18:00:17 <bdpayne> #startmeeting OpenStack Security Group
18:00:18 <openstack> Meeting started Thu Jan 24 18:00:17 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:21 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:37 <bdpayne> good morning / evening to everyone
18:00:46 <bdpayne> welcome to the first security group meeting
18:01:05 <bdpayne> I'd like to start with a few house keeping items...
18:01:23 <bdpayne> #topic House Keeping
18:01:57 <bdpayne> We're using the MeetBot for auto generated minutes
18:02:00 <bdpayne> #link http://wiki.debian.org/MeetBot
18:02:19 <bdpayne> We'll have weekly meetings, starting today
18:02:39 <mtesauro> Where are we archiving those minutes?
18:02:44 <bdpayne> #info Meetings should last 30 min (or less)
18:03:15 <bdpayne> #info I'll post the meeting minutes online after each meeting
18:03:17 <bdpayne> #link http://wiki.openstack.org/Meetings/OpenStackSecurity
18:03:32 <mtesauro> Perfect.  Thanks.
18:03:59 <bdpayne> #info I encourage everyone to subscribe to the mailing list, if you haven't already: openstack-ossg@lists.launchpad.net
18:04:08 <bdpayne> you can do this through the launchpad group
18:04:18 <bdpayne> #link https://launchpad.net/~openstack-ossg
18:04:30 <bdpayne> we'll talk more about the mailing list in a few...
18:04:56 <bdpayne> so, before we dive into other topics, let's do some introductions
18:05:01 <bdpayne> #topic Introductions
18:05:16 <bdpayne> I can start
18:05:59 <bdpayne> #info Many of you have met me at the summit / online… I'm Bryan Payne and I'm working at Nebula… OpenStack and related security tasks are my day to day job
18:06:14 <bdpayne> who else do we have joining us today?
18:06:41 <hyakuhei> #info Security Architect at HP. Started OSSG with Bryan. Speaking at summits etc.
18:07:14 <bdpayne> morning @hyakuhei
18:07:16 <mtesauro> #info I'm Matt Tesauro, I am the lead of the product security engineers at Rackspace.  Was at the last summit and will be at the next.  OpenStack is also part of my normal work with Rackspace
18:07:42 <bdpayne> nice to have you here Matt
18:08:02 <lauraglendenning> #info I'm Laura Glendenning, I'm a software developer at JHU Applied Physics Lab and am currently leading our OpenStack project here.  I was at the last summit and my team is working on security-related features.
18:08:03 <bdpayne> anyone else here today?  I heard from several others that planned on attending
18:08:04 <estebang9> #info Esteban Gutierrez, IT security for Intel. Working on security requirements for openstack deployments.
18:08:37 <malini> Greetings everyone! I am Malini Bhandaru from Intel, and my focus is security too
18:08:48 <bdpayne> great, I was planning to talk about some Intel and APL work later in the meeting, you guys can keep me honest
18:08:49 <alrs> #info I'm Lars Lehtonen, I'm mostly working around Swift in our deployment right now.
18:08:53 <Randy_Perryman> Greetings, Randy Perryman with Dell.  Work on the Crowbar Team doing actual Deployments of Openstack in the field.
18:09:27 <bdpayne> ok, looks like we have a nice group… thanks for the introductions all
18:09:39 <bdpayne> let's dive into some topics
18:09:49 <bdpayne> #topic Mailing list
18:10:21 <bdpayne> #info We currently have a mailing list setup on launchpad, but there is a move afoot to change this to a mailman list
18:10:39 <bdpayne> @hyakuhei, can you report on the status for that?
18:11:11 <hyakuhei> #info In progress. It got lost in the summit setup noise - I'll email Stefano about it again.
18:11:20 <bdpayne> sounds good
18:11:25 <mtesauro> Is this Mailman list OpenStack hosted?
18:11:28 <bdpayne> yeah
18:11:40 <sriramhere> do we need a separate mailing list? [OSSG] won't work with dev?
18:11:43 <bdpayne> the idea here is to allow for integration with the bug tracking system
18:12:01 <bdpayne> so bugs can be marked "security" and we will get a notification
18:12:13 <bdpayne> chatter can happen on dev or on our list, as people see fit
18:12:24 <sriramhere> ok - nice. how many bugs do we have? last I checked, we had three
18:12:30 <hyakuhei> That allows us to build out some pretty cool security tooling.
18:13:29 <hyakuhei> Those are OSN bugs, that's a bit different. That's us using Launchpad for Security notes.
18:13:29 <bdpayne> right
18:13:29 <bdpayne> in the future, we'll get notified (hopefully) of bugs and patches that are security relevant and could benefit from review by someone in this group
18:13:49 <bdpayne> ok, so moving on...
18:13:53 <sriramhere> ok
18:13:58 <bdpayne> #topic Security Notes
18:14:20 <bdpayne> #info We have been asked to occasionally provide "Security Notes" for the OpenStack community
18:14:48 <bdpayne> this is lightweight security configuration guidance
18:14:53 <hyakuhei> These are like advisories for configuration / common things people do wrong that compromises the security of their OpenStack deployment.
18:14:58 <bdpayne> perhaps not quite a CVE, but best practices
18:15:20 <Randy_Perryman> So a Security FAQ page?
18:15:24 <mtesauro> so basically bits of what would be a hardening guide?
18:15:26 <hyakuhei> No.
18:15:32 <bdpayne> there is one note already in progress
18:15:34 <bdpayne> #link https://bugs.launchpad.net/osn/+bug/1098582
18:15:35 <uvirtbot> Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed]
18:15:55 <mtesauro> That is the one from last week, right?
18:16:04 <bdpayne> that's right
18:16:31 <bdpayne> largely these will be little advisories to help people make good decisions
18:16:57 <bdpayne> #info these are designed to be more timely than the security guide… and something that we can produce on demand and/or as we see the need
18:16:57 <Randy_Perryman> Thank You for the clarification.
18:17:12 <sriramhere> do we have a link to the work in progress?
18:17:20 <bdpayne> that's the link above
18:17:41 <bdpayne> that is for the LXC security note… I would encourage everyone to take a pass and provide some feedback
18:17:51 <bdpayne> we'd like to get that one out the door soon
18:18:13 <bdpayne> apparently many people are using LXCs and thinking that they are getting KVM style isolation… but they aren't, of course
18:18:48 <bdpayne> #topic Security Guide
18:19:02 <sriramhere> thanks - what is the plan for arriving at a template? does this need to wait for a common agreed template for OSN?
18:19:27 <estebang9> Could a list of live items such as that one above exist as a list on the main security group page? This would be a list of "hot" items.
18:19:38 <bdpayne> #info @hyakuhei has put together a repo and some initial templates for the security guide
18:19:57 <bdpayne> yeah, let's speak to those questions
18:20:02 <hyakuhei> I see that very much being in the bootstrap stage.
18:20:22 <bdpayne> the template is basically to have a nice common way to present this info
18:20:31 <bdpayne> work there is needed, but we didn't want to hold up getting the first note out for that
18:20:52 <sriramhere> so, plan looks like first OSN will be out, while the template will be in work.
18:20:54 <bdpayne> contributions are certainly welcome in putting together a template for that… probably just a simple plain text format that will work for email / web site posting
18:20:58 <mtesauro> Bootstrap is fine as long as we don't preclude future growth in its implementation.  Better to iterate to what works best for all
18:21:04 <sriramhere> hopefully from second one, we can follow the template.
18:21:11 <bdpayne> that's right
18:21:29 <bdpayne> as for putting items on the website, I think that makes sense
18:21:35 <bdpayne> we should put together a section for that
18:21:37 <sriramhere> hyakuhei - can u point to the wip for template please? so that we can provide feedback
18:22:25 <hyakuhei> OSN template or Hardening Guide?
18:22:40 <sriramhere> template
18:22:43 <bdpayne> OSN template and related -- https://bugs.launchpad.net/osn
18:22:45 <bdpayne> #link https://bugs.launchpad.net/osn
18:23:00 <hyakuhei> It's largely captured in the LXC note linked previously.
18:23:01 * bdpayne changed the topic too quickly ;-)
18:23:16 <hyakuhei> Basically MD with whatever topics made sense.
18:23:52 <bdpayne> ok… moving on to discuss hardening guide
18:24:00 <bdpayne> #link https://github.com/hyakuhei/OSSG_Hardening_Guide
18:24:17 <bdpayne> this is the git repo with the skel latex code for the guide
18:24:35 <bdpayne> #info Note the outline.txt file as a first cut at the guide outline
18:25:05 <bdpayne> #action We should review that outline and get happy with it so that we can begin working on the writing as a group
18:25:22 <hyakuhei> Yeah, there's virtually no content right now but it's easy to see how this could build out to be something incredibly useful to the community.
18:25:34 <bdpayne> Exactly
18:25:55 <hyakuhei> Please excuse the shonky makefile...
18:26:02 <estebang9> Looks like a good start though.
18:26:07 <bdpayne> I see that we are running a little short on time… I'd like to push through a couple of additional topics in our last 5 min
18:26:11 <sriramhere> may be i missed it - what is the goal for the hardening guide? how's it different from OSN?
18:26:20 <bdpayne> ah, sorry...
18:26:40 <bdpayne> hardening guide is designed to be a single document with advice for deploying OS securely
18:26:58 <bdpayne> whereas the OSN's are one off security best practice advice… more timely
18:27:22 <sriramhere> ok - do we plan to include any internal notes (known threats, mitigations, etc.) in this? or is it for external users?
18:27:22 <mtesauro> Presumably the audience is OpenStack implementors, correct?
18:27:39 <bdpayne> @mtesauro that's correct
18:28:04 <bdpayne> @sriramhere not sure what you mean, audience will be cloud implementors / cloud admins that are working with OS
18:28:42 <sriramhere> i got the answer; what i meant to say is, if we know of a known threat, we will still publish it, so that cloud admins can be aware of that
18:28:49 <bdpayne> ok, just a few final mentions here
18:28:51 <sriramhere> and possibly incorporate our mitigation ideas
18:29:06 <bdpayne> that will have to be handled on a case by case basis
18:29:35 <bdpayne> in general, I would say we provide advice to deploy in a way that offers layered security and helps mitigate attacks
18:29:54 <sriramhere> thanks
18:30:14 <mtesauro> One additional item, not on the agenda...
18:30:37 <mtesauro> #info Beyond my work with OpenStack, I'm also heavily involved in OWASP - International OpenSource Foundation working on application security
18:30:45 <mtesauro> #info I have just started an OWASP OpenStack Security project with the goal of bringing the two communities together.
18:31:04 <bdpayne> sorry, my irc connection just hiccup'd
18:31:16 <mtesauro> There's an Apache-like approval process with OWASP projects which will close at COB today (central time US GMT-6)
18:31:48 <bdpayne> @mtesauro Any specific proposals for OS?
18:31:54 <hyakuhei> @mtesauro That's interesting.
18:31:59 <mtesauro> After that, I'll be actively recruiting from the OWASP community to add to the OSSG work.
18:31:59 <estebang9> @mtesauro, I take it you have that created on the OWASP site? and will it be Appsec focused?
18:31:59 <sriramhere> bdpayne - u had a few final mentions,
18:32:19 <bdpayne> yeah, we are basically out of time
18:32:28 <bdpayne> let me just close this out and we can have more discussion next week
18:32:36 <mtesauro> After the approval completes today, there will be an OWASP project page on their site + mail list for the project.
18:32:44 <estebang9> I assume we can take items to the mailing list as well?
18:32:50 <bdpayne> #topic Storage Encryption
18:32:52 <mtesauro> will link that to OSSG as well
18:33:18 <estebang9> groovy
18:33:54 <mtesauro> There's a bunch of app sec people at OWASP which could lend a hand with OpenStack work
18:35:10 <bdpayne> #link https://blueprints.launchpad.net/swift/+spec/encrypted-objects
18:35:20 <bdpayne> #link https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
18:35:31 <bdpayne> both of those are worth getting some eyes from this group
18:35:42 <bdpayne> we should discuss more on the mailing list and at next week's meeting
18:35:52 <malini> Thank you!!! Would appreciate feedback
18:36:01 <bdpayne> #info that's all I had for today… thanks everyone for attending!
18:36:05 <benj__> Additional storage encryption info here http://lists.openstack.org/pipermail/openstack-dev/2013-January/004439.html
18:36:27 <bdpayne> #endmeeting