14:02:24 <lhinds> #startmeeting Security Group 17/08/16
14:02:24 <collabot> Meeting started Wed Aug 17 14:02:24 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:24 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:24 <collabot> The meeting name has been set to 'security_group_17_08_16'
14:02:33 <lhinds> let me just get a pad
14:03:32 <lhinds> ok, here we go:
14:03:34 <lhinds> https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:03:39 <lhinds> #topic agenda
14:04:15 <lhinds> anyone wish to make any additions?
14:04:37 <aripie> OK by me
14:04:48 <sona> ok
14:05:20 <lhinds> #topic Security Scanning
14:05:55 <lhinds> that would be me, only thing new is we resolved an issue in Apex, which was making functest's use of security scanning hang.
14:06:34 <lhinds> the second thing is we have moved functest over to using security scanning's own repo now;
14:06:39 <lhinds> #link https://gerrit.opnfv.org/gerrit/#/c/18727/
14:06:40 <sona> good, so functest runs successfully
14:06:49 <lhinds> sona: I think so / hope so
14:06:50 <lhinds> should be
14:06:52 <lhinds> :)
14:07:17 <sona> How can I check the result?
14:08:16 <lhinds> https://build.opnfv.org/ci/job/functest-apex-apex-daily-master-daily-master/
14:08:32 <lhinds> normally it's under nosdn-nofeature
14:08:43 <lhinds> but functest fails a lot! so it often does not run
14:08:55 <lhinds> I think I will chat to apex again and maybe run it outside as well
14:09:43 <lhinds> ok badge program
14:09:49 <lhinds> #info badge
14:09:56 <lhinds> #undo
14:09:56 <collabot> Removing item from minutes: <MeetBot.ircmeeting.items.Info object at 0x2b57290>
14:10:05 <lhinds> #topic badge program
14:12:05 <sona> good news about the badge: we have achieved 100%
14:12:28 <sona> https://bestpractices.coreinfrastructure.org/projects?q=opnfv
14:13:28 <lhinds> yeay!
14:13:55 <lhinds> that will make heather happy
14:14:16 <sona> we need to do some work, spread this message to developers
14:14:35 <sona> make them aware of security best practices
14:15:14 <sona> Luke, I didn't really follow all the conversation in the meeting :)
14:15:19 <sona> what was decided?
14:15:47 <sona> we need to have some sort of check/control so all projects follow these best practices
14:15:49 <lhinds> looks like we are going to start auditing projects, and ashlee will help out and do the policing
14:15:53 <sona> how can we reach this?
14:16:09 <sona> ok good
14:16:51 <lhinds> I don't think we can make sure they follow, but we can start by pointing out what they are doing wrong, to pressure them into looking into security more.
14:17:11 <sona> agree
14:17:33 <sona> but we need to check the criteria again once in a while and see they are true
14:18:11 <sona> how can we do this so we don't forget?
14:18:17 <lhinds> I guess we need to then go through the list and see what can be automated.
14:18:29 <lhinds> maybe add that to the etherpad discussion
14:18:30 <sona> good idea
14:19:26 <sona> I will create a jira ticket
14:19:45 <sona> I will close all resolved jira issues related to the badge program
14:20:21 <lhinds> that would be good sona, give it a good clean up in there, as a lot is shown as open
14:21:23 <sona> yes I will do that
14:22:25 <lhinds> ok cool
14:22:45 <sona> What do you think I should focus on more now that we are almost done with the badge program?
14:23:14 <lhinds> I think the audit work we have coming up will be interesting for you
14:23:15 <sona> should we start with sec-guide or shall I get involved in Openscap/functest?
14:23:22 <sona> ok
14:23:34 <sona> I hope I can help
14:23:54 <lhinds> in fact...
14:24:01 <lhinds> #topic OPNFV Audit
14:24:06 <lhinds> #link https://etherpad.opnfv.org/p/sec-audit
14:24:44 <lhinds> so we will capture thoughts in the above, and put something to the TSC
14:25:11 <lhinds> I think you can help with testing a lot here Sona, as you will be able to run this easily on your laptop or a VM
14:25:35 <sona> ok, I can do that
14:25:37 <lhinds> doing security scan testing is a lot more inaccessible as you need an openstack cloud deployed by apex
14:25:55 <sona> I see
14:26:20 <lhinds> It might need a PTL as well, but we should see if Ash is interested as well
14:27:37 <lhinds> that's it there for now. I will start playing with some code this week
14:27:54 <serverascode> what's the difference between sec-audit and the other projects?
14:28:10 <serverascode> the idea is that sec-audit is a separate project?
14:28:34 <lhinds> sec-audit looks at all of the opnfv projects and checks to make sure they are not using insecure artifacts
14:28:41 <lhinds> so yes, separate project
14:29:20 <lhinds> we might also get it to do a code / lint type scan, but package auditing is most important
14:29:49 <lhinds> so like using an OpenSSL version from six years ago that is full of heartbleed and the like
14:30:19 <serverascode> ok, cool
14:31:42 <lhinds> which you're welcome to get involved in as well should you like
14:32:00 <lhinds> ok, i think that wraps it up?
14:32:09 <sona> yes
14:32:25 <lhinds> oh btw I am core on the openstack security group now as well, so I am doing a bit more there as well.
14:32:43 <sona> very good Luke
14:32:50 <lhinds> k..thanks all
14:32:52 <aripie> awesome
14:32:55 <sona> you can give us some updates maybe
14:33:19 <sona> is there any info it would be good to share?
14:33:26 <lhinds> sure, I will keep you update
14:33:29 <lhinds> ..d
14:33:49 <lhinds> mainly getting out some backlogged security notes, so released this one last week https://wiki.openstack.org/wiki/OSSN/OSSN-0068
14:33:55 <sona> btw there is an openstack summit in Stockholm, anyone planning to attend?
14:34:08 <lhinds> is that next year?
14:34:25 <sona> next month
14:34:30 <sona> let me check
14:34:32 <lhinds> oh, like a local summit?
14:34:39 <lhinds> usergroup
14:34:55 <lhinds> I plan to be at Barcelona
14:35:15 <sona> http://openstacknordic.org/
14:35:24 <sona> yes, local summit
14:35:34 <serverascode> wish I could go, that'd be nice :)
14:35:36 <sona> I was hoping to see you here :)
14:35:38 <lhinds> ah ok, I won't be there myself
14:35:44 <serverascode> the openstack ops meetup is next week in nyc as well
14:35:59 <sona> ok
14:36:16 <lhinds> are you going serverascode ?
14:36:34 <serverascode> yeah I will be in NYC, and at the opnfv hackfest in TO next week
14:37:11 <serverascode> there will be some NFV sessions at the ops meetup but I'm not too sure how many ppl will be there
14:37:20 <serverascode> for the NFV sessions that is
14:37:25 <lhinds> oh cool, maybe you can do a little slot with some updates next week or after?
14:37:38 <serverascode> yeah for sure
14:38:00 <lhinds> sounds good, need to hash out some actions
14:38:12 <lhinds> #sona close jira issues on badge program
14:38:16 <lhinds> derp!
14:38:23 <lhinds> #action sona close jira issues on badge program
14:38:43 <lhinds> #action serverascode to report back on openstack ops day, and hackfest
14:38:55 <lhinds> ok, i think we are done
14:38:57 <lhinds> thanks all!
14:39:05 <sona> thanks
14:39:09 <lhinds> unless any other business?
14:39:09 <serverascode> thanks
14:39:09 <aripie> thanks
14:39:30 <sona> bye all
14:39:33 <lhinds> #endmeeting