[Openstack-security] OpenStack Threat Analysis activity - OSSG

Clark, Robert Graham robert.clark at hp.com
Fri Mar 14 11:19:09 UTC 2014


I think this is a very exciting project, I’ll do my best to be at the next meeting.

Can you summarise for us on the email list, if there are gaps where resource, knowledge etc are required - there are lots of lurkers on the security list just waiting for the right opportunity to jump in and help with something.

-Rob

On 14 March 2014 at 10:58:07, Hui Xiang (hui.xiang at canonical.com) wrote:

Hi Shohel,

  Thanks for your update, I can understand the timezone problem, I will keep reading the wiki and if there are any questions I will post here, it's really appreciated to help to answer with that then.

Thank you : )


On Fri, Mar 14, 2014 at 3:55 AM, Fiorentino, Cristian <cristian.fiorentino at intel.com> wrote:
Hi Shohel and Everyone,

I am new to OSSG, and I would be happy to support the OpenStack Threat Analysis activity.
Most meeting time proposals in email thread below work for me.

Thanks and Regards.
Cristian.


Date: Thu, 13 Mar 2014 18:18:48 +0200
From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
To: Hui Xiang <hui.xiang at canonical.com>
Cc: "Openstack-security at lists.openstack.org" <Openstack-security at lists.openstack.org>
Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
Message-ID: <EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com>
Content-Type: text/plain; charset="windows-1252"

Hi Hui Xiang,

You are welcome to join the meeting and take part in the review / Threat modelling work we are currently working on. Or if you have some suggestions, please share with us.

We will discuss the time schedule issue in the next meeting. I think it would be a bit difficult because we have some participants from US timezones.

We are continuously updating the Wiki page (although there is sometimes a lag) and related information, so that everyone is informed.

Related information in the
> https://wiki.openstack.org/wiki/Security/Threat_Analysis


Thanks,
Shohel

On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com> wrote:

> Hi all,
>
>   I am carefully asking you guys if it is possible to bring the meeting ##openstack-threat-analysis forward to 15.00 UTC, or earlier? Because I am in the UTC+8 timezone, I have never been able to attend the OSSG meeting before due to sleepiness, but I don't want to miss this meeting. Although I am not very familiar with the current topic, I want to contribute more here.
>
>   But if it is inconvenient for you to reschedule the time, I can understand and will keep following the info from email and community.
>
>   Thanks for your understanding : )
>
>
> On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi all,
>
> In yesterday's OSSG meeting, I promised to give the current status of the activity.
> The activity is ongoing. Based on feedback from the last IRC call, we have updated the
> Threat Modelling framework.
>
> The wiki page is updated now.
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>
> We are almost finishing the analysis for Auth_token middleware, Token manager and token service.
> We are looking for reviewers of those documents. There is a meeting
> today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel)
>
>
> Thanks,
> Shohel
>
>
>
>
> We are going to have a  OpenStack Threat m
>
>
>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
>> Date: 21 Feb 2014 13:15:08 GMT+2
>> To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>> Cc: Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham" <robert.clark at hp.com>
>>
>> Hi guys,
>>
>> Sorry for not including the whole OSSG in the initial call. So, we are having an initial call
>> for Threat modelling of OpenStack (first one is Keystone) today, 21 Feb, 17.00 UTC. Let's
>> have the discussion today then decide what time suits us best for later meetings. It is in the Freenode
>> channel ##openstack-threat-analysis (unofficial channel).
>>
>> Today's topics of discussion:
>>    1. Threat modelling process
>>          https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>>
>>          First, we need to agree on this, so we have conformity around the whole work. Please feel
>>          free to provide your feedback.
>>
>>    2. Some concrete example use of the modelling process
>>          Keystone overall:         https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>>          Keystone Token-provider:  https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>>
>>          (Now these documents are work in progress; things are not always in order and complete)
>>
>>
>> See you in the meeting,
>> Shohel
>>
>>
>>
>>
>> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:
>>
>>> Damn - I missed the meeting again :(. I will check the logs to catch up. Sorry
>>>
>>>
>>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
>>> Including the whole security group as there was significant interest during the OSSG weekly meeting.
>>>
>>>
>>>
>>> From: Sriram Subramanian [mailto:sriram at sriramhere.com]
>>> Sent: 20 February 2014 16:35
>>> To: Abu Shohel Ahmed
>>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
>>> Subject: Re: OpenStack Threat Analysis activity - OSSG
>>>
>>>
>>>
>>> Shohel,
>>>
>>>
>>>
>>> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?
>>>
>>>
>>>
>>> thanks,
>>>
>>> -Sriram
>>>
>>>
>>>
>>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
>>>
>>> Hi,
>>>
>>> From our last week's, it becomes clear that we need to set up a way of working process in place
>>> to take this activity forward.
>>>
>>> So here are some ideas (Please also share yours):
>>>
>>> 1.   WoW:
>>>
>>>         In the short time frame,
>>>
>>>        - First, we should define the purpose and the concrete output of this work (which I think most of us here have some ideas about; if we still have questions -
>>>          we can clear that up before moving forward).
>>>
>>>        - Second issue is, how we can do threat analysis contribution in an effective manner. Here comes the collaboration issues within
>>>          this group. For this, I have created a Freenode IRC channel ##openstack-threat-analysis (unofficial channel, as you can see from the name).
>>>          Let's start biweekly (15 days) meetings from this week. Let's vote for what is the suitable time for meeting for all of us.
>>>          I propose Friday at 17.00 UTC. However, I am happy to schedule the meeting based on most people's preference.
>>>
>>>        In the longer time frame, we should think about setting up a Threat analysis working group (could be under OSSG) to perform threat modelling of all OpenStack components
>>>           - Define a clear output from this working group e.g., Threat documentation, Design guidance.
>>>           - Engage developers and security minded people to the work.
>>>
>>>
>>> 2. Now on the technical side,
>>>
>>>        First and foremost, we should agree on a threat modelling process that can be applied for all OpenStack services and internal components. We have some ideas that
>>>        can be applied for this work... Here is the link of our proposal:
>>>
>>>        https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>>>
>>>        and here are two concrete implementations of applying the threat modelling process...
>>>
>>>               Keystone overall:         https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>>>               Keystone Token-provider:  https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>>>
>>>        (These are work in progress documents, so by no means provide a complete picture)
>>>
>>>        Let's discuss what you guys think about the Modelling steps and its applicability with OpenStack (e.g., Keystone)
>>>
>>>
>>>
>>> Thanks,
>>> Shohel
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Thanks,
>>>
>>> -Sriram
>>>
>>>
>>> _______________________________________________
>>> Openstack-security mailing list
>>> Openstack-security at lists.openstack.org<mailto:Openstack-security at lists.openstack.org>
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> -Sriram
>>
>
>

