14:04:03 <aimeeu> #startmeeting Acumos Security Subcommittee Meeting
14:04:03 <collabot> Meeting started Tue Jul 24 14:04:03 2018 UTC.  The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:03 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:03 <collabot> The meeting name has been set to 'acumos_security_subcommittee_meeting'
14:04:11 <aimeeu> #chair bryan_att
14:04:11 <collabot> Current chairs: aimeeu bryan_att
14:04:19 <aimeeu> #topic Roll Call
14:04:41 <aimeeu> #info Aimee (AT&T), Bryan (AT&T), Daniel (Amdocs)
14:06:29 <aimeeu> #topic Welcome
14:06:42 <aimeeu> #topic Security Focus
14:07:12 <aimeeu> #info #link https://wiki.acumos.org/display/SEC/Meetings
14:08:03 <aimeeu> #info Bryan summarizes the 4 areas in scope for the Security Subcommittee
14:17:30 <aimeeu> #info Jack (AT&T) has joined the meeting
14:21:24 <aimeeu> #info Daniel: are you also in charge of the overall Acumos platform security, such as code repo, etc.?
14:22:00 <aimeeu> #info Bryan: yes, all the platform code as well as uploaded models
14:25:32 <aimeeu> #info Daniel: background in cyber security
14:28:09 <aimeeu> #info Bryan asks Daniel to review the goals and let the Subcommittee know of shortcomings
14:28:53 <aimeeu> #info Daniel has a lot of experience in this area and believes we can come up with creative solutions
14:32:22 <aimeeu> #info Daniel: how to secure the deployed platform is an interesting question
14:32:36 <aimeeu> #action Bryan will send contact info to Daniel
14:38:38 <aimeeu> #info Bryan: documentation is lacking on which services need to be exposed vs those that don't based on how the platform is deployed (k8s, single node Docker)
14:39:03 <aimeeu> #info Daniel: what security for the platform itself?
14:41:33 <aimeeu> #info Bryan: we have an assessment of which APIs need to be exposed externally, which APIs need an authentication token
14:42:16 <aimeeu> #info Bryan: weakness is testing APIs; need plan for intrusion detection and remediation
14:43:52 <aimeeu> #info Bryan: need process for vetting how platforms have been deployed/secured for Federation (build community trust for company-installed platforms)
14:45:09 <aimeeu> #info Daniel: if we did come up with recommendations etc, do we have a team to implement the recommendations? what would be the process?
14:45:59 <aimeeu> #info Bryan: identifying weaknesses - create Jira items; if weakness is associated with a specific component, we would work with that team to secure the weakness
14:46:38 <aimeeu> #info Bryan: three areas to concentrate on: Portal, On-Boarding, Federation; work with them to make sure APIs use authentication
14:47:50 <aimeeu> #info Bryan: if we are talking about a new area such as live testing of vulnerabilities, then we have to identify tools and may have to find resources
14:48:10 <aimeeu> #info Bryan: need to expand company participation
14:49:20 <aimeeu> #info Daniel: Amdocs would like to be more involved and is looking for places to fit in
14:51:35 <aimeeu> #info Bryan reiterates that platform development is open source and open to everyone - if Amdocs has people who want to be involved, the Community will welcome them in whatever capacity they can participate
14:53:38 <aimeeu> #info Jack: what do we really want to accomplish in this first release? is there a clear list?
14:54:30 <aimeeu> #info Jack would like a list so he can push the agenda in his role as TSC Chair
14:55:10 <aimeeu> #info Bryan: there are some items in Jira
14:56:39 <aimeeu> #action Bryan will update wiki to summarize main items for Athena release
14:58:20 <aimeeu> #action Bryan will send out new meeting invite with updated info
15:01:15 <aimeeu> #endmeeting