=====================================================
#acumos-meeting: Acumos Security Subcommittee Meeting
=====================================================

Meeting started by aimeeu at 14:04:03 UTC. The full logs are available at
http://ircbot.wl.linuxfoundation.org/meetings/acumos-meeting/2018/acumos-meeting.2018-07-24-14.04.log.html
.

Meeting summary
---------------
* Roll Call (aimeeu, 14:04:19)
  * Aimee (AT&T), Bryan (AT&T), Daniel (Amdocs) (aimeeu, 14:04:41)

* Welcome (aimeeu, 14:06:29)

* Security Focus (aimeeu, 14:06:42)
  * #link https://wiki.acumos.org/display/SEC/Meetings (aimeeu, 14:07:12)
  * Bryan summarizes the 4 areas in scope for the Security Subcommittee
    (aimeeu, 14:08:03)
  * Jack (AT&T) has joined the meeting (aimeeu, 14:17:30)
  * Daniel: are you also in charge of the overall Acumos platform
    security? such as code repo, etc. (aimeeu, 14:21:24)
  * Bryan: yes, all the platform code as well as uploaded models
    (aimeeu, 14:22:00)
  * Daniel: background in cyber security (aimeeu, 14:25:32)
  * Bryan asks Daniel to review the goals and let the Subcommittee know
    of shortcomings (aimeeu, 14:28:09)
  * Daniel has a lot of experience in this area and believes we can come
    up with creative solutions (aimeeu, 14:28:53)
  * Daniel: how to secure the deployed platform is an interesting
    question (aimeeu, 14:32:22)
  * ACTION: Bryan will send contact info to Daniel (aimeeu, 14:32:36)
  * Bryan: documentation is lacking on which services need to be exposed
    vs. those that don't, based on how the platform is deployed (k8s,
    single-node Docker) (aimeeu, 14:38:38)
  * Daniel: what security for the platform itself? (aimeeu, 14:39:03)
  * Bryan: we have an assessment of which APIs need to be exposed
    externally, which APIs need an authentication token (aimeeu,
    14:41:33)
  * Bryan: weakness is testing APIs; need plan for intrusion detection
    and remediation (aimeeu, 14:42:16)
  * Bryan: need process for vetting how platforms have been
    deployed/secured for Federation (build community trust for
    company-installed platforms) (aimeeu, 14:43:52)
  * Daniel: if we did come up with recommendations etc., do we have a
    team to implement the recommendations? what would be the process?
    (aimeeu, 14:45:09)
  * Bryan: identifying weaknesses - create Jira items; if a weakness is
    associated with a specific component, we would work with that team
    to secure the weakness (aimeeu, 14:45:59)
  * Bryan: three areas to concentrate on: Portal, On-Boarding,
    Federation; work with them to make sure APIs use authentication
    (aimeeu, 14:46:38)
  * Bryan: if we are talking about a new area such as live testing of
    vulnerabilities, then we have to identify tools and may have to find
    resources (aimeeu, 14:47:50)
  * Bryan: need to expand company participation (aimeeu, 14:48:10)
  * Daniel: Amdocs would like to be more involved and is looking for
    places to fit in (aimeeu, 14:49:20)
  * Bryan reiterates that platform development is open source and open
    to everyone - if Amdocs has people who want to be involved, the
    Community will welcome them in whatever capacity they can
    participate (aimeeu, 14:51:35)
  * Jack: what do we really want to accomplish in this first release? is
    there a clear list? (aimeeu, 14:53:38)
  * Jack would like a list so he can push the agenda in his role as TSC
    Chair (aimeeu, 14:54:30)
  * Bryan: there are some items in Jira (aimeeu, 14:55:10)
  * ACTION: Bryan will update wiki to summarize main items for Athena
    release (aimeeu, 14:56:39)
  * ACTION: Bryan will send out new meeting invite with updated info
    (aimeeu, 14:58:20)

Meeting ended at 15:01:15 UTC.

People present (lines said)
---------------------------
* aimeeu (34)
* collabot (4)
* bryan_att (0)

Generated by `MeetBot`_ 0.1.4