17:00:03 <tmcpeak> #startmeeting security
17:00:04 <openstack> Meeting started Thu Sep  1 17:00:03 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:07 <elmiko> ha
17:00:08 <openstack> The meeting name has been set to 'security'
17:00:10 <tmcpeak> #chair elmiko
17:00:11 <jasonhullinger> hola
17:00:14 <tmcpeak> boom, beat you elmiko
17:00:15 <openstack> Current chairs: elmiko tmcpeak
17:00:16 <openstack> elmiko: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
17:00:17 <elmiko> no no, you take it tmcpeak =)
17:00:20 <tmcpeak> wassup jasonhullinger :)
17:00:22 <lhinds> heyup
17:00:28 <elmiko> #chair lhinds
17:00:28 <openstack> Current chairs: elmiko lhinds tmcpeak
17:00:31 <singlethink> o/
17:00:37 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:00:41 <tmcpeak> jasonhullinger: ^
17:00:47 <unrahul> o/
17:00:49 <elmiko> tmcpeak: i was mainly just making sure there was someone here =)
17:00:59 <tmcpeak> nope, too late.  You're a chair now elmiko
17:01:07 * elmiko sighs
17:01:10 <elmiko> ;)
17:01:29 <browne> o/
17:01:36 <elmiko> tmcpeak: i just copied an old agenda, hope it's somewhat accurate
17:01:49 <tmcpeak> yep, looks good
17:01:51 <lhinds> lgtm
17:02:00 <tmcpeak> although we don't do anchor anymore
17:02:09 <elmiko> ah, gotcha
17:02:11 <elmiko> why not?
17:02:16 <tmcpeak> it's mature!
17:02:24 <elmiko> sweet =)
17:02:48 <browne> anchor does have a bunch of patches in limbo waiting for +2
17:02:58 <tmcpeak> ahh, well crap
17:03:20 <tmcpeak> I put it back in topical :P
17:03:31 <tmcpeak> allright, let's get started
17:03:53 <tmcpeak> let's do topical stuff first
17:03:56 <sdake> o/ :)
17:03:56 <tmcpeak> #topic Bandit Jenkins Plugin
17:04:00 <tmcpeak> jasonhullinger: take it away
17:04:05 <jasonhullinger> Cool thanks
17:04:29 <jasonhullinger> So I've been working on integrating Bandit into the Jenkins build process.
17:04:53 <jasonhullinger> So in a Jenkins build process, you can git clone, do other things, then run Bandit on the new source code.
17:05:12 <jasonhullinger> Here is an example of the output from a forked version of Barbican: http://173.247.105.93:8080/job/barbican-forked/
17:05:19 <tmcpeak> #link http://173.247.105.93:8080/job/barbican-forked/
17:05:46 <redrobot> No vulns \o/
17:05:47 <lhinds> nice graph
17:05:50 <tmcpeak> this looks really cool, I think OpenStack largely uses Jenkins Job Builder, right?
17:06:06 <jasonhullinger> It uses git data to see what has changed, points you to the source file and line of code, etc. Basically a bunch of great free stuff that Jenkins gives you that can be added to the build from Bandit.
17:06:08 <tmcpeak> redrobot: lol
17:06:44 <jasonhullinger> So anyway, I'll be in Barcelona. In a breakout session I'd like to demo it, if that would be okay?
17:06:55 <tmcpeak> jasonhullinger: would be really cool to get these results aggregated and pushed somewhere for large stacks of OpenStack projects
17:06:58 <tmcpeak> jasonhullinger: definitely
17:07:13 <lhinds> jasonhullinger: I would be interested in that
17:07:39 <tmcpeak> #link https://etherpad.openstack.org/p/barcelona-security-sessions
17:07:40 <jasonhullinger> Yeah, I'd like to format it better and such, but I think it would really help teams see security results if it were run in the build process
17:07:50 <tmcpeak> I'm going to create a new etherpad to start tracking our security stuff in Barcelona
17:07:54 <jasonhullinger> Instead of them manually running it
17:07:56 <tmcpeak> jasonhullinger: can you please add something about it there?
17:07:58 <unrahul> jasonhullinger: it looks cool!
17:08:02 <jasonhullinger> Sure
17:08:05 <jasonhullinger> Thanks!
17:08:05 <sdake> jasonhullinger ++
17:08:37 <tmcpeak> it would be REALLY cool to get a bunch of those graphs and stats pushed somewhere central to get a 10K view of OpenStack project open issues
17:08:51 <tmcpeak> really good work jasonhullinger
17:09:09 <jasonhullinger> Yeah, that would be really great to aggregate the info as well.
17:09:10 <jasonhullinger> thanks
17:09:18 <sdake> tmcpeak - I think that would be a new one for openstack-infra, although they do have elasticsearch in the infra iirc
17:09:56 <tmcpeak> sdake: ahh cool
17:10:19 <tmcpeak> yeah, think Infra is using JJB a lot.  Would be cool to get some boilerplate template stuff in there to make it easy for projects to set this up
17:10:45 <sdake> tmcpeak ya a per-project publish job would probably be pretty easy
17:10:48 <sdake> but not certain
17:11:29 <tmcpeak> jasonhullinger: this looks really cool, definitely looking forward to seeing this applied to other projects and what kind of cool stuff we can drag out of it :)
17:11:36 <browne> ++
17:11:45 <tmcpeak> really like the links part too
17:11:54 <tmcpeak> so I can just click on the issue and get the code snippet
17:11:56 <jasonhullinger> Yeah thanks, I think it will be helpful for developers too to see immediate results for every build
17:12:11 <tmcpeak> we wanted to get this with our HTML reports but never quite got there :P
17:12:40 <tmcpeak> another thing that would be cool is a docker container that deploys your project and small jenkins and does magics behind the scenes to make all this work
17:12:40 <jasonhullinger> Yeah, Jenkins gives you a bunch of cool free stuff. You just have to work your way around the annoying Java frameworks
17:12:48 <sdake> tmcpeak I think a model that could be used is much like the coverage jobs
17:13:02 <tmcpeak> jasonhullinger: I'm glad you've done that so we don't have to… Java (shudder)
17:13:18 <jasonhullinger> (shudder indeed)
17:13:24 <tmcpeak> cool, thanks man
17:13:29 <tmcpeak> looking forward to the session
17:13:35 <jasonhullinger> Yup, thanks!
17:13:39 <tmcpeak> please throw something up on the page about what you've got planned
17:13:42 <tmcpeak> #topic Anchor
17:13:50 <tmcpeak> browne: open reviews you say?
17:14:23 <browne> #link https://review.openstack.org/#/q/status:open+p:openstack/anchor
17:14:39 <browne> lots of +2, but no +W
17:14:57 <tmcpeak> who are the +A's for Anchor these days?
17:15:19 <tmcpeak> yeah, yikes
17:15:22 <browne> #link https://review.openstack.org/#/admin/groups/498,members
17:15:24 <tmcpeak> lots of stuff needs to land
17:15:56 <tmcpeak> well, dg can't make meeting today, he's got a call and sends his regards and all that
17:16:07 <tmcpeak> same with hyakuhei, so let's revisit this next week
17:16:19 <browne> ok cool.
17:16:21 <tmcpeak> good point though browne
17:16:29 <tmcpeak> #topic Threat Analysis for Kolla
17:16:34 <tmcpeak> sdake: what's our status?
17:16:43 <tmcpeak> we've worked out something that seems useful with Barbican at our last midcycle
17:16:49 <tmcpeak> would be cool to take you guys through it too
17:16:55 <tmcpeak> have you seen our Barbican TA?
17:16:56 <sdake> tmcpeak status is we have been on fire in kolla
17:16:56 <sdake> fires are put out
17:16:58 <sdake> i have not
17:17:06 <sdake> if you give me a link it would be fantastically helpful :)
17:17:06 <tmcpeak> actually we're not calling it TA anymore :P
17:17:08 <tmcpeak> security review
17:17:18 <tmcpeak> #link https://etherpad.openstack.org/p/barbican-threat-analysis
17:17:26 * sdake groans at having to change the governance repo again
17:17:36 <tmcpeak> don't worry about that
17:17:51 <tmcpeak> we'd like to get a basic DFD for you guys like this: http://i.imgur.com/P0RSo5R.png
17:18:10 <tmcpeak> from there we enumerate data assets and then discuss the impact of a breach of CIA for each of those assets
17:18:14 <sdake> tmcpeak the short of it is - now i have a few weeks to sort out the documentation
17:18:27 <tmcpeak> which documentation?
17:18:38 <sdake> tmcpeak the security review docs?
17:18:42 <tmcpeak> I'm happy to jump on a call with you and a couple from your team to push through this
17:18:43 <sdake> (for kolla)
17:18:44 <tmcpeak> shouldn't take long
17:18:55 <tmcpeak> can probably smash the whole thing out in 2-3 hours
17:18:56 <sdake> tmcpeak cool - let me set something up with our coresec team
17:19:02 <tmcpeak> ok awesome
17:19:07 <sdake> tmcpeak i'll contact you offline to schedule a time
17:19:12 <tmcpeak> sounds good, thank you
17:19:17 <sdake> thank you :)
17:19:26 <sdake> tmcpeak note I may need to rebuild the coresec team
17:19:35 <tmcpeak> why, what happened?
17:19:43 <sdake> mirantis left kolla project
17:19:51 <tmcpeak> ahh, interesting
17:19:56 <sdake> so we need more recruits in our coresec project
17:19:59 <sdake> coresec team i mean
17:20:03 <tmcpeak> we've been struggling a bit with active members in OSSP too
17:20:19 <sdake> kolla has too much input ;)
17:20:27 <tmcpeak> haha
17:20:39 <sdake> 800 commits this cycle so far
17:20:45 <sdake> anyway - i think that's it :)
17:20:51 <tmcpeak> ok sounds good, thanks sdake
17:20:56 <sdake> oh real quick
17:20:56 <tmcpeak> #topic Syntribos
17:21:00 <tmcpeak> what's up?
17:21:04 <sdake> we have got our bandit gate operational
17:21:10 <sdake> and i am making it voting today
17:21:15 <sdake> that's it :) thanks
17:21:17 <tmcpeak> sdake: sweeeeet!
17:21:22 <tmcpeak> thanks man :)
17:21:33 <unrahul> hey tmcpeak , so ccniel is out, I am filling in for syntribos
17:21:37 <tmcpeak> unrahul:
17:21:42 <tmcpeak> was just about to call you :)
17:22:03 <unrahul> As discussed last week, we are testing all core projects this week (till October)
17:22:08 <unrahul> this week its keystone
17:22:30 <unrahul> and the basic results are a bunch of 500 errors as expected, nothing major..
17:23:07 <unrahul> we also got some initial thoughts on modifying syntribos..,major thing being the time it takes to run syntribos across all the api is too long..
17:23:08 <tmcpeak> a bunch of 500 errors are expected?
17:23:41 <unrahul> from syntribos tmcpeak , the tests we have now.. are not that complex to get other things..i guess
17:24:00 <tmcpeak> 500's are still bugs though, surprised you got a ton of them
17:24:05 <unrahul> we were expecting that syntribos will capture 500 errors from the projects at the minimum, in that way.
17:24:33 <unrahul> yeah.. in most of the endpoints.. we got 500 errors when the body was big and also for a specific string..
17:24:34 <unrahul> :D
17:24:39 <tmcpeak> nice
17:24:51 <tmcpeak> those are at least hardening opportunities
17:25:13 <tmcpeak> what do you mean by "long"
17:25:17 <tmcpeak> like hours, days?
17:25:26 <unrahul> no.. like 3.5 hrs or so
17:25:30 <tmcpeak> ahh ok
17:25:40 <tmcpeak> you have any progress indicators?
17:25:43 <unrahul> so I dont think any team would be okay keeping syntribos as part of their ci pipeline.
17:25:56 <tmcpeak> yeah, good point
17:25:58 <unrahul> me might look into celery tmcpeak  :P
17:26:01 <unrahul> we*
17:26:20 <unrahul> to speed things up and also to implement some sort of pause functionality
17:26:24 <tmcpeak> good, every time somebody uses celery gmurphy smiles awkwardly
17:26:35 <unrahul> well indicators..? like making the tests better??
17:26:52 <tmcpeak> no, like "6/80 tests complete"
17:27:02 <tmcpeak> cute little ascii art progress bar, that kind of stuff
17:27:08 <unrahul> we have some pointers.. so would be modifying our tests a lil bit and see if we are able to capture a bit better..
17:27:10 <unrahul> oh yeah..
17:27:12 <tmcpeak> 5/20 endpoints
17:27:13 <unrahul> we have that now
17:27:21 <tmcpeak> estimated time remaining...
17:27:31 <unrahul> it will show how many failures/tests etc run..
17:27:57 <unrahul> no estimated remaining time though.. will  need to see and include that, good point tmcpeak
17:28:25 <tmcpeak> unrahul: good point on the CI pipeline though
17:28:35 <tmcpeak> maybe you can have a dialed back version that runs in CI and a periodic longer running version
17:28:35 <sdake> tmcpeak best practice in openstack-infra is 1 hour gate jobs
17:28:36 <unrahul> right now the progress is estimated /templates(each req)
17:28:46 <sdake> tmcpeak infra willing to go to 90 minutes with negotiation :)
17:28:51 <tmcpeak> sdake: yeah, I know they get upset if they take longer
17:29:14 <sdake> tmcpeak option here is a periodic job
17:29:15 <tmcpeak> can use a specifically configured syntribos instance to check most important stuff in CI
17:29:19 <unrahul> tmcpeak:  yeah.. we need to do something like that, maybe run only the post requests or something like that..
17:29:24 <tmcpeak> sdake: yep yep
17:29:33 <unrahul> tmcpeak: yup..
17:29:53 <tmcpeak> cool, thanks unrahul.  Anything else for Syntribos today?
17:30:10 <unrahul> nope that's it for now tmcpeak !
17:30:40 <unrahul> will keep u guys posted if we find some cool vulnerabilities.
17:30:59 <tmcpeak> awesome, thank you!
17:31:11 <tmcpeak> #topic OSSN
17:31:16 <tmcpeak> lhinds: you're up!
17:31:21 <lhinds> k..
17:31:37 <lhinds> OSSN 0070 Published (XSS in Bandit)
17:31:55 <lhinds> OSSN 0068 is close to being published, needs some +1 from neutron core
17:32:25 <tmcpeak> awesome
17:32:32 <lhinds> had a good meeting with nkinder to pick his brains on how he had been looking after things
17:32:33 <tmcpeak> our usual problem, we don't know neutron cores :P
17:32:54 <lhinds> I know a couple of guys at RH, but everyone seems PTO atm.
17:33:11 <lhinds> I will keep pushing there though for someone
17:33:38 <lhinds> Dustin is happy though, which is good, as he knows the topic well having been the original reporter
17:33:53 <tmcpeak> awesome
17:34:04 <tmcpeak> I sent an embargoed note a couple of days ago that will be released to public Sept 13th
17:34:08 <tmcpeak> signed up a new one today
17:34:23 <tmcpeak> seems like embargoed notes are becoming more of a thing so we really need 4 active sec cores
17:34:33 <lhinds> I saw that, I need to email you about how we reach downstream stakeholders.
17:34:34 <tmcpeak> we currently have three since elmiko hasn't been able to participate as much
17:34:39 <jasonhullinger> OSSN 0070 is interesting. I was just wondering myself who was responsible for sanitizing that. If I HTML encode the 'message', and Bandit does, then it would be double encoded. Maybe this should be to the Bandit team, but will Bandit be responsible for properly encoding HTML output?
17:35:15 <tmcpeak> jasonhullinger: yeah, it should be
17:35:26 <jasonhullinger> Okay, thanks, good to know
17:35:44 <elmiko> sorry =(
17:35:53 <lhinds> tmcpeak: I will query you in private about some of the embargo ones we have right now
17:36:05 <tmcpeak> elmiko: it's all good brotha, you've done a lot of good work for a while
17:36:09 <tmcpeak> day jobs are pesky :P
17:36:12 <tmcpeak> lhinds: sounds good
17:36:14 <elmiko> totally
17:36:19 <lhinds> talking of embargo, do we want to discuss reviews using google docs?
17:36:31 <lhinds> or should we wait for rob?
17:37:21 <tmcpeak> lhinds: we don't have to discuss it here
17:37:28 <tmcpeak> it's just the three of us now and we're all in agreement
17:37:33 <tmcpeak> thumbs up for Google Docs from now on
17:37:41 <lhinds> sure, I will eke out a process and send it to you
17:37:50 <tmcpeak> sounds good, thanks man
17:38:00 <tmcpeak> #topic Docs
17:38:14 <tmcpeak> elmiko: did you find any replacements?
17:38:23 <tmcpeak> we should probably take this out as a standing item
17:38:48 <elmiko> sadly, no
17:39:07 <tmcpeak> ok no worries
17:39:11 <elmiko> but, i have had zero time for docs
17:39:15 <tmcpeak> #topic Blog
17:39:18 <tmcpeak> lhinds: again
17:39:31 <lhinds> oh that was quick
17:39:36 <tmcpeak> :P
17:40:14 <lhinds> so I have that blog PR up, I was going to wait for OSSN-0068 to be up
17:40:23 <lhinds> but I could just change the link to another
17:40:44 <lhinds> I think I fixed the comments you had tmcpeak, so it's near ready to go
17:41:51 <lhinds> is there a review procedure for blog posts (two or more people?)
17:42:21 <tmcpeak> not really
17:42:28 <tmcpeak> let me ping dg about it
17:42:42 <lhinds> k
17:43:05 <tmcpeak> I don't think we have much for TA this week since dg and hyakuhei aren't here
17:43:08 <tmcpeak> #topic AOB
17:43:16 <tmcpeak> open floor...
17:44:55 * elmiko starts break-dancing
17:45:23 <tmcpeak> lol
17:45:25 <tmcpeak> thanks elmiko
17:45:28 <tmcpeak> #endmeeting