[Openstack-security] OpenStack Threat Analysis activity - OSSG

Abu Shohel Ahmed ahmed.shohel at ericsson.com
Thu Mar 20 10:32:40 UTC 2014


Hi Hui,

Thanks for your interest. Some comments inline.

On 19 Mar 2014, at 12:59, Hui Xiang <hui.xiang at canonical.com> wrote:

> Hey Rob, Shohel,
> 
>   Thanks for your good advice : ). I can see from the wiki that there are already some great modeling/report/result docs of Keystone, systematic and very detailed.
> 
>   I completely agree with Shohel's gaps descriptions:
>       Engagement from Target project team 
>       Engagement of more OSSG members in active way
>       Engagement from all
> 
>   Besides that, I have some questions to bother you:
>       1. I don't know the design process you guys use to output such valuable docs. I mean, how should I work together with you on this project without falling far behind? Would there be milestones to indicate which phase it is in now?
The process we are currently following is defined in the wiki, or here:
https://wiki.openstack.org/wiki/File:Threat_modeling_process.pdf
(if you want to add something to the process, please do mention it)

If you mean a project plan, yes, we have one, but not a very formal one. Currently, we are
going one by one through all the components, based on the Keystone high level analysis file (file in repo).
As said earlier, there are multiple ways to contribute,
for example in analysis (read the docs from one of the files
in the git repo ../ananlysis_report/ and perform analysis, or work on finding new threats with the existing published ones,
or write DFDs for new components (for example, we have not done anything yet for the catalog driver,
memcache or LDAP backend and many other parts of Keystone)) and so on.

Our biweekly meeting is also a good place to discuss this issue. I will take this issue to our regular meeting to
discuss how to improve collaboration.

>       2. In other projects, for example, if I want to connect the Neutron team with OSSG to output these docs/code, how should I do it? By communicating with Neutron cores, or by doing some work myself more proactively?
Here we should do more collaboration by any possible means.
>     3. I wish there were more background and the original intention added into the docs; that would make it easier for people who don't attend the meetings and are unaware of some beautiful stories.
OK, noted, we will improve this part.

>       4. I wish the OSSG lead could help me grow fast, in the right direction and the right way.
> 
>    Anyway, I want to contribute and be involved more, but as a new starter to this project and not very familiar with Keystone, I am coming up to speed but worried about losing your steps; forgive my long comments : )
> 
> Best Regards.
> 
>       

thanks,
shohel


> 
> 
> On Tue, Mar 18, 2014 at 6:53 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi Rob and all,
> 
> You rightly pointed out this is an exciting project which can help to secure all OpenStack projects.
> 
> Now, for the status part, this is what we have done so far:
> -  We have defined modelling steps for Threat Analysis of OpenStack projects.
> -  Templates for the report and analysis part
> -  Performed threat modelling for some parts of Keystone.
> -  Continued working with Keystone and more reports to come in the coming months
> 
> For the latest update, please check
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> or
> https://github.com/shohel02/OpenStack_Threat_Modelling
> 
> 
> What are the gaps:
> 
> -  Engagement from Target project team (e.g. Keystone developers or other project).
>    The  engagement could be
>                * Reviewing and clarifying the analysis report ( the generated reports
>                  are also good source of documentation for each project, we can help each other,
>                  currently we have some amount of engagement from the keystone developers)
>                * Acknowledging the threats in relevant projects and defining way forward.
> 
> -  Engagement of more OSSG members in an active way. The engagement could be:
>               *   Aligning threat modelling process ( what to include what not to)
>               *   Sharing your earlier threat modelling experiences
>               *   Working collaboratively for the analysis part
> 
> -  Engagement from all:
>               *  Everyone is welcome to contribute
>               *  Developers can help us to write DFD from code base
>               *  Existing core project members can help to review docs
>               *  Experienced members in OSSG can help to place quality control measure
> 
> - Covering all core projects:
>               *  We need more interested people to form a team and start working on threat modelling of
>                  other core projects (e.g., Nova, Neutron and so on. The list is big)
> 
> Lastly,
> - How to create a process which is easy to follow and produces best result
> 
>    From the technical side, I was thinking of Gerrit, with some control for each document to go through, and in the
> pipeline we attach people from both OSSG and the Target project team.
> 
> Any other ideas?
> 
> Thanks,
> Shohel
> 
> 
> On 14 Mar 2014, at 13:19, Clark, Robert Graham <robert.clark at hp.com> wrote:
> 
> > I think this is a very exciting project, I’ll do my best to be at the next meeting.
> >
> > Can you summarise for us on the email list if there are gaps where resources, knowledge etc. are required - there are lots of lurkers on the security list just waiting for the right opportunity to jump in and help with something.
> >
> > -Rob
> >
> > On 14 March 2014 at 10:58:07, Hui Xiang (hui.xiang at canonical.com<mailto:hui.xiang at canonical.com>) wrote:
> >
> > Hi Shohel,
> >
> > Thanks for your update. I can understand the timezone problem; I will keep reading the wiki and if there are any questions I will post them here. Help answering them then would be really appreciated.
> >
> > Thank you : )
> >
> >
> > On Fri, Mar 14, 2014 at 3:55 AM, Fiorentino, Cristian <cristian.fiorentino at intel.com<mailto:cristian.fiorentino at intel.com>> wrote:
> > Hi Shohel and Everyone,
> >
> > I am new to OSSG, and I would be happy to support the OpenStack Threat Analysis activity.
> > Most meeting time proposals in the email thread below work for me.
> >
> > Thanks and Regards.
> > Cristian.
> >
> >
> > Date: Thu, 13 Mar 2014 18:18:48 +0200
> > From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com<mailto:ahmed.shohel at ericsson.com>>
> > To: Hui Xiang <hui.xiang at canonical.com<mailto:hui.xiang at canonical.com>>
> > Cc: "Openstack-security at lists.openstack.org<mailto:Openstack-security at lists.openstack.org> , "
> >        <Openstack-security at lists.openstack.org<mailto:Openstack-security at lists.openstack.org>>
> > Subject: Re: [Openstack-security] OpenStack Threat Analysis activity -
> >        OSSG
> > Message-ID: <EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com<mailto:EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com>>
> > Content-Type: text/plain; charset="windows-1252"
> >
> > Hi Hui Xiang,
> >
> > You are welcome to join the meeting and take part in the review / threat modelling work we are currently working on. Or if you have some suggestions, please
> > share them with us.
> >
> > We will discuss the time schedule issue in the next meeting. I think it would be a bit difficult because we have some participants from US timezones.
> >
> > We are continuously updating the Wiki page ( although there is sometimes a lag) and related information, so that everyone is informed.
> >
> > Related information in the
> > https://wiki.openstack.org/wiki/Security/Threat_Analysis
> >
> >
> > Thanks,
> > Shohel
> >
> > On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com<mailto:hui.xiang at canonical.com>> wrote:
> >
> >> Hi all,
> >>
> >>  I am carefully asking you guys if it is possible to bring the ##openstack-threat-analysis meeting forward to 15.00 UTC, or even earlier? Because I am in the UTC+8 timezone, I could never attend the OSSG meeting before because I was too sleepy, but I don't want to miss this meeting; although I am not very familiar with the current topic, I want to contribute more here.
> >>
> >>  But if it is inconvenient for you to reschedule the time, I can understand and will keep following the info from email and the community.
> >>
> >>  Thanks for your understanding : )
> >>
> >>
> >> On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com<mailto:ahmed.shohel at ericsson.com>> wrote:
> >> Hi all,
> >>
> >> In yesterday's OSSG meeting, I promised to give the current status of the activity.
> >> The activity is ongoing. Based on feedback from the last IRC call, we have updated the
> >> Threat Modelling framework.
> >>
> >> The wiki page is updated now:
> >> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> >>
> >> We are almost finished with the analysis for the Auth_token middleware, Token manager and token service.
> >> We are looking for reviewers of those documents. There is a meeting
> >> today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel)
> >>
> >>
> >> Thanks,
> >> Shohel
> >>
> >>
> >>
> >>
> >> We are going to have a  OpenStack Threat m
> >>
> >>
> >>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com<mailto:ahmed.shohel at ericsson.com>>
> >>> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG
> >>> Date: 21 Feb 2014 13:15:08 GMT+2
> >>> To: "openstack-security at lists.openstack.org<mailto:openstack-security at lists.openstack.org>" <openstack-security at lists.openstack.org<mailto:openstack-security at lists.openstack.org>>
> >>> Cc: Sriram Subramanian <sriram at sriramhere.com<mailto:sriram at sriramhere.com>>, "Clark, Robert Graham" <robert.clark at hp.com<mailto:robert.clark at hp.com>>
> >>>
> >>> Hi guys,
> >>>
> >>> Sorry for not including the whole OSSG in the initial call. So, we are having an initial call
> >>> for threat modelling of OpenStack (the first one is Keystone) today, 21 Feb, 17.00 UTC. Let's
> >>> have the discussion today, then decide what time suits us best for later meetings. It is in the Freenode
> >>> channel ##openstack-threat-analysis (unofficial channel).
> >>>
> >>> Today's topics of discussion:
> >>>   1. Threat modelling process
> >>>         https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>>
> >>>          First, we need to agree on this, so we have conformity around the whole work. Please feel
> >>>          free to provide your feedback.
> >>>
> >>>   2. Some concrete example uses of the modelling process
> >>>          Keystone overall:           https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>>          Keystone Token-provider:    https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>>
> >>>         (Now, these documents are works in progress; things are not always in order and complete)
> >>>
> >>>
> >>> See you in the meeting,
> >>> Shohel
> >>>
> >>>
> >>>
> >>>
> >>> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com<mailto:sriram at sriramhere.com>> wrote:
> >>>
> >>>> Damn - I missed the meeting again :(. I will check the logs to catch up. Sorry.
> >>>>
> >>>>
> >>>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <robert.clark at hp.com<mailto:robert.clark at hp.com>> wrote:
> >>>> Including the whole security group as there was significant interest during the OSSG weekly meeting.
> >>>>
> >>>>
> >>>>
> >>>> From: Sriram Subramanian [mailto:sriram at sriramhere.com<mailto:sriram at sriramhere.com>]
> >>>> Sent: 20 February 2014 16:35
> >>>> To: Abu Shohel Ahmed
> >>>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
> >>>> Subject: Re: OpenStack Threat Analysis activity - OSSG
> >>>>
> >>>>
> >>>>
> >>>> Shohel,
> >>>>
> >>>>
> >>>>
> >>>> Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?
> >>>>
> >>>>
> >>>>
> >>>> thanks,
> >>>>
> >>>> -Sriram
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com<mailto:ahmed.shohel at ericsson.com>> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> From our last week's, it has become clear that we need to set up a way-of-working process
> >>>> to take this activity forward.
> >>>>
> >>>> So here are some ideas (Please also share yours):
> >>>>
> >>>> 1.   WoW:
> >>>>
> >>>>        In the short time frame,
> >>>>
> >>>>       - First, we should define the purpose and the concrete output of this work (which, I think, most of us here have some ideas about; if we still have questions,
> >>>>         we can clear that up before moving forward).
> >>>>
> >>>>       - The second issue is how we can make threat analysis contributions in an effective manner. Here come the collaboration issues within
> >>>>         this group. For this, I have created a Freenode IRC channel ##openstack-threat-analysis (unofficial channel, as you can see from the name).
> >>>>        Let's start biweekly (15 days) meetings from this week. Let's vote for what is the suitable meeting time for all of us.
> >>>>        I propose Friday at 17.00 UTC. However, I am happy to schedule the meeting based on most people's preference.
> >>>>
> >>>>       In the longer time frame, we should think about setting up a Threat analysis working group (could be under OSSG) to perform threat modelling of all OpenStack components
> >>>>           - Define a clear output from this working group, e.g., Threat documentation, Design guidance.
> >>>>           - Engage developers and security minded people in the work.
> >>>>
> >>>>
> >>>> 2. Now on the technical side,
> >>>>
> >>>>              First and foremost, we should agree on a threat modelling process that can be applied to all OpenStack services and internal components. We have some ideas that
> >>>>                  can be applied to this work. Here is the link to our proposal:
> >>>>
> >>>>                   https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
> >>>>
> >>>>                  and here are two concrete implementations of applying the threat modelling process:
> >>>>
> >>>>                         Keystone overall:           https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
> >>>>                         Keystone Token-provider:    https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
> >>>>
> >>>>                  (These are work in progress documents, so by no means provide a complete picture)
> >>>>
> >>>>                  Let's discuss what you guys think about the modelling steps and their applicability to OpenStack (e.g., Keystone)
> >>>>
> >>>>
> >>>>
> >>>> Thanks,
> >>>> Shohel
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> Thanks,
> >>>>
> >>>> -Sriram
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Openstack-security mailing list
> >>>> Openstack-security at lists.openstack.org<mailto:Openstack-security at lists.openstack.org>
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
> 
> 
