14:02:01 <lhinds> #startmeeting Security Group 01/06/16
14:02:01 <collabot`> Meeting started Wed Jun 1 14:02:01 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:01 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:01 <collabot`> The meeting name has been set to 'security_group_01_06_16'
14:02:01 <aripie> Hi Luke
14:02:20 <lhinds> #topic agenda
14:02:28 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:39 <lhinds> take a look all, and see if you want anything added
14:03:31 <aripie> just info item on ETSI-NFV-SEC-013
14:03:55 <lhinds> aripie: pop it into etherpad please
14:04:02 <aripie> sure
14:04:11 <lhinds> #topic functest
14:04:56 <lhinds> quick update here, my newer code was merged into master, and I just need to do some more tests before it is added as a jenkins job.
14:04:58 <Sona> I added https://wiki.opnfv.org/display/security/results
14:05:28 <lhinds> I still hope to perform a live demo if I can (depends on the use of hardware being available)
14:05:47 <Sona> that would be good
14:06:05 <lhinds> #topic badge program
14:06:56 <lhinds> over to you Sona
14:07:21 <Sona> I have started to answer the questions
14:07:44 <Sona> I have submitted Basics (done)
14:07:51 <Sona> https://bestpractices.coreinfrastructure.org/projects/164/
14:08:13 <Sona> I think you can visit https://bestpractices.coreinfrastructure.org/projects/
14:08:22 <Sona> and search for OPNFV
14:08:28 <Sona> you will see the progress
14:08:36 <Sona> one question
14:08:49 <Sona> regarding: The project MUST provide a process for users to submit bug reports ..
14:09:17 <Sona> does OPNFV have a process for users to submit a bug report
14:09:36 <Sona> I couldn't find
14:10:57 <lhinds> I can only find the following
14:11:01 <lhinds> #link https://wiki.opnfv.org/display/DEV/Developer+Getting+Started
14:11:22 <lhinds> oh hold on...I got it
14:11:26 <lhinds> #link https://wiki.opnfv.org/display/DEV/JIRA+Best+Practices+for+OPNFV
14:11:52 <Sona> Maybe we should add some short text for how to send a bug report?
14:12:05 <Sona> to the wiki page
14:12:15 <lhinds> that's what the link above does
14:12:31 <Sona> Ok I can use that :)
14:12:37 <Sona> another question:
14:12:50 <Sona> The project SHOULD respond to most enhancement requests in the last 2-12 months (inclusive).
14:13:23 <Sona> what do you think I should put here?
14:14:39 <lhinds> hmm, tricky, as these go upstream. I am not sure what to put there, might need to check with ray
14:15:00 <lhinds> paging: rpalik
14:15:15 <lhinds> not sure if he picks that up
14:16:01 <Sona> ok
14:16:21 <Sona> how about this question: The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days.
14:16:48 <Sona> I will check if OSVM does mention days
14:17:29 <lhinds> you can just put 'agree' and we will adopt 14 days :)
14:17:49 <Sona> ok, good :)
14:18:43 <Sona> I will continue with answering the Badge questions and send you guys email if I get stuck
14:18:48 <Sona> I hope it is ok
14:18:57 <lhinds> sounds good, thanks Sona
14:19:06 <Sona> ok we can move on
14:19:15 <Sona> to the next topic
14:19:22 <lhinds> #topic Opnfv Summit Talk
14:19:38 <Sona> Thanks for updating presentation
14:19:57 <Sona> I will make sure my part fits in my time slot
14:20:02 <lhinds> Sona: you would have seen I merged your deck into mine, mainly as it's an opnfv branded set I got from someone in marketing
14:20:09 <Sona> I saw
14:20:27 <Sona> very good, thanks
14:20:35 <lhinds> I think you might need to keep some slides as content for people to read afterwards (like FAQ)
14:21:01 <lhinds> one point, my deck might look a little long, but all the slides with the use case flow will go through quickly
14:21:06 <Sona> yes, I will do
14:21:23 <lhinds> when do you arrive in Berlin?
14:21:41 <Sona> on Sunday
14:21:57 <Sona> when do you arrive?
14:22:17 <lhinds> Sunday too.
14:22:30 <lhinds> so we have time to tweak things together, before the talk
14:22:38 <Sona> good, perhaps we can meet and synch a little
14:23:16 <lhinds> sure
14:23:35 <lhinds> #topic Code Audit
14:23:48 <lhinds> your topic Sona, did you have any questions?
14:23:58 <Sona> I have looked at https://wiki.opnfv.org/display/security/results
14:24:17 <Sona> Is this some kind of code audit?
14:24:36 <lhinds> yes, languages used and modules / libraries imported
14:25:06 <lhinds> the idea then is we search through those to check if any have CVEs against them
14:25:20 <Sona> all is only python & python modules, right?
14:25:48 <lhinds> there is also C and Java
14:25:59 <Sona> aha , I missed that
14:26:44 <Sona> can we use openscap to scan CVEs
14:27:08 <Sona> for this
14:27:17 <lhinds> on a running system yes, but not against those files
14:27:32 <lhinds> it's tricky to do, as we only know the names they use, not the versions.
14:28:15 <lhinds> not sure of what we do with the audit data, might be a good topic for the summit when we meet with ray and co
14:29:29 <Sona> ok, we can discuss this issue further in the summit
14:29:35 <aripie> is there any inventory function that could provide version information?
14:29:53 <Sona> We can for instance track python vulnerabilities ex: http://www.cvedetails.com/vulnerability-list/vendor_id-10210/year-2016/Python.html
14:30:18 <aripie> ... or should such a function be provided by Moon project?
14:30:21 <Sona> and check with your result database and see if OPNFV is using that module
14:31:07 <Sona> I am not very familiar with moon, so I don't know if Moon can do this
14:31:37 <lhinds> it's quite complex, and cross-checking systems will take some time. I recommend we check with the others how far they want to go with it
14:32:10 <Sona> ok, agree
14:32:15 <lhinds> if they are very keen, then they will need to volunteer time / resources to help
14:32:37 <Sona> I can help, but I need to know how :)
14:32:57 <Sona> I am looking for automated, efficient way
14:33:11 <Sona> not to spend hours in manual check
14:33:32 <Sona> we discuss this in the summit
14:33:57 <Sona> should we create a task in Jira and add topics we want to discuss?
14:34:24 <lhinds> an etherpad would be good
14:34:35 <lhinds> https://etherpad.opnfv.org/
14:34:37 <Sona> ok
14:35:34 <lhinds> ok..next topic
14:36:04 <lhinds> #topic ETSI NFV-SEC-013 draft
14:36:07 <lhinds> aripie:
14:36:30 <aripie> Yes, there is a new rev of ETSI-NFV-SEC-013
14:36:35 <aripie> #link https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC013_Sec_mgmt_and_Monitoring_Spec
14:36:54 <Sona> what is new here?
14:37:29 <aripie> seems to be maturing, introduces the concept of Security Controller and some new interfaces
14:38:09 <aripie> and defines some prerequisites for creating trust in an NFV solution
14:38:31 <Sona> ok, thanks. I will read it later
14:38:42 <lhinds> thanks aripie
14:38:44 <aripie> also audit requirements towards the security monitoring function itself
14:39:02 <lhinds> yep, some of this may map to what we have been doing
14:39:46 <aripie> that's all on that front now
14:40:07 <Sona> Luke, what were you referring to?
14:40:23 <Sona> functest, secguide, etc
14:40:28 <Sona> or something else?
14:41:22 <lhinds> Sona: functest scanning
14:41:37 <lhinds> ok, all good
14:41:50 <lhinds> thanks for attending all...catch you next week
14:41:51 <Sona> yes,
14:42:00 <lhinds> unless there is AOB?
14:42:05 <Sona> I created https://etherpad.opnfv.org/p/items-to-discuss-in-summit
14:42:18 <lhinds> thx Sona
14:42:21 <Sona> to add items to discuss in the summit
14:42:34 <Sona> I am good now :)
14:42:36 <Sona> thanks
14:42:45 <lhinds> can you share that with the email list discussing the badge program
14:42:54 <Sona> yes
14:43:01 <lhinds> check that ray gets a room reserved too
14:43:26 <lhinds> so we can sit down and go through all the outstanding badge items
14:43:34 <lhinds> thanks!
14:43:44 <lhinds> ok...see you next week
14:43:54 <lhinds> #endmeeting