18:00:35 <nkinder> #startmeeting OpenStack Security Group
18:00:36 <openstack> Meeting started Thu Apr 10 18:00:35 2014 UTC and is due to finish in 60 minutes.  The chair is nkinder. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:40 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:04 <nkinder> #topic Roll Call
18:01:23 <shohel02> hi
18:01:24 <nkinder> Hi all.  Who do we have here for the Security Group meeting?
18:02:10 <nkinder> It might be a quiet meeting today.  I believe that bdpayne is traveling, and hyakuhei had a conflict.
18:02:40 <nkinder> hi malini1
18:02:40 <malini1> present!
18:03:12 <nkinder> ok, only a few of us today it seems
18:03:29 <nkinder> #topic Agenda
18:04:27 <nkinder> I have a few items today - OSSNs and security auditing of projects
18:04:59 <nkinder> Does anyone have any other topics?  Anything on the threat assessment shohel02?
18:05:17 <shohel02> yes i would like to point some update
18:05:22 <nkinder> or updates from anyone working on the security guidelines?
18:05:36 <nkinder> shohel02: ok, let's start with you then
18:05:39 <malini1> nkinder: good work on shooting an OSSN on the OpenSSL Heartbeat
18:05:44 <nkinder> #topic Threat Assessment
18:05:54 <shohel02> definitely the OSSN was excellent
18:06:05 <shohel02> Now related to Threat analysis
18:06:21 <shohel02> Cristian has also started working with Nova Analysis
18:06:52 <shohel02> We have discussion last week among Cristian, Bknudson and me, Bdpayne
18:07:04 <shohel02> We are working on keystone
18:07:15 <shohel02> the issue is how to store and disseminate them
18:07:30 <shohel02> we are thinking of some common repository and control
18:07:38 <shohel02> any ideas ?
18:07:42 <morganfainberg> shohel02, personally i like that.
18:07:51 <nkinder> Ok, so a separate repository?  What form will they ultimately take?
18:07:53 <shohel02> Can we have some common GIT repo
18:08:09 <nkinder> Is this doing to end up as standalone papers, or be rolled up into a book?
18:08:15 <shohel02> All the reports
18:08:42 <shohel02> End would be by combing all the current reports form some guides
18:08:46 <shohel02> Not sure yet
18:08:48 <nkinder> For repos, it needs to live under a program (or it can be stackforge)
18:09:00 <malini1> does it makes sense to be somethign like OSSN under docs like nkinder set up
18:09:13 <nkinder> With the OSSN repo, we put it under the Documentation program.  We'd need their buy-in on this.
18:09:32 <nkinder> So we might want to skip to dissemination to see if that's a good fit.
18:09:36 <CristianF> as we discussed probably something similar to the new OSSN approach
18:09:50 <morganfainberg> nkinder, i think stackforge is the wrong place. I'd say this belongs under documentation (if they don't mind it living there)
18:10:02 <nkinder> How will these ultimately be published?  Do we see them being part of the Security Guide, or standalone?
18:10:12 <nkinder> morganfainberg: I tend to agree.
18:11:00 <malini1> i am seeing this as feeding in security guide, future design, ..
18:11:10 <nkinder> shohel02: We can discuss this with annegentle, but we'll want to discuss how they end up getting published to make a decision.
18:11:23 <shohel02> yes, sounds good
18:11:28 <nkinder> shohel02: I'd recommend starting a mail thread on the security list and cc annegentle
18:11:39 <shohel02> ok, i will do that
18:11:39 <morganfainberg> I would expect the security guide to reference it, likely it should also be standalone for ease of finding/consuming it.
18:12:03 <nkinder> yeah, it might even be a standalone guide (or separate reports)
18:12:09 <nkinder> lots of ways we can go here
18:12:10 <morganfainberg> nkinder, ++
18:12:18 <nkinder> ok, anything else on that topic?
18:12:35 <shohel02> another thing is about quality control
18:12:45 <shohel02> How to ensure that?
18:13:01 <nkinder> shohel02: at what level?  Writing, or technical contents?
18:13:07 <nkinder> or both? :)
18:13:14 <shohel02> I think both
18:13:21 <shohel02> but mainly technical content
18:13:26 <shohel02> should we set up some team
18:13:32 <shohel02> if interested
18:13:42 <nkinder> For writing/format, we can leverage the doc gate jobs depending on the format we use.
18:14:05 <nkinder> Technical content would be handled by reviews (which we can use gerrit for if we have a repo)
18:14:33 <nkinder> I would say that we'll need to involve interested developers from each project when working on the report for said project.
18:14:34 <shohel02> thats sounds good
18:14:55 <nkinder> ok, next topic
18:15:00 <nkinder> #topic OSSNs
18:15:28 <nkinder> I pushed a few OSSNs out over the last week, including the Heartbleed one last night/this morning
18:15:52 <nkinder> The review system is working nicely thus far.  It's much nicer than the informal process we had before.
18:16:13 <nkinder> chair6 (not present) has another one out for review
18:16:30 <nkinder> morganfainberg: that OSSN is for Keystone, and we'd like a keystone-core to review it
18:17:04 <nkinder> morganfainberg: if you have a chance, it's https://review.openstack.org/#/c/85441/
18:17:19 <nkinder> If not, I'll try to wrangle someone else into doing it.
18:17:50 <nkinder> There are a few other OSSNs in the backlog if anyone wants to volunteer... (nudge nudge)
18:18:29 <nkinder> ok, if nothing more on OSSNs...
18:18:44 <nkinder> #topic Security auditing of projects
18:19:02 <malini1> :-) how does pull just OSSNs from review system
18:19:32 <nkinder> malini1: you can monitor the one specific repo.  let me grab a link
18:19:49 <nkinder> #link https://review.openstack.org/#/q/status:open+project:openstack/openstack-security-notes,n,z
18:19:57 <malini1> thank you nkinder
18:20:20 <nkinder> For anyone who wants to monitor those, you can set up your gerrit prefs to watch the openstack-security-notes project.
18:20:58 <nkinder> I've started an effort on security auditing of OpenStack projects within the development teams
18:21:24 <nkinder> This isn't really an OSSG effort, but its something we can help provide feedback on I think.
18:21:29 <morganfainberg> nkinder, i'll look at it
18:21:47 <paulmo> How is that going btw?  I have extremely difficult time getting security traction in dev teams.
18:21:55 <nkinder> The basics are that each project should keep track of some basic security info on a release by release basis.
18:22:03 <nkinder> paulmo: Very good actually.
18:22:19 <nkinder> I brought it up with all of the PTLs on Monday, and there is a lot of interest
18:22:36 <paulmo> Good to hear!
18:22:39 <nkinder> I started for Keystone, and Heat produced a first pass as well.  Let me grab some examples for folks
18:22:57 <nkinder> #link https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
18:23:18 <nkinder> So that's an example I produced for Keystone.  You can get an idea of what info I would like to cover.
18:24:08 <nkinder> The ultimate goal is that it should be easy for someone to look at a set of documents to find out what crypto is used, why it is used, and how sensitive data is handled for a given OpenStack release.
18:24:10 <CristianF> I think this is related, being in Heat meeting yesterday there discussion there of generating this Decurity Documentation wiki for Heat
18:24:27 <nkinder> Yes, Heat has a page now too.  Grabbing it...
18:24:42 <nkinder> #link https://wiki.openstack.org/wiki/Security/Icehouse/Heat
18:24:49 <paulmo> nkinder: Might add the key length of AES in there (maybe I'm just missing it)
18:24:49 <malini1> nkinder: Nice!
18:25:08 <nkinder> Neutron is interested too, so I'll be working with them to get it started.
18:25:51 <nkinder> I'll kep the group updated on how this is going, but it's been great to see the interest from the project teams thus far.  It's just ironing out the details right now.
18:26:12 <paulmo> Also, the PRNG source would be good (maybe I'm missing it again)
18:26:20 <nkinder> paulmo: good call on the key length (will look into it)
18:26:48 <nkinder> paulmo: this is exactly where I thin the OSSG can help.  Reviewing the docs and asking questions so we can make sure they are complete.
18:26:50 <paulmo> Love what you are doing though! :)
18:27:10 <nkinder> #topic Open Discussion
18:27:24 <nkinder> Anyone have anything else to discuss?
18:27:26 <paulmo> I do have a few thoughts if you'll bare with me
18:27:31 <nkinder> paulmo: sure thing
18:28:01 <paulmo> What would the team think of trying to get some basic security requirements and reporting as part of the incubation requirements to give OSSG some more "teeth"?
18:28:31 <nkinder> paulmo: I think it's a nice medium/long term goal.
18:28:37 <malini1> nkinder: on ML thre was a discussion to replace MD5 with sha1/2 with longer key
18:29:09 <paulmo> Yep, certainly not short term. :)  And also, a TC security representative position.  That is my other thought to bring security up to be a first class OpenStack citizen.
18:29:28 <nkinder> paulmo: That's part of establishing the security guidelines first.
18:29:52 * paulmo nods.  Just bringing up some thoughts I've been having.  It certainly isn't a "right now" thing. :)
18:29:57 <nkinder> paulmo: the other tough thing is seeing if the current integrated projects meet the requirements (which is one of the reasons we need to see what the current state of things is)
18:30:06 <nkinder> paulmo: yeah, I want to get there too.
18:30:31 <paulmo> Yeah, excellent point.  Core projects need to be compliant and leaders for the rest of the projects.
18:30:33 <nkinder> malini1: yes, replacing md5 for token hashing is in review for Juno for Keystone
18:30:49 <nkinder> ok, we're out of time
18:31:03 <nkinder> sorry to cut folks off, but we need to clear out.  Thanks everyone!
18:31:05 <malini1> out of time?! whoosh
18:31:10 <malini1> :-)
18:31:15 <CristianF> thanks,  bye
18:31:15 <nkinder> we need an hour :)
18:31:22 <shohel02> ok thanks nkinder
18:31:23 <nkinder> #endmeeting