14:07:45 <lhinds_> #startmeeting Security Group 21/10/15 14:07:45 <collabot> Meeting started Wed Oct 21 14:07:45 2015 UTC. The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:07:45 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:07:45 <collabot> The meeting name has been set to 'security_group_21_10_15' 14:08:23 <lhinds_> ok, I don't have much for the agenda myself, had a pretty crappy cold / flu thing for the past few days that has had me out of action 14:08:49 <lhinds_> #info There is no date for the confluence migration, which was an AP I had on myself 14:08:55 <Sona> Soory Luke, hope you get better soon 14:09:00 <lhinds_> Thanks Sona 14:09:16 <lhinds_> any agenda items anyone would like to add? 14:09:45 <Sona> I wanted to bring up wiki update 14:09:49 <aripie> just some info; CIS published update on their security guidance 14:10:03 <lhinds_> CIS? 14:10:15 <aripie> center for information security 14:10:20 <lhinds_> ah ok 14:10:24 <aripie> #link http://www.cisecurity.org/critical-controls.cfm 14:10:41 <aripie> this is more from IT angle but still quite valid controls 14:11:40 <Sona> good info, thanks Ari 14:11:57 <aripie> ... correction on CIS 0 center of internet security 14:12:40 <lhinds_> One point: I do plan to get started on the opnfv security guide soon, thinking of using sphinx so in time we can generate PDF's etc. But I guess confluence does nice exports too. So will find out more 14:13:19 <mwinandy> I don't know sphinx, is that kind of wiki? 14:13:46 <lhinds_> kind of, its more like LaTex 14:14:03 <mwinandy> oh great (love LaTeX) :) 14:14:14 <lhinds_> So you can develop docs in a repo, and then generate html pages / pdf's etc 14:14:51 <aripie> #link http://sphinx-doc.org/rest.html 14:15:05 <lhinds_> I could get something going in my personal repo, and then push into a opnfv repo when it gets momentum 14:17:52 <lhinds_> what licensing are we using in opnfv, can anyone recall? 14:18:00 <lhinds_> mit, apachie, gnu..? 14:18:49 <aripie> apache 14:19:01 <lhinds_> thx 14:19:36 <aripie> v 2.0 14:20:13 <aripie> another piece of info is that ETSI released three more specs relevant for security 14:20:16 <aripie> #link http://www.etsi.org/news-events/news/1015-2015-10-news-etsi-nfv-isg-publishes-security-and-reliability-specifications?highlight=YTozOntpOjA7czozOiJuZnYiO2k6MTtzOjg6InNlY3VyaXR5IjtpOjI7czoxMjoibmZ2IHNlY3VyaXR5Ijt9 14:20:25 <lhinds_> ahh good one ari 14:20:30 <lhinds_> did you have a read yet? 14:21:17 <aripie> I did, some of it is pretty good, some remained a bit weak, I expected a bit more detail on LI 14:22:18 <aripie> in any case, we need to see to that OPNFV projects take input from these req 14:22:56 <lhinds_> yep, look like ashutosh is not around again? did you get anything going with him offline? 14:24:52 <aripie> I failed to do that yet, with the PTL discussion internally to our company, I will take it up again 14:25:50 <lhinds_> np 14:26:13 <aripie> what we did discuss with Ashutosh was that we would propose to collect audit related reqs into one of the ETSI SEC std documents 14:28:32 <lhinds_> k, anyone with any other items? 14:29:19 <mwinandy> I was busy with SDN&OpenFlow World Congress in Duesseldorf. There was also lot of OPNFV, but I was busy with presentation at our booth. 14:29:49 <Sona> I have update wiki with some info, could someone please have a look at it (review it)? 14:30:22 <mwinandy> just another (side) info: Cigital has released BSIMM v6. Maybe not directly relevant for OPNFV projects, but maybe to look at your organizations. 14:30:40 <aripie> mwinandy: any security related discussion popping up in D-dorf? 14:32:11 <mwinandy> Yes indeed. There was one talk on SDN security. We had a demo with SDN security. And a few companies showed virtual network security functions. 14:32:57 <lhinds_> sona, go for it an email over 14:33:48 <Sona> ok 14:34:51 <aripie> ok on SDN 14:35:11 <aripie> sona: I will have a look today 14:35:24 <Sona> Thanks Ari 14:36:35 <mwinandy> Sona: regarding static code analysis, do you know how other projects are doing this? I mean, many companies have their own (expensive) licenses of code analysis tools (hopefully), but for open source projects it is sometimes difficult (in many cased omitted). 14:37:47 <lhinds_> Bandit 14:37:48 <Sona> some run coverity scan https://scan.coverity.com/ 14:38:06 <lhinds_> Its what they are using over at OpenStack 14:38:28 <lhinds_> I wonder if we need it though, as most code is going upstream 14:38:39 <lhinds_> apart from foreman scripts etc 14:39:44 <Sona> we need first to have good knowledge of each projetc's in OPNFV eco-system 14:40:06 <Sona> that is what I am trying to do and document in our wiki 14:40:11 <mwinandy> right, but on the other hand I was thinking of having some kind of minimum required policy maybe of using one or another tool. Otherwise, it's more like we're submitting stuff and hope others (upstream) will find the flaws. 14:40:45 <mwinandy> Sona's work would be really helpful to sort this out, for example. 14:43:12 <Sona> We need to know all security work (security test, process, ...) each project does, and then coordinate these work and see if there is a gap somewhere 14:45:31 <Sona> maybe we should eventually arrange monthly/bi-monthly meeting and encourage security team members from different project attend to thiese meeting 14:45:58 <Sona> and share ideas, plan with each other 14:46:41 <mwinandy> Actually I also started looking at the different opnfv projects to find out issues that could be relevant for our internal security policy. 14:47:38 <mwinandy> So I think I should join your activity :) 14:48:08 <lhinds_> Some of the areas that I think need work:.. 14:48:33 <lhinds_> Platform Security Guide - especially when a release candidate goes to production. 14:48:46 <Sona> yes, that is a good idea 14:48:52 <lhinds_> Infra people will need to know how to secure the opnfv deployment 14:49:25 <lhinds_> Code Review is in place for checking what goes into our own repos, so if we could get projects using this, that would be good. 14:50:04 <lhinds_> Our own projects, developing tools to check security or perhaps puppet / forerman modules to harden the platform 14:50:28 <lhinds_> that's just an example, but would be great to host some more of our own projects, I have one coming up I hope. 14:51:19 <lhinds_> But I think the first will have a big need. A lot of operators are going to be asking 'how the hell do we secure this?' 14:52:26 <lhinds_> I think they will look to us as the experts! 14:53:38 <Sona> We need a security Guidelines ? 14:53:48 <Sona> hardening tool? 14:53:56 <Sona> :) 14:54:02 <lhinds_> Perhaps this could tie in with Sona's suggestion of bi-weekly introductions to projects, we can start to query them over the security requirements of their project 14:54:11 <lhinds_> I think guidelines first 14:54:27 <lhinds_> hardening tool might be difficult as it will be a moving target 14:54:54 <lhinds_> and then you have...redhat, the canonical guys etc, so different distrubutions. 14:55:30 <lhinds_> I will get a repo and help you all get set up using sphinx, we can then start to seed the guide 14:56:10 <lhinds_> stuff like openattestation, selinux being enforced, TLS for Rest API's. 14:56:18 <lhinds_> there is a lot of suggestions we can make 14:57:04 <Sona> I was also thinking to add a paragraph in the OPNFV security wiki page, "Security News/blogs" 14:57:07 <lhinds_> #link https://github.com/lukehinds/opnfv-security-guide - temporary home for now 14:57:26 <Sona> so we can add hot security related news there 14:58:17 <lhinds_> that might be better on the wiki, but of course if its solid info, it could go into the guide. 14:58:35 <lhinds_> the guide will get auto generated into PDF, ebook etc 14:58:36 <Sona> we can have both 14:58:41 <lhinds_> yup! 14:59:03 <mwinandy> this is really good discussion today ! 14:59:24 <lhinds_> ok, I got to go, but I will get sphinx set up and some initial content going, then next week we can look to get anyone interested set up 14:59:35 <lhinds_> oh, next week is Tokyio 14:59:39 <lhinds_> are most around still? 14:59:51 <lhinds_> * Tokyo 15:00:18 <aripie> I am not traveling, will be around 15:00:29 <mwinandy> I may be busy with another meeting, but will try to join 15:00:32 <Sona> I am traveling next week 15:00:55 <Sona> so I will not be able to attend 15:01:29 <lhinds_> ok, I will be about, but we can make do with who is on! 15:01:31 <lhinds_> ok thanks guys 15:01:39 <lhinds_> by all means stick around and chat if you like 15:01:43 <lhinds_> #endmeeting