Security/Threat Analysis/Meetings/21-03-14

[19:00] == shohel02 [50dfbb3d@gateway/web/freenode/ip.80.223.187.61] has joined ##openstack-threat-analysis
[19:00] <shohel02> hi all
[19:01] <udit> hello shohel
[19:01] <shohel02> hi udit
[19:01] == kazi [591b2744@gateway/web/freenode/ip.89.27.39.68] has joined ##openstack-threat-analysis
[19:01] <cfiorent> Hi everybody, this is Cristian here
[19:02] <shohel02> hello Cristian
[19:02] <kazi> Hi all!
[19:02] <shohel02> hi
[19:02] <shohel02> Rob is supposed to join the meeting
[19:02] <bknudson> hi
[19:02] <shohel02> hi
[19:02] <shohel02> But lets start now
[19:03] <shohel02> #startmeeting OpenStack Threat Modelling
[19:03] <shohel02> Ok first give some recap of last week
[19:03] <shohel02> 1. Discussion on AUTH_TOKEN module
[19:03] <shohel02> thanks to bknudson
[19:04] <shohel02> 2. Ways of working
[19:04] <shohel02> discussed with Rob regarding HP’s Threat modelling of OpenStack. Rob will look into this.
[19:04] <shohel02> lets see how it goes
[19:04] <shohel02> now, Last couple of days, there was discussion in the mailing list
[19:05] <shohel02> how others can engage / actively contribute in this work. i think we
[19:05] <shohel02> need to address this issue.
[19:05] <shohel02> I am thinking of bug tracker or gerrit for this project
[19:05] <shohel02> OSSN has bug tracker
[19:06] <shohel02> anyone has better ideas ?
[19:06] <bknudson> what's the plan to eventually publish the work?
[19:06] <shohel02> yes
[19:06] <bknudson> does it get published with the security guide or on openstack docs site?
[19:06] <cfiorent> I think you referring to the new OSSN approach, discussed yesterday in OSSG meeting
[19:07] <shohel02> yes
[19:07] <shohel02> i was more thinking of something of a tracker tool
[19:07] <shohel02> so anyone can take an activity, commit it and review can be done
[19:08] <shohel02> Google docs seems to be bit messy
[19:08] <bknudson> people seem to be able to work collaboratively on the security guide in gerrit
[19:09] <shohel02> bknudson, now its going the Wiki page eventually to security guide
[19:09] <cfiorent> that sounds good for me, i.e. include a topic: missing threat model for nova conductor, and anyone takes that and completes the activity
[19:09] <shohel02> Gerrit should be good one
[19:10] <shohel02> yes, thats the approach i was talking about
[19:11] <shohel02> Ok, i will check the Gerrit issue
[19:11] <shohel02> #Topic Status update
[19:12] <shohel02> So we are thinking of now moving towards git repo. Google docs managing is becoming messy
[19:12] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling.git
[19:12] <shohel02> Wiki also contains the link
[19:12] <shohel02> From our side, we added two more docs there
[19:13] <shohel02> related to token provider
[19:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenControllerV2.0_2.5.doc
[19:13] <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/analysis_report/Keystone_Threat_Analysis_TokenApiV2.0_2.5.doc
[19:14] <shohel02> Some are almost in the pipe line
[19:14] <shohel02> policy, identity and assignment driver
[19:15] <shohel02> We have planned to go fast one phase of work then come back for each of the docs for a detailed analysis
[19:15] <shohel02> Anyone wants to give some other update
[19:16] <cfiorent> just a question, currently all work is centralized in keystone, or are there other components being analyzed in parallel?
[19:17] <shohel02> nop, there are some discussion to work with Solum
[19:17] <shohel02> paulmo is supposed to drive that one
[19:18] <shohel02> This is relatively new activity , so many things to do
[19:18] <shohel02> or remains
[19:19] <cfiorent> is this a matter of analyzed priorities? or are we expecting to go thru all components in parallel?
[19:19] <shohel02> Keystone is a critical component, we thought this is good to start
[19:20] <shohel02> and lets get engaged with others if someone wants take lead
[19:20] <shohel02> on that component
[19:21] <shohel02> cfiorent, do you have active engagement plan with Threat modelling
[19:23] <shohel02> bknudson any comments on the docs or overall ?
[19:25] == cfiorent [c0373628@gateway/web/freenode/ip.192.55.54.40] has quit [Ping timeout: 245 seconds]
[19:26] <shohel02> ok everyone seems quite today
[19:26] <bknudson> shohel02: I haven't had a chance to look at the docs.
[19:27] == cfiorent2 [8686894b@gateway/web/freenode/ip.134.134.137.75] has joined ##openstack-threat-analysis
[19:27] <shohel02> ok, i think if we have the gerrit up and ready
[19:27] <shohel02> then things will be easier for checking
[19:27] <cfiorent2> my apologies, I should reconnect
[19:28] <shohel02> no probs.
[19:28] <shohel02> So, Cfiorent do you have any engagement plan to work with Threat Modeling
[19:29] <cfiorent2> yes, I would be happy to support on this
[19:29] <shohel02> g8, we have more people for the work
[19:30] <shohel02> Any other Issue, we can address
[19:30] <cfiorent2> I was trying to understand if better start with a new component from scratch, or to support on current activities (i.e. keystone)
[19:31] <shohel02> yes, both are equally good
[19:31] <shohel02> :)
[19:32] <cfiorent2> ok, got it thanks
[19:32] <shohel02> ok, if no other issue, we can close the meeting
[19:32] <shohel02> thanks for joining all
[19:33] <kazi> Thanks for the updates!
[19:33] <kazi> Bye
[19:33] <cfiorent2> nice meeting you, thanks
[19:33] <shohel02> #endmeeting
* Bulleted list item
Bulleted list item