13:02:27 <aimeeu> #startmeeting Validation and Security Team Meeting
13:02:27 <collabot`> Meeting started Thu May 3 13:02:27 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:27 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:02:27 <collabot`> The meeting name has been set to 'validation_and_security_team_meeting'
13:02:36 <aimeeu> #chair bryan_att aimeeu
13:02:36 <collabot`> Current chairs: aimeeu bryan_att
13:08:19 <aimeeu> #info attendees: Bryan Sullivan (AT&T), Chuxin Chen (AT&T), Jack Murray (AT&T), Karrie (AT&T), Devendra Sen (TechM), Dev
13:08:58 <aimeeu> #info Jack: the validation process will be more complex than a web-based experience
13:09:44 <aimeeu> Jack: scope will *not* be completely web
13:10:28 <aimeeu> Karrie: web admin manages validation workflow, not necessarily setup and configuration of tools; a validation step could be a real person reviewing
13:11:41 <aimeeu> #info Karrie: for end to end validation experience, need to access status, notification - design has to accommodate that part of the process
13:13:07 <aimeeu> #info Bryan summarizes: need a behind the scenes workflow engine for validation that does not impact the Portal
13:16:21 <bryan_att> #link https://etherpad.acumos.org/p/validation-meeting-180503
13:16:55 <aimeeu> Etherpad guide #link https://wiki.acumos.org/display/AC/Etherpad+Guide
13:18:25 <aimeeu> #topic Requirements
13:23:05 <aimeeu> #info Bryan summarizes requirements on the etherpad
13:26:12 <aimeeu> #info Jack: complex problem; define and follow a "best practice"
13:26:50 <aimeeu> #info Jack: security of the platform is models as well as underlying platform; very broad scope
13:27:51 <aimeeu> #info Bryan: goal for project should be a program of industry best practices
13:29:09 <aimeeu> #info similar to #link https://wiki.opnfv.org/display/security/2016/08/24/OPNFV+gets+CII+Best+Practices+Badge+for+Security+and+Quality
13:29:50 <aimeeu> #topic Architecture
13:30:19 <aimeeu> #info Chuxin sent Bryan some slides to be added to the wiki; capture Validation intent from a user perspective
13:30:56 <aimeeu> #info Bryan: separate what's presented in the UI from the back end
13:33:32 <aimeeu> #info the work of the Security subcommittee is broader than the subject of today's call
13:34:13 <aimeeu> #info this meeting is about the validation component, which resides in the Common Services project
13:35:03 <aimeeu> #info Jack: need to separate items for broader Security Subcommittee from the work of the validation component
13:36:27 <aimeeu> #info broader goals for Security Subcommittee: #link https://wiki.acumos.org/display/AC/Security+Scanning
13:38:31 <aimeeu> #info Security Subcommittee will drive the requirements for the validation component
13:42:34 <aimeeu> #info Jack: these security and validation requirements should be discussed by the Security Subcommittee, so this meeting is really a working group within the Security Subcommittee
13:43:08 <aimeeu> #info Jack: once the requirements have been finalized, then the work can be passed to the Common Services project for implementation
13:44:42 <aimeeu> #info Bryan summarizes what the current validation component does and what it will need to do going forward
13:46:16 <vishnu> newbie question: what is "validation" part of validation-security? Does it include validation of others (requirements not related to security)?
13:47:41 <aimeeu> Vishnu - validation is validation of the models - license scanning, security vulnerability scanning
13:48:28 <vishnu> thanks! So it is limited to security requirements.
13:48:58 <aimeeu> yes - thanks for the question!
13:52:39 <aimeeu> #info discussion on workflow, perhaps incorporating a workflow engine such as Camunda
13:54:58 <aimeeu> #info Bryan discusses using a YAML file to define workflow
13:58:36 <vishnu> does "scan" include testing for specific vulnerability cases? Or is it as simple as looking for some signature? (trying to understand).
14:00:58 <aimeeu> I thought "scan" would be using something like OpenVAS or OpenSCAP or Clair
14:01:33 <vishnu> thanks!
14:01:35 <aimeeu> so scanning for specific vulnerabilities
14:01:54 <aimeeu> #endmeeting