[Openstack-security] OSSG Lunch Meeting Notes

Abu Shohel Ahmed ahmed.shohel at ericsson.com
Fri Nov 15 09:44:01 UTC 2013


Hi all,

Yesterday, we had a good introductory discussion related to this work.
I have added more content, i.e., an example threat analysis work,
in the Wiki page.

 https://wiki.openstack.org/wiki/Security/Threat_Analysis

To gain momentum, we should first discuss who is interested in working
on this activity. Then we can form a small team to make the work faster and
more concentrated. Please drop an email if you are interested.

From the Ericsson side, we will have more people working on this activity (e.g.,
Mats Näslund and Bengt Sahlin (CC:ed)). I will be on vacation for the next five weeks;
during this time Bengt Sahlin will organize the discussion and way forward
for this activity from our side.

Thanks,
Shohel
 

Sriram Subramanian wrote on Nov 14, 2013 at 9:04 PM:

> Thanks Shohel,
>  
> I am at the IRC #openstack-meeting. Anyone out there?
>  
> thanks,
> -sriram
> 
> 
> On Thu, Nov 14, 2013 at 9:40 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi Sriram,
> 
> To get started, I have created a Wiki page.
> 
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> 
> It currently consists of a process diagram and links to relevant literature.
> The wiki page can be enriched together as time goes on and we proceed with our work.
> 
> We have also linked in the Wiki a security quick study report for the Keystone Folsom
> release, which James promised at the Summit. The report itself is quite old now
> compared to the current Keystone release. So the most important task now is to define
> a common process through which we can do evaluation of OpenStack components.
> 
> See you in today's meeting. We can discuss how we can proceed with this
> activity.
> 
> Thanks,
> Shohel
> 
> 
> Sriram Subramanian wrote on Nov 12, 2013 at 12:13 AM:
> 
>> Shohel,
>>  
>> Could you please send any relevant links for those who are new to the threat model analysis process? Most of the links I used while at Microsoft are internal-only.
>>  
>> thanks,
>> -Sriram
>> 
>> 
>> On Mon, Nov 11, 2013 at 5:47 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
>> Hi Rob,
>> 
>> Certainly, the meeting transcript should be available at https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
>> After the meeting, we will send the meeting notes to the OSSG mailing list.
>> 
>> …shohel
>> 
>> Clark, Robert Graham wrote on Nov 11, 2013 at 3:43 PM:
>> 
>>> I know a few people (me included) won’t be able to make the OSSG meeting this week.
>>> 
>>> Is there any way we can follow this up by email?
>>> 
>>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>>> Date: Monday, 11 November 2013 21:31
>>> To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>>> Cc: Robert Clark <robert.clark at hp.com>, Sriram Subramanian <sriram at sriramhere.com>, James Kempf <james.kempf at ericsson.com>
>>> 
>>> Subject: Re: [Openstack-security] OSSG Lunch Meeting Notes
>>> 
>>> Hi all,
>>> 
>>> We can have a way-forward discussion related to threat analysis in the next
>>> OSSG IRC meeting (this Thursday). Things we could discuss in the
>>> meeting, e.g.:
>>>   - Threat analysis process in general
>>>   - Work items: OpenStack project to target
>>>   - Time frame
>>>   - Team members
>>>   - Way of working
>>> 
>>> See you in the next meeting.
>>> 
>>> Thanks,
>>> Shohel  
>>> 
>>> 
>>> 
>>> James Kempf wrote on Nov 7, 2013 at 2:18 AM:
>>> 
>>>> Hi Rob,
>>>> 
>>>> Shohel (cc-ed) from Ericsson will be driving this. He will be setting up a chat/teleconference sometime late next week to get started.
>>>> 
>>>> jak 
>>>> 
>>>>> -----Original Message-----
>>>>> From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>>>>> Sent: Thursday, November 07, 2013 12:06 AM
>>>>> To: Sriram Subramanian; openstack-security at lists.openstack.org
>>>>> Subject: Re: [Openstack-security] OSSG Lunch Meeting Notes
>>>>> 
>>>>> Thanks for the great notes Sriram.
>>>>> 
>>>>> I've made the 'how to contribute' part of the wiki more prominent:
>>>>> https://wiki.openstack.org/wiki/Security/How_To_Contribute
>>>>> 
>>>>> To clarify, when we have the ball rolling on Threat Modelling for major
>>>>> projects, I can commit some security-architect resources to take part in
>>>>> the discussions.
>>>>> 
>>>>> Cheers
>>>>> -Rob
>>>>> 
>>>>> 
>>>>> From: Sriram Subramanian <sriram at sriramhere.com>
>>>>> Date: Tuesday, 5 November 2013 14:24
>>>>> To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>>>>> Subject: [Openstack-security] OSSG Lunch Meeting Notes
>>>>> 
>>>>> Some of the items discussed, followed by Action Items:
>>>>> 
>>>>> 1) How can one get involved - Wiki will direct
>>>>> 2) Where to pick up security tasks from?
>>>>>   - wiki is the starting point
>>>>>   - people sign up via mailing list
>>>>> 
>>>>> 
>>>>> 3) Threat analysis
>>>>>   - Static Analysis, Formal Verification on projects was proposed by
>>>>> James.
>>>>>   - static analysis on python is not very useful; whole projects will
>>>>> take a long time
>>>>> 
>>>>> 4) Threat modeling -
>>>>> Action item (James Kempf) : share the results from Folsom for TM around
>>>>> Keystone
>>>>> 
>>>>>   -  Rob can get resources towards this
>>>>>   -  get started with core or knowledgeable people
>>>>>   -  Ideally, Security Reviews Per month per project. Review coordinator
>>>>> prepares the arch diagram before the review day
>>>>> 5) security review - HP's review process; what it translates to for
>>>>> OpenStack?
>>>>> 
>>>>> 6) Attacker model
>>>>>  - single or many
>>>>> 
>>>>> 7) Tracking the CVEs, publish in the format
>>>>> 
>>>>> - Action Item:  Daniel (Red Hat) to start discussion in the mailing list
>>>>> -  Format:
>>>>> 
>>>>> 8) Getting the word out (wiki, how to contribute, what is going on)
>>>>>  - Minutes for the meet
>>>>>  - Community Manager
>>>>>  - Sprints:
>>>>>     - Running the sprint
>>>>> 
>>>>> Action Items:
>>>>> - Eric Windisch to Identify topic to set the sprint/ hackathon and time.
>>>>> 
>>>>> Thanks,
>>>>> -Sriram
>>>>> 
>>>>> _______________________________________________
>>>>> Openstack-security mailing list
>>>>> Openstack-security at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>> 
>> 
>> 
>> 
>> 
>> -- 
>> Thanks,
>> -Sriram
> 
> 
> 
> 
> -- 
> Thanks,
> -Sriram
