17:01:59 #startmeeting openstack security group
17:01:59 Meeting started Thu Aug 21 17:01:59 2014 UTC and is due to finish in 60 minutes. The chair is nkinder. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:00 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:02 The meeting name has been set to 'openstack_security_group'
17:02:17 Greetings everyone!
17:02:20 hey!
17:02:23 #topic rollcall
17:02:24 Greetings
17:02:24 hi all
17:02:28 Hey OSSG folks
17:02:36 hey nkinder
17:02:39 how's it going?
17:02:49 not bad
17:03:01 hyakuhei_ is unable to make it today
17:03:16 he passes on his apologies
17:03:31 busy busy man
17:03:40 Good morning
17:03:44 o/ peeps
17:04:18 we have a number of topics to cover today
17:04:26 I've got 3
17:04:47 what topics did others have?
17:04:53 ops for the channel, stevedore follow up, qualys follow up
17:05:04 ok, I have stevedore on my list too
17:05:08 oh good
17:05:10 * sicarie sneaks in late
17:05:14 you take that, I missed last week
17:05:34 also security guide status, ossns, bandit, the security track for the summit
17:05:43 cool
17:05:43 so let's dive in
17:05:47 Hi guys
17:05:53 Randy Perryman here
17:06:01 hi rlpple
17:06:03 hey rlpple
17:06:05 #topic summit talks
17:06:22 Thanks to everyone who submitted talks for the security track!
17:06:42 The initial voting has been completed, and I expect that results will be sent out in the near future
17:06:55 any idea how near future?
17:07:23 tmcpeak: not sure exactly
17:07:27 tmcpeak: I'll try to find out
17:07:33 cool
17:07:39 The proposals covered a broad range of topics
17:08:41 There were some "how do I secure things" talks, some threat assessment work, some intrusion detection topics as well
17:09:30 Mixed in were a number of forward looking topics, covering things like barbican, congress, and utilizing projects that are outside of OpenStack right now
17:10:10 overall, I think there were around 45 proposals, so I think we'll have a nice track!
17:10:36 #topic stevedore
17:10:42 awesome!
17:10:46 tmcpeak: take it away
17:11:00 oh, I don't have anything new
17:11:05 meant to synch up with you from last week
17:11:19 will start poking through code this week
17:11:23 who were the others?
17:11:25 mxin?
17:11:27 I don't see him
17:11:38 I'd recommend checking last week's IRC logs. Basically, nobody has really looked into stevedore it seems.
17:11:48 ok, if it's just me, that's fine
17:11:52 i was supposed to dive in too but nothing attempted yet
17:11:53 I'll have a status update next week
17:11:58 cool
17:12:03 I think there is interest, but nobody has jumped in yet
17:12:17 Basically, there is some level of trust in loading a plugin via stevedore
17:12:19 I read through the docs and plan to finish code review before next meeting
17:12:52 ok, that's fine
17:12:55 tmcpeak: ok, sounds good. Anything else on stevedore?
17:12:55 we'll revisit next week
17:13:31 #topic ossn
17:13:48 We have a few OSSNs out for review right now.
17:14:01 OSSN-0020 and OSSN-0023 need reviewers
17:14:09 I think they are both close
17:14:28 I don't see shohel around, but he had proposed an OSSN-0024 against the old repo
17:14:56 #link https://review.openstack.org/113422
17:15:09 That's OSSN-0020 that priti was working on
17:15:13 looks like we have one here too: https://bugs.launchpad.net/glance/+bug/1354512
17:15:14 Launchpad bug 1354512 in ossn "Anonymous user can download public image through Swift" [Undecided,New]
17:15:24 tmcpeak: yep, that was just opened up today
17:15:49 Stan has this one out for review...
17:15:52 #link https://review.openstack.org/114971
17:16:38 And shohel has this one...
17:16:42 #link https://review.openstack.org/114460
17:16:59 So if anyone has some time to review any of those, it would be appreciated!
17:17:08 cool, will do
17:17:17 will have a look
17:17:23 will do
17:17:42 #topic security-guide
17:17:54 bdpayne: how are things progressing on the security guide bugs?
17:18:07 quite well actually
17:18:15 we are maintaining a pretty good steady state velocity
17:18:21 with several active contributors
17:18:26 so thanks to all involved
17:18:37 great!
17:18:39 I still owe the group some forward direction on the book
17:18:44 which I am working on :-)
17:18:48 (I promise!)
17:19:05 bdpayne: You mean in terms of a v2 "roadmap"?
17:19:12 yes
17:19:18 I would like to plot the course for that
17:19:31 and also determine how we manage the book with respect to openstack releases and such
17:20:04 btw, we are down to 42 bugs against the book atm
17:20:04 bdpayne: that will probably be a good topic to talk about at the Summit too (if we don't figure it all out by then)
17:20:13 agreed
17:20:20 hopefully I'm moving forward at least a bit by then
17:20:26 :)
17:20:28 but the summit is a great place for that
17:20:52 if others would like to help, you can pluck off a bug from https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:21:00 plenty of work to be done
17:21:07 and sometimes writing is a nice change from coding :-)
17:21:20 ok, that's all that I have on the book today
17:21:27 ok, thanks
17:21:28 unless others have comments / questions / stuff to add
17:22:03 not from me. Sounds like good progress on the bugs
17:22:18 indeed
17:22:30 #topic summit
17:22:44 speaking of the summit, who here is planning on attending?
17:23:13 Malini -- unsure
17:23:15 If we have an idea of who is going, we can start to think about OSSG items that we plan to accomplish there
17:23:23 I'll be there
17:23:30 I will be there
17:23:35 I will be there as well
17:23:38 I'll do my best ;)
17:23:42 I know that hyakuhei_ will be there
17:23:59 I'm not sure
17:24:01 shohel proposed a talk, so he must be planning to attend
17:24:13 priti proposed a talk too, so she's in the same boat
17:24:42 stan too
17:24:46 I'm pretty sure Priti will be there
17:25:57 ok, well given the above I think that it's safe to assume we can get some coverage of doc and threat modeling efforts at a minimum
17:26:38 tmcpeak: I think trying to get some discussion on the gate tests there could be valuable
17:27:04 definitely, I hope that summit/dev talks make it, but if not, I'll be running around trying to get attention
17:27:11 I mean attention for the gate tests :P
17:27:44 tmcpeak: It might be worthy of a design session if we have things far enough along at that point.
17:27:57 oh yeah, that's what I mean, design session, not dev
17:28:02 yeah, shooting for a design session there makes a lot of sense, IMHO
17:28:18 yeah, I'm going to try to get bandit built out with some more tests
17:28:30 Any other summit related topics from anyone before we talk about bandit some more?
17:28:33 find some more bugs, and then we can really make a compelling case for why gate tests are useful
17:28:58 ok then...
17:29:02 #topic bandit
17:29:13 hi!
17:29:18 chair6: hey
17:29:24 i emailed a summary of status to the mailing list last week
17:29:42 haven't seen any response, but it's out there and ready for people to write more tests against
17:29:53 Yeah, thanks for sending that out. I didn't see any replies... :(
17:29:59 i plan on doing some when i have time, but would be good if others could contribute
17:30:15 chair6: I'm going to do some work on that end
17:30:19 what's the subject of the note?
17:30:26 chair6: I've found a couple other subprocess calls we want to check
17:30:45 OpenStack has a wrapper on subprocess that most components are probably using, so we should check that call too for starters
17:31:01 I'm planning to look at how we could make it run as a part of the CI (non-voting)
17:31:10 tmcpeak .. i saw your comment on that, and did some digging
17:31:13 finding the time to actually do that is a different matter though...
17:31:26 there were a few different examples of what you're describing
17:31:44 so i wrote a test that identifies any function call, regardless of name, that includes a shell=True argument
17:31:54 flooded in fun?
17:32:21 I switched email unfortunately around the exact time you sent it out so I didn't get that ML, can you forward it to me, btw?
17:32:28 will do
17:32:59 the other thing we might want to look for is eval
17:33:09 that's about it though .. i plan to keep working on improving the framework, and building out more tests
17:33:18 i'll leave the CI-integration piece to you, nkinder
17:34:38 chair6: ok, sounds good
17:34:39 is bandit going to live in github or get pulled into an openstack repo?
17:35:07 bknudson: good question
17:35:15 i'd like to get it into an openstack repo
17:35:22 I think it would be nice to have gerrit for reviews
17:35:26 agreed
17:35:28 inside oslo would be nice
17:35:53 any other bandit talk?
17:36:09 and +1 on gerrit for bandit tests
17:36:11 can you point me to the check that bandit is doing now?
17:36:30 in github
17:36:32 https://github.com/chair6/bandit/tree/master/plugins is where they're defined
17:36:44 chair6: thanks!
17:37:04 neat!
17:37:22 want to refactor this at some point, but that's it at the moment :)
17:38:15 #topic open discussion
17:38:28 any other topics from anyone?
17:38:32 ops in channel
17:38:45 I think it would be useful to get a few: maybe nkinder, bdpayne, hyakuhei_
17:38:54 just to keep an eye out for gabriela kind of BS
17:39:04 yeah, I agree that this would be useful
17:39:12 +1
17:39:20 I was told that we need to work with one of the general ops types for freenode to get set up
17:39:24 she was back today (with a different number at the end of her nick)
17:39:28 I just haven't had the time to chase that down yet
17:39:37 really? it should have been banned by IP
17:39:44 botnets
17:39:48 tmcpeak: it was banned by name
17:39:49 lots of ips
17:40:00 but, yeah, I think it was banned by name
17:40:02 I found the block button in pidgin
17:40:05 oh, yeah banned by name doesn't work
17:40:06 bdpayne: we manage ops for the channels, you shouldn't need to go to freenode for that
17:40:15 bdpayne: i thought fungi pointed you at the change to make?
17:40:33 oh, perhaps I misunderstood what fungi was saying
17:40:45 it sounded like I needed to contact someone to request access
17:40:46 messages to irc should all be signed.
17:41:07 hi all,
17:41:19 bdpayne: what is the channel name?
17:41:27 openstack-security
17:41:28 #openstack-security
17:41:31 is there any status update about the threat modeling project?
17:42:06 wanna join this project in my free time
17:42:18 kai: There is a separate IRC meeting for that IIRC
17:42:39 kai: but I'm sure your help would be much appreciated there!
17:43:08 yup it's managed so you need to edit https://git.openstack.org/cgit/openstack-infra/config/tree/modules/openstack_project/files/accessbot/channels.yaml to add additional ops
17:43:24 oh nice, I'll do that shortly
17:43:26 clarkb: perfect, thanks!
17:43:27 thanks clarkb
17:43:31 under the channel name do operators: and a yaml list of ops
17:43:33 other thing I had was about qualys
17:43:40 note ops need to be registered with nickserv and identified
17:44:17 ok
17:44:25 sounds good
17:44:55 i'm always idling here so happy to take on ops if you need volunteers
17:46:12 chair6 ok thanks
17:47:01 anything else from anyone?
17:47:06 qualys discussion
17:47:55 not really qualys, but I'll call it that for lack of a better one word description
17:48:02 "Gate testing XSS"
17:48:38 sounds interesting
17:49:20 this is in regards to gmurphy's original proposition on the ML to figure out the root cause of new XSS bugs
17:49:47 one of the Nebula folks seems to have a pretty good grasp on why this was happening and provided a good explanation
17:50:23 tmcpeak: I'm not familiar with qualys
17:50:30 but what I was thinking is that we should integrate some integrated XSS automated tool into gate tests
17:50:36 qualys is a vulnerability scanner
17:50:53 yeah, I spoke with Paul about this... he said that the right people could come together and hammer out a lasting solution in a day or two
17:51:02 provided as a service or software?
17:51:20 my understanding is service
17:51:32 bdpayne: yeah, that would be a good item to try to get people to hash out at the summit
17:51:37 bdpayne: right, so there is the long lasting solution
17:51:58 bdpayne: it sounds like an architectural sort of change, so it would be best to take place early in the dev. cycle
17:52:02 bdpayne: but I think there is also room for a gate test here, just to make sure we don't drift into the same situation again
17:52:17 it sounded like the problem is that new devs come on and just fire out code without understanding the correct way to do things
17:52:46 tmcpeak: yeah, but adding gate jobs after cleaning up the code would catch that
17:52:58 agreed on all accounts
17:53:01 nkinder: yeah totally agree
17:53:04 tmcpeak: I think the issue is that the code has bad examples that new devs copy right now
17:53:08 the XSS bugs seem to be poor design decisions
17:53:10 fix it early in the cycle, have gate tests to avoid it from happening again
17:53:18 yep
17:53:28 for example, the table code requires you to set an option to escape the input
17:53:32 rather than escaping the input by default
17:53:37 I don't know if gmurphy is planning on attending the summit (I'll check with him)
17:53:43 bknudson: oh really?
17:53:58 tmcpeak: yes, see the latest XSS bug...
17:54:16 wow, nice
17:54:17 https://review.openstack.org/#/c/115310/1/openstack_dashboard/dashboards/admin/aggregates/tables.py
17:54:49 seems like an easy enough fix if you educate devs
17:54:50 so you have to pass in autoescape=True to escape
17:54:52 so fwiw anyone can propose a new job and run it experimentally against any project
17:55:05 so you could just go do a thing and see how it works, if people like it then you can work on making it gating
17:55:29 clarkb: oh cool, I was wondering about that
17:55:47 would it be appropriate to have a security education session at the dev part of the summit?
17:55:48 you know where there is info on how to do that?
17:55:54 like, security coding best practices for openstack?
17:56:00 bdpayne: +1
17:56:17 bdpayne: targeting XSS issues specifically?
17:56:21 bdpayne: +1
17:56:25 well, it could hit on some of that
17:56:29 bdpayne: that seems like a good idea
17:56:30 but I was thinking more broad
17:56:42 this whole discussion just got me thinking
17:56:43 root wrapper use would probably be pretty useful
17:56:46 carry on ;-)
17:56:56 as an outside observer, i would definitely attend a security education session at summit
17:57:05 +1
17:57:05 elmiko: +1
17:57:10 cool, good to know
17:57:26 bdpayne, bdpayne, bdpayne
17:57:28 ok, that's a good idea for the design sessions if we have a security track
17:57:44 could also go in a general track or something
17:57:52 that actually fits in line perfectly with the OSSG mission
17:57:54 security track at the design sessions... seems unlikely
17:58:00 yeah, a cross-project/general track
17:58:10 whatever track our stuff was in last time
17:58:23 yeah, the cross-project thingy
17:58:27 ok, we're getting short on time here
17:58:50 anything else before we end the meeting?
17:59:54 ok, thanks all!
17:59:57 #endmeeting