13:02:27 <aimeeu> #startmeeting Validation and Security Team Meeting
13:02:27 <collabot`> Meeting started Thu May  3 13:02:27 2018 UTC.  The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:27 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:02:27 <collabot`> The meeting name has been set to 'validation_and_security_team_meeting'
13:02:36 <aimeeu> #chair bryan_att aimeeu
13:02:36 <collabot`> Current chairs: aimeeu bryan_att
13:08:19 <aimeeu> #info attendees: Bryan Sullivan (AT&T), Chuxin Chen (AT&T), Jack Murray (AT&T), Karrie (AT&T), Devendra Sen (TechM), Dev
13:08:58 <aimeeu> #info Jack: the validation process will be more complex than a web-based experience
13:09:44 <aimeeu> Jack: scope will *not* be completely web
13:10:28 <aimeeu> Karrie: web admin manages validation workflow, not necessarily setup and configuration of tools; a validation step could be a real person reviewing
13:11:41 <aimeeu> #info Karrie: for end to end validation experience, need to access status, notification - design has to accommodate that part of the process
13:13:07 <aimeeu> #info Bryan summarizes: need a behind the scenes workflow engine for validation that does not impact the Portal
13:16:21 <bryan_att> #link https://etherpad.acumos.org/p/validation-meeting-180503
13:16:55 <aimeeu> Etherpad guide #link https://wiki.acumos.org/display/AC/Etherpad+Guide
13:18:25 <aimeeu> #topic Requirements
13:23:05 <aimeeu> #info Bryan summarizes requirements on the etherpad
13:26:12 <aimeeu> #info Jack: complex problem; define and follow a "best practice"
13:26:50 <aimeeu> #info Jack: security of the platform is models as well as underlying platform; very broad scope
13:27:51 <aimeeu> #info Bryan: goal for project should be a program of industry best practices
13:29:09 <aimeeu> #info similar to #link https://wiki.opnfv.org/display/security/2016/08/24/OPNFV+gets+CII+Best+Practices+Badge+for+Security+and+Quality
13:29:50 <aimeeu> #topic Architecture
13:30:19 <aimeeu> #info Chuxin sent Bryan some slides to be added to the wiki; capture Validation intent from a user perspective
13:30:56 <aimeeu> #info Bryan: separate what's presented in the UI from the back end
13:33:32 <aimeeu> #info the work of the Security subcommittee is broader than the subject of today's call
13:34:13 <aimeeu> #info this meeting is about the validation component, which resides in the Common Services project
13:35:03 <aimeeu> #info Jack: need to separate items for broader Security Subcommittee from the work of the validation component
13:36:27 <aimeeu> #info broader goals for Security Subcommittee: #link https://wiki.acumos.org/display/AC/Security+Scanning
13:38:31 <aimeeu> #info Security Subcommittee will drive the requirements for the validation component
13:42:34 <aimeeu> #info Jack: these security and validation requirements should be discussed by the Security Subcommittee, so this meeting is really a working group within the Security Subcommittee
13:43:08 <aimeeu> #info Jack: once the requirements have been finalized, then the work can be passed to the Common Services project for implementation
13:44:42 <aimeeu> #info Bryan summarizes what the current validation component does and what it will need to do going forward
13:46:16 <vishnu> newbie question: what is the "validation" part of validation-security? Does it include validation of others (requirements not related to security)?
13:47:41 <aimeeu> Vishnu - validation is validation of the models - license scanning, security vulnerability scanning
13:48:28 <vishnu> thanks! So it is limited to security requirements.
13:48:58 <aimeeu> yes - thanks for the question!
13:52:39 <aimeeu> #info discussion on workflow, perhaps incorporating a workflow engine such as Camunda
13:54:58 <aimeeu> #info Bryan discusses using a YAML file to define workflow
13:58:36 <vishnu> does "scan" include testing for specific vulnerability cases? Or is it as simple as looking for some signature? (trying to understand).
14:00:58 <aimeeu> I thought "scan" would be using something like OpenVAS or OpenSCAP or Clair
14:01:33 <vishnu> thanks!
14:01:35 <aimeeu> so scanning for specific vulnerabilities
14:01:54 <aimeeu> #endmeeting