[security-sig] Security SIG BoF Notes

Gage Hugo gagehugo at gmail.com
Wed May 1 21:57:52 UTC 2019

Thanks to everyone who attended the Security SIG BoF session!

Attached are the notes taken from the discussion during the session with
relevant links.  If there was anything missed, please feel free to mention
it here or reach out in #openstack-security.

Board Picture:


   - Overall Security SIG

   - Links:

   - https://security.openstack.org/

   - https://wiki.openstack.org/wiki/Security-SIG

   - Security SIG: https://wiki.openstack.org/wiki/Security-SIG

   - Weekly Agenda: https://etherpad.openstack.org/p/security-agenda

   - Meeting Time: Weekly on Thursday at 1500 UTC #openstack-meeting

   - IRC Server: irc.freenode.net

   - Key Lime: https://github.com/keylime/keylime

   - Integration with Ironic https://github.com/keylime/keylime/issues/101

   - Bandit: https://github.com/PyCQA/bandit

   - Running bandit as part of tox gate

   - Keystone does this:

   - Run as a separate job

   - Example (not tox):

   - Host Intrusion

   - Wazuh was mentioned: https://wazuh.com/

   - Ansible Hardening

   - OpenStack Ansible: https://docs.openstack.org/openstack-ansible/latest/

   - Security SIG "Help Wanted"

   - https://docs.openstack.org/security-analysis/latest/

   - Only has Barbican, missing other projects that have been added since

   - Multiple other libraries in review to be added


   - https://docs.openstack.org/security-guide/

   - Security guide doesn’t seem to have been updated since Pike, so it’s a
   good 1.5 years behind

   - https://security.openstack.org/#secure-development-guidelines

   - Improve documentation of secure coding practices

   - improve coverage of bandit and syntribos jobs across projects, and
   look into other similar tools we could be using to better secure the
   software we write

   - https://wiki.openstack.org/wiki/Security_Notes

   - Help with writing security notes and triaging the backlog

   - https://wiki.openstack.org/wiki/Security/Security_Note_Process

   - https://bugs.launchpad.net/ossn

   - Security blog: http://openstack-security.github.io/

   - VMT Public Bug Assistance

   - Many reports of suspected vulnerabilities start out as public bugs or
   are made public over the course of being triaged, and assistance with those
   is encouraged from the entire community

   - https://bugs.launchpad.net/ossa

   - Having someone who is familiar with the affected project provide
   context to a security bug really helps the VMT definine concrete impact
   statements and speeds up the overall process

   - Bootstrapping AWS / Windows Guest Domains / Guest VMs

   - nova-join: https://github.com/openstack/novajoin

   - application credentials:

   - Barbican: https://wiki.openstack.org/wiki/Barbican

   - Policy

   - Cross-project policy effort:

   - https://governance.openstack.org/tc/goals/queens/policy-in-code.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190501/a433472d/attachment-0001.html>

More information about the openstack-discuss mailing list