Security/Threat Analysis/Meetings/04-04-14

[19:59] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
[19:59] -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
[20:01] <shohel02> Hi all!
[20:01] <shohel02> Good to see you guys here
[20:01] <udit> hello shohel
[20:01] <@CristianF> Hi!
[20:01] <shohel02> Hi Udit and Cristian
[20:02] <shohel02> We have already discussed couple of things yesterdays OSSG meeting
[20:02] <shohel02> today short meeting
[20:02] <shohel02> #startmeeting OpenStack Threat Modelling
[20:02] <shohel02> Discussion from earlier meeting, TODO: Gerrit Repo - stack forge or lauchpad use,
[20:03] <shohel02> i did not make any progress on that topic, look it next week. In the
[20:03] <shohel02> mean time, if some one has good idea please shoot - how to granularize the work
[20:03] <shohel02> and enable tracking. My intentions is the granularize engage more people easily
[20:04] <shohel02> Any ideas from anyone ?
[20:05] <@CristianF> Nova has started an approach for uploading/reviewing Blueprints templates using gerrit
[20:05] <shohel02> thats good, they already have gerrit for code
[20:05] <shohel02> In OSSG we have for OSSN
[20:05] <@CristianF> probably directly submiting in a repo to gerrit the threat analyisis, they coudl be reviewed analyzed
[20:06] <@CristianF> yes, similar to that probably
[20:06] <shohel02> you mean, submitting in the Nova Gerrit Repo,
[20:06] <shohel02> for threat analysis work
[20:07] <@CristianF> no, I was thinking of submitting to a new Threat Model/OSSG repo
[20:08] <shohel02> yes, that was also my line of thought! i think we should do that.
[20:08] <@CristianF> although, having a subdirectory for Security analysis in every project probably is a good idea too
[20:09] <shohel02> I checked the process what was the process, assume that we need some support from core members to have Gerrit repo of this work
[20:09] <shohel02> other possibilities is to ask whether we can use the existing OSSN repo for this purpose
[20:10] <@CristianF> yes, sounds like any centralized approach managed by OSSG would be better than distributing along projects and getting all people aligned
[20:11] <shohel02> yes, that makes sense
[20:11] <shohel02> We should raise this issue in the next OSSG meeting
[20:12] <@CristianF> sounds good
[20:12] <shohel02> OK, now moving on to the Technical side
[20:12] <shohel02> #Topic Keystone Threat Analysis
[20:12] <shohel02> hree new docs in the Git now:
[20:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_IdentityEngineV3.0_2.4.doc
[20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_AuthV3.0_2.5.doc
[20:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_result/Keystone_Analysis_Result_AuthV3.0_2.5.xls
[20:13] <shohel02> Mainly related to V3 AUTH and Identity and Assignment API.
[20:13] <shohel02> Related to this, as by product, we have reported couple of security bugs to the keystone:
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1300274
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1299012
[20:13] <shohel02> https://bugs.launchpad.net/bugs/1299039
[20:14] <shohel02> I think its really good that we are finding the loopholes and strengthening the overall security
[20:14] <shohel02> In april, we will see more concerted and concrete things coming up
[20:14] <shohel02> Thats all from technical side
[20:14] <@CristianF> good progress!
[20:15] <udit> nice
[20:15] <shohel02> thx
[20:15] <shohel02> #topic Other Issues
[20:15] <shohel02> Any one has other topic in mind
[20:15] <shohel02> Cristian how is nova work going
[20:16] <@CristianF> yes, do you have any advice of which repo should I use for uploading documents drafts?
[20:17] <shohel02> i do not know at this point, lets wait for the next week
[20:17] <shohel02> We need a common repo
[20:17] <@CristianF> ok, so I keep that on mi side until a public repo
[20:17] <@CristianF> my*
[20:18] <@CristianF> as mentioned yesterday I am working on a top-down approach, first I want to document an analysis of the whole picture
[20:18] <shohel02> yes, thats the best approach
[20:18] <@CristianF> for then starting with a prioritization of the sub-component and more detailed analysis
[20:19] <shohel02> i think bknudson also give some good ideas
[20:19] <@CristianF> currently I have a draft for a threat model diagram of nova end to end, and started identifying asset and common vocabulary/use cases, etc
[20:19] <@CristianF> yes, for then digging in the virtualization side
[20:20] <shohel02> oh sounds great, it would be nice to see those
[20:20] <shohel02> are you planning to come next Atlanta Summit
[20:21] <@CristianF> not at this point.. but still tying to figure it out
[20:22] <shohel02> it would be nice to meet all of the OSSG people, and especially i think some people who are really interested in threat modelling
[20:22] <shohel02> we can discuss to go forward and engage more with other projects
[20:23] <@CristianF> I would really love to, but this time seems not possible for me to go
[20:23] <@CristianF> I will continue supporting this effort anyway
[20:24] <shohel02> thats g8, we need more proactive approach to security
[20:25] <shohel02> Any other issues ?
[20:26] <@CristianF> not from my side
[20:26] <shohel02> Ok, then we can close the meeting
[20:26] <shohel02> Thanks for joining
[20:26] <shohel02> #endmeeting
[20:26] <@CristianF> thank you, bye!
[20:27] <shohel02> bye
@CristianF
shohel02
udit