<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Rob,</div>
<div><br>
</div>
<div>Do you have the source for reference #2 below? I believe the next step was to produce copies of #2 based upon the special different types of containers in the system and combine them into one coherent doc.</div>
<div><br>
</div>
<div>I think continuing to use sequence diagrams makes sense.</div>
<div><br>
</div>
<div>My phone (out of batteries) has a photograph of the different things we wrote down – I was planning to combine that work with multiples of diagram #2, and submit it for review – to get the process started.</div>
<div><br>
</div>
<div>Regards</div>
<div>-steve</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Rob C <<a href="mailto:hyakuhei@gmail.com">hyakuhei@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, June 14, 2016 at 1:34 AM<br>
<span style="font-weight:bold">To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Cc: </span>Steven Dake <<a href="mailto:stdake@cisco.com">stdake@cisco.com</a>>, "<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a>" <<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [openstack-dev] [kolla][security] Finishing the job on threat analysis for Kolla<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>
<div>
<div dir="ltr">
<p class="">I have returned from #drownload and I'm super keen to get ontop of this, in this email I'll just try to tie a few different threads together.</p>
<p class="">The etherpad we used at the summit, along with the Sequence Diagram texts are online [1] are we happy to continue using web sequence diagrams? I think the resulting output is very useful [2] - even if Kolla doesn't fit the typical project style
that we anticipate using these for - they're better suited to more traditional software projects.</p>
<p class="">There's a big effort to formalize the TA process and have OSSP help as guardians of the code base[3] in future, with lots of effort being made to ensure that as new projects come into the fold they meet a certain minimum security level - we'll also
attempt to help more established projects iterate to a level of equal security assurance.</p>
<p class="">I'll leave the process description for our actual documentation but a big part of it will be projects submitting security docs to the newly created security-analysis repo [4]. Projects are welcome to use this for staging and collaboration - the
OSSP will largely ignore projects with the WIP flag set. </p>
<p class="">I think the next step is for Doug and I (and anyone else who cares) to review the current diagrams and provide a quick gap analysis for the Kolla devs detailing what else is required for us to do a proper review.</p>
<p class=""><br>
</p>
<p class=""><span class="">[1]<a href="https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis"> https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis</a></span></p>
<p class="">[2] <a href="https://drive.google.com/file/d/0B0osRPn3qBq5X1poTGZqVFBRQW8/view">
https://drive.google.com/file/d/0B0osRPn3qBq5X1poTGZqVFBRQW8/view</a></p>
<p class=""><span class="">[3] <a href="https://review.openstack.org/#/c/300698/">
https://review.openstack.org/#/c/300698/</a></span></p>
<p class=""><span class="">[4] <a href="https://review.openstack.org/#/c/325049/">
https://review.openstack.org/#/c/325049/</a></span></p>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 31, 2016 at 5:37 PM, Chivers, Doug <span dir="ltr">
<<a href="mailto:doug.chivers@hpe.com" target="_blank">doug.chivers@hpe.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks for following up Steve, the sessions at the summit were extremely useful.<br>
<br>
Both Rob and I have been caught up with the day-job since we got back from the summit, but will discuss next steps and agree a plan this week.<br>
<br>
Regards<br>
<br>
Doug<br>
<br>
<br>
<br>
<br>
From: "Steven Dake (stdake)" <<a href="mailto:stdake@cisco.com">stdake@cisco.com</a><mailto:<a href="mailto:stdake@cisco.com">stdake@cisco.com</a>>><br>
Date: Tuesday, 24 May 2016 at 17:16<br>
To: "<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><mailto:<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>>" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><mailto:<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>>><br>
Cc: Doug Chivers <<a href="mailto:doug.chivers@hpe.com">doug.chivers@hpe.com</a><mailto:<a href="mailto:doug.chivers@hpe.com">doug.chivers@hpe.com</a>>>, "<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a><mailto:<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a>>"
<<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a><mailto:<a href="mailto:robclark@uk.ibm.com">robclark@uk.ibm.com</a>>><br>
Subject: [kolla][security] Finishing the job on threat analysis for Kolla<br>
<div>
<div class="h5"><br>
Rob and Doug,<br>
<br>
At Summit we had 4 hours of highly productive work producing a list of "things" that can be "threatened". We have about 4 or 5 common patterns where we follow the principle of least privilege. On Friday of Summit we produced a list of all the things (in this
case deployed containers). I'm not sure who, I think it was Rob was working on a flow diagram for the least privileged case. From there, the Kolla coresec team can produce the rest of the diagrams for increasing privileges.<br>
<br>
I'd like to get that done, then move on to next steps. Not sure what the next steps are, but lets cover the flow diagrams first since we know we need those.<br>
<br>
Regards<br>
-steve<br>
</div>
</div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</span>
</body>
</html>