18:06:57 <bdpayne> #startmeeting OpenStack Security Group
18:06:58 <openstack> Meeting started Thu Nov 14 18:06:57 2013 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:06:59 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:07:01 <openstack> The meeting name has been set to 'openstack_security_group'
18:07:15 <bdpayne> hi everyone
18:07:17 <joel-coffman> hey
18:07:21 <shohel_> hi
18:07:27 <nkinder_> hello
18:07:28 <bdpayne> sorry about the delay... I hadn't updated my calendar for US daylight savings time
18:07:29 <bdpayne> heh
18:07:53 <bdpayne> ok, so let's get right into it
18:08:02 <bdpayne> first I'd like to do a quick brain dump on the summit
18:08:16 <bdpayne> and some of the next steps
18:08:28 <bdpayne> feel free to chime in with additional details and/or to add things that I miss
18:08:47 <bdpayne> after that, I believe shohel_ wanted to talk a bit about threat modeling
18:09:00 <bdpayne> #topic Summit Wrapup
18:09:13 <bdpayne> So, the summit was busy and a lot of fun, as usual
18:09:39 <bdpayne> From an OSSG perspective, I have started to push my agenda for Icehouse: Scaling out OSSG
18:09:55 <bdpayne> in particular, I'll be working to get more participation and to spread some of the leadership load
18:10:08 <bdpayne> and that should free me up to contribute in other ways a bit too
18:10:28 <bdpayne> more tactically, here's some of the areas the group discussed working on
18:10:31 <bdpayne> OSSN
18:10:40 <bdpayne> the security notes could be ramped up
18:10:45 <bdpayne> perhaps up to 1 / week
18:11:02 <bdpayne> based on the email thread, I think we have some volunteers to take that on
18:11:12 <nkinder_> bdpayne: I reached out to Robert to volunteer.
18:11:32 <bdpayne> great
18:12:02 <bdpayne> for the book, I'd like to find 2-3 people that can serve as editors
18:12:13 <bdpayne> these people would drive the improvement of the content
18:12:25 <bdpayne> and there was some talk of doing a 2nd edition at some point as well
18:12:46 <bdpayne> (fwiw, I'll be sending out these requests for volunteers to the mailing list as well)
18:13:15 <bdpayne> for the volume encryption work... I just wanted to give a shout out to joel-coffman and the APL crew for a job well done
18:13:28 <bdpayne> nice summit talk and a nice path forward to continue working in that space
18:13:33 <joel-coffman> thanks
18:13:53 <bdpayne> joel-coffman anything you'd like to add and/or are there ways that others can help you out / get involved there?
18:13:54 <joel-coffman> we're continuing to move forward with our ephemeral storage encryption efforts
18:14:33 <joel-coffman> code reviews are always appreciated
18:14:37 <joel-coffman> :-)
18:14:48 <bdpayne> ok, sounds good
18:14:56 <bdpayne> and there's some barbican integration work too?
18:15:04 <joel-coffman> feedback regarding our design, etc. is always helpful too
18:15:09 <joel-coffman> yes
18:15:32 <joel-coffman> key management is a huge issue for our work
18:15:41 <bdpayne> yes, indeed
18:15:49 <bknudson> using barbican or keystone for key management?
18:16:06 <bdpayne> I believe they are moving forward with barbican
18:16:11 <joel-coffman> integrating Barbican with our key manager interface is something that people could help with
18:16:13 <bdpayne> keystone isn't really designed for key management
18:16:28 <joel-coffman> bknudson: bdpayne: yes
18:16:40 <bdpayne> joel-coffman I may be able to help there, we should chat sometime
18:16:48 <joel-coffman> okay
18:17:12 <bdpayne> threat analysis... there is a new effort here by Ericson that we'll discuss a little more in a bit
18:17:34 <bdpayne> cve tracking... the group decided that there is a need to have a structured feed for the CVEs
18:17:43 <bdpayne> turns out that the VMT is thinking along those lines as well
18:17:49 <bdpayne> so we can collaborate with them on this
18:18:02 <bdpayne> I think we do need someone from OSSG to help drive that effort
18:18:02 <joel-coffman> I think that would be helpful
18:18:13 <joel-coffman> i.e., a feed for CVEs
18:18:33 <bdpayne> dev sprints... we plan to do some dev sprints with a security focus for icehouse
18:19:01 <bdpayne> Eric Windisch has volunteers to organize those
18:19:23 <bdpayne> I've noticed that basically all projects could benefit from more security-focused developers
18:19:34 <joel-coffman> agreed
18:19:43 <bdpayne> so, that's a great place to contribute if you can... just getting your hands dirty :-)
18:19:57 <bdpayne> finally... we spoke a bit about the group's visibility
18:20:05 <nkinder_> bdpayne: that's also an area I'm hoping to help with
18:20:16 <bdpayne> sounds like many of the good things we are doing are not getting out there as much
18:20:26 <bdpayne> nkinder_ with visibility or dev?
18:20:37 <nkinder_> security visibility
18:20:42 <bdpayne> ahh, very nice
18:20:55 <bdpayne> so I think it would be nice to have a community manager to drive this
18:21:03 <bdpayne> perhaps nkinder_ could fill that role?
18:21:05 <nkinder_> Many projects don't seem to think about security.  It seems like guidelines are needed, and lots of watching.
18:21:15 <nkinder_> That's what I'm hoping to do.
18:21:22 <bdpayne> basically, someone to keep the rest of OpenStack abreast of what we are doing
18:21:47 <bdpayne> emails to dev on a regular basis, perhaps... and perhaps getting a section in the newsletter once a month or so
18:21:48 <bdpayne> things like that
18:22:02 <bdpayne> but also to help keep OSSG up to speed as well
18:22:06 <bdpayne> we have nearly 100 people in the group
18:22:20 <bdpayne> and I'd like to keep people engaged and excited about the work happening here
18:22:26 <nkinder_> makes sense
18:22:44 <bdpayne> nkinder_ we can talk more about this separately too, please drop me a line
18:22:50 <nkinder_> bdpayne: sure
18:23:04 <bdpayne> so that's what I have from the summit
18:23:10 <bdpayne> what can others add?
18:23:59 <bdpayne> ok, perhaps you guys need some coffee
18:24:03 <bdpayne> :-)
18:24:08 <shohel_> he he
18:24:12 <bdpayne> #topic Threat Analysis
18:24:29 <bdpayne> shohel_ please get us up to speed on your plans
18:24:42 <shohel_> ok thanks,
18:24:52 <shohel_> James has already discussed the plan at the Summit
18:25:16 <shohel_> just to get started, a wiki has been set up
18:25:28 <shohel_> so that we can all be on the same page together
18:25:43 <shohel_> First thing to focus on is the process we want to follow,
18:25:43 <bdpayne> wiki: https://wiki.openstack.org/wiki/Security/Threat_Analysis
18:25:49 <shohel_> thanks
18:26:18 <shohel_> We need to focus on a homogenous process for analysis of all OpenStack projects
18:26:33 <shohel_> Here I think we can start pretty soon.
18:26:35 <bdpayne> do you have something in mind?
18:26:44 <bdpayne> or is this the first step of your work?
18:26:54 <shohel_> There is a sketch diagram in the wiki
18:27:03 <shohel_> but it needs to be more defined
18:27:24 <shohel_> I will some more content tomorrow to make the process clear
18:27:36 <shohel_> *add*
18:27:46 <bdpayne> sounds good
18:27:55 <shohel_> This is something that also needs to be discussed among the OSSG community
18:27:59 <bdpayne> at the summit, Rob Clark from HP suggested that he may have some thoughts on all of this
18:28:07 <bdpayne> I'd encourage you to sync with him on the mailing list as well
18:28:12 <shohel_> yes
18:28:28 <shohel_> That I think we should do soon
18:28:37 <bdpayne> shohel_ this sounds interesting and I'm looking forward to tracking the work
18:28:50 <bdpayne> please keep engaged with OSSG and let us know how the community can help support you in this effort
18:28:57 <shohel_> Sriram also said he will architectural diagram activity
18:29:08 <bdpayne> oh great
18:29:23 <bdpayne> is that all for now?
18:29:26 <bdpayne> on threat modeling?
18:29:34 <shohel_> Another important thing is team member selection and scope selection
18:30:00 <shohel_> we want to focus on Keystone area and proceed from there
18:30:00 <bdpayne> ok
18:30:08 <bdpayne> so we're about out of time for today
18:30:14 <shohel_> Ok
18:30:18 <bdpayne> please do keep us posted and let's bring the discussion to the mailing list
18:30:22 <shohel_> I will inform more by mail
18:30:28 <joel-coffman> thanks
18:30:32 <bdpayne> #topic Wrapup
18:30:44 <bdpayne> thanks all, I'll be following up on the mailing list to recruit more volunteers :-)
18:30:55 <bdpayne> I think that's lots of good efforts coming out of the summit
18:31:01 <bdpayne> have a great week
18:31:07 <nkinder_> thanks
18:31:08 <shohel_> same to all
18:31:20 <bdpayne> #endmeeting