14:02:24 #startmeeting Security Group 17/08/16
14:02:24 Meeting started Wed Aug 17 14:02:24 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:24 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:24 The meeting name has been set to 'security_group_17_08_16'
14:02:33 let me just get a pad
14:03:32 ok, here we go:
14:03:34 https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:03:39 #topic agenda
14:04:15 anyone wish to make any additions?
14:04:37 OK by me
14:04:48 ok
14:05:20 #topic Security Scanning
14:05:55 that would be me, only thing new is we resolved an issue in Apex, which was making functest's use of security scanning hang.
14:06:34 the second thing is we have moved functest over to using security scanning's own repo now;
14:06:39 #link https://gerrit.opnfv.org/gerrit/#/c/18727/
14:06:40 good so functest runs successfully
14:06:49 sona: I think so / hope so
14:06:50 should be
14:06:52 :)
14:07:17 How can I check the result?
14:08:16 https://build.opnfv.org/ci/job/functest-apex-apex-daily-master-daily-master/
14:08:32 normally it's under nosdn-nofeature
14:08:43 but functest fails a lot! so it often does not run
14:08:55 I think I will chat to apex again and maybe run it outside as well
14:09:43 ok badge program
14:09:49 #info badge
14:09:56 #undo
14:09:56 Removing item from minutes:
14:10:05 #topic badge program
14:12:05 good news about badge we have achieved 100%
14:12:28 https://bestpractices.coreinfrastructure.org/projects?q=opnfv
14:13:28 yeay!
14:13:55 that will make heather happy
14:14:16 we need to do some work, spread this message to developers
14:14:35 make them aware of security best practices
14:15:14 Luke, I didn't really follow all conversation in the meeting :)
14:15:19 what was decided?
14:15:47 we need to have some sort of check/control so all projects follow these best practices
14:15:49 looks like we are going to start auditing projects, and ashlee will help out and do the policing
14:15:53 how can we reach this?
14:16:09 ok good
14:16:51 I don't think we can make sure they follow, but we can start by pointing out what they are doing wrong, to pressure them into looking into security more.
14:17:11 agree
14:17:33 but we need once in a while to check the criteria again and see they are true
14:18:11 how can we do this so we don't forget?
14:18:17 I guess we need to then go through the list and see what can be automated.
14:18:29 maybe add that to the etherpad discussion
14:18:30 good idea
14:19:26 I will create jira ticket
14:19:45 I will close all resolved jira issues related to the badge program
14:20:21 that would be good sona, give it a good clean up in there, as a lot is shown as open
14:21:23 yes I will do that
14:22:25 ok cool
14:22:45 What do you think that I should focus more on now that we are almost done with badge program?
14:23:14 I think the audit work we have coming up will be interesting for you
14:23:15 should we start with sec-guide or shall I get involved in Openscap/functest?
14:23:22 ok
14:23:34 I hope I can help
14:23:54 in fact...
14:24:01 #topic OPNFV Audit
14:24:06 #link https://etherpad.opnfv.org/p/sec-audit
14:24:44 so we will capture thoughts in the above, and put something to the TSC
14:25:11 I think you can help with testing a lot here Sona, as you will be able to run this easily on your laptop or a VM
14:25:35 ok, I can do that
14:25:37 doing security scan testing is a lot more inaccessible as you need an openstack cloud deployed by apex
14:25:55 I see
14:26:20 It might need a PTL as well, but we should see if Ash is interested as well
14:27:37 that's it there for now. I will start playing with some code this week
14:27:54 what's the difference between sec-audit and the other projects?
14:28:10 the idea is that sec-audit is a separate project?
14:28:34 sec-audit looks at all of the opnfv projects and checks to make sure they are not using insecure artifacts
14:28:41 so yes, separate project
14:29:20 we might also get it to a code / lint type scan, but package auditing is most important
14:29:49 so like using an OpenSSL version from six years ago that is full of heartbleed and the like
14:30:19 ok, cool
14:31:42 which you're welcome to get involved in as well should you like
14:32:00 ok, i think that wraps it up?
14:32:09 yes
14:32:25 oh btw I am core on the openstack security group now as well, so I am doing a bit more there as well.
14:32:43 very good Luke
14:32:50 k..thanks all
14:32:52 awesome
14:32:55 you can give us some update maybe
14:33:19 is there any info it would be good to share?
14:33:26 sure, I will keep you update
14:33:29 ..d
14:33:49 mainly getting out some backlogged security notes, so released this one last week https://wiki.openstack.org/wiki/OSSN/OSSN-0068
14:33:55 btw there is openstack summit in Stockholm, any one planning to attend?
14:34:08 is that next year?
14:34:25 next month
14:34:30 let me check
14:34:32 oh, like a local summit?
14:34:39 usergroup
14:34:55 I plan to be at Barcelona
14:35:15 http://openstacknordic.org/
14:35:24 yes, local summit
14:35:34 wish I could go, that'd be nice :)
14:35:36 I was hoping to see you here :)
14:35:38 ah ok, I won't be there myself
14:35:44 the openstack ops meetup is next week in nyc as well
14:35:59 ok
14:36:16 are you going serverascode ?
14:36:34 yeah I will be in NYC, and at the opnfv hackfest in TO next week
14:37:11 there will be some NFV sessions at the ops meetup but I'm not too sure how many ppl will be there
14:37:20 for the NFV sessions that is
14:37:25 oh cool, maybe you can do a little slot with some updates next week or after?
14:37:38 yeah for sure
14:38:00 sounds good, need to hash some actions
14:38:12 #sona close jira issues on badge program
14:38:16 derp!
14:38:23 #action sona close jira issues on badge program
14:38:43 #action serverascode to report back on openstack ops day, and hackfest
14:38:55 ok, i think we are done
14:38:57 thanks all!
14:39:05 thanks
14:39:09 unless any other business?
14:39:09 thanks
14:39:09 thanks
14:39:30 bye all
14:39:33 #endmeeting