18:01:12 #startmeeting OpenStack Security Group
18:01:12 the first endmeeting was a few seconds early :)
18:01:13 Meeting started Thu Oct 10 18:01:12 2013 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:14 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:17 The meeting name has been set to 'openstack_security_group'
18:01:26 Hi security group!
18:01:35 hello
18:01:50 Greetings!
18:02:07 I'd like to continue talking about the summit today
18:02:14 And get updates on any work in progress
18:02:19 Anything else on people's minds?
18:02:27 hi
18:02:36 #endmeeting
18:02:53 oh, someone else managed it :)
18:02:55 not from me
18:03:12 ok, let's start with wip
18:03:22 #topic Work In Progress
18:03:54 On my end, the folks at White Hat Security have offered to do a free security assessment of Horizon
18:04:14 they have tools that will perform a scan, and then they do some human analysis to weed out false positives and such
18:04:45 what kind of scan?
18:04:48 Since the OpenStack folk are still working on standing up a reference implementation, I'll be working with White Hat to use a Nebula installation for the scanning
18:05:07 basically they can scan web services for a variety of security issues
18:05:13 I'm still flushing out the details
18:05:28 oh, that sounds good
18:05:45 they can't do REST APIs, apparently
18:05:48 so it will be just Horizon
18:05:54 but that's still useful
18:05:58 bdpayne: your scan checklist will be a juicy addition for the security guide
18:06:32 checklist?
18:06:40 do we have a list of test cases they use? (I didn't follow the thread to be honest)
18:06:56 is not "flushing out the details" a checklist?
18:07:02 oh I see
18:07:11 yeah, I'll need to learn more about what they are doing
18:07:21 I do not currently know all of their test cases
18:07:30 ok
18:07:39 I would think that the security guide may be improved if there's a deployment option that can mitigate problems better
18:07:41 test coverage could also be interesting
18:07:54 so we'll see how this goes
18:08:03 but I just wanted to let people know that this was starting to take shape
18:08:12 cool
18:08:26 absolutely cool
18:08:28 [
18:08:29 .
18:08:34 Any other ongoing projects people would like to discuss?
18:08:36 slides?
18:08:44 dev work?
18:08:47 new blueprints?
18:09:20 quiet from our end right now
18:09:27 sorry: my WIP -- edits on guide and slides -- no further progress. looks this way till Dec
18:09:29 sorry guys. Those two messages were brought to you by my kitten.
18:09:47 np on the kitten issue
18:09:49 :-)
18:10:25 #topic Summit Planning
18:10:41 hi. little late...
18:10:46 So I shared this previously
18:10:47 https://docs.google.com/spreadsheet/ccc?key=0AqnzHH5YYzZvdHM0R042U0t5LTNXWFp1MlB2VHpCZmc&usp=sharing#gid=0
18:10:49 hi elo
18:11:20 Still need to go through the dev sessions once those are flushed out
18:11:30 I'd also like to have an OSSG gathering at the summit
18:11:41 For those that are attending, any preferences on when that takes place?
18:12:19 not from me
18:12:28 no preference from me
18:12:44 thursday/friday I'm not available for a few hours due to sessions that I'm helping out on
18:12:55 ok, I'm leaning towards finding a long lunch one day
18:13:00 i submitted a geo-tagging design session and blueprint
18:13:10 I'll review the schedule and try to find a time with minimal potential conflicts
18:13:36 malini1 interesting
18:13:45 feel free to add any dev sessions of interest to the wiki
18:13:54 s/wiki/google doc/
18:14:06 even at this stage, without knowing what is accepted there
18:14:10 link to the blueprint?
18:14:13 would be good to start tracking stuff
18:14:32 will do, but it may be rejected
18:14:37 of course
18:14:55 So, a few more words on the summit...
18:15:17 I view the summit as an opportunity to (1) reflect on how we've done over the past 6 months, and (2) plan for the next 6 months
18:15:47 I'd like to discuss both of these items at the OSSG meeting at the summit
18:15:57 i think for next summit we should aim for a workshop, 1-2 hours on securing an openstack implementation
18:16:06 But, some prep between now and then could make that discussion more fruitful
18:16:22 malini1 perfect
18:16:33 so, yeah, I was going to ask for ideas / goals / etc for the upcoming 6 months
18:16:46 Absolutely, like your Nebula reference impl and what makes it secure
18:16:53 basically, where would you like to see OSSG heading
18:17:31 yeah, that would be interesting
18:17:48 any other ideas?
18:18:01 surely there's plenty of ways that OSSG can improve / have more influence / etc
18:18:35 I think OSSG is gaining momentum with the guide, the OSSNs and being a crosscutting entity across the OS projects, but have to be more vocal, kind of establish ourselves such that people come to us "please take a look" type thing
18:18:53 yeah
18:19:05 I think that will come with more specific involvement in each project
18:19:30 we could really benefit from having people just dig in and get involved in the various projects
18:20:03 ok, well the key take away here is to really think about this topic
18:20:04 agreed, it's difficult to review code for security issues when unfamiliar with the context
18:20:10 I'd like to have a good discussion on it at the summit
18:20:22 specifically:
18:20:30 for one thing, coming from Intel and TXT land, at the very least I have to be savvy setting it up, its limitations (like it's OK for VMMs, but not yet for bare metal, so we are not yet there for TXT for the openstack service nodes)
18:20:31 * What are the problems / areas we can improve
18:20:33 or contribute security-related bug fixes
18:20:40 * What are specific things we can do to improve
18:21:17 #topic Other business
18:21:26 So that's all that I have for today… anything else on people's minds?
18:22:15 Hearing none, I guess we're all done here
18:22:20 would be nice to research "known holes" and share with each other. For instance security wrt SR-IOV
18:22:39 ah…
18:22:42 agreed
18:23:26 malini1 on a similar topic, I'd be interested in more information on Intel SGX
18:23:48 :-) Will learn more and get back to you on it.
18:24:21 anything specific
18:24:31 clearly it's new, not out yet, but I think it may have a role to play for securing nodes
18:24:31 can even bug developers
18:25:07 specifically, I'm curious if this could be used to protect a security agent on a host that then uses memory introspection techniques to monitor the host and, perhaps, the VMs / containers on that host
18:25:32 and, if it can, then I'd like to play with engineering samples :-)
18:25:43 on a separate note, I am relishing the many flavors of the word "TEAM", for it means making things possible, achieving things, because we leverage each other's strengths
18:25:55 OK, that is an action item for me.
18:26:00 cool, thanks
18:26:31 for those not interested in SGX, check out the Intel presentations here https://sites.google.com/site/haspworkshop2013/workshop-program
18:26:40 s/interested/ familiar/ :-)
18:27:13 ok, then I think we're really done here
18:27:16 thanks everyone
18:27:18 cya next time
18:27:22 bye
18:27:25 cheers
18:27:25 bye
18:27:40 bye
18:27:45 #endmeeting