[Openstack-security] OpenStack Threat Analysis activity - OSSG

Hui Xiang hui.xiang at canonical.com
Thu Mar 13 02:34:10 UTC 2014


Hi all,

  I am carefully asking you guys whether it is possible to bring the
##openstack-threat-analysis meeting forward to 15.00 UTC, or even earlier.
Because I am in the UTC+8 timezone, I have never been able to attend the
OSSG meeting before, as I am too sleepy at that time, but I don't want to
miss this meeting. Although I am not very familiar with the current topic,
I want to contribute more here.

  But if it is inconvenient for you to reschedule the time, I can understand
and will keep following the info from email and the community.

  Thanks for your understanding : )


On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com
> wrote:

> Hi all,
>
> At yesterday's OSSG meeting, I promised to give the current status of the
> activity.
> The activity is ongoing. Based on feedback from the last IRC call, we have
> updated the Threat Modelling framework.
>
> The wiki page is updated now.
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>
> We are almost finished with the analysis for Auth_token middleware, Token
> manager and token service.
> We are looking for reviewers of those documents. There is a meeting
> today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel).
>
>
> Thanks,
> Shohel
>
>
>
>
> We are going to have a  OpenStack Threat m
>
>
> *From: *Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
> *Subject: **Re: [Openstack-security] OpenStack Threat Analysis activity -
> OSSG*
> *Date: *21 Feb 2014 13:15:08 GMT+2
> *To: *"openstack-security at lists.openstack.org" <
> openstack-security at lists.openstack.org>
> *Cc: *Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham" <
> robert.clark at hp.com>
>
> Hi guys,
>
> Sorry for not including the whole OSSG in the initial call. So, we are
> having an initial call for threat modelling of OpenStack (the first one is
> Keystone) today, 21 Feb, 17.00 UTC. Let's have the discussion today and then
> decide what time suits us best for later meetings. It is in the Freenode
> channel ##openstack-threat-analysis (unofficial channel).
>
> Today's topics of discussion:
>    1. Threat modelling process
>
> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>
>       First, we need to agree on this, so we have conformity around the
>       whole work. Please feel free to provide your feedback.
>
>    2. Some concrete example uses of the modelling process
>       Keystone overall:
> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>       Keystone Token-provider:
> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>
>       (Now these documents are work in progress; things are not always in
>       order and complete.)
>
>
> See you in the meeting,
> Shohel
>
>
>
>
> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com>
> wrote:
>
> Damn - I missed the meeting again :(. I will check the logs to catch up.
> Sorry
>
>
> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <
> robert.clark at hp.com> wrote:
>
>> Including the whole security group as there was significant interest
>> during the OSSG weekly meeting.
>>
>>
>>
>> *From:* Sriram Subramanian [mailto:sriram at sriramhere.com]
>> *Sent:* 20 February 2014 16:35
>> *To:* Abu Shohel Ahmed
>> *Cc:* Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
>> *Subject:* Re: OpenStack Threat Analysis activity - OSSG
>>
>>
>>
>> Shohel,
>>
>>
>>
>> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are
>> we meeting tomorrow?
>>
>>
>>
>> thanks,
>>
>> -Sriram
>>
>>
>>
>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <
>> ahmed.shohel at ericsson.com> wrote:
>>
>> Hi,
>>
>> From our last week's, it becomes clear that we need to put a way of
>> working process in place to take this activity forward.
>>
>> So here are some ideas (Please also share yours):
>>
>> 1. WoW:
>>
>>    In the short time frame:
>>
>>    - First, we should define the purpose and the concrete output of this
>>      work (which I think most of us here have some ideas about; if we still
>>      have questions, we can clear them up before moving forward).
>>
>>    - The second issue is how we can contribute to threat analysis in an
>>      effective manner. Here come the collaboration issues within this
>>      group. For this, I have created a Freenode IRC channel,
>>      ##openstack-threat-analysis (unofficial channel, as you can see from
>>      the name).
>>      Let's start biweekly (15 days) meetings from this week. Let's vote
>>      on a suitable meeting time for all of us.
>>      I propose Friday at 17.00 UTC. However, I am happy to schedule the
>>      meeting based on most people's preference.
>>
>>    In the longer time frame, we should think about setting up a Threat
>>    analysis working group (could be under OSSG) to perform threat
>>    modelling of all OpenStack components:
>>
>>    - Define a clear output from this working group, e.g., Threat
>>      documentation, Design guidance.
>>    - Engage developers and security-minded people in the work.
>>
>>
>> 2. Now on the technical side:
>>
>>    First and foremost, we should agree on a threat modelling process that
>>    can be applied to all OpenStack services and internal components. We
>>    have some ideas that can be applied to this work. Here is the link to
>>    our proposal:
>>
>> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>>
>>    and here are two concrete implementations of applying the threat
>>    modelling process:
>>
>>    Keystone overall:
>> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>>    Keystone Token-provider:
>> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>>
>>    (These are work-in-progress documents, so they by no means provide a
>>    complete picture.)
>>
>>    Let's discuss what you guys think about the modelling steps and their
>>    applicability to OpenStack (e.g., Keystone).
>>
>>
>>
>> Thanks,
>> Shohel
>>
>>
>>
>>
>>
>> --
>>
>> Thanks,
>>
>> -Sriram
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>>
>
>
> --
> Thanks,
> -Sriram