documentation doesn't really follow the same conventions either
17:23:15 i would think having an openapi->syntribos template generator would be highly helpful
17:23:26 indeed
17:23:41 plus, could be a good way to reach out to projects as they will most likely be looking at generating these types of docs
17:23:46 in y'all's experience, do OS projects have RAMLs/WADLs/etc?
17:24:07 we had WADLs, but they are being replaced by openapi and possibly a custom format
17:24:11 i.e., is it worth it to support those formats, or should we focus on the "undocumented" approach
17:24:33 I'm not familiar with openAPI, is it something OS-specific?
17:24:34 imo, there is good value to supporting openapi as a format, but probably not worth it for wadl
17:24:42 openapi was formerly swagger
17:24:46 ahhh
17:24:51 these guys? https://openapis.org/
17:24:55 yes
17:25:23 that has been discussed many many times as a possible replacement for wadl in our api-ref site
17:25:24 well perhaps we'll help convince projects by supporting the spec and saying "you can get free security testing if you do to :)"
17:25:33 there was a ton of work over the last year or so about this
17:25:33 too*
17:25:55 yeah, i think that would be awesome. you may want to reach out to anne gentle and sean dague about it too
17:26:09 cool, will do
17:26:11 at least for ideas about how it impacts the OS landscape
17:26:23 any refs off-hand for OS integration with openapi?
17:26:35 let me look, 1sec
17:26:48 if not no worries, I'll touch base with Anne and Sean
17:27:04 i need to dig up some old specs and whatnot. may take a few
17:27:13 cool, if you wanna ping me after the meeting that would be awexome
17:27:20 ack
17:28:05 Seems like some good leads, certainly something approaching swagger (I mean openapi) would seem to be extremely useful for all involved
17:28:13 ccneill: good starting point, http://specs.openstack.org/openstack/api-wg/guidelines/api-docs.html
17:28:25 shweet, thanks elmiko
17:28:43 That’s not very prescriptive imho
17:28:56 “You should do these things” rather than “This is how to do these things”
17:29:04 yeah, agreed
17:29:13 Good starting point though I guess
17:29:15 there has been a whole debate swirling around this topic for like 2 years now
17:29:17 eh, best practices is better than "do wtf you want!"
17:29:27 at least we have some commonalities
17:29:31 that would be a significant effort ryt.. will that help us in the near term for Syntribos?
17:29:34 given time i can dig up a bunch of reviews and emails that all talk about it
17:29:39 as the spec has been there for a while..
17:29:42 I’m sure
17:30:23 i would say it's an evolving topic, but has come up many times about how do we represent the apis to developers. if there is a way to standardize that, i imagine it would help syntribos
17:30:31 yep
17:30:36 Yup
17:30:43 honestly I don't care so much that everyone uses ONE API TO RULE THEM ALL
17:30:47 i'm just not sure where the discussion ended up since i have been slowly moving away...
17:30:49 /API/API spec/
17:30:53 o/
17:30:58 but at least that they're using /something/
17:30:58 apologies for tardiness
17:31:02 well, the docs team is certainly interested in that ccneill
17:31:06 RAML, WADL, OAPI, etc.
17:31:38 sure, but I mean to say, we can get wins for Syntribos without convincing the entire barge to do a 360
17:31:47 definitely
17:31:52 i just wanted to bring it up
17:32:11 yep, should be a good starting place for us
17:32:14 thanks!
17:32:43 I think that's about it for Syntribos atm. we'll be doing some docs clean-up soon to get it up-to-date with all our latest changes
17:33:02 cool, OSSN next
17:33:07 #topic OSSN
17:33:16 I don’t have much here, saving it for the midcycle :)
17:33:49 Nothing too new from me, was on leave and still working on the ipv6 > qbr > breach
17:34:01 Did have a look at nkinder's code as well
17:34:12 the scripts for parsing notes
17:34:19 Yeah that’s interesting stuff
17:34:56 yep, definitely is
17:35:37 other than that, I think you have a backlog under embargo(?) still, that I could get stuck into as well
17:35:40 Cool, lhinds are you coming to the midcycle
17:35:54 lhinds: I’ll get you added to the right group for that today :)
17:36:08 unfortunately not hyakuhei , but I will make a push for the next one and should get my way
17:36:19 i will be @ the summit though
17:36:34 and happy to take part remotely (if that's possible?)
17:36:52 Yeah should be possible, elmiko and dg____ both did that last time
17:36:59 oh that would be cool
17:37:09 Excellent
17:37:14 ok, let's move on then
17:37:30 #topic Midcycle
17:37:44 Reminder: #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:38:00 hyakuhei say - I won't be at midcycle because of budget constraints
17:38:13 IBM will be picking up breakfast/lunch - I assume we’ll be getting stuff in
17:38:14 hyakuhei will there be remote participation available?
17:38:20 sdake: Absolutely
17:38:36 hyakuhei nice - thanks :)
17:38:43 sorry you can’t be there. it would have been good to have run through the process
17:38:59 I know dg____ has been working on parts of that recently
17:39:06 i'd propose running through the process remotely if possible
17:39:18 if not, or it's too late to change the agenda, I understand
17:40:27 Seems like we can do a remote process the week after
17:40:46 Doing a remote process the one week we’re mostly in the same place seems a little disjointed.
17:41:04 yup - i hear ya - remote participation in midcycles is rough :)
17:41:23 perhaps we can schedule a couple weeks out - we are under heavy strain with osic testing at present
17:41:29 Yeah we can do that.
17:41:53 cool i'll sync up with you offline on dates
17:41:58 At IBM we’ve been doing some threat modelling work internally that I want to share with dg____ and see how it might affect the openstack process
17:42:04 cheers sdake
17:43:17 hyakuhei great to hear you've been working on that tool, I've been hacking together a bunch of stuff for the guide on this, and we should have the HPE review of Designate hitting the security analysis repo in the next couple of days
17:43:57 Excellent!
17:44:03 dg____++
17:44:08 hyakuhei: Did I miss that you're working on a threat modeling tool?
17:44:17 it was a typo, should have been too
17:44:36 oh ok... we have one that we're building internally at Cisco
17:44:51 oh awesome! are you able to share any details singlethink?
17:44:52 there's some talk of open sourcing eventually
17:45:13 * singlethink checking
17:45:16 That would be cool
17:45:55 (don't let me hold up the flow of the conversation)
17:46:13 I think that was it really :)
17:46:22 ok
17:46:26 I got the thumbs up
17:46:30 Sweet
17:46:39 So... basically dev teams make an arch diagram
17:46:54 think high level system diagram that describes data flows
17:47:18 There are pre-defined types of data flows like "public network connection", "database connection", etc.
17:47:45 Through some massaging and annotation, the tool finds boundaries between different trust domains
17:47:59 Sounds good, I like the idea of it being open sourced so others can add/customize
17:48:00 and alerts the devs to possible threats that need to be mitigated there (primarily drawing from CAPEC)
17:48:31 sounds similar to the manual process we held for kolla at austin summit
17:49:12 yeah... the idea was to try to take the manual process, mash it up with codified domain knowledge about different threats, and give teams an artifact that can evolve over time with their project
17:50:07 I'll mention the community interest to the manager that's currently in charge of development
17:50:23 release early, release often
17:50:31 sdake: yeah.
17:50:39 What we’ve been doing at IBM is similar too
17:50:53 It's becoming easier to do that here... but it's still a process
17:51:06 Very interesting
17:51:19 +1, sounds very cool
17:51:23 yep +1
17:51:49 Ok, any more on this stuff?
17:52:04 I think we’re onto AOB then
17:52:10 #topic Any other business
17:52:19 sdake where are we at with the Kolla TA? Do you need anything from us?
17:52:23 re kolla TA
17:52:32 Oh yeah, if someone could recommend to me where I should order food from in Austin
17:52:53 dg____ yes - I think our last step taken was to produce a flow diagram
17:52:54 i think hyakuhei did that work
17:53:14 great work hyakuhei, hands on leadership
17:53:16 if I could get access to that diagram, it would help me produce more diagrams for our other 6 types of containers
17:53:24 I think that’s captured in the etherpad.
17:53:33 ok sure, I think I have that somewhere....
17:53:37 * dg____ plays hold music
17:54:07 #link https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis
17:54:12 once we have diagrams in place, I'm not sure what the next step is
17:54:22 thanks you beat me to it
17:54:36 sdake the source for the diagrams from the summit is at the bottom of that etherpad
17:54:38 basically a discussion of how things work, based on interpreting the diagrams and discussing the threats to the system
17:54:45 but we can produce documentation from the diagrams and our understanding of what is needed
17:54:46 Which for Kolla are probably quite limited
17:55:08 and post that to the security-analysis repo
17:55:23 and I guess I need to close the loop on the reno feature for threat-analysis repo
17:55:23 I'll do that today
17:55:32 it's about a 1 hr job
17:55:40 ok thanks sdake, it'd be great to have that in place when we start looking at this next week
17:55:56 +1
17:55:56 dg____ can't promise to have all diagrams in place by next week
17:56:19 That’s ok, just see what you can manage. The diagram system we use is _very_ quick
17:56:23 but definitely by the time we have our ta in a few weeks over webex or google hangouts or whatever people want :)
17:56:24 in terms of time invested
17:56:36 yup I'll work on it
17:56:38 sdake no worries
17:56:43 Excellent.
17:57:04 Ok any last minute things?
17:57:18 just a big thanks from kolla for working with us on this :)
17:57:23 VMT is very important to us
17:57:32 Thanks for being our guinea pigs :)
17:57:38 roger that :)
17:57:43 np, we really appreciate your cooperation sdake
17:58:13 just one last question
17:58:23 do you think we will be able to close this work out before newton concludes?
17:58:38 yes
17:58:41 nice
17:58:45 I’d like to
17:58:45 That should be our goal
17:58:55 +1
17:59:02 hyakuhei ya - if we can't get it done in a cycle, seems like might be too heavyweight
17:59:09 +1
17:59:10 +1
17:59:37 ok, time people! Thanks all!
17:59:37 #endmeeting