Security/Threat Analysis/Meetings/21-03-14
- [19:00] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
- [19:00] <shohel02> hi all
- [19:01] <udit> hello shohel
- [19:01] <shohel02> hi udit
- [19:01] == kazi [591b2744@gateway/web/freenode/ip.89.27.39.68] has joined ##openstack-threat-analysis
- [19:01] <cfiorent> Hi everybody, this is Cristian here
- [19:02] <shohel02> hello Cristian
- [19:02] <kazi> Hi all!
- [19:02] <shohel02> hi
- [19:02] <shohel02> Rob is supposed to join the meeting
- [19:02] <bknudson> hi
- [19:02] <shohel02> hi
- [19:02] <shohel02> But let's start now
- [19:03] <shohel02> #startmeeting OpenStack Threat Modelling
- [19:03] <shohel02> Ok first give some recap of last week
- [19:03] <shohel02> 1. Discussion on AUTH_TOKEN module
- [19:03] <shohel02> thanks to bknudson
- [19:04] <shohel02> 2. Ways of working
- [19:04] <shohel02> discussed with Rob regarding HP’s Threat modelling of OpenStack. Rob will look into this.
- [19:04] <shohel02> let's see how it goes
- [19:04] <shohel02> now, Last couple of days, there was discussion in the mailing list
- [19:05] <shohel02> how others can engage / actively contribute in this work. i think we
- [19:05] <shohel02> need to address this issue.
- [19:05] <shohel02> I am thinking of bug tracker or gerrit for this project
- [19:05] <shohel02> OSSN has bug tracker
- [19:06] <shohel02> anyone has better ideas ?
- [19:06] <bknudson> what's the plan to eventually publish the work?
- [19:06] <shohel02> yes
- [19:06] <bknudson> does it get published with the security guide or on openstack docs site?
- [19:06] <cfiorent> I think you referring to the new OSSN approach, discussed yesterday in OSSG meeting
- [19:07] <shohel02> yes
- [19:07] <shohel02> i was more thinking of something of a tracker tool
- [19:07] <shohel02> so anyone can take an activity, commit it and review can be done
- [19:08] <shohel02> Google docs seems to be bit messy
- [19:08] <bknudson> people seem to be able to work collaboratively on the security guide in gerrit
- [19:09] <shohel02> bknudson, now it's going to the Wiki page, eventually to security guide
- [19:09] <cfiorent> that sounds good for me, i.e. include a topic: missing threat model for nova conductor, and anyone takes that and completes the activity
- [19:09] <shohel02> Gerrit should be good one
- [19:10] <shohel02> yes, that's the approach i was talking about
- [19:11] <shohel02> Ok, i will check the Gerrit issue
- [19:11] <shohel02> #Topic Status update
- [19:12] <shohel02> So we are thinking of now moving towards git repo. Google docs managing is becoming messy
- [19:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling.git
- [19:12] <shohel02> Wiki also contains the link
- [19:12] <shohel02> From our side, we added two more docs there
- [19:13] <shohel02> related to token provider
- [19:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenControllerV2.0_2.5.doc
- [19:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenApiV2.0_2.5.doc
- [19:14] <shohel02> Some are almost in the pipe line
- [19:14] <shohel02> policy, identity and assignment driver
- [19:15] <shohel02> We have planned to go fast one phase of work then come back for each of the docs for a detailed analysis
- [19:15] <shohel02> Anyone wants to give some other update
- [19:16] <cfiorent> just a question, currently all work is centralized in keystone, or are there other components being analyzed in parallel?
- [19:17] <shohel02> nop, there are some discussion to work with Solum
- [19:17] <shohel02> paulmo is supposed to drive that one
- [19:18] <shohel02> This is relatively new activity , so many things to do
- [19:18] <shohel02> or remains
- [19:19] <cfiorent> is this a matter of analyzed priorities? or are we expecting to go thru all components in parallel?
- [19:19] <shohel02> Keystone is a critical component, we thought this is good to start
- [19:20] <shohel02> and let's get engaged with others if someone wants to take lead
- [19:20] <shohel02> on that component
- [19:21] <shohel02> cfiorent, do you have active engagement plan with Threat modelling
- [19:23] <shohel02> bknudson any comments on the docs or overall ?
- [19:25] == cfiorent [c0373628@gateway/web/freenode/ip.192.55.54.40] has quit [Ping timeout: 245 seconds]
- [19:26] <shohel02> ok everyone seems quiet today
- [19:26] <bknudson> shohel02: I haven't had a chance to look at the docs.
- [19:27] == cfiorent2 [8686894b@gateway/web/freenode/ip.134.134.137.75] has joined ##openstack-threat-analysis
- [19:27] <shohel02> ok, i think if we have the gerrit up and ready
- [19:27] <shohel02> then things will be easier for checking
- [19:27] <cfiorent2> my apologies, I should reconnect
- [19:28] <shohel02> no probs.
- [19:28] <shohel02> So, Cfiorent do you have any engagement plan to work with Threat Modeling
- [19:29] <cfiorent2> yes, I would be happy to support on this
- [19:29] <shohel02> g8, we have more people for the work
- [19:30] <shohel02> Any other Issue, we can address
- [19:30] <cfiorent2> I was trying to understand if better start with a new component from scratch, or to support on current activities (i.e. keystone)
- [19:31] <shohel02> yes, both are equally good
- [19:31] <shohel02> :)
- [19:32] <cfiorent2> ok, got it thanks
- [19:32] <shohel02> ok, if no other issue, we can close the meeting
- [19:32] <shohel02> thanks for joining all
- [19:33] <kazi> Thanks for the updates!
- [19:33] <kazi> Bye
- [19:33] <cfiorent2> nice meeting you, thanks
- [19:33] <shohel02> #endmeeting