Thanks to everyone who attended the Security SIG BoF session!

Attached are the notes taken from the discussion during the session with relevant links. If there was anything missed, please feel free to mention it here or reach out in #openstack-security.

Board Picture: https://drive.google.com/open?id=1YWYdp9F5faGzlww1Cr7-i2TawDh60trg

Topics:

Overall Security SIG

Links:

https://security.openstack.org/

https://wiki.openstack.org/wiki/Security-SIG

Security SIG: https://wiki.openstack.org/wiki/Security-SIG

Weekly Agenda: https://etherpad.openstack.org/p/security-agenda

Meeting Time: Weekly on Thursday at 1500 UTC #openstack-meeting

IRC Server: irc.freenode.net

Key Lime: https://github.com/keylime/keylime

Integration with Ironic https://github.com/keylime/keylime/issues/101

Bandit: https://github.com/PyCQA/bandit

Running bandit as part of tox gate

Keystone does this: https://github.com/openstack/keystone/blob/master/tox.ini#L40

Run as a separate job

Example (not tox): https://github.com/openstack/openstack-helm/blob/master/zuul.d/jobs-openstack-helm.yaml#L27-L36

Host Intrusion

Wazuh was mentioned: https://wazuh.com/

Ansible Hardening

OpenStack Ansible: https://docs.openstack.org/openstack-ansible/latest/

Security SIG "Help Wanted"

https://docs.openstack.org/security-analysis/latest/

Only has Barbican, missing other projects that have been added since

Multiple other libraries in review to be added

https://review.openstack.org/#/q/project:openstack/security-analysis+is:open

https://docs.openstack.org/security-guide/

Security guide doesn’t seem to have been updated since Pike, so it’s a good 1.5 years behind

https://security.openstack.org/#secure-development-guidelines

Improve documentation of secure coding practices

improve coverage of bandit and syntribos jobs across projects, and look into other similar tools we could be using to better secure the software we write

https://wiki.openstack.org/wiki/Security_Notes

Help with writing security notes and triaging the backlog

https://wiki.openstack.org/wiki/Security/Security_Note_Process

https://bugs.launchpad.net/ossn

Security blog: http://openstack-security.github.io/

VMT Public Bug Assistance

Many reports of suspected vulnerabilities start out as public bugs or are made public over the course of being triaged, and assistance with those is encouraged from the entire community

https://bugs.launchpad.net/ossa

Having someone who is familiar with the affected project provide context to a security bug really helps the VMT definine concrete impact statements and speeds up the overall process

Bootstrapping AWS / Windows Guest Domains / Guest VMs

nova-join: https://github.com/openstack/novajoin

application credentials: https://docs.openstack.org/keystone/latest/user/application_credentials.html

Barbican: https://wiki.openstack.org/wiki/Barbican

Policy

Cross-project policy effort:

https://governance.openstack.org/tc/goals/queens/policy-in-code.html

https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html