Difference between revisions of "Security/Threat Analysis/Meetings/04-04-14"
< Security | Threat Analysis | Meetings
(Created page with "[19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis [19:59] -NickServ- This nickname is registered. Please choose a dif...") |
|||
| Line 1: | Line 1: | ||
| − | [19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis | + | * [19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis |
| − | [19:59] -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>. | + | * [19:59] -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>. |
| − | [20:01] <shohel02> Hi all! | + | * [20:01] <shohel02> Hi all! |
| − | [20:01] <shohel02> Good to see you guys here | + | * [20:01] <shohel02> Good to see you guys here |
| − | [20:01] <udit> hello shohel | + | * [20:01] <udit> hello shohel |
| − | [20:01] <@CristianF> Hi! | + | * [20:01] <@CristianF> Hi! |
| − | [20:01] <shohel02> Hi Udit and Cristian | + | * [20:01] <shohel02> Hi Udit and Cristian |
| − | [20:02] <shohel02> We have already discussed couple of things yesterdays OSSG meeting | + | * [20:02] <shohel02> We have already discussed couple of things yesterdays OSSG meeting |
| − | [20:02] <shohel02> today short meeting | + | * [20:02] <shohel02> today short meeting |
| − | [20:02] <shohel02> #startmeeting OpenStack Threat Modelling | + | * [20:02] <shohel02> #startmeeting OpenStack Threat Modelling |
| − | [20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit Repo - stack forge or lauchpad use, | + | * [20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit Repo - stack forge or lauchpad use, |
| − | [20:03] <shohel02> i did not make any progress on that topic, look it next week. In the | + | * [20:03] <shohel02> i did not make any progress on that topic, look it next week. In the |
| − | [20:03] <shohel02> mean time, if some one has good idea please shoot - how to granularize the work | + | * [20:03] <shohel02> mean time, if some one has good idea please shoot - how to granularize the work |
| − | [20:03] <shohel02> and enable tracking. My intentions is the granularize engage more people easily | + | * [20:03] <shohel02> and enable tracking. My intentions is the granularize engage more people easily |
| − | [20:04] <shohel02> Any ideas from anyone ? | + | * [20:04] <shohel02> Any ideas from anyone ? |
| − | [20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit | + | * [20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit |
| − | [20:05] <shohel02> thats good, they already have gerrit for code | + | * [20:05] <shohel02> thats good, they already have gerrit for code |
| − | [20:05] <shohel02> In OSSG we have for OSSN | + | * [20:05] <shohel02> In OSSG we have for OSSN |
| − | [20:05] <@CristianF> probably directly submiting in a repo to gerrit the threat analyisis, they coudl be reviewed analyzed | + | * [20:05] <@CristianF> probably directly submiting in a repo to gerrit the threat analyisis, they coudl be reviewed analyzed |
| − | [20:06] <@CristianF> yes, similar to that probably | + | * [20:06] <@CristianF> yes, similar to that probably |
| − | [20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo, | + | * [20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo, |
| − | [20:06] <shohel02> for threat analysis work | + | * [20:06] <shohel02> for threat analysis work |
| − | [20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo | + | * [20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo |
| − | [20:08] <shohel02> yes, that was also my line of thought! i think we should do that. | + | * [20:08] <shohel02> yes, that was also my line of thought! i think we should do that. |
| − | [20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too | + | * [20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too |
| − | [20:09] <shohel02> I checked the process what was the process, assume that we need some support from core members to have Gerrit repo of this work | + | * [20:09] <shohel02> I checked the process what was the process, assume that we need some support from core members to have Gerrit repo of this work |
| − | [20:09] <shohel02> other possibilities is to ask whether we can use the existing OSSN repo for this purpose | + | * [20:09] <shohel02> other possibilities is to ask whether we can use the existing OSSN repo for this purpose |
| − | [20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned | + | * [20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned |
| − | [20:11] <shohel02> yes, that makes sense | + | * [20:11] <shohel02> yes, that makes sense |
| − | [20:11] <shohel02> We should raise this issue in the next OSSG meeting | + | * [20:11] <shohel02> We should raise this issue in the next OSSG meeting |
| − | [20:12] <@CristianF> sounds good | + | * [20:12] <@CristianF> sounds good |
| − | [20:12] <shohel02> OK, now moving on to the Technical side | + | * [20:12] <shohel02> OK, now moving on to the Technical side |
| − | [20:12] <shohel02> #Topic Keystone Threat Analysis | + | * [20:12] <shohel02> #Topic Keystone Threat Analysis |
| − | [20:12] <shohel02> hree new docs in the Git now: | + | * [20:12] <shohel02> hree new docs in the Git now: |
| − | [20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc | + | * [20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc |
| − | [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc | + | * [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc |
| − | [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls | + | * [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls |
| − | [20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API. | + | * [20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API. |
| − | [20:13] <shohel02> Related to this, as by product, we have reported couple of security bugs to the keystone: | + | * [20:13] <shohel02> Related to this, as by product, we have reported couple of security bugs to the keystone: |
| − | [20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274 | + | * [20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274 |
| − | [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012 | + | * [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012 |
| − | [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039 | + | * [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039 |
| − | [20:14] <shohel02> I think its really good that we are finding the loopholes and strengthening the overall security | + | * [20:14] <shohel02> I think its really good that we are finding the loopholes and strengthening the overall security |
| − | [20:14] <shohel02> In april, we will see more concerted and concrete things coming up | + | * [20:14] <shohel02> In april, we will see more concerted and concrete things coming up |
| − | [20:14] <shohel02> Thats all from technical side | + | * [20:14] <shohel02> Thats all from technical side |
| − | [20:14] <@CristianF> good progress! | + | * [20:14] <@CristianF> good progress! |
| − | [20:15] <udit> nice | + | * [20:15] <udit> nice |
| − | [20:15] <shohel02> thx | + | * [20:15] <shohel02> thx |
| − | [20:15] <shohel02> #topic Other Issues | + | * [20:15] <shohel02> #topic Other Issues |
| − | [20:15] <shohel02> Any one has other topic in mind | + | * [20:15] <shohel02> Any one has other topic in mind |
| − | [20:15] <shohel02> Cristian how is nova work going | + | * [20:15] <shohel02> Cristian how is nova work going |
| − | + | * | |
| − | [20:16] <@CristianF> yes, do you have any advice of which repo should I use for uploading documents drafts? | + | * [20:16] <@CristianF> yes, do you have any advice of which repo should I use for uploading documents drafts? |
| − | [20:17] <shohel02> i do not know at this point, lets wait for the next week | + | * [20:17] <shohel02> i do not know at this point, lets wait for the next week |
| − | [20:17] <shohel02> We need a common repo | + | * [20:17] <shohel02> We need a common repo |
| − | [20:17] <@CristianF> ok, so I keep that on mi side until a public repo | + | * [20:17] <@CristianF> ok, so I keep that on mi side until a public repo |
| − | [20:17] <@CristianF> my* | + | * [20:17] <@CristianF> my* |
| − | [20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture | + | * [20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture |
| − | [20:18] <shohel02> yes, thats the best approach | + | * [20:18] <shohel02> yes, thats the best approach |
| − | [20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis | + | * [20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis |
| − | [20:19] <shohel02> i think bknudson also give some good ideas | + | * [20:19] <shohel02> i think bknudson also give some good ideas |
| − | [20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying asset and common vocabulary/use cases, etc | + | * [20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying asset and common vocabulary/use cases, etc |
| − | [20:19] <@CristianF> yes, for then digging in the virtualization side | + | * [20:19] <@CristianF> yes, for then digging in the virtualization side |
| − | [20:20] <shohel02> oh sounds great, it would be nice to see those | + | * [20:20] <shohel02> oh sounds great, it would be nice to see those |
| − | [20:20] <shohel02> are you planning to come next Atlanta Summit | + | * [20:20] <shohel02> are you planning to come next Atlanta Summit |
| − | [20:21] <@CristianF> not at this point.. but still tying to figure it out | + | * [20:21] <@CristianF> not at this point.. but still tying to figure it out |
| − | [20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially i think some people who are really interested in threat modelling | + | * [20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially i think some people who are really interested in threat modelling |
| − | [20:22] <shohel02> we can discuss to go forward and engage more with other projects | + | * [20:22] <shohel02> we can discuss to go forward and engage more with other projects |
| − | [20:23] <@CristianF> I would really love to, but this time seems not possible for me to go | + | * [20:23] <@CristianF> I would really love to, but this time seems not possible for me to go |
| − | [20:23] <@CristianF> I will continue supporting this effort anyway | + | * [20:23] <@CristianF> I will continue supporting this effort anyway |
| − | [20:24] <shohel02> thats g8, we need more proactive approach to security | + | * [20:24] <shohel02> thats g8, we need more proactive approach to security |
| − | [20:25] <shohel02> Any other issues ? | + | * [20:25] <shohel02> Any other issues ? |
| − | [20:26] <@CristianF> not from my side | + | * [20:26] <@CristianF> not from my side |
| − | [20:26] <shohel02> Ok, then we can close the meeting | + | * [20:26] <shohel02> Ok, then we can close the meeting |
| − | [20:26] <shohel02> Thanks for joining | + | * [20:26] <shohel02> Thanks for joining |
| − | [20:26] <shohel02> #endmeeting | + | * [20:26] <shohel02> #endmeeting |
| − | [20:26] <@CristianF> thank you, bye! | + | * [20:26] <@CristianF> thank you, bye! |
| − | [20:27] <shohel02> bye | + | * [20:27] <shohel02> bye |
| − | @CristianF | + | * @CristianF |
| − | shohel02 | + | * shohel02 |
| − | udit | + | * udit |
Latest revision as of 17:31, 4 April 2014
- [19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
- [19:59] -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
- [20:01] <shohel02> Hi all!
- [20:01] <shohel02> Good to see you guys here
- [20:01] <udit> hello shohel
- [20:01] <@CristianF> Hi!
- [20:01] <shohel02> Hi Udit and Cristian
- [20:02] <shohel02> We have already discussed couple of things yesterdays OSSG meeting
- [20:02] <shohel02> today short meeting
- [20:02] <shohel02> #startmeeting OpenStack Threat Modelling
- [20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit Repo - stack forge or lauchpad use,
- [20:03] <shohel02> i did not make any progress on that topic, look it next week. In the
- [20:03] <shohel02> mean time, if some one has good idea please shoot - how to granularize the work
- [20:03] <shohel02> and enable tracking. My intentions is the granularize engage more people easily
- [20:04] <shohel02> Any ideas from anyone ?
- [20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit
- [20:05] <shohel02> thats good, they already have gerrit for code
- [20:05] <shohel02> In OSSG we have for OSSN
- [20:05] <@CristianF> probably directly submiting in a repo to gerrit the threat analyisis, they coudl be reviewed analyzed
- [20:06] <@CristianF> yes, similar to that probably
- [20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo,
- [20:06] <shohel02> for threat analysis work
- [20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo
- [20:08] <shohel02> yes, that was also my line of thought! i think we should do that.
- [20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too
- [20:09] <shohel02> I checked the process what was the process, assume that we need some support from core members to have Gerrit repo of this work
- [20:09] <shohel02> other possibilities is to ask whether we can use the existing OSSN repo for this purpose
- [20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned
- [20:11] <shohel02> yes, that makes sense
- [20:11] <shohel02> We should raise this issue in the next OSSG meeting
- [20:12] <@CristianF> sounds good
- [20:12] <shohel02> OK, now moving on to the Technical side
- [20:12] <shohel02> #Topic Keystone Threat Analysis
- [20:12] <shohel02> hree new docs in the Git now:
- [20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc
- [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc
- [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls
- [20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API.
- [20:13] <shohel02> Related to this, as by product, we have reported couple of security bugs to the keystone:
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039
- [20:14] <shohel02> I think its really good that we are finding the loopholes and strengthening the overall security
- [20:14] <shohel02> In april, we will see more concerted and concrete things coming up
- [20:14] <shohel02> Thats all from technical side
- [20:14] <@CristianF> good progress!
- [20:15] <udit> nice
- [20:15] <shohel02> thx
- [20:15] <shohel02> #topic Other Issues
- [20:15] <shohel02> Any one has other topic in mind
- [20:15] <shohel02> Cristian how is nova work going
- [20:16] <@CristianF> yes, do you have any advice of which repo should I use for uploading documents drafts?
- [20:17] <shohel02> i do not know at this point, lets wait for the next week
- [20:17] <shohel02> We need a common repo
- [20:17] <@CristianF> ok, so I keep that on mi side until a public repo
- [20:17] <@CristianF> my*
- [20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture
- [20:18] <shohel02> yes, thats the best approach
- [20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis
- [20:19] <shohel02> i think bknudson also give some good ideas
- [20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying asset and common vocabulary/use cases, etc
- [20:19] <@CristianF> yes, for then digging in the virtualization side
- [20:20] <shohel02> oh sounds great, it would be nice to see those
- [20:20] <shohel02> are you planning to come next Atlanta Summit
- [20:21] <@CristianF> not at this point.. but still tying to figure it out
- [20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially i think some people who are really interested in threat modelling
- [20:22] <shohel02> we can discuss to go forward and engage more with other projects
- [20:23] <@CristianF> I would really love to, but this time seems not possible for me to go
- [20:23] <@CristianF> I will continue supporting this effort anyway
- [20:24] <shohel02> thats g8, we need more proactive approach to security
- [20:25] <shohel02> Any other issues ?
- [20:26] <@CristianF> not from my side
- [20:26] <shohel02> Ok, then we can close the meeting
- [20:26] <shohel02> Thanks for joining
- [20:26] <shohel02> #endmeeting
- [20:26] <@CristianF> thank you, bye!
- [20:27] <shohel02> bye
- @CristianF
- shohel02
- udit
