[Openstack-security] OSSG Lunch Meeting Notes

Sriram Subramanian sriram at sriramhere.com
Sat Nov 16 05:40:12 UTC 2013


Shohel,

Thanks for the wiki entry and introducing Bengt and Mats. Hello there!

I am definitely interested in this work. Enjoy your vacation, looking
forward to working with Bengt.

thanks,
-Sriram


On Fri, Nov 15, 2013 at 1:44 AM, Abu Shohel Ahmed
<ahmed.shohel at ericsson.com> wrote:

> Hi all,
>
> Yesterday, we had a good introductory discussion related to this work.
> I have added more content, i.e., an example threat analysis work, in the
> Wiki page.
>
>  https://wiki.openstack.org/wiki/Security/Threat_Analysis
>
> To get the momentum, we should first discuss who is interested in working
> on this activity. Then we can form a small team to make the work faster and
> more concentrated. Please drop an email if you are interested.
>
> From the Ericsson side, we will have more people working on this activity
> (e.g., Mats Näslund and Bengt Sahlin (CC:ed)). I will be on vacation for the
> next five weeks; during this time Bengt Sahlin will organize the discussion
> and way forward for this activity from our side.
>
> Thanks,
> Shohel
>
>
> Sriram Subramanian wrote on Nov 14, 2013 at 9:04 PM:
>
> Thanks Shohel,
>
> I am at the IRC #openstack-meeting. Anyone out there?
>
> thanks,
> -sriram
>
>
> On Thu, Nov 14, 2013 at 9:40 AM, Abu Shohel Ahmed <
> ahmed.shohel at ericsson.com> wrote:
>
>> Hi Sriram,
>>
>> To get started, I have created a Wiki page.
>>
>> https://wiki.openstack.org/wiki/Security/Threat_Analysis
>>
>> It currently consists of a process diagram and links to relevant
>> literature. The wiki page can be enriched together as time goes on and we
>> proceed with our work.
>>
>> We have also linked in the Wiki a security quick study report for the
>> Keystone Folsom release, which James promised at the Summit. The report
>> itself is quite old now compared to the current Keystone release. So the
>> most important task now is to define a common process through which we can
>> evaluate OpenStack components.
>>
>> See you in today's meeting. We can discuss how to proceed with this
>> activity.
>>
>> Thanks,
>> Shohel
>>
>>
>> Sriram Subramanian wrote on Nov 12, 2013 at 12:13 AM:
>>
>> Shohel,
>>
>> Could you please send any relevant links for those who are new to the
>> threat model analysis process? Most of the links I used while at Microsoft
>> are internal-only.
>>
>> thanks,
>> -Sriram
>>
>>
>> On Mon, Nov 11, 2013 at 5:47 AM, Abu Shohel Ahmed <
>> ahmed.shohel at ericsson.com> wrote:
>>
>>> Hi Rob,
>>>
>>> Certainly, the meeting transcript should be available in
>>> https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
>>> After the meeting, we will send the meeting notes to the OSSG mailing
>>> list.
>>>
>>> …shohel
>>>
>>> Clark, Robert Graham wrote on Nov 11, 2013 at 3:43 PM:
>>>
>>>  I know a few people (me included) won’t be able to make the OSSG
>>> meeting this week.
>>>
>>>  Is there any way we can follow this up by email?
>>>
>>>   From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
>>> Date: Monday, 11 November 2013 21:31
>>> To: "openstack-security at lists.openstack.org" <
>>> openstack-security at lists.openstack.org>
>>> Cc: Robert Clark <robert.clark at hp.com>, Sriram Subramanian <
>>> sriram at sriramhere.com>, James Kempf <james.kempf at ericsson.com>
>>>
>>> Subject: Re: [Openstack-security] OSSG Lunch Meeting Notes
>>>
>>>   Hi all,
>>>
>>>   We can have a way forward discussion related to threat analysis in
>>> the next
>>> OSSG IRC meeting (this Thursday). Things we could discuss in the
>>> meeting e.g.,
>>>   - Threat analysis process in general
>>>   - Work items: OpenStack project to target
>>>   - Time frame
>>>   - Team members
>>>   - Way of working
>>>
>>>  See you in the next meeting.
>>>
>>>  Thanks,
>>> Shohel
>>>
>>>
>>>
>>> James Kempf wrote on Nov 7, 2013 at 2:18 AM:
>>>
>>>  Hi Rob,
>>>
>>> Shohel (cc-ed) from Ericsson will be driving this. He will be setting up
>>> a chat/teleconference sometime late next week to get started.
>>>
>>> jak
>>>
>>> -----Original Message-----
>>> From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>>> Sent: Thursday, November 07, 2013 12:06 AM
>>> To: Sriram Subramanian; openstack-security at lists.openstack.org
>>> Subject: Re: [Openstack-security] OSSG Lunch Meeting Notes
>>>
>>> Thanks for the great notes Sriram.
>>>
>>> I've made the 'how to contribute' part of the wiki more prominent:
>>> https://wiki.openstack.org/wiki/Security/How_To_Contribute
>>>
>>> To clarify, when we have the ball rolling on Threat Modelling for major
>>> projects, I can commit some security-architect resources to take part in
>>> the discussions.
>>>
>>> Cheers
>>> -Rob
>>>
>>> From: Sriram Subramanian <sriram at sriramhere.com>
>>> Date: Tuesday, 5 November 2013 14:24
>>> To: "openstack-security at lists.openstack.org" <
>>> openstack-security at lists.openstack.org>
>>> Subject: [Openstack-security] OSSG Lunch Meeting Notes
>>>
>>>
>>> Some of the items discussed, followed by Action Items:
>>>
>>> 1) How can one get involved - Wiki will direct
>>>
>>> 2) Where to pick up security tasks from?
>>>   - wiki is the starting point
>>>   - people sign up via mailing list
>>>
>>> 3) threat analysis
>>>   - Static Analysis, Formal Verification on projects was proposed by
>>>     James.
>>>   - static analysis on python is not very useful; whole projects will
>>>     take a long time
>>>
>>> 4) Threat modeling -
>>>   - Action item (James Kempf) : share the results from Folsom for TM
>>>     around Keystone
>>>   - Rob can get resources towards this
>>>   - get started with core or knowledgeable people
>>>   - Ideally, Security Reviews Per month per project. Review coordinator
>>>     prepares the arch diagram before the review day
>>>
>>> 5) security review - HP's review process; what it translates to for
>>>    OpenStack?
>>>
>>> 6) Attacker model
>>>   - single or many
>>>
>>> 7) Tracking the CVEs, publish in the format
>>>   - Action Item: Daniel (Red Hat) to start discussion in the mailing list
>>>   - Format:
>>>
>>> 8) Getting the word out (wiki, how to contribute, what is going on)
>>>   - Minutes for the meet
>>>   - Community Manager
>>>   - Sprints:
>>>     - Running the sprint
>>>
>>> Action Items:
>>> - Eric Windisch to Identify topic to set the sprint/ hackathon and time.
>>>
>>> Thanks,
>>> -Sriram
>>>
>>>
>>
>>
>> --
>> Thanks,
>> -Sriram
>>
>>
>>
>
>
> --
> Thanks,
> -Sriram
>
>
>


-- 
Thanks,
-Sriram