14:02:02 #startmeeting security group meeting 30/09
14:02:02 Meeting started Wed Sep 30 14:02:02 2015 UTC. The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:02 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:02 The meeting name has been set to 'security_group_meeting_30_09'
14:02:05 Hi Sona
14:02:20 Ari sent me an email and won't make it today
14:02:36 hi
14:02:44 we don't have much of an agenda this week.
14:03:43 Is there anything you wanted to raise Sona? Or even a Q&A on what can be done in the group?
14:04:13 I just wonder where do you add the meeting notes & logs?
14:04:20 I don't see it here : https://wiki.opnfv.org/meetings/security
14:04:45 I mean "Security Project Meeting Minutes"?
14:05:36 that is the correct page, but I was out a couple of weeks so it needs updating. I should get on to that
14:05:57 this is the main page https://wiki.opnfv.org/security
14:06:10 ok, good, thanks.
14:07:34 it's a little quiet as of late, after a lot of activity, so need to get activities going again. very open to any suggestions you have for projects / research items..or anyone else for that matter
14:08:52 Do you have a list of security related activities/wish list/to-do list so I can have a look at and see if there is any task that I can help you with?
14:10:47 The main ones are documentation https://wiki.opnfv.org/security/docs - so best practises for securing the opnfv platform.
14:10:55 I can help with this as well.
14:11:14 we also have secure coding https://wiki.opnfv.org/security/securecode
14:11:34 internal sec policies https://wiki.opnfv.org/security/int
14:12:04 or you're welcome to create your own item should you wish
14:12:20 I have some projects I want to introduce, but need to agree it internally within my company first.
14:12:36 so there will be more coming in I hope.
14:13:52 more coming would be nice, I hope, too :)
14:14:18 the opnfv projects are still maturing as well, so stick around for the long ride, I expect things will get more busy as the overall project (opnfv) matures.
14:14:26 good I will have a look at these docs
14:14:36 I know from customer communications that security is an important topic, but opnfv so far has "only" two security projects
14:15:03 I know,
14:15:08 So I think here is also a good opportunity to seed some new ideas, and as Luke says, when overall projects mature
14:16:02 do you have a security contact person? a process that someone can securely (encrypted) if they desire contact the team?
14:20:52 We have a vulnerability process if that's what you mean, that will include public keys for notifying about issues discovered.
14:21:24 For this to get off the ground I need to align with release, but that's taking a bit of time as they have quite a bit on with working out the next release.
14:21:29 let me get you the link
14:22:03 #link https://wiki.opnfv.org/_media/security/osvm.png
14:22:18 #link https://wiki.opnfv.org/security/osvm
14:23:08 thanks, another question :)
14:23:11 going to add you as a member Sona on the wiki page
14:23:13 I guess that the opnfv security team does not actively scan / monitor for security vulnerabilities in the software used in the opnfv platform but leaves this to each open source project, is this correct?
14:23:13 go for it...
14:24:05 at the moment yes, the main aspect is that quite a lot of projects are upstream, so we rely on them scanning
14:24:13 but we do have secure code review in gerrit
14:24:27 It would be good to have a link to the other projects' security pages (such as daylight, etc ..)
14:24:46 but none of the projects are using them, so I plan to make some noise at the summit about this.
14:24:54 i mean those that are an important part of the OPNFV platform
14:25:13 maybe you have it already?
14:25:18 projects are on the wiki page, currently it is inspector, or moon, but only inspector is under the security group
14:26:13 I think Sona means upstream security pages, like the OpenStack security guide, right?
14:26:25 yes :)
14:27:02 like : https://wiki.opendaylight.org/view/Security_Advisories
14:27:15 these would go into here https://wiki.opnfv.org/security/upstream
14:28:00 i see, so a list of CVE raised exploits?
14:28:06 In the internal security policy (draft) it is mentioned to follow the upstream security guidelines, but not a comprehensive list yet
14:28:09 yes
14:28:25 we don't have any from opnfv as yet, but we will have a wiki page when we do.
14:28:38 ok good,
14:28:59 Maybe that could be a work item for Sona to compile such a list ? :-)
14:29:00 so it will be something like https://opfnv.orgview/Security_Advisories
14:29:17 hehe :) yes why not
14:29:17 we don't have a list as yet, unless we mean upstream?
14:29:32 if so better to point to the source where it will be maintained I guess?
14:29:35 I was talking about upstream security guidelines, not CVE
14:30:20 we have the following references https://wiki.opnfv.org/security/securecode (see bottom of page)
14:31:05 but anyone is welcome to edit the wiki, so go for it if you have some ideas of what to put in / amend
14:31:40 Hm... I just noticed that such information is not well organized yet. (put on the todo..?)
14:31:41 I think links to CVEs fixed in upstream projects are good to have from the OPNFV security wiki page, what do you think?
14:31:42 i think what would be really useful is a security guide for arno
14:31:51 that would be very useful
14:32:05 that can borrow from existing projects
14:32:59 but sure, you can link to CVEs, I guess the main thing is you need to maintain it, which is where it might be easier to link to their wiki page.
14:33:17 but any input is welcome :) !
14:33:52 I can work on fixed & not fixed CVEs in upstream projects
14:34:36 sounds good, although keep in mind non-fixed are under embargo typically, unless it's a 'Won't fix'
14:34:41 I can check for instance here: https://www.cvedetails.com/vulnerability-list/vendor_id-11727/Openstack.html
14:35:30 and then check what CVEs openstack have fixed in, for instance, their latest release
14:35:55 if you could map it back to the opnfv releases that would be very useful?
14:36:29 so for example, I think Arno is on juno
14:36:45 yes of course, we could have a common list of CVEs fixed in OPNFV (different upstream projects)
14:36:46 that would be very useful!
14:36:58 especially when you do a new release
14:37:05 go for it Sona, sounds good to me.
14:37:31 ok, I will, in this way maybe we encourage the upstream projects to fix more CVEs :)
14:37:53 #action Sona to work on CVE wiki page and map them to the opnfv releases (juno, Lithium, etc)
14:38:14 are you on the openstack security mailing list?
14:38:17 ok, good, I will do my best
14:38:25 that's a good one to see issues come in.
14:39:34 Luke: do you mean the opnfv-security@lists.opnfv.org mailing list, yes I am
14:41:56 that one as well, but there is also one for the OpenStack security group (OSSG)
14:42:18 you can join up here:
14:42:20 #link https://launchpad.net/~openstack-ossg
14:43:16 Ok Luke
14:45:03 next week we can go over inspector, and see what happens there.
14:46:20 k, any other business?
14:47:31 some info from me
14:48:13 go for it m..
14:48:37 I'm working on a document for NBI security of SDN in ONF. Not sure whether this will be directly relevant for OPNFV. But as ETSI NFV and ONF currently have discussions on the role between SDN and NFV, might be.
14:49:15 so, just for information. Probably could be of interest here as well.
14:50:06 yes, please keep us updated, sounds v interesting and useful
14:50:15 ok, will do then
14:50:48 k. i will close meetbot, but as I always say, irc is open 24/7
14:51:03 #action Luke to update minutes to current date
14:51:12 #endmeeting