14:07:45 <lhinds_> #startmeeting Security Group 21/10/15
14:07:45 <collabot> Meeting started Wed Oct 21 14:07:45 2015 UTC.  The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:07:45 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:07:45 <collabot> The meeting name has been set to 'security_group_21_10_15'
14:08:23 <lhinds_> ok, I don't have much for the agenda myself, had a pretty crappy cold / flu thing for the past few days that has had me out of action
14:08:49 <lhinds_> #info There is no date for the confluence migration, which was an AP I had on myself
14:08:55 <Sona> Soory Luke, hope you get better soon
14:09:00 <lhinds_> Thanks Sona
14:09:16 <lhinds_> any agenda items anyone would like to add?
14:09:45 <Sona> I wanted to bring up wiki update
14:09:49 <aripie> just some info; CIS published update on their security guidance
14:10:03 <lhinds_> CIS?
14:10:15 <aripie> center for information security
14:10:20 <lhinds_> ah ok
14:10:24 <aripie> #link http://www.cisecurity.org/critical-controls.cfm
14:10:41 <aripie> this is more from IT angle but still quite valid controls
14:11:40 <Sona> good info, thanks Ari
14:11:57 <aripie> ... correction on CIS 0 center of internet security
14:12:40 <lhinds_> One point: I do plan to get started on the opnfv security guide soon, thinking of using sphinx so in time we can generate PDF's etc.  But I guess confluence does nice exports too. So will find out more
14:13:19 <mwinandy> I don't know sphinx, is that kind of wiki?
14:13:46 <lhinds_> kind of, its more like LaTex
14:14:03 <mwinandy> oh great (love LaTeX) :)
14:14:14 <lhinds_> So you can develop docs in a repo, and then generate html pages / pdf's etc
14:14:51 <aripie> #link http://sphinx-doc.org/rest.html
14:15:05 <lhinds_> I could get something going in my personal repo, and then push into a opnfv repo when it gets momentum
14:17:52 <lhinds_> what licensing are we using in opnfv, can anyone recall?
14:18:00 <lhinds_> mit, apachie, gnu..?
14:18:49 <aripie> apache
14:19:01 <lhinds_> thx
14:19:36 <aripie> v 2.0
14:20:13 <aripie> another piece of info is that ETSI released three more specs relevant for security
14:20:16 <aripie> #link http://www.etsi.org/news-events/news/1015-2015-10-news-etsi-nfv-isg-publishes-security-and-reliability-specifications?highlight=YTozOntpOjA7czozOiJuZnYiO2k6MTtzOjg6InNlY3VyaXR5IjtpOjI7czoxMjoibmZ2IHNlY3VyaXR5Ijt9
14:20:25 <lhinds_> ahh good one ari
14:20:30 <lhinds_> did you have a read yet?
14:21:17 <aripie> I did, some of it is pretty good, some remained a bit weak, I expected a bit more detail on LI
14:22:18 <aripie> in any case, we need to see to that OPNFV projects take input from these req
14:22:56 <lhinds_> yep, look like ashutosh is not around again? did you get anything going with him offline?
14:24:52 <aripie> I failed to do that yet, with the PTL discussion internally to our company, I will take it up again
14:25:50 <lhinds_> np
14:26:13 <aripie> what we did discuss with Ashutosh was that we would propose to collect audit related reqs into one of the ETSI SEC std documents
14:28:32 <lhinds_> k, anyone with any other items?
14:29:19 <mwinandy> I was busy with SDN&OpenFlow World Congress in Duesseldorf. There was also lot of OPNFV, but I was busy with presentation at our booth.
14:29:49 <Sona> I have update wiki with some info, could someone please have a look at it (review it)?
14:30:22 <mwinandy> just another (side) info: Cigital has released BSIMM v6. Maybe not directly relevant for OPNFV projects, but maybe to look at your organizations.
14:30:40 <aripie> mwinandy: any security related discussion popping up in D-dorf?
14:32:11 <mwinandy> Yes indeed. There was one talk on SDN security. We had a demo with SDN security. And a few companies showed virtual network security functions.
14:32:57 <lhinds_> sona, go for it an email over
14:33:48 <Sona> ok
14:34:51 <aripie> ok on SDN
14:35:11 <aripie> sona: I will have a look today
14:35:24 <Sona> Thanks Ari
14:36:35 <mwinandy> Sona: regarding static code analysis, do you know how other projects are doing this? I mean, many companies have their own (expensive) licenses of code analysis tools (hopefully), but for open source projects it is sometimes difficult (in many cased omitted).
14:37:47 <lhinds_> Bandit
14:37:48 <Sona> some run coverity scan https://scan.coverity.com/
14:38:06 <lhinds_> Its what they are using over at OpenStack
14:38:28 <lhinds_> I wonder if we need it though, as most code is going upstream
14:38:39 <lhinds_> apart from foreman scripts etc
14:39:44 <Sona> we need first to have good knowledge of each projetc's in OPNFV eco-system
14:40:06 <Sona> that is what I am trying to do and document in our wiki
14:40:11 <mwinandy> right, but on the other hand I was thinking of having some kind of minimum required policy maybe of using one or another tool. Otherwise, it's more like we're submitting stuff and hope others (upstream) will find the flaws.
14:40:45 <mwinandy> Sona's work would be really helpful to sort this out, for example.
14:43:12 <Sona> We need to know all security work (security test, process, ...) each project does, and then coordinate these work and see if there is a gap somewhere
14:45:31 <Sona> maybe we should eventually arrange monthly/bi-monthly meeting and encourage security team members from different project attend to thiese meeting
14:45:58 <Sona> and share ideas, plan with each other
14:46:41 <mwinandy> Actually I also started looking at the different opnfv projects to find out issues that could be relevant for our internal security policy.
14:47:38 <mwinandy> So I think I should join your activity :)
14:48:08 <lhinds_> Some of the areas that I think need work:..
14:48:33 <lhinds_> Platform Security Guide - especially when a release candidate goes to production.
14:48:46 <Sona> yes, that is a good idea
14:48:52 <lhinds_> Infra people will need to know how to secure the opnfv deployment
14:49:25 <lhinds_> Code Review is in place for checking what goes into our own repos, so if we could get projects using this, that would be good.
14:50:04 <lhinds_> Our own projects, developing tools to check security or perhaps puppet / forerman modules to harden the platform
14:50:28 <lhinds_> that's just an example, but would be great to host some more of our own projects, I have one coming up I hope.
14:51:19 <lhinds_> But I think the first will have a big need. A lot of operators are going to be asking 'how the hell do we secure this?'
14:52:26 <lhinds_> I think they will look to us as the experts!
14:53:38 <Sona> We need a security Guidelines ?
14:53:48 <Sona> hardening tool?
14:53:56 <Sona> :)
14:54:02 <lhinds_> Perhaps this could tie in with Sona's suggestion of bi-weekly introductions to projects, we can start to query them over the security requirements of their project
14:54:11 <lhinds_> I think guidelines first
14:54:27 <lhinds_> hardening tool might be difficult as it will be a moving target
14:54:54 <lhinds_> and then you have...redhat, the canonical guys etc, so different distrubutions.
14:55:30 <lhinds_> I will get a repo and help you all get set up using sphinx, we can then start to seed the guide
14:56:10 <lhinds_> stuff like openattestation, selinux being enforced, TLS for Rest API's.
14:56:18 <lhinds_> there is a lot of suggestions we can make
14:57:04 <Sona> I was also thinking to add a paragraph in the OPNFV security wiki page, "Security News/blogs"
14:57:07 <lhinds_> #link https://github.com/lukehinds/opnfv-security-guide - temporary home for now
14:57:26 <Sona> so we can add hot security related news there
14:58:17 <lhinds_> that might be better on the wiki, but of course if its solid info, it could go into the guide.
14:58:35 <lhinds_> the guide will get auto generated into PDF, ebook etc
14:58:36 <Sona> we can have both
14:58:41 <lhinds_> yup!
14:59:03 <mwinandy> this is really good discussion today !
14:59:24 <lhinds_> ok, I got to go, but I will get sphinx set up and some initial content going, then next week we can look to get anyone interested set up
14:59:35 <lhinds_> oh, next week is Tokyio
14:59:39 <lhinds_> are most around still?
14:59:51 <lhinds_> * Tokyo
15:00:18 <aripie> I am not traveling, will be around
15:00:29 <mwinandy> I may be busy with another meeting, but will try to join
15:00:32 <Sona> I am traveling next week
15:00:55 <Sona> so I will not be able to attend
15:01:29 <lhinds_> ok, I will be about, but we can make do with who is on!
15:01:31 <lhinds_> ok thanks guys
15:01:39 <lhinds_> by all means stick around and chat if you like
15:01:43 <lhinds_> #endmeeting