[Openstack-security] OSSG Lunch Meeting Notes

Clark, Robert Graham robert.clark at hp.com
Wed Nov 6 16:06:12 UTC 2013


Thanks for the great notes Sriram.

I’ve made the ‘how to contribute’ part of the wiki more prominent:
https://wiki.openstack.org/wiki/Security/How_To_Contribute

To clarify, when we have the ball rolling on Threat Modelling for major projects, I can commit some security-architect resources to take part in the discussions.

Cheers
-Rob


From: Sriram Subramanian <sriram at sriramhere.com>
Date: Tuesday, 5 November 2013 14:24
To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: [Openstack-security] OSSG Lunch Meeting Notes

Some of the items discussed, followed by Action Items:

1) How can one get involved - Wiki will direct
2) Where to pick up security tasks from?
   - wiki is the starting point
   - people sign up via mailing list


3) threat analysis
   - Static Analysis, Formal Verification on projects was proposed by James.
   -
   - static analysis on python is not very useful; whole projects will take a long time
   -
4) Threat modeling -
   -
Action item (James Kempf) : share the results from Folsom for TM around Keystone

   -  Rob can get resources towards this
   -  get started with core or knowledgeable people
   -  Ideally, Security Reviews Per month per project. Review coordinator prepares the arch diagram before the review day

5) security review - HP's review process; what it translates to for OpenStack?

6) Attacker model
  - single or many
  -
7) Tracking the CVEs, publish in the format

 - Action Item:  Daniel (Red Hat) to start discussion in the mailing list
 -  Format:
8) Getting the word out (wiki, how to contribute, what is going on)
  - Minutes for the meet
  - Community Manager
  - Sprints:
     - Running the sprint

Action Items:
- Eric Windisch to Identify topic to set the sprint/ hackathon and time.

Thanks,
-Sriram