[Openstack-security] OpenStack Threat Analysis activity - OSSG

Abu Shohel Ahmed ahmed.shohel at ericsson.com
Fri Feb 21 11:15:08 UTC 2014


Hi guys,

Sorry for not including the whole OSSG in the initial call. So, we are having an initial call
for threat modelling of OpenStack (first one is Keystone) today, 21 Feb, 17.00 UTC. Let’s
have the discussion today then decide what time suits us best for later meetings. It is in the Freenode
channel ##openstack-threat-analysis (unofficial channel).

Today’s topics of discussion:
   1. Threat modelling process
         https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing

         First, we need to agree on this, so we have conformity around the whole work. Please feel
         free to provide your feedback.

   2. Some concrete example use of the modelling process
         Keystone overall:           https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
         Keystone Token-provider:    https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing

         (Now these documents are work in progress; things are not always in order and complete)


See you in the meeting,
Shohel




On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:

> Damn - I missed the meeting again :(. I will check the logs to catch up. Sorry
> 
> 
> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
> Including the whole security group as there was significant interest during the OSSG weekly meeting.
> 
>  
> 
> From: Sriram Subramanian [mailto:sriram at sriramhere.com] 
> Sent: 20 February 2014 16:35
> To: Abu Shohel Ahmed
> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
> Subject: Re: OpenStack Threat Analysis activity - OSSG
> 
>  
> 
> Shohel,
> 
>  
> 
> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?
> 
>  
> 
> thanks,
> 
> -Sriram
> 
>  
> 
> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> 
> Hi,
> 
> From our last week’s, it becomes clear that we need to set up a way of working process in place
> to take this activity forward.
> 
> So here are some ideas (Please also share yours):
> 
> 1.   WoW:
> 
>        In the short time frame,
> 
>        - First, we should define the purpose and the concrete output of this work (which I think most of us here have some ideas about; if we still have questions,
>          we can clear that up before moving forward).
> 
>        - Second issue is how we can do threat analysis contribution in an effective manner. Here come the collaboration issues within
>          this group. For this, I have created a Freenode IRC channel ##openstack-threat-analysis (unofficial channel, as you can see from the name).
>          Let's start biweekly (15 days) meetings from this week. Let's vote for what is the suitable time for the meeting for all of us.
>          I propose Friday at 17.00 UTC. However, I am happy to schedule the meeting based on most people's preference.
> 
>        In the longer time frame, we should think about setting up a Threat analysis working group (could be under OSSG) to perform threat modelling of all OpenStack components
>           - Define a clear output from this working group, e.g., threat documentation, design guidance.
>           - Engage developers and security-minded people in the work.
> 
> 
> 2. Now on the technical side,
> 
>        First and foremost, we should agree on a threat modelling process that can be applied to all OpenStack services and internal components. We have some ideas that
>        can be applied for this work… Here is the link to our proposal:
> 
>               https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> 
>        and here are two concrete implementations of applying the threat modelling process…
> 
>               Keystone overall:           https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>               Keystone Token-provider:    https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> 
>        (These are work in progress documents, so by no means provide a complete picture)
> 
>        Let's discuss what you guys think about the modelling steps and their applicability to OpenStack (e.g., Keystone)
> 
> 
> 
> Thanks,
> Shohel
> 
> 
> 
> 
> 
>  
> 
> --
> 
> Thanks,
> 
> -Sriram
> 
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> 
> 
> 
> 
> -- 
> Thanks,
> -Sriram