[Openstack-security] OpenStack Threat Analysis activity - OSSG

Hui Xiang hui.xiang at canonical.com
Wed Mar 19 10:59:07 UTC 2014


Hey Rob, Shohel,

  Thanks for your good advice : ), I can see from the wiki there are already
some great modeling/report/result docs of keystone, systematic and very
detailed.

  I completely agree with Shohel's gaps descriptions:
      Engagement from Target project team
      Engagement of more OSSG members in active way
      Engagement from all

  Besides that, I have some questions to bother you:
      1. I don't know the design process you guys use to output such valuable
docs, I mean how should I work together with you on this project without
falling far behind? Would there be milestones to indicate which phase it is
in now?
      2. In other projects, for example, if I want to connect the neutron
team with OSSG to output these docs/code, how should I do it? By
communicating with neutron cores, or by doing some work myself more proactively?
      3. I wish there were more background and the original intention added
into the docs; that will be easier for people who don't attend the
meetings and are unaware of some beautiful stories.
      4. I wish the OSSG lead may help me grow fast, in the right direction
and the right way.

   Anyway, I want to contribute and be involved more, but as a new starter to
this project and not very familiar with keystone, I am coming up to speed but
worried about losing your steps; forgive my long comments : )

Best Regards.




On Tue, Mar 18, 2014 at 6:53 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:

> Hi Rob and all,
>
> You rightly pointed out this is an exciting project which can help to
> secure all OpenStack projects.
>
> Now, for the status part, what we have done so far:
> -  We have defined modelling steps for Threat Analysis of OpenStack
> projects.
> -  Templates for the report and analysis part
> -  Performed threat modelling for some parts of Keystone.
> -  Continued working with Keystone and more reports to come in the coming
> months
>
> For the latest update please check
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> or
> https://github.com/shohel02/OpenStack_Threat_Modelling
>
>
> What are the gaps:
>
> -  Engagement from Target project team (e.g. Keystone developers or other
> project).
>    The engagement could be
>                * Reviewing and clarifying the analysis report (the
> generated reports
>                  are also a good source of documentation for each project,
> we can help each other;
>                  currently we have some amount of engagement from the
> keystone developers)
>                * Acknowledging the threats in relevant projects and
> defining way forward.
>
> -  Engagement of more OSSG members in an active way. The engagement could be
>               *   Aligning the threat modelling process (what to include, what
> not to)
>               *   Sharing your earlier threat modelling experiences
>               *   Working collaboratively for the analysis part
>
> -  Engagement from all:
>               *  Everyone is welcome to contribute
>               *  Developers can help us to write DFD from code base
>               *  Existing core project members can help to review docs
>               *  Experienced members in OSSG can help to place quality
> control measure
>
> - Covering all core projects:
>               *  We need more interested people to form a team and start
> working on threat modelling of
>                  other core projects (e.g., Nova, Neutron and so on. The
> list is big)
>
> Lastly,
> - How to create a process which is easy to follow and produces best result
>
>    From the technical side, I was thinking of Gerrit with some control for
> each document to go through, and in the
> pipeline we attach people from both OSSG and the Target project team.
>
> Any other ideas?
>
> Thanks,
> Shohel
>
> On 14 Mar 2014, at 13:19, Clark, Robert Graham <robert.clark at hp.com>
> wrote:
>
> > I think this is a very exciting project, I'll do my best to be at the
> next meeting.
> >
> > Can you summarise for us on the email list if there are gaps where
> resources, knowledge etc. are required - there are lots of lurkers on the
> security list just waiting for the right opportunity to jump in and help
> with something.
> >
> > -Rob
> >
> > On 14 March 2014 at 10:58:07, Hui Xiang (hui.xiang at canonical.com) wrote:
> >
> > Hi Shohel,
> >
> >  Thanks for your update, I can understand the timezone problem, I will
> keep reading the wiki and if there are any questions I will post here; it
> would be really appreciated if you could help answer them then.
> >
> > Thank you : )
> >
> >
> > On Fri, Mar 14, 2014 at 3:55 AM, Fiorentino, Cristian <cristian.fiorentino at intel.com> wrote:
> > Hi Shohel and Everyone,
> >
> > I am new to OSSG, and I would be happy to support the OpenStack Threat
> Analysis activity.
> > Most meeting time proposals in email thread below work for me.
> >
> > Thanks and Regards.
> > Cristian.
> >
> >
> > Date: Thu, 13 Mar 2014 18:18:48 +0200
> > From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
> > To: Hui Xiang <hui.xiang at canonical.com>
> > Cc: Openstack-security at lists.openstack.org
> > Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
> > Message-ID: <EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com>
> > Content-Type: text/plain; charset="windows-1252"
> >
> > Hi Hui Xiang,
> >
> > You are welcome to join the meeting and take part in the review / Threat
> modelling work we are currently working on. Or if you have some suggestions,
> please share them with us.
> >
> > We will discuss the time schedule issue in the next meeting. I think it
> would be a bit difficult because we have some participants from US timezones.
> >
> > We are continuously updating the Wiki page (although there is sometimes
> a lag) and related information, so that everyone is informed.
> >
> > Related information in the
> > https://wiki.openstack.org/wiki/Security/Threat_Analysis
> >
> >
> > Thanks,
> > Shohel
> >
> > On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com> wrote:
> >
> >> Hi all,
> >>
> >>  I am carefully asking you guys if it is possible to bring the meeting
>  ##openstack-threat-analysis forward to 15.00 UTC, or even earlier? Because
> I am in the UTC+8 timezone, I always couldn't attend the OSSG meeting before
> due to sleepiness, but I don't want to miss this meeting; although I am not very
> familiar with the current topic, I want to contribute more here.
> >>
> >>  But if it is inconvenient for you to reschedule the time, I can understand
> and will keep following the info from email and the community.
> >>
> >>  Thanks for your understanding : )
> >>
> >>
> >> On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> >> Hi all,
> >>
> >> At yesterday's OSSG meeting, I promised to give the current status of the
> activity.
> >> The activity is ongoing.  Based on feedback from the last IRC call, we
> have updated the
> >> Threat Modelling framework.
> >>
> >> The wiki page is updated now..
> >> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> >>
> >> We are almost finishing the analysis for Auth_token middleware, Token
> manager and token service.
> >> We are looking for reviewers of those documents.  There is a meeting
> >> today at 17.00 GMT in  ##openstack-threat-analysis  (unofficial channel)
> >>
> >>
> >> Thanks,
> >> Shohel
> >>
> >>
> >>
> >>
> >> We are going to have a  OpenStack Threat m
> >>
> >>
> >>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
> >>> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
> >>> Date: 21 Feb 2014 13:15:08 GMT+2
> >>> To: openstack-security at lists.openstack.org
> >>> Cc: Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham" <robert.clark at hp.com>
> >>>
> >>> Hi guys,
> >>>
> >>> Sorry for not including the whole OSSG in the initial call. So, we are
> having an initial call
> >>> for Threat modelling of OpenStack (first one is Keystone) today, 21
> Feb, 17.00 UTC. Let's
> >>> have the discussion today, then decide what time suits us best for
> later meetings. It is in the Freenode
> >>> channel  ##openstack-threat-analysis  (unofficial channel).
> >>>
> >>> Today's topics of discussion:
> >>>   1. Threat modelling process
> >>>
> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>>
> >>>          First, we need to agree on this, so we have conformity
> around the whole work. Please feel
> >>>          free to provide your feedback.
> >>>
> >>>   2.    Some concrete example use of the modelling process
> >>>                  Keystone over all :
> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>>                  Keystone Token-provider:
> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>>
> >>>         (Now these documents are work in progress; things are not
> always in order and complete)
> >>>
> >>>
> >>> See you in the meeting,
> >>> Shohel
> >>>
> >>>
> >>>
> >>>
> >>> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:
> >>>
> >>>> Damn - I missed the meeting again :(. I will check the logs to catch
> up. Sorry
> >>>>
> >>>>
> >>>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
> >>>> Including the whole security group as there was significant interest
> during the OSSG weekly meeting.
> >>>>
> >>>>
> >>>>
> >>>> From: Sriram Subramanian [mailto:sriram at sriramhere.com]
> >>>> Sent: 20 February 2014 16:35
> >>>> To: Abu Shohel Ahmed
> >>>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
> >>>> Subject: Re: OpenStack Threat Analysis activity - OSSG
> >>>>
> >>>>
> >>>>
> >>>> Shohel,
> >>>>
> >>>>
> >>>>
> >>>> Friday 17.00 UTC works - though 18.00 UTC would work better for me.
> Are we meeting tomorrow?
> >>>>
> >>>>
> >>>>
> >>>> thanks,
> >>>>
> >>>> -Sriram
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <
> ahmed.shohel at ericsson.com<mailto:ahmed.shohel at ericsson.com>> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> From our last week's, it becomes clear that we need to set up a way of
> working process in place
> >>>> to take this activity forward.
> >>>>
> >>>> So here are some ideas (Please also share yours):
> >>>>
> >>>> 1.   WoW:
> >>>>
> >>>>        In the short time frame,
> >>>>
> >>>>       - First, we should define the purpose and the concrete output
> of this work (which I think most of us here have some ideas about; if we still
> have questions,
> >>>>         we can clear that up before moving forward).
> >>>>
> >>>>       - The second issue is how we can do threat analysis contribution
> in an effective manner. Here come the collaboration issues within
> >>>>         this group.  For this, I have created a Freenode IRC channel
>   ##openstack-threat-analysis  (unofficial channel, as you can see from the
> name).
> >>>>        Let's start biweekly (15 days) meetings from this week. Let's
> vote for what is the suitable meeting time for all of us.
> >>>>        I propose Friday at 17.00 UTC. However, I am happy to schedule
> the meeting based on most people's preference.
> >>>>
> >>>>       In the longer time frame, we should think about setting up a
> Threat analysis working group (could be under OSSG) to perform threat
> modelling of all OpenStack components
> >>>>           - Define a clear output from this working group, e.g., Threat
> documentation, Design guidance.
> >>>>          -  Engage developers and security minded people to the work.
> >>>>
> >>>>
> >>>> 2. Now  on the technical side,
> >>>>
> >>>>              First and foremost, we should agree on a threat
> modelling process that can be applied to all OpenStack services and
> internal components. We have some ideas that
> >>>>                  can be applied to this work. Here is the link to
> our proposal:
> >>>>
> >>>>
> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>>>
> >>>>                  and here are two concrete implementations of
>  applying the threat modelling process:
> >>>>
> >>>>                         Keystone over all :
> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>>>                         Keystone Token-provider:
> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>>>
> >>>>                  (These are work in progress documents, so by no
> means provide a complete picture)
> >>>>
> >>>>                  Let's discuss what you guys think about the
> Modelling steps and their applicability to OpenStack (e.g., Keystone)
> >>>>
> >>>>
> >>>>
> >>>> Thanks,
> >>>> Shohel
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> Thanks,
> >>>>
> >>>> -Sriram
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Openstack-security mailing list
> >>>> Openstack-security at lists.openstack.org
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
> >