Security/Threat Analysis/Meetings/21-03-14


 * [19:00] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
 * [19:00] hi all
 * [19:01] hello shohel
 * [19:01] hi udit
 * [19:01] == kazi [591b2744@gateway/web/freenode/ip.89.27.39.68] has joined ##openstack-threat-analysis
 * [19:01] Hi everybody, this is Cristian here
 * [19:02] hello Cristian
 * [19:02] Hi all!
 * [19:02] hi
 * [19:02] Rob is supposed to join the meeting
 * [19:02] hi
 * [19:02] hi
 * [19:02] But let's start now
 * [19:03] #startmeeting OpenStack Threat Modelling
 * [19:03] Ok first give some recap of last week
 * [19:03] 1. Discussion on AUTH_TOKEN module
 * [19:03] thanks to bknudson
 * [19:04] 2. Ways of working
 * [19:04] discussed with Rob regarding HP’s Threat modelling of OpenStack. Rob will look into this.
 * [19:04] let's see how it goes
 * [19:04] now, Last couple of days, there was discussion in the mailing list
 * [19:05] how others can engage / actively contribute in this work. i think we
 * [19:05] need to address this issue.
 * [19:05] I am thinking of bug tracker or gerrit for this project
 * [19:05] OSSN has bug tracker
 * [19:06] anyone has better ideas ?
 * [19:06] what's the plan to eventually publish the work?
 * [19:06] yes
 * [19:06] does it get published with the security guide or on openstack docs site?
 * [19:06] I think you referring to the new OSSN approach, discussed yesterday in OSSG meeting
 * [19:07] yes
 * [19:07] i was more thinking of something of a tracker tool
 * [19:07] so anyone can take an activity, commit it and review can be done
 * [19:08] Google docs seems to be bit messy
 * [19:08] people seem to be able to work collaboratively on the security guide in gerrit
 * [19:09] bknudson, now it's going the Wiki page eventually to security guide
 * [19:09] that sounds good for me, i.e. include a topic: missing threat model for nova conductor, and anyone takes that and completes the activity
 * [19:09] Gerrit should be good one
 * [19:10] yes, that's the approach i was talking about
 * [19:11] Ok, i will check the Gerrit issue
 * [19:11] #Topic Status update
 * [19:12] So we are thinking of now moving towards git repo. Google docs managing is becoming messy
 * [19:12] https://github.com/shohel02/OpenStack_Threat_Modelling.git
 * [19:12] Wiki also contains the link
 * [19:12] From our side, we added two more docs there
 * [19:13] related to token provider
 * [19:13] https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenControllerV2.0_2.5.doc
 * [19:13] https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenApiV2.0_2.5.doc
 * [19:14] Some are almost in the pipe line
 * [19:14] policy, identity and assignment driver
 * [19:15] We have planned to go fast one phase of work then come back for each of the docs for a detailed analysis
 * [19:15] Anyone wants to give some other update
 * [19:16] just a question, currently all work is centralized in keystone, or are there other components being analyzed in parallel?
 * [19:17] nop, there are some discussion to work with Solum
 * [19:17] paulmo is supposed to drive that one
 * [19:18] This is relatively new activity, so many things to do
 * [19:18] or remains
 * [19:19] is this a matter of analyzed priorities? or are we expecting to go thru all components in parallel?
 * [19:19] Keystone is a critical component, we thought this is good to start
 * [19:20] and let's get engaged with others if someone wants take lead
 * [19:20] on that component
 * [19:21] cfiorent, do you have active engagement plan with Threat modelling
 * [19:23] bknudson any comments on the docs or overall ?
 * [19:25] == cfiorent [c0373628@gateway/web/freenode/ip.192.55.54.40] has quit [Ping timeout: 245 seconds]
 * [19:26] ok everyone seems quiet today
 * [19:26] shohel02: I haven't had a chance to look at the docs.
 * [19:27] == cfiorent2 [8686894b@gateway/web/freenode/ip.134.134.137.75] has joined ##openstack-threat-analysis
 * [19:27] ok, i think if we have the gerrit up and ready
 * [19:27] then things will be easier for checking
 * [19:27] my apologies, I should reconnect
 * [19:28] no probs.
 * [19:28] So, Cfiorent do you have any engagement plan to work with Threat Modeling
 * [19:29] yes, I would be happy to support on this
 * [19:29] g8, we have more people for the work
 * [19:30] Any other Issue, we can address
 * [19:30] I was trying to understand if better start with a new component from scratch, or to support on current activities (i.e. keystone)
 * [19:31] yes, both are equally good
 * [19:31] :)
 * [19:32] ok, got it thanks
 * [19:32] ok, if no other issue, we can close the meeting
 * [19:32] thanks for joining all
 * [19:33] Thanks for the updates!
 * [19:33] Bye
 * [19:33] nice meeting you, thanks
 * [19:33] #endmeeting