
Security/Threat Analysis/Meetings/04-04-14

Revision as of 17:31, 4 April 2014 by Shohel (talk | contribs) (Created page with "[19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis [19:59] -NickServ- This nickname is registered. Please choose a dif...")

[19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
[19:59] -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
[20:01] <shohel02> Hi all!
[20:01] <shohel02> Good to see you guys here
[20:01] <udit> hello shohel
[20:01] <@CristianF> Hi!
[20:01] <shohel02> Hi Udit and Cristian
[20:02] <shohel02> We have already discussed a couple of things at yesterday's OSSG meeting
[20:02] <shohel02> today short meeting
[20:02] <shohel02> #startmeeting OpenStack Threat Modelling
[20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit Repo - stackforge or launchpad use,
[20:03] <shohel02> I did not make any progress on that topic, will look at it next week. In the
[20:03] <shohel02> meantime, if someone has a good idea please shoot - how to granularize the work
[20:03] <shohel02> and enable tracking. My intention is to granularize to engage more people easily
[20:04] <shohel02> Any ideas from anyone?
[20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit
[20:05] <shohel02> that's good, they already have gerrit for code
[20:05] <shohel02> In OSSG we have it for OSSN
[20:05] <@CristianF> probably directly submitting the threat analysis in a repo to gerrit, they could be reviewed/analyzed
[20:06] <@CristianF> yes, similar to that probably
[20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo,
[20:06] <shohel02> for threat analysis work
[20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo
[20:08] <shohel02> yes, that was also my line of thought! I think we should do that.
[20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too
[20:09] <shohel02> I checked what the process was; I assume that we need some support from core members to have a Gerrit repo for this work
[20:09] <shohel02> the other possibility is to ask whether we can use the existing OSSN repo for this purpose
[20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned
[20:11] <shohel02> yes, that makes sense
[20:11] <shohel02> We should raise this issue in the next OSSG meeting
[20:12] <@CristianF> sounds good
[20:12] <shohel02> OK, now moving on to the Technical side
[20:12] <shohel02> #topic Keystone Threat Analysis
[20:12] <shohel02> three new docs in the Git now:
[20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc
[20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc
[20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls
[20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API.
[20:13] <shohel02> Related to this, as a by-product, we have reported a couple of security bugs to keystone:
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039
[20:14] <shohel02> I think it's really good that we are finding the loopholes and strengthening the overall security
[20:14] <shohel02> In April, we will see more concerted and concrete things coming up
[20:14] <shohel02> That's all from the technical side
[20:14] <@CristianF> good progress!
[20:15] <udit> nice
[20:15] <shohel02> thx
[20:15] <shohel02> #topic Other Issues
[20:15] <shohel02> Anyone has another topic in mind?
[20:15] <shohel02> Cristian how is the nova work going
[20:16] <@CristianF> yes, do you have any advice on which repo I should use for uploading document drafts?
[20:17] <shohel02> I do not know at this point, let's wait for next week
[20:17] <shohel02> We need a common repo
[20:17] <@CristianF> ok, so I keep that on mi side until a public repo
[20:17] <@CristianF> my*
[20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture
[20:18] <shohel02> yes, that's the best approach
[20:18] <@CristianF> for then starting with a prioritization of the sub-components and more detailed analysis
[20:19] <shohel02> I think bknudson also gave some good ideas
[20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying assets and common vocabulary/use cases, etc
[20:19] <@CristianF> yes, for then digging into the virtualization side
[20:20] <shohel02> oh sounds great, it would be nice to see those
[20:20] <shohel02> are you planning to come to the next Atlanta Summit
[20:21] <@CristianF> not at this point.. but still trying to figure it out
[20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially I think some people who are really interested in threat modelling
[20:22] <shohel02> we can discuss how to go forward and engage more with other projects
[20:23] <@CristianF> I would really love to, but this time it seems not possible for me to go
[20:23] <@CristianF> I will continue supporting this effort anyway
[20:24] <shohel02> that's g8, we need a more proactive approach to security
[20:25] <shohel02> Any other issues?
[20:26] <@CristianF> not from my side
[20:26] <shohel02> Ok, then we can close the meeting
[20:26] <shohel02> Thanks for joining
[20:26] <shohel02> #endmeeting
[20:26] <@CristianF> thank you, bye!
[20:27] <shohel02> bye @CristianF shohel02 udit