14:02:02 <LukeHinds> #startmeeting security group meeting 30/09
14:02:02 <collabot> Meeting started Wed Sep 30 14:02:02 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:02 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:02 <collabot> The meeting name has been set to 'security_group_meeting_30_09'
14:02:05 <LukeHinds> Hi Sona
14:02:20 <LukeHinds> Ari sent me an email and won't make it today
14:02:36 <mwinandy> hi
14:02:44 <LukeHinds> we don't have much of an agenda this week.
14:03:43 <LukeHinds> Is there anything you wanted to raise Sona? Or even a Q&A on what can be done in the group?
14:04:13 <Sona> I just wonder where do you add the meeting notes & logs?
14:04:20 <Sona> I don't see it here : https://wiki.opnfv.org/meetings/security
14:04:45 <Sona> I mean "Security Project Meeting Minutes"?
14:05:36 <LukeHinds> that is the correct page, but I was out a couple of weeks so it needs updating. I should get on to that
14:05:57 <LukeHinds> this is the main page https://wiki.opnfv.org/security
14:06:10 <Sona> ok, good, thanks.
14:07:34 <LukeHinds> its a little quiet as of late, after a lot of activity, so need to get activities going again. very open to any suggestions you have for projects / research items..or anyone else for that matter
14:08:52 <Sona> Do you have a list of security related activities/wish list/ to-do-list so I can have a look at and see if there is any task that I can help you with?
14:10:47 <LukeHinds> The main ones are documentation https://wiki.opnfv.org/security/docs - so best practises for securing opnfv platform.
14:10:55 <LukeHinds> I can help with this as well.
14:11:14 <LukeHinds> we also have secure coding https://wiki.opnfv.org/security/securecode
14:11:34 <LukeHinds> internal sec policies https://wiki.opnfv.org/security/int
14:12:04 <LukeHinds> or you're welcome to create your own item should you wish
14:12:20 <LukeHinds> I have some projects I want to introduce, but need to agree it internally within my company first.
14:12:36 <LukeHinds> so there will be more coming in i hope.
14:13:52 <mwinandy> more coming would be nice, I hope, too :)
14:14:18 <LukeHinds> the opnfv projects are still maturing as well, so stick around for the long ride, I expect things will get more busy as the overall project (opnfv) matures.
14:14:26 <Sona> good I will have a look at these docs
14:14:36 <mwinandy> I know from customer communications that security is important topic, but opnfv so far has "only" two security projects
14:15:03 <Sona> I know,
14:15:08 <mwinandy> So I think here is also a good opportunity to seed some new ideas, and as Luke says, when overall projects mature
14:16:02 <Sona> do you have a security contact person? a process that someone can securely (encrypted) if they desire contact the team?
14:20:52 <LukeHinds> We have a vulnerability process if that's what you mean, that will include public keys for notifying about issues discovered.
14:21:24 <LukeHinds> For this to get off the ground I need to align with release, but that's taking a bit of time as they have quite a bit on with working out the next release.
14:21:29 <LukeHinds> let me get you the link
14:22:03 <LukeHinds> #link https://wiki.opnfv.org/_media/security/osvm.png
14:22:18 <LukeHinds> #link https://wiki.opnfv.org/security/osvm
14:23:08 <Sona> thanks, another question :)
14:23:11 <LukeHinds> going to add you as a member sona on the wiki page
14:23:13 <Sona> I guess that opnfv security team does not actively scan / monitor for security vulnerabilities in the software used in the opnfv platform but leaves this to each open source project, is this correct?
14:23:13 <LukeHinds> go for it...
14:24:05 <LukeHinds> at the moment yes, the main aspect is that quite a lot of projects are upstream, so we rely on them scanning
14:24:13 <LukeHinds> but we do have secure code review in gerrit
14:24:27 <Sona> It would be good to have a link to the other projects security page (such as daylight, etc ..)
14:24:46 <LukeHinds> but none of the projects are using them, so I plan to make some noise at the summit about this.
14:24:54 <Sona> i mean those that are important part of OPNFV platform
14:25:13 <Sona> maybe you have it already?
14:25:18 <LukeHinds> projects are on the wiki page, currently is inspector, or moon, but only inspector is under the security group
14:26:13 <mwinandy> I think Sona means upstream security pages, like OpenStack security guide, right?
14:26:25 <Sona> yes :)
14:27:02 <Sona> like : https://wiki.opendaylight.org/view/Security_Advisories
14:27:15 <LukeHinds> these would go into here https://wiki.opnfv.org/security/upstream
14:28:00 <LukeHinds> i see, so a list of CVE raised exploits?
14:28:06 <mwinandy> In the internal security policy (draft) it is mentioned to follow the upstream security guidelines, but not comprehensive list yet
14:28:09 <Sona> yes
14:28:25 <LukeHinds> we don't have any from opnfv as yet, but we will have a wiki page when we do.
14:28:38 <Sona> ok good,
14:28:59 <mwinandy> Maybe that could be a work item for Sona to compile such a list ? :-)
14:29:00 <LukeHinds> so it will be something like https://opfnv.orgview/Security_Advisories
14:29:17 <Sona> hehe :) yes why not
14:29:17 <LukeHinds> we don't have a list as yet, unless we mean upstream?
14:29:32 <LukeHinds> if so better to point to the source where it will be maintained I guess?
14:29:35 <mwinandy> I was talking about upstream security guidelines, not CVE
14:30:20 <LukeHinds> we have the following references https://wiki.opnfv.org/security/securecode (see bottom of page)
14:31:05 <LukeHinds> but anyone is welcome to edit the wiki, so go for it if you have some ideas of what to put in / amend
14:31:40 <mwinandy> Hm... I just notice that such information is not well organized yet. (put on the todo..?)
14:31:41 <Sona> I think links to CVEs fixed in upstream projects are good to have from OPNFV security wiki page, what do you think?
14:31:42 <LukeHinds> i think what would be really useful is a security guide for arno
14:31:51 <LukeHinds> that would be very useful
14:32:05 <LukeHinds> that can borrow from existing projects
14:32:59 <LukeHinds> but sure, you can link to CVE's, I guess main thing is you need to maintain it, which is where it might be easier to link to their wiki page.
14:33:17 <LukeHinds> but any input is welcome :) !
14:33:52 <Sona> I can work on Fixed & not fixed CVEs in upstream projects
14:34:36 <LukeHinds> sounds good, although keep in mind non-fixed are under embargo typically, unless it's a 'Won't fix'
14:34:41 <Sona> I can check for instance here: https://www.cvedetails.com/vulnerability-list/vendor_id-11727/Openstack.html
14:35:30 <Sona> and then check what CVEs have openstack fixed in their for instance latest release
14:35:55 <LukeHinds> if you could map it back to the opnfv releases that would be very useful?
14:36:29 <LukeHinds> so for example, I think Arno is on juno
14:36:45 <Sona> yes of course, we could have a common list of CVEs fixed in OPNFV (different upstream projects)
14:36:46 <LukeHinds> that would be very useful!
14:36:58 <Sona> especially when you do a new release
14:37:05 <LukeHinds> go for it Sona, sounds good to me.
14:37:31 <Sona> ok, I will, in this way maybe we encourage the upstream projects fix more CVEs :)
14:37:53 <LukeHinds> #action Sona to work on CVE wiki page and map them to the opnfv releases (juno, Lithium, etc)
14:38:14 <LukeHinds> are you on the openstack security mailing list?
14:38:17 <Sona> ok, good, I will do my best
14:38:25 <LukeHinds> that's a good one to see issues come in.
14:39:34 <Sona> Luke: do you mean opnfv-security@lists.opnfv.org mailing list, yes I am
14:41:56 <LukeHinds> that one as well, but there is also one for the OpenStack security group (OSSG)
14:42:18 <LukeHinds> you can join up here:
14:42:20 <LukeHinds> #link https://launchpad.net/~openstack-ossg
14:43:16 <Sona> Ok Luke
14:45:03 <LukeHinds> next week we can go over inspector, and see what happens there.
14:46:20 <LukeHinds> k, any other business?
14:47:31 <mwinandy> some info from me
14:48:13 <LukeHinds> go for it m..
14:48:37 <mwinandy> I'm working on a document for NBI security of SDN in ONF. Not sure whether this will be directly relevant for OPNFV. But as ETSI NFV and ONF currently have discussions on the role between SDN and NFV, might be.
14:49:15 <mwinandy> so, just for information. Probably could be of interest here as well.
14:50:06 <LukeHinds> yes, please keep us updated, sounds v interesting and useful
14:50:15 <mwinandy> ok, will do then
14:50:48 <LukeHinds> k. i will close meetbot, but as I always say, irc is open 24/7
14:51:03 <LukeHinds> #action Luke to update minutes to current date
14:51:12 <LukeHinds> #endmeeting