14:04:03 <aimeeu> #startmeeting Acumos Security Subcommittee Meeting
14:04:03 <collabot> Meeting started Tue Jul 24 14:04:03 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:03 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:03 <collabot> The meeting name has been set to 'acumos_security_subcommittee_meeting'
14:04:11 <aimeeu> #chair bryan_att
14:04:11 <collabot> Current chairs: aimeeu bryan_att
14:04:19 <aimeeu> #topic Roll Call
14:04:41 <aimeeu> #info Aimee (AT&T), Bryan (AT&T), Daniel (Amdocs)
14:06:29 <aimeeu> #topic Welcome
14:06:42 <aimeeu> #topic Security Focus
14:07:12 <aimeeu> #info #link https://wiki.acumos.org/display/SEC/Meetings
14:08:03 <aimeeu> #info Bryan summarizes the 4 areas in scope for the Security Subcommittee
14:17:30 <aimeeu> #info Jack (AT&T) has joined the meeting
14:21:24 <aimeeu> #info Daniel: are you also in charge of the overall Acumos platform security? such as code repo, etc
14:22:00 <aimeeu> #info Bryan: yes, all the platform code as well as uploaded models
14:25:32 <aimeeu> #info Daniel: background in cyber security
14:28:09 <aimeeu> #info Bryan asks Daniel to review the goals and let the Subcommittee know of shortcomings
14:28:53 <aimeeu> #info Daniel has a lot of experience in this area and believes we can come up with creative solutions
14:32:22 <aimeeu> #info Daniel: how to secure the deployed platform is an interesting question
14:32:36 <aimeeu> #action Bryan will send contact info to Daniel
14:38:38 <aimeeu> #info Bryan: documentation is lacking on which services need to be exposed vs those that don't based on how the platform is deployed (k8s, single node Docker)
14:39:03 <aimeeu> #info Daniel: what security for the platform itself
14:41:33 <aimeeu> #info Bryan: we have an assessment of which APIs need to be exposed externally, which APIs need an authentication token
14:42:16 <aimeeu> #info Bryan: weakness is testing APIs; need plan for intrusion detection and remediation
14:43:52 <aimeeu> #info Bryan: need process for vetting how platforms have been deployed/secured for Federation (build community trust for company-installed platforms)
14:45:09 <aimeeu> #info Daniel: if we did come up with recommendations etc, do we have a team to implement the recommendations? what would be the process?
14:45:59 <aimeeu> #info Bryan: identifying weaknesses - create Jira items; if weakness is associated with a specific component, we would work with that team to secure the weakness
14:46:38 <aimeeu> #info Bryan: three areas to concentrate on: Portal, On-Boarding, Federation; work with them to make sure APIs use authentication
14:47:50 <aimeeu> #info Bryan: if we are talking about a new area such as live testing of vulnerabilities, then we have to identify tools and may have to find resources
14:48:10 <aimeeu> #info Bryan: need to expand company participation
14:49:20 <aimeeu> #info Daniel: Amdocs would like to be more involved and is looking for places to fit in
14:51:35 <aimeeu> #info Bryan reiterates that platform development is open source and open to everyone - if Amdocs has people who want to be involved, the Community will welcome them in whatever capacity they can participate
14:53:38 <aimeeu> #info Jack: what do we really want to accomplish in this first release? is there a clear list?
14:54:30 <aimeeu> #info Jack would like a list so he can push the agenda in his role as TSC Chair
14:55:10 <aimeeu> #info Bryan: there are some items in Jira
14:56:39 <aimeeu> #action Bryan will update wiki to summarize main items for Athena release
14:58:20 <aimeeu> #action Bryan will send out new meeting invite with updated info
15:01:15 <aimeeu> #endmeeting