Security/Threat Analysis/Meetings/04-04-14
- [19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
- [20:01] <shohel02> Hi all!
- [20:01] <shohel02> Good to see you guys here
- [20:01] <udit> hello shohel
- [20:01] <@CristianF> Hi!
- [20:01] <shohel02> Hi Udit and Cristian
- [20:02] <shohel02> We have already discussed a couple of things in yesterday's OSSG meeting
- [20:02] <shohel02> today short meeting
- [20:02] <shohel02> #startmeeting OpenStack Threat Modelling
- [20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit repo - StackForge or Launchpad use,
- [20:03] <shohel02> I did not make any progress on that topic, will look at it next week. In the
- [20:03] <shohel02> meantime, if someone has a good idea please shoot - how to granularize the work
- [20:03] <shohel02> and enable tracking. My intention is to granularize, engage more people easily
- [20:04] <shohel02> Any ideas from anyone ?
- [20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit
- [20:05] <shohel02> that's good, they already have gerrit for code
- [20:05] <shohel02> In OSSG we have for OSSN
- [20:05] <@CristianF> probably directly submitting in a repo to gerrit the threat analysis, they could be reviewed, analyzed
- [20:06] <@CristianF> yes, similar to that probably
- [20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo,
- [20:06] <shohel02> for threat analysis work
- [20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo
- [20:08] <shohel02> yes, that was also my line of thought! I think we should do that.
- [20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too
- [20:09] <shohel02> I checked what the process was, assume that we need some support from core members to have a Gerrit repo for this work
- [20:09] <shohel02> the other possibility is to ask whether we can use the existing OSSN repo for this purpose
- [20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned
- [20:11] <shohel02> yes, that makes sense
- [20:11] <shohel02> We should raise this issue in the next OSSG meeting
- [20:12] <@CristianF> sounds good
- [20:12] <shohel02> OK, now moving on to the Technical side
- [20:12] <shohel02> #Topic Keystone Threat Analysis
- [20:12] <shohel02> Three new docs in the Git now:
- [20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc
- [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc
- [20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls
- [20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API.
- [20:13] <shohel02> Related to this, as a by-product, we have reported a couple of security bugs to Keystone:
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012
- [20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039
- [20:14] <shohel02> I think it's really good that we are finding the loopholes and strengthening the overall security
- [20:14] <shohel02> In April, we will see more concerted and concrete things coming up
- [20:14] <shohel02> That's all from the technical side
- [20:14] <@CristianF> good progress!
- [20:15] <udit> nice
- [20:15] <shohel02> thx
- [20:15] <shohel02> #topic Other Issues
- [20:15] <shohel02> Does anyone have another topic in mind?
- [20:15] <shohel02> Cristian, how is the Nova work going?
- [20:16] <@CristianF> yes, do you have any advice on which repo I should use for uploading document drafts?
- [20:17] <shohel02> I do not know at this point, let's wait for next week
- [20:17] <shohel02> We need a common repo
- [20:17] <@CristianF> ok, so I keep that on mi side until a public repo
- [20:17] <@CristianF> my*
- [20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture
- [20:18] <shohel02> yes, that's the best approach
- [20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis
- [20:19] <shohel02> I think bknudson also gave some good ideas
- [20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying assets and common vocabulary/use cases, etc
- [20:19] <@CristianF> yes, for then digging in the virtualization side
- [20:20] <shohel02> oh sounds great, it would be nice to see those
- [20:20] <shohel02> are you planning to come to the next Atlanta Summit?
- [20:21] <@CristianF> not at this point.. but still trying to figure it out
- [20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially, I think, some people who are really interested in threat modelling
- [20:22] <shohel02> we can discuss to go forward and engage more with other projects
- [20:23] <@CristianF> I would really love to, but this time seems not possible for me to go
- [20:23] <@CristianF> I will continue supporting this effort anyway
- [20:24] <shohel02> that's great, we need a more proactive approach to security
- [20:25] <shohel02> Any other issues ?
- [20:26] <@CristianF> not from my side
- [20:26] <shohel02> Ok, then we can close the meeting
- [20:26] <shohel02> Thanks for joining
- [20:26] <shohel02> #endmeeting
- [20:26] <@CristianF> thank you, bye!
- [20:27] <shohel02> bye