[Openstack-security] OpenStack Threat Analysis activity - OSSG

Hui Xiang hui.xiang at canonical.com
Fri Mar 14 10:56:09 UTC 2014


Hi Shohel,

  Thanks for your update, I can understand the timezone problem, I will keep
reading the wiki and if there are any questions I will post here, it's
really appreciated to help to answer with that then.

Thank you : )


On Fri, Mar 14, 2014 at 3:55 AM, Fiorentino, Cristian <cristian.fiorentino at intel.com> wrote:

> Hi Shohel and Everyone,
>
> I am new to OSSG, and I would be happy to support the OpenStack Threat
> Analysis activity.
> Most meeting time proposals in email thread below work for me.
>
> Thanks and Regards.
> Cristian.
>
>
> Date: Thu, 13 Mar 2014 18:18:48 +0200
> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
> To: Hui Xiang <hui.xiang at canonical.com>
> Cc: "Openstack-security at lists.openstack.org , "
>         <Openstack-security at lists.openstack.org>
> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity -
>         OSSG
> Message-ID: <EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi Hui Xiang,
>
> You are welcome to join the meeting and take part in the review / Threat
> modelling work we are currently working on. Or if you have some suggestion,
> please share with us.
>
> We will discuss the time schedule issue in the next meeting. I think it
> would be a bit difficult because we have some participants from US timezones.
>
> We are continuously updating the Wiki page (although there is sometimes a
> lag) and related information, so that everyone is informed.
>
> Related information in the
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>
>
> Thanks,
> Shohel
>
> On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com> wrote:
>
> > Hi all,
> >
> >   I am carefully asking you guys if it is possible to bring the meeting
> > ##openstack-threat-analysis forward to 15.00 UTC, or even earlier? Because
> > I am in UTC+8 timezone, always can't attend the OSSG meeting before due to
> > sleepy, but I don't want to miss this meeting although I am not very
> > familiar with the current topic, I want to contribute more here.
> >
> >   But if it is inconvenient for you to reschedule the time, I can understand
> > and will keep following the info from email and community.
> >
> >   Thanks for your understanding : )
> >
> >
> > On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> > Hi all,
> >
> > In yesterday's OSSG meeting, I promised to give the current status of the activity.
> > The activity is ongoing. Based on feedback from last IRC call, we have updated the
> > Threat Modelling framework.
> >
> > The wiki page is updated now.
> > https://wiki.openstack.org/wiki/Security/Threat_Analysis
> >
> > We are almost finishing the analysis for Auth_token middleware, Token manager and token service.
> > We are looking for reviewers of those documents. There is a meeting
> > today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel)
> >
> >
> > Thanks,
> > Shohel
> >
> >
> >
> >
> > We are going to have a  OpenStack Threat m
> >
> >
> >> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
> >> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity -
> OSSG
> >> Date: 21 Feb 2014 13:15:08 GMT+2
> >> To: "openstack-security at lists.openstack.org" <
> openstack-security at lists.openstack.org>
> >> Cc: Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham"
> <robert.clark at hp.com>
> >>
> >> Hi guys,
> >>
> >> Sorry for not including the whole OSSG in the initial call. So, we are having an initial call
> >> for Threat modelling of OpenStack (first one is Keystone) today, 21 Feb, 17.00 UTC. Let's
> >> have the discussion today then decide what time suits us best for later meetings. It is in Freenode
> >> channel ##openstack-threat-analysis (unofficial channel).
> >>
> >> Today's topics of discussion:
> >>    1. Threat modelling process
> >>       https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>
> >>       First, we need to agree on this, so we have conformity around the whole work. Please feel
> >>       free to provide your feedback.
> >>
> >>    2. Some concrete example use of the modelling process
> >>       Keystone overall: https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>       Keystone Token-provider: https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>
> >>       (Now these documents are work in progress, things are not always in order and complete)
> >>
> >>
> >> See you in the meeting,
> >> Shohel
> >>
> >>
> >>
> >>
> >> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:
> >>
> >>> Damn - I missed the meeting again :(. I will check the logs to catch up. Sorry
> >>>
> >>>
> >>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
> >>> Including the whole security group as there was significant interest during the OSSG weekly meeting.
> >>>
> >>>
> >>>
> >>> From: Sriram Subramanian [mailto:sriram at sriramhere.com]
> >>> Sent: 20 February 2014 16:35
> >>> To: Abu Shohel Ahmed
> >>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
> >>> Subject: Re: OpenStack Threat Analysis activity - OSSG
> >>>
> >>>
> >>>
> >>> Shohel,
> >>>
> >>>
> >>>
> >>> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?
> >>>
> >>>
> >>>
> >>> thanks,
> >>>
> >>> -Sriram
> >>>
> >>>
> >>>
> >>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> From our last week's, it becomes clear that we need to set up a way of working process in place
> >>> to take this activity forward.
> >>>
> >>> So here are some ideas (Please also share yours):
> >>>
> >>> 1. WoW:
> >>>
> >>>    In the short time frame,
> >>>
> >>>    - First, we should define the purpose and the concrete output of this work (which I think most of us
> >>>      here have some ideas about; if we still have questions, we can clear that up before moving forward).
> >>>
> >>>    - Second issue is how we can do threat analysis contribution in an effective manner. Here come the
> >>>      collaboration issues within this group. For this, I have created a Freenode IRC channel
> >>>      ##openstack-threat-analysis (unofficial channel, as you can see from name).
> >>>      Let's start biweekly (15 days) meetings from this week. Let's vote for what is the suitable time
> >>>      for meeting for all of us. I propose Friday at 17.00 UTC. However, I am happy to schedule
> >>>      the meeting based on most people's preference.
> >>>
> >>>    In the longer time frame, we should think about setting up a Threat analysis working group
> >>>    (could be under OSSG) to perform threat modelling of all OpenStack components
> >>>    - Define a clear output from this working group e.g., Threat documentation, Design guidance.
> >>>    - Engage developers and security minded people to the work.
> >>>
> >>>
> >>> 2. Now on the technical side,
> >>>
> >>>    First and foremost, we should agree on a threat modelling process that can be applied for all
> >>>    OpenStack services and internal components. We have some ideas that
> >>>    can be applied for this work? Here is the link of our proposal :
> >>>
> >>>    https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>>
> >>>    and here are two concrete implementations of applying the threat modelling process?
> >>>
> >>>    Keystone overall: https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>>    Keystone Token-provider: https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>>
> >>>    (These are work in progress documents, so by no means provide a complete picture)
> >>>
> >>>    Let's discuss what you guys think about the Modelling steps and its applicability with OpenStack (e.g., Keystone)
> >>>
> >>>
> >>>
> >>> Thanks,
> >>> Shohel
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> Thanks,
> >>>
> >>> -Sriram
> >>>
> >>>
> >>> _______________________________________________
> >>> Openstack-security mailing list
> >>> Openstack-security at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Thanks,
> >>> -Sriram
> >>
> >
> >
> >
> >
>
>