[Openstack-security] OpenStack Threat Analysis activity - OSSG
Abu Shohel Ahmed
ahmed.shohel at ericsson.com
Thu Mar 13 16:18:48 UTC 2014
Hi Hui Xiang,
You are welcome to join the meeting and take part in the review / Threat modelling work we are currently working on. Or if you have some suggestions, please share them with us.
We will discuss the time schedule issue in the next meeting. I think it would be a bit difficult because we have some participants from US timezones.
We are continuously updating the Wiki page (although there is sometimes a lag) and related information, so that everyone is informed.
Related information in the
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
Thanks,
Shohel
On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com> wrote:
> Hi all,
>
> I am carefully asking you guys if it is possible to bring the meeting ##openstack-threat-analysis forward to 15.00 UTC, or earlier? Because I am in the UTC+8 timezone, I have always been unable to attend the OSSG meeting due to being sleepy, but I don't want to miss this meeting. Although I am not very familiar with the current topic, I want to contribute more here.
>
> But if it is inconvenient for you to reschedule the time, I can understand and will keep following the info from email and community.
>
> Thanks for your understanding : )
>
>
> On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi all,
>
> In yesterday’s OSSG meeting, I promised to give the current status of the activity.
> The activity is ongoing. Based on feedback from the last IRC call, we have updated the
> Threat Modelling framework.
>
> The wiki page is updated now.
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>
> We have almost finished the analysis for Auth_token middleware, Token manager and token service.
> We are looking for reviewers of those documents. There is a meeting
> today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel)
>
>
> Thanks,
> Shohel
>
>
>
>
> We are going to have a OpenStack Threat m
>
>
>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
>> Date: 21 Feb 2014 13:15:08 GMT+2
>> To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>> Cc: Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham" <robert.clark at hp.com>
>>
>> Hi guys,
>>
>> Sorry for not including the whole OSSG in the initial call. So, we are having an initial call
>> for Threat modelling of OpenStack (first one is Keystone) today, 21 Feb, 17.00 UTC. Let’s
>> have the discussion today then decide what time suits us best for later meetings. It is in the Freenode
>> channel ##openstack-threat-analysis (unofficial channel).
>>
>> Today’s topics of discussion:
>> 1. Threat modelling process
>> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>>
>> First, we need to agree on this, so we have conformity around the whole work. Please feel
>> free to provide your feedback.
>>
>> 2. Some concrete example use of the modelling process
>> Keystone over all : https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>> Keystone Token-provider: https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>>
>> (Now these documents are work in progress, things are not always in order and complete)
>>
>>
>> See you in the meeting,
>> Shohel
>>
>>
>>
>>
>> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:
>>
>>> Damn - i missed the meeting again :(. I will check the logs to catch up. Sorry
>>>
>>>
>>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
>>> Including the whole security group as there was significant interest during the OSSG weekly meeting.
>>>
>>>
>>>
>>> From: Sriram Subramanian [mailto:sriram at sriramhere.com]
>>> Sent: 20 February 2014 16:35
>>> To: Abu Shohel Ahmed
>>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
>>> Subject: Re: OpenStack Threat Analysis activity - OSSG
>>>
>>>
>>>
>>> Shohel,
>>>
>>>
>>>
>>> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?
>>>
>>>
>>>
>>> thanks,
>>>
>>> -Sriram
>>>
>>>
>>>
>>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
>>>
>>> Hi,
>>>
>>> From our last week’s, it becomes clear that we need to set up a way of working process in place
>>> to take this activity forward.
>>>
>>> So here are some ideas (Please also share yours):
>>>
>>> 1. WoW:
>>>
>>> In the short time frame,
>>>
>>> - First, we should define the purpose and the concrete output of this work (which I think most of us here have some ideas about; if we still have questions,
>>> we can clear that up before moving forward).
>>>
>>> - The second issue is how we can do threat analysis contribution in an effective manner. Here come the collaboration issues within
>>> this group. For this, I have created a Freenode IRC channel ##openstack-threat-analysis (unofficial channel, as you can see from the name).
>>> Let's start biweekly (15 days) meetings from this week. Let's vote on what is the suitable meeting time for all of us.
>>> I propose Friday at 17.00 UTC. However, I am happy to schedule the meeting based on most people's preference.
>>>
>>> In the longer time frame, we should think about setting up a Threat analysis working group (could be under OSSG) to perform threat modelling of all OpenStack components
>>> - Define a clear out from this working group e.g., Threat documentation, Design guidance.
>>> - Engage developers and security minded people to the work.
>>>
>>>
>>> 2. Now on the technical side,
>>>
>>> First and foremost, we should agree on a threat modelling process that can be applied for all OpenStack services and internal components. We have some ideas that
>>> can be applied for this work… Here is the link of our proposal :
>>>
>>> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>>>
>>> and here are two concrete implementations of applying the threat modelling process…
>>>
>>> Keystone over all : https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>>> Keystone Token-provider: https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>>>
>>> (These are work in progress documents, so by no means provide a complete picture)
>>>
>>> Let's discuss what you guys think about the Modelling steps and their applicability to OpenStack (e.g., Keystone)
>>>
>>>
>>>
>>> Thanks,
>>> Shohel
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Thanks,
>>>
>>> -Sriram
>>>
>>>
>>> _______________________________________________
>>> Openstack-security mailing list
>>> Openstack-security at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> -Sriram
>>
>
>
>
>