Security/Threat Analysis/Meetings/04-04-14


 * [19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
 * [20:01] Hi all!
 * [20:01] Good to see you guys here
 * [20:01] hello shohel
 * [20:01] <@CristianF> Hi!
 * [20:01] Hi Udit and Cristian
 * [20:02] We have already discussed a couple of things in yesterday's OSSG meeting
 * [20:02] today short meeting
 * [20:02] #startmeeting OpenStack Threat Modelling
 * [20:02] Discussion from earlier meeting, TODO: Gerrit Repo - stack forge or launchpad use,
 * [20:03] i did not make any progress on that topic, will look at it next week. In the
 * [20:03] meantime, if someone has a good idea please shoot - how to granularize the work
 * [20:03] and enable tracking. My intention is to granularize and engage more people easily
 * [20:04] Any ideas from anyone ?
 * [20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit
 * [20:05] that's good, they already have gerrit for code
 * [20:05] In OSSG we have for OSSN
 * [20:05] <@CristianF> probably directly submitting in a repo to gerrit the threat analysis, they could be reviewed, analyzed
 * [20:06] <@CristianF> yes, similar to that probably
 * [20:06] you mean, submitting in the Nova Gerrit Repo,
 * [20:06] for threat analysis work
 * [20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo
 * [20:08] yes, that was also my line of thought! i think we should do that.
 * [20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too
 * [20:09] I checked what the process was, I assume that we need some support from core members to have a Gerrit repo for this work
 * [20:09] another possibility is to ask whether we can use the existing OSSN repo for this purpose
 * [20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned
 * [20:11] yes, that makes sense
 * [20:11] We should raise this issue in the next OSSG meeting
 * [20:12] <@CristianF> sounds good
 * [20:12] OK, now moving on to the Technical side
 * [20:12] #Topic Keystone Threat Analysis
 * [20:12] Three new docs in the Git now:
 * [20:12] https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc
 * [20:13] https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc
 * [20:13] https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls
 * [20:13] Mainly related to V3 AUTH and Identity and Assignment API.
 * [20:13] Related to this, as a by-product, we have reported a couple of security bugs to keystone:
 * [20:13] https://bugs.launchpad.net/bugs/1300274
 * [20:13] https://bugs.launchpad.net/bugs/1299012
 * [20:13] https://bugs.launchpad.net/bugs/1299039
 * [20:14] I think it's really good that we are finding the loopholes and strengthening the overall security
 * [20:14] In April, we will see more concerted and concrete things coming up
 * [20:14] That's all from the technical side
 * [20:14] <@CristianF> good progress!
 * [20:15] nice
 * [20:15] thx
 * [20:15] #topic Other Issues
 * [20:15] Does anyone have another topic in mind?
 * [20:15] Cristian, how is the nova work going?
 * [20:16] <@CristianF> yes, do you have any advice of which repo should I use for uploading documents drafts?
 * [20:17] i do not know at this point, let's wait for next week
 * [20:17] We need a common repo
 * [20:17] <@CristianF> ok, so I keep that on mi side until a public repo
 * [20:17] <@CristianF> my*
 * [20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture
 * [20:18] yes, that's the best approach
 * [20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis
 * [20:19] i think bknudson also give some good ideas
 * [20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying asset and common vocabulary/use cases, etc
 * [20:19] <@CristianF> yes, for then digging in the virtualization side
 * [20:20] oh sounds great, it would be nice to see those
 * [20:20] are you planning to come to the next Atlanta Summit?
 * [20:21] <@CristianF> not at this point.. but still trying to figure it out
 * [20:22] it would be nice to meet all of the OSSG people, and especially i think some people who are really interested in threat modelling
 * [20:22] we can discuss to go forward and engage more with other projects
 * [20:23] <@CristianF> I would really love to, but this time seems not possible for me to go
 * [20:23] <@CristianF> I will continue supporting this effort anyway
 * [20:24] that's g8, we need a more proactive approach to security
 * [20:25] Any other issues ?
 * [20:26] <@CristianF> not from my side
 * [20:26] Ok, then we can close the meeting
 * [20:26] Thanks for joining
 * [20:26] #endmeeting
 * [20:26] <@CristianF> thank you, bye!
 * [20:27] bye
 * @CristianF
 * shohel02
 * udit