17:00:50 <tmcpeak> #startmeeting security
17:00:51 <openstack> Meeting started Thu Aug 25 17:00:50 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:53 <gmurphy> \o/
17:00:55 <openstack> The meeting name has been set to 'security'
17:00:56 <tmcpeak> #chair hyakuhei
17:01:00 <openstack> Current chairs: hyakuhei tmcpeak
17:01:03 <tkelsey> o/
17:01:09 <hyakuhei> oh hai
17:01:11 <singlethink> o/
17:01:17 <lhinds> hey *
17:01:22 * hyakuhei was busy writing "goals" and lost track of time
17:01:26 <hyakuhei> My life is the bestest!
17:01:38 <tmcpeak> living that dream baby gurl
17:02:25 <unrahul> o/
17:02:37 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:03:37 <tmcpeak> alright…
17:03:51 <tmcpeak> #topic Midcycle-Recap
17:04:01 <tmcpeak> thanks for everybody that came out to the midcycle
17:04:20 <tkelsey> did you guys solve security?
17:04:23 <tmcpeak> personally I found it very useful, but I'm happy to be corrected
17:04:28 <hyakuhei> Special thanks to Elvin and Fernando for everything they did
17:04:33 <tmcpeak> tkelsey: yeah, and also solved big data!
17:04:36 <tmcpeak> hyakuhei: +1
17:04:40 <tkelsey> nice one :D
17:04:52 <hyakuhei> I thought we got a lot done, we didn't cover as many activities as we have done at previous mid-cycles
17:05:04 <tmcpeak> specifically focused on OSSN and threat modeling
17:05:12 <hyakuhei> Many thanks to all of our first-time attendees too, it was truly great to meet you all
17:05:25 <hyakuhei> unrahul vinaypotluri I see that the OSSN work has continued on :)
17:05:32 <unrahul> same here hyakuhei  :) thank you guys
17:05:53 <tmcpeak> speaking of OSSN, did we get lhinds sworn in yet?
17:05:57 <unrahul> yup intent is to carry the momentum on, so if u guys need ossn mules we are here :D
17:06:01 <lhinds> good work vinaypotluri, not an easy first OSSN by any shot
17:06:07 <tmcpeak> lhinds: +1
17:06:26 <lhinds> tmcpeak / hyakuhei : not sure, how would I determine this?
17:06:31 <hyakuhei> almost
17:06:46 <hyakuhei> so you're core in all the core things I can make you lhinds
17:07:03 <hyakuhei> Turns out that the embargo stuff is controlled by the VMT
17:07:12 <lhinds> thx hyakuhei
17:07:26 <hyakuhei> but fungi +1'd the mail I sent around about pushing you to core-sec so that should be fine
17:07:31 <unrahul> hey hyakuhei  isn't VMT part of the security team?
17:07:39 <hyakuhei> On paper yes
17:07:45 <hyakuhei> but they're autonomous
17:07:54 <hyakuhei> For very good reasons
17:08:28 <tmcpeak> gmurphy: fix this
17:08:33 <unrahul> hyakuhei: hmm.. okay who all are in VMT now, do we have them here for the meeting..?
17:08:34 <hyakuhei> Security PTL has no leverage on the VMT although the relationship is a very effective one, they're basically a law unto themselves :P
17:08:35 <gmurphy> fix what?
17:09:00 <unrahul> hehe.. wildcard :D
17:09:13 <hyakuhei> unrahul they're around, you have to remember they're a small team
17:09:25 <hyakuhei> gmurphy fungi seem to be floating around somewhere
17:09:41 <hyakuhei> It's a very small team, very overworked too so I tend to just flag up if we need them here for something.
17:09:53 <hyakuhei> OSSN are completely separate and under our control
17:09:55 <tmcpeak> gmurphy: we need to get lhinds added to OSSG-coresec
17:10:12 <unrahul> ohh.. got you... maybe meet you guys in the next mid cycle or something gmurphy fungi
17:10:16 <hyakuhei> We're specifically talking about promoting lhinds to the Launchpad group that provides early access to security issues
17:10:23 <gmurphy> ok. i think i can do that. if not probably fungi
17:10:26 <unrahul> thanks hyakuhei for the info..
17:10:35 <hyakuhei> https://security.openstack.org ;)
17:10:36 <vinaypotluri> lhinds: thank you :)
17:10:47 <tmcpeak> thanks gmurphy
17:11:14 <tmcpeak> since we're talking OSSN already, let's keep going, then we'll do Syntribos update
17:11:15 <tmcpeak> #topic OSSN
17:11:31 <tmcpeak> I've got a couple embargoed ones I'm working on
17:11:38 <tmcpeak> hyakuhei: as well
17:12:08 <hyakuhei> I'd like to propose that lhinds takes over from nkinder as the OSSN coordinator/leader
17:12:17 <tmcpeak> hyakuhei: I second that
17:12:27 <hyakuhei> nkinder has done amazing work in this space and we will hopefully be able to build on this moving forward
17:12:38 <tmcpeak> let me see if we can get him to join briefly
17:12:55 <tmcpeak> hyakuhei: +1
17:13:09 <tmcpeak> huge part of the reason we have useful notes today
17:13:16 <knangia> I have done working on my OSSN. Could you please review it
17:13:19 <knangia> https://review.openstack.org/#/c/357328/
17:13:19 <hyakuhei> Nathan and I already chatted about it, he doesn't have the cycles to keep ontop of this
17:13:25 <fungi> hyakuhei: unrahul: yeah, i'm around--had just stepped away from the terminal for a few
17:13:27 <fungi> welcome!
17:13:28 <tmcpeak> ahh ok, cool
17:13:36 <hyakuhei> fungi Thanks :)
17:14:05 <tmcpeak> so lhinds you have the interest and bandwidth to be keeper of the notes?
17:14:20 <lhinds> sure!
17:14:22 <hyakuhei> gmurphy just pointed out that with my restored LP access I might be able to level-up lhinds on my own
17:14:26 <tmcpeak> sweet
17:14:35 <tmcpeak> what's restored LP access
17:14:39 <lhinds> I will catch up with nathan to go over the tasks
17:14:42 <tmcpeak> oh right
17:15:06 <tmcpeak> yeah Rob, you're administrator
17:15:09 <tmcpeak> you should be able to do it
17:15:09 <hyakuhei> My expectation is that lhinds will write less OSSN than he has been doing recently and chase more of the people (like me) who should be writing OSSNs, tackling bugs etc.
17:15:22 <tmcpeak> I'm happy with that division of labor
17:15:26 <hyakuhei> Yup, I just got access back (overly-secure-MFA-in-wrong-country-error)
17:15:30 <lhinds> hyakuhei: sounds good to me.
17:15:44 <tmcpeak> we could potentially use a 4th Coresec assuming elmiko won't have time
17:15:44 <unrahul> awesome fungi :) , I am part of the syntribos team ; just wanted to introduce myself.
17:16:01 <lhinds> hey, I have a good topic for the blog as well now
17:16:02 <tmcpeak> maybe wait and see who loves OSSN :D
17:16:12 <lhinds> been trying to think of something, can cover OSSN process?
17:16:27 <hyakuhei> Excellent idea
17:16:44 <unrahul> +1
17:16:45 <lhinds> will get onto that
17:17:14 <hyakuhei> lhinds you're now in the CoreSec group
17:17:26 <lhinds> w00t!
17:17:30 <tmcpeak> congrats lhinds, well deserved
17:17:32 <hyakuhei> and should be able to access restricted bugs etc
17:17:35 <lhinds> thanks *
17:18:09 <lhinds> oh yeah, that worked
17:18:15 <hyakuhei> Excellent
17:18:24 <hyakuhei> Now no selling secrets for fun or profit
17:18:34 <tmcpeak> well, only exceptional profit
17:18:44 <lhinds> I can't post my BTC address?
17:18:49 <hyakuhei> Next meeting lhinds can take us through the open OSSN etc - that cool ?
17:18:50 <lhinds> (kidding)
17:19:00 <lhinds> hyakuhei: sure
17:19:09 <tmcpeak> sweet
17:19:45 <hyakuhei> ok excellent. knangia if you need more reviewers for your OSSN you could add them directly in gerrit or continue to ping on IRC :)
17:19:46 <hyakuhei> ok, should we roll onto the next topic?
17:19:51 <tmcpeak> yep
17:19:53 <tmcpeak> #topic Syntribos
17:19:57 <tmcpeak> no Charles?
17:20:00 <tmcpeak> unrahul: want to take it?
17:20:03 <unrahul> yup
17:20:15 <unrahul> so we are planning to test a few projects from next week
17:20:25 <unrahul> like keystone, neutron, glance, nova, cinder and swift
17:20:47 <unrahul> we are wrapping up final set of patches and hope to finish it by this week
17:20:51 <tmcpeak> damn, all of them?
17:20:54 <tmcpeak> how'd you do that?
17:21:03 <unrahul> like in 1- 2 months :D
17:21:17 <tmcpeak> ahh
17:21:18 <unrahul> considering we can allot 4 -5 days for each
17:21:40 <unrahul> it would be initial set of testing.. so that we can see if we are able to find some bugs.. at this point mostly will be 500 errors.. but..still.
17:22:25 <unrahul> And we got some feedback from the midcycle on the docs, so have updated them and hopefully setting up syntribos is `less painful` now .. :) https://github.com/openstack/syntribos
17:22:28 <tmcpeak> when you say test do you mean one time or on an automated continual basis?
17:22:46 <unrahul> one time.. each project .. running syntribos against each..
17:23:17 <unrahul> we had run against keystone a week back and got some 500 errors.. and got some feedback on making the tool a lil better
17:23:53 <unrahul> so basically our idea is to see what the tool can do .. at this stage and also get a lot of feedback from the tests.. that will eventually go into making the tool `smarter`.. i guess
17:24:04 <tmcpeak> awesome
17:24:34 <unrahul> ccneil is working on automating the template generation as well.. which was another feedback.. that we somehow automate it..
17:25:06 <unrahul> that's it from Syntribos.. for now
17:27:05 <tmcpeak> cool
17:27:19 <tmcpeak> #topic TA
17:27:26 <tmcpeak> so we spent a lot of time on this last week
17:27:31 <hyakuhei> Hmmm. dg isn't here.
17:27:39 <tmcpeak> let me try to fetch him
17:28:49 <hyakuhei> ok well, in the meantime
17:29:16 <hyakuhei> We've been banging away at trying to get TA in OpenStack for a while
17:29:27 <hyakuhei> Recently we rebooted, looking at a more light-weight approach that embodies a lot of what people like tmcpeak dg___ and myself have done in the past
17:29:32 <tmcpeak> dg___: tada!
17:29:34 <dg___> o/ sorry I'm late guys, RL happened
17:29:37 <tmcpeak> he's appeared
17:29:47 <tmcpeak> dg___: summarize our new security review process we were working on por favor?
17:30:56 <dg___> OK, so the new-new security review process is aiming to be as lightweight as possible, our target is 3 hours, with maybe 60-90 minutes of review via a google hangout, and a bunch of prepwork for the reviewer and the PTL of the project being reviewed
17:31:26 <tmcpeak> lol, "a bunch of paperwork"
17:31:32 <tmcpeak> sign me up
17:31:38 <tmcpeak> oh, prepwork
17:31:42 * tmcpeak can't read
17:32:17 <dg___> tl;dr: PTL completes a page describing the architecture of the project, defines the data assets that matter in the system, works with the architect to make sure they have everything
17:32:46 <tmcpeak> we think this approach focuses time spent on potentially useful findings
17:32:52 <tmcpeak> downside is that it does require a security expert
17:33:02 <tmcpeak> this isn't something teams are going to complete by themselves
17:33:14 <dg___> we accept that this won't be a 100% solution, but the law of diminishing returns is very apparent when doing security review work
17:33:46 <hyakuhei> With regards to the work we're doing, that's ok, because it's only for those teams aiming for VMT-Managed tag (or whatever it is)
17:34:10 <hyakuhei> So we created a simple-ish way for diagramming somewhat complex projects : http://i.imgur.com/DPZfxni.png
17:34:30 <hyakuhei> And here's what that's like when applied to Barbican: http://i.imgur.com/hkUVez3.png
17:34:44 <dg___> there will be a section in the security guide describing how to do this and providing guidance for PTLs
17:34:58 <hyakuhei> Props to redrobot who did most of the heavy lifting on this
17:35:05 <dg___> redrobot +1
17:35:23 <tmcpeak> hyakuhei: +1
17:35:47 <tmcpeak> we're still working on it though
17:35:51 <tmcpeak> so stay tuned
17:36:06 <tmcpeak> hyakuhei: what'd you want to do for Kolla?
17:36:09 <tmcpeak> I assume this was you?
17:36:16 <hyakuhei> We got loads done. I'm now convinced for the first time that we'll be able to deliver this more lidely
17:36:32 <tmcpeak> hyakuhei: agreed
17:37:28 <dg___> tmcpeak think we will have a run through of the new new process for kolla once we have the documentation artifacts and barbican review completed
17:37:34 <hyakuhei> *widely
17:37:37 <tmcpeak> ahh ok
17:37:49 <hyakuhei> Yeah they're most of the way but we've moved away from seq diagrams
17:37:59 <dg___> sdake are you here?
17:38:09 <hyakuhei> also with no disrespect to sdake Kolla is a non-typical openstack project
17:38:52 <hyakuhei> As it's a provisioning thing
17:39:03 <tmcpeak> that… may be frustrating for them :)
17:39:09 <tmcpeak> still a DFD should be useful for them as well as us
17:39:23 <tmcpeak> would be very interesting to define assets and threat against those assets the way we've done for Barbican
17:39:37 <hyakuhei> Yeah agreed
17:39:59 <dg___> tmcpeak one of my concerns with the asset-based approach is that it might be ineffective against systems which are used for processing or provisioning or something - we will need to see
17:40:04 <hyakuhei> So this new model is asset oriented which is quite a departure from what we've done before
17:40:20 <tmcpeak> dg___: those systems should be included as an asset, shouldn't they?
17:40:27 <tmcpeak> or at least the token that enables provisioning
17:40:29 <hyakuhei> dg___ That's true. Though I'm confident this will cover 95% of OpenStack stuff quite easily.
17:40:45 <dg___> tmcpeak - probably
17:40:53 <tmcpeak> we can twist it a little bit if needed
17:40:57 <hyakuhei> ++
17:41:00 <tmcpeak> that's why we have security folks working with the teams
17:41:04 <dg___> i suggest we iterate as we need to
17:41:20 <hyakuhei> Learn by doing, rather than spending too much time designing
17:41:31 <dg___> +1
17:41:56 <tmcpeak> alright, move on?
17:42:01 <hyakuhei> yupyup
17:42:11 <tmcpeak> #topic Summit Room Selection
17:42:15 <tmcpeak> we ready to discuss this yet?
17:42:25 <tmcpeak> first of all, who thinks they are likely to attend the summit
17:42:28 <tmcpeak> o/
17:42:51 <hyakuhei> Sorry so yeah
17:42:59 <tmcpeak> probably need to get an idea for security group attendance
17:43:17 <hyakuhei> We have fishbowl and workrooms again
17:43:27 <tmcpeak> nice
17:43:31 <lhinds> tmcpeak: I will be there
17:43:37 <tmcpeak> lhinds: awesome
17:43:45 <tmcpeak> assume security review should happen in a workroom
17:43:51 <lhinds> all week, so intend to be at all sec design sessions
17:44:00 <hyakuhei> excellent
17:44:04 <tmcpeak> when are the design sessions?
17:44:13 <tmcpeak> first part or second part?
17:44:27 <hyakuhei> Normally second but that's not defined right now afaik
17:44:38 <tmcpeak> ahh ok
17:44:50 <tmcpeak> so we have those rooms for all of summit or just part of it?
17:45:02 <lhinds> Ocata Design Summit, Oct 25-28, 2016 in Barcelona, Spain.
17:45:16 <hyakuhei> Those dates are the whole thing
17:45:23 <hyakuhei> I think
17:45:35 <lhinds> https://wiki.openstack.org/wiki/Design_Summit
17:46:23 <dg___> I hope to attend, budget pending (still arguing with finance about the midcycle)
17:46:42 <hyakuhei> I'll be there
17:47:19 <hyakuhei> Is everyone aware of the changes that are coming after this summit to the overall format
17:47:21 <tmcpeak> cool, so I guess for now we just want to start thinking about what we're going to do in those rooms?
17:47:43 <tmcpeak> hyakuhei: not rly, summarize?
17:47:44 <hyakuhei> #link http://www.openstack.org/blog/2016/05/faq-evolving-the-openstack-design-summit/
17:47:47 <dg___> security review all the things
17:47:54 <hyakuhei> No more combined conference+summit
17:48:42 <hyakuhei> Split apart over the year, conference and Project-Team-Gathering
17:48:49 <hyakuhei> both will be pay-to-attend events
17:48:56 <hyakuhei> You should really read the blog if you have time.
17:49:12 <lhinds> I heard that too, not sure how I feel about it.
17:49:17 <tmcpeak> “Forum” is the codename for the part of the Design Summit (Ops+Devs) that would still happen at the main Summit event.
17:49:25 <tmcpeak> ok, so we just stuff all our actions into forum,problem solved
17:49:27 <hyakuhei> After reading the blog, some parts of it make more sense
17:50:18 <lhinds> http://www.openstack.org/blog/2016/05/faq-evolving-the-openstack-design-summit/
17:50:38 <hyakuhei> So that's homework for everyone :P
17:51:00 <tmcpeak> cool
17:51:01 <tmcpeak> #topic AOB
17:51:47 <hyakuhei> I don't have much to add
17:51:54 <tmcpeak> me neither
17:51:56 <tmcpeak> going once...
17:52:06 <tmcpeak> #endmeeting