14:02:01 <lhinds> #startmeeting Security Group 01/06/16
14:02:01 <collabot`> Meeting started Wed Jun  1 14:02:01 2016 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:01 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:01 <collabot`> The meeting name has been set to 'security_group_01_06_16'
14:02:01 <aripie> Hi Luke
14:02:20 <lhinds> #topic agenda
14:02:28 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:39 <lhinds> take a look all, and see if you want anything added
14:03:31 <aripie> just info item on ETSI-NFV-SEC-013
14:03:55 <lhinds> aripie: pop it into etherpad please
14:04:02 <aripie> sure
14:04:11 <lhinds> #topic functest
14:04:56 <lhinds> quick update here, my newer code was merged into master, and I just need to do some more tests before it is added as a jenkins job.
14:04:58 <Sona> I added https://wiki.opnfv.org/display/security/results
14:05:28 <lhinds> I still hope to perform a live demo if I can (depends on the use of hardware being available)
14:05:47 <Sona> that would be good
14:06:05 <lhinds> #topic badge program
14:06:56 <lhinds> over to you Sona
14:07:21 <Sona> I have started to answer the questions
14:07:44 <Sona> I have submitted Basics (done)
14:07:51 <Sona> https://bestpractices.coreinfrastructure.org/projects/164/
14:08:13 <Sona> I think you can visit https://bestpractices.coreinfrastructure.org/projects/
14:08:22 <Sona> and search for OPNFV
14:08:28 <Sona> you will see the progress
14:08:36 <Sona> one question
14:08:49 <Sona> regarding: The project MUST provide a process for users to submit bug reports ..
14:09:17 <Sona> does OPNFV have a process for users to submit a bug report
14:09:36 <Sona> I couldn't find
14:10:57 <lhinds> I can only find the following
14:11:01 <lhinds> #link https://wiki.opnfv.org/display/DEV/Developer+Getting+Started
14:11:22 <lhinds> oh hold on...I got it
14:11:26 <lhinds> #link https://wiki.opnfv.org/display/DEV/JIRA+Best+Practices+for+OPNFV
14:11:52 <Sona> Maybe we should add some short text for how to send a bug report?
14:12:05 <Sona> to the wiki page
14:12:15 <lhinds> that's what the link above does
14:12:31 <Sona> Ok I can use that :)
14:12:37 <Sona> another question:
14:12:50 <Sona> The project SHOULD respond to most enhancement requests in the last 2-12 months (inclusive).
14:13:23 <Sona> what do you think I should put here?
14:14:39 <lhinds> hmm, tricky, as these go upstream. I am not sure what to put there, might need to check with ray
14:15:00 <lhinds> paging: rpalik
14:15:15 <lhinds> not sure if he picks that up
14:16:01 <Sona> ok
14:16:21 <Sona> how about this question:  The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days.
14:16:48 <Sona> I will check if OSVM does mention days
14:17:29 <lhinds> you can just put 'agree' and we will adopt 14 days :)
14:17:49 <Sona> ok, good :)
14:18:43 <Sona> I will continue with answering the Badge questions and send you guys an email if I get stuck
14:18:48 <Sona> I hope it is ok
14:18:57 <lhinds> sounds good, thanks Sona
14:19:06 <Sona> ok we can move on
14:19:15 <Sona> to the next topic
14:19:22 <lhinds> #topic Opnfv Summit Talk
14:19:38 <Sona> Thanks for updating presentation
14:19:57 <Sona> I will make sure my part fits in my time slot
14:20:02 <lhinds> Sona: you would have seen I merged your deck into mine, mainly as it's an OPNFV-branded set I got from someone in marketing
14:20:09 <Sona> I saw
14:20:27 <Sona> very good, thanks
14:20:35 <lhinds> I think you might need to keep some slides as content for people to read afterwards (like FAQ)
14:21:01 <lhinds> one point, my deck might look a little long, but all the slides with the use case flow will go through quickly
14:21:06 <Sona> yes, I will do
14:21:23 <lhinds> when do you arrive in Berlin?
14:21:41 <Sona> on Sunday
14:21:57 <Sona> when do you arrive?
14:22:17 <lhinds> Sunday too.
14:22:30 <lhinds> so we have time to tweak things together, before the talk
14:22:38 <Sona> good, perhaps we can meet and synch a little
14:23:16 <lhinds> sure
14:23:35 <lhinds> #topic Code Audit
14:23:48 <lhinds> your topic Sona, did you have any questions?
14:23:58 <Sona> I have look at https://wiki.opnfv.org/display/security/results
14:24:17 <Sona> Is this some kind of code audit?
14:24:36 <lhinds> yes, languages used and modules / libraries imported
14:25:06 <lhinds> the idea then is we search through those to check if any have CVEs against them
14:25:20 <Sona> all is only python & python modules, right?
14:25:48 <lhinds> there is also C and Java
14:25:59 <Sona> aha , I missed that
14:26:44 <Sona> can we use openscap to scan CVEs
14:27:08 <Sona> for this
14:27:17 <lhinds> on a running system yes, but not against those files
14:27:32 <lhinds> it's tricky to do, as we only know the names they use, not the versions.
14:28:15 <lhinds> not sure of what we do with the audit data, might be a good topic for at the summit when we meet with ray and co
14:29:29 <Sona> ok, we can discuss this issue further at the summit
14:29:35 <aripie> is there any inventory function that could provide version information?
14:29:53 <Sona> We can for instance track python vulnerabilities ex: http://www.cvedetails.com/vulnerability-list/vendor_id-10210/year-2016/Python.html
14:30:18 <aripie> ... or should such a function be provided by Moon project?
14:30:21 <Sona> and check with your result database and see if OPNFV is using that module
14:31:07 <Sona> I am not very familiar with Moon, so I don't know if Moon can do this
14:31:37 <lhinds> it's quite complex, and cross-checking systems will take some time. I recommend we check with the others how far they want to go with it
14:32:10 <Sona> ok, agree
14:32:15 <lhinds> if they are very keen, then they will need to volunteer time / resources to help
14:32:37 <Sona> I can help, but I need to know how :)
14:32:57 <Sona> I am looking for automated, efficient way
14:33:11 <Sona> not to spend hours on manual checks
14:33:32 <Sona> we'll discuss this at the summit
14:33:57 <Sona> should we create a task in Jira and add topics we want to discuss?
14:34:24 <lhinds> an etherpad would be good
14:34:35 <lhinds> https://etherpad.opnfv.org/
14:34:37 <Sona> ok
14:35:34 <lhinds> ok..next topic
14:36:04 <lhinds> #topic  ETSI NFV-SEC-013 draft
14:36:07 <lhinds> aripie:
14:36:30 <aripie> Yes, there is a new rev of ETSI-NFV-SEC-013
14:36:35 <aripie> #link https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC013_Sec_mgmt_and_Monitoring_Spec
14:36:54 <Sona> what is new here?
14:37:29 <aripie> seems to be maturing, introduces the concept of Security Controller and some new interfaces
14:38:09 <aripie> and defines some prerequisites for creating trust in an NFV solution
14:38:31 <Sona> ok, thanks. I will read it later
14:38:42 <lhinds> thanks aripie
14:38:44 <aripie> also audit requirements towards the security monitoring function itself
14:39:02 <lhinds> yep, some of this may map to what we have been doing
14:39:46 <aripie> that's all on that front now
14:40:07 <Sona> Luke, what were you referring to?
14:40:23 <Sona> functest, secguide, etc
14:40:28 <Sona> or something else?
14:41:22 <lhinds> Sona: functest scanning
14:41:37 <lhinds> ok, all good
14:41:50 <lhinds> thanks for attending all...catch you next week
14:41:51 <Sona> yes,
14:42:00 <lhinds> unless there is AOB?
14:42:05 <Sona> I created https://etherpad.opnfv.org/p/items-to-discuss-in-summit
14:42:18 <lhinds> thx Sona
14:42:21 <Sona> to add items to discuss in the summit
14:42:34 <Sona> I am good now :)
14:42:36 <Sona> thanks
14:42:45 <lhinds> can you share that with the email list discussing the badge program
14:42:54 <Sona> yes
14:43:01 <lhinds> check that ray gets a room reserved too
14:43:26 <lhinds> so we can sit down and go through all the outstanding badge items
14:43:34 <lhinds> thanks!
14:43:44 <lhinds> ok...see you next week
14:43:54 <lhinds> #endmeeting