[Openstack-security] OpenStack Threat Analysis activity - OSSG
Hui Xiang
hui.xiang at canonical.com
Thu Mar 20 10:47:31 UTC 2014
Thanks, Shohel, for your nice response; it's helpful :D
On Thu, Mar 20, 2014 at 6:32 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi Hui,
>
> Thanks for your interest. Some comments inline.
>
> On 19 Mar 2014, at 12:59, Hui Xiang <hui.xiang at canonical.com> wrote:
>
> Hey Rob, Shohel,
>
> Thanks for your good advice :). I can see from the wiki there are already
> some great modelling/report/result docs for Keystone, systematic and very
> detailed.
>
> I completely agree with Shohel's gap descriptions:
> - Engagement from the target project team
> - Engagement of more OSSG members in an active way
> - Engagement from all
>
> Besides that, I have some questions to bother you:
> 1. I don't know the design process you guys follow to produce such valuable
> docs. I mean, how should I work together with you on this project without
> falling far behind? Would there be milestones to indicate which phase it is
> in now?
>
> The process we are currently following is defined in the wiki, or here:
> https://wiki.openstack.org/wiki/File:Threat_modeling_process.pdf
> (if you want to add something to the process, please do mention it)
>
> If you are asking about a project plan, yes, we have one, but not a very
> formal one. Currently, we are going one by one through all the components,
> based on the Keystone high-level analysis file (file in repo).
> As said earlier, there are multiple ways to contribute: for example, in
> analysis (read the docs from one of the files in the git repo
> ../ananlysis_report/ and perform analysis), or working on finding new threats
> against the existing published ones, or writing DFDs for new components (for
> example, we have not done anything yet for the catalog driver, memcache or
> LDAP backend, and many other parts of Keystone), and so on.
>
> Our biweekly meeting is also a good place to discuss this issue. I will
> take this issue to our regular meeting to discuss how to improve
> collaboration.
>
> 2. In other projects, for example, if I want to connect the Neutron team
> with OSSG to output these docs/code, how should I do it? By communicating
> with Neutron cores, or by doing some work myself more proactively?
>
> Here we should do more collaboration by any possible means.
>
> 3. I wish there were more background and the original intention added into
> the docs; that would make it easier for people who don't attend the meetings
> and are unaware of some beautiful stories.
>
> OK, noted, we will improve this part.
>
> 4. I wish the OSSG lead may help me grow fast, in the right direction and
> the right way.
>
> Anyway, I want to contribute and be involved more, but as a new starter to
> this project and not very familiar with Keystone, I am coming up to speed but
> worried about losing your steps; forgive my long comments :)
>
> Best Regards.
>
> thanks,
> shohel
>
> On Tue, Mar 18, 2014 at 6:53 PM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
>
>> Hi Rob and all,
>>
>> You rightly pointed out this is an exciting project which can help to
>> secure all OpenStack projects.
>>
>> Now, for the status part, what we have done so far:
>> - We have defined modelling steps for threat analysis of OpenStack projects.
>> - Templates for the report and analysis part
>> - Performed threat modelling for some parts of Keystone.
>> - Continued working with Keystone, with more reports to come in the coming
>> months
>>
>> For the latest update please check
>> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>> or
>> https://github.com/shohel02/OpenStack_Threat_Modelling
>>
>>
>> What are the gaps:
>>
>> - Engagement from the target project team (e.g. Keystone developers or other
>> projects). The engagement could be
>>   * Reviewing and clarifying the analysis report (the generated reports are
>>     also a good source of documentation for each project, we can help each
>>     other; currently we have some amount of engagement from the Keystone
>>     developers)
>>   * Acknowledging the threats in relevant projects and defining the way
>>     forward.
>>
>> - Engagement of more OSSG members in an active way. The engagement could be
>>   * Aligning the threat modelling process (what to include, what not to)
>>   * Sharing your earlier threat modelling experiences
>>   * Working collaboratively on the analysis part
>>
>> - Engagement from all:
>>   * Everyone is welcome to contribute
>>   * Developers can help us to write DFDs from the code base
>>   * Existing core project members can help to review docs
>>   * Experienced members in OSSG can help to put quality control measures in
>>     place
>>
>> - Covering all core projects:
>>   * We need more interested people to form a team and start working on
>>     threat modelling of other core projects (e.g., Nova, Neutron and so on.
>>     The list is big)
>>
>> Lastly,
>> - How to create a process which is easy to follow and produces the best result
>>
>> From the technical side, I was thinking of Gerrit with some control for each
>> document to go through, and in the pipeline we attach people from both OSSG
>> and the target project team.
>>
>> Any other ideas?
>>
>> Thanks,
>> Shohel
>>
>> On 14 Mar 2014, at 13:19, Clark, Robert Graham <robert.clark at hp.com> wrote:
>>
>> > I think this is a very exciting project; I'll do my best to be at the
>> > next meeting.
>> >
>> > Can you summarise for us on the email list if there are gaps where
>> > resources, knowledge etc. are required - there are lots of lurkers on the
>> > security list just waiting for the right opportunity to jump in and help
>> > with something.
>> >
>> > -Rob
>> >
>> > On 14 March 2014 at 10:58:07, Hui Xiang (hui.xiang at canonical.com) wrote:
>> >
>> > Hi Shohel,
>> >
>> > Thanks for your update. I can understand the timezone problem; I will
>> > keep reading the wiki, and if there are any questions I will post them
>> > here. It would be really appreciated if you could help to answer them then.
>> >
>> > Thank you :)
>> >
>> >
>> > On Fri, Mar 14, 2014 at 3:55 AM, Fiorentino, Cristian
>> > <cristian.fiorentino at intel.com> wrote:
>> > Hi Shohel and Everyone,
>> >
>> > I am new to OSSG, and I would be happy to support the OpenStack Threat
>> > Analysis activity.
>> > Most meeting time proposals in the email thread below work for me.
>> >
>> > Thanks and Regards.
>> > Cristian.
>> >
>> >
>> > Date: Thu, 13 Mar 2014 18:18:48 +0200
>> > From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>> > To: Hui Xiang <hui.xiang at canonical.com>
>> > Cc: "Openstack-security at lists.openstack.org"
>> > <Openstack-security at lists.openstack.org>
>> > Subject: Re: [Openstack-security] OpenStack Threat Analysis activity -
>> > OSSG
>> > Message-ID: <EAB3FB86-814A-443E-82AE-06045108004B at ericsson.com>
>> > Content-Type: text/plain; charset="windows-1252"
>> >
>> > Hi Hui Xiang,
>> >
>> > You are welcome to join the meeting and take part in the review /
>> > threat modelling work we are currently doing. Or if you have some
>> > suggestions, please share them with us.
>> >
>> > We will discuss the time schedule issue in the next meeting. I think it
>> > would be a bit difficult because we have some participants from US timezones.
>> >
>> > We are continuously updating the wiki page (although there is sometimes
>> > a lag) and related information, so that everyone is informed.
>> >
>> > Related information in the
>> > https://wiki.openstack.org/wiki/Security/Threat_Analysis
>> >
>> >
>> > Thanks,
>> > Shohel
>> >
>> > On 13 Mar 2014, at 04:34, Hui Xiang <hui.xiang at canonical.com> wrote:
>> >
>> >> Hi all,
>> >>
>> >> I am carefully asking you guys if it is possible to bring the meeting in
>> >> ##openstack-threat-analysis forward to 15.00 UTC, or even earlier? Because
>> >> I am in the UTC+8 timezone, I could never attend the OSSG meeting before
>> >> due to sleepiness, but I don't want to miss this meeting; although I am not
>> >> very familiar with the current topic, I want to contribute more here.
>> >>
>> >> But if it is inconvenient for you to reschedule the time, I can understand
>> >> and will keep following the info from email and the community.
>> >>
>> >> Thanks for your understanding :)
>> >>
>> >>
>> >> On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed
>> >> <ahmed.shohel at ericsson.com> wrote:
>> >> Hi all,
>> >>
>> >> At yesterday's OSSG meeting, I promised to give the current status of
>> >> the activity. The activity is ongoing. Based on feedback from the last IRC
>> >> call, we have updated the threat modelling framework.
>> >>
>> >> The wiki page is updated now:
>> >> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>> >>
>> >> We are almost finishing the analysis for the auth_token middleware, token
>> >> manager and token service. We are looking for reviewers for those
>> >> documents. There is a meeting today at 17.00 GMT in
>> >> ##openstack-threat-analysis (unofficial channel).
>> >>
>> >>
>> >> Thanks,
>> >> Shohel
>> >>
>> >> We are going to have a OpenStack Threat m
>> >>
>> >>
>> >>> From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>> >>> Subject: Re: [Openstack-security] OpenStack Threat Analysis activity
>> >>> - OSSG
>> >>> Date: 21 Feb 2014 13:15:08 GMT+2
>> >>> To: "openstack-security at lists.openstack.org"
>> >>> <openstack-security at lists.openstack.org>
>> >>> Cc: Sriram Subramanian <sriram at sriramhere.com>, "Clark, Robert Graham"
>> >>> <robert.clark at hp.com>
>> >>>
>> >>> Hi guys,
>> >>>
>> >>> Sorry for not including the whole OSSG in the initial call. So, we
>> >>> are having an initial call for threat modelling of OpenStack (the first
>> >>> one is Keystone) today, 21 Feb, 17.00 UTC. Let's have the discussion
>> >>> today, then decide what time suits us best for later meetings. It is in
>> >>> the Freenode channel ##openstack-threat-analysis (unofficial channel).
>> >>>
>> >>> Today's topics of discussion:
>> >>> 1. Threat modelling process
>> >>> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>> >>>
>> >>> First, we need to agree on this, so we have conformity around the whole
>> >>> work. Please feel free to provide your feedback.
>> >>>
>> >>> 2. Some concrete example uses of the modelling process
>> >>> Keystone overall:
>> >>> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>> >>> Keystone Token-provider:
>> >>> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>> >>>
>> >>> (Now these documents are work in progress; things are not always in
>> >>> order and complete)
>> >>>
>> >>>
>> >>> See you in the meeting,
>> >>> Shohel
>> >>>
>> >>> On 20 Feb 2014, at 20:47, Sriram Subramanian <sriram at sriramhere.com> wrote:
>> >>>
>> >>>> Damn - I missed the meeting again :(. I will check the logs to catch
>> >>>> up. Sorry
>> >>>>
>> >>>>
>> >>>> On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham
>> >>>> <robert.clark at hp.com> wrote:
>> >>>> Including the whole security group as there was significant interest
>> >>>> during the OSSG weekly meeting.
>> >>>>
>> >>>> From: Sriram Subramanian [mailto:sriram at sriramhere.com]
>> >>>> Sent: 20 February 2014 16:35
>> >>>> To: Abu Shohel Ahmed
>> >>>> Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
>> >>>> Subject: Re: OpenStack Threat Analysis activity - OSSG
>> >>>>
>> >>>> Shohel,
>> >>>>
>> >>>> Friday 17.00 UTC works - though 18.00 UTC would work better for me.
>> >>>> Are we meeting tomorrow?
>> >>>>
>> >>>> thanks,
>> >>>> -Sriram
>> >>>>
>> >>>> On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed
>> >>>> <ahmed.shohel at ericsson.com> wrote:
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> From our last week's, it becomes clear that we need to set up a way of
>> >>>> working process to take this activity forward.
>> >>>>
>> >>>> So here are some ideas (please also share yours):
>> >>>>
>> >>>> 1. WoW:
>> >>>>
>> >>>> In the short time frame,
>> >>>>
>> >>>> - First, we should define the purpose and the concrete output of this
>> >>>>   work (which I think most of us here have some ideas about; if we still
>> >>>>   have questions, we can clear that up before moving forward).
>> >>>>
>> >>>> - The second issue is how we can do threat analysis contribution in an
>> >>>>   effective manner. Here come the collaboration issues within this group.
>> >>>>   For this, I have created a Freenode IRC channel ##openstack-threat-analysis
>> >>>>   (unofficial channel, as you can see from the name).
>> >>>>   Let's start biweekly (15 days) meetings from this week. Let's vote for
>> >>>>   what is the suitable meeting time for all of us.
>> >>>>   I propose Friday at 17.00 UTC. However, I am happy to schedule the
>> >>>>   meeting based on most people's preference.
>> >>>>
>> >>>> In the longer time frame, we should think about setting up a threat
>> >>>> analysis working group (could be under OSSG) to perform threat modelling
>> >>>> of all OpenStack components
>> >>>> - Define a clear output from this working group, e.g., threat
>> >>>>   documentation, design guidance.
>> >>>> - Engage developers and security-minded people in the work.
>> >>>>
>> >>>>
>> >>>> 2. Now on the technical side,
>> >>>>
>> >>>> First and foremost, we should agree on a threat modelling process that
>> >>>> can be applied to all OpenStack services and internal components. We have
>> >>>> some ideas that can be applied to this work. Here is the link to our
>> >>>> proposal:
>> >>>>
>> >>>> https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing
>> >>>>
>> >>>> and here are two concrete implementations of applying the threat
>> >>>> modelling process:
>> >>>>
>> >>>> Keystone overall:
>> >>>> https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
>> >>>> Keystone Token-provider:
>> >>>> https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
>> >>>>
>> >>>> (These are work in progress documents, so by no means provide a
>> >>>> complete picture)
>> >>>>
>> >>>> Let's discuss what you guys think about the modelling steps and their
>> >>>> applicability to OpenStack (e.g., Keystone)
>> >>>>
>> >>>>
>> >>>>
>> >>>> Thanks,
>> >>>> Shohel
>> >>>>
>> >>>> --
>> >>>> Thanks,
>> >>>> -Sriram
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Openstack-security mailing list
>> >>>> Openstack-security at lists.openstack.org
>> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>> >>>>
>> >>>> --
>> >>>> Thanks,
>> >>>> -Sriram
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>
>