13:02:27 #startmeeting Validation and Security Team Meeting
13:02:27 Meeting started Thu May 3 13:02:27 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:27 Useful Commands: #action #agreed #help #info #idea #link #topic.
13:02:27 The meeting name has been set to 'validation_and_security_team_meeting'
13:02:36 #chair bryan_att aimeeu
13:02:36 Current chairs: aimeeu bryan_att
13:08:19 #info attendees: Bryan Sullivan (AT&T), Chuxin Chen (AT&T), Jack Murray (AT&T), Karrie (AT&T), Devendra Sen (TechM), Dev
13:08:58 #info Jack: the validation process will be more complex than a web-based experience
13:09:44 Jack: scope will *not* be completely web
13:10:28 Karrie: web admin manages validation workflow, not necessarily setup and configuration of tools; a validation step could be a real person reviewing
13:11:41 #info Karrie: for an end-to-end validation experience, need to access status, notification - design has to accommodate that part of the process
13:13:07 #info Bryan summarizes: need a behind-the-scenes workflow engine for validation that does not impact the Portal
13:16:21 #link https://etherpad.acumos.org/p/validation-meeting-180503
13:16:55 Etherpad guide #link https://wiki.acumos.org/display/AC/Etherpad+Guide
13:18:25 #topic Requirements
13:23:05 #info Bryan summarizes requirements on the etherpad
13:26:12 #info Jack: complex problem; define and follow a "best practice"
13:26:50 #info Jack: security of the platform is models as well as underlying platform; very broad scope
13:27:51 #info Bryan: goal for project should be a program of industry best practices
13:29:09 #info similar to #link https://wiki.opnfv.org/display/security/2016/08/24/OPNFV+gets+CII+Best+Practices+Badge+for+Security+and+Quality
13:29:50 #topic Architecture
13:30:19 #info Chuxin sent Bryan some slides to be added to the wiki; capture Validation intent from a user perspective
13:30:56 #info Bryan: separate what's presented in the UI from the back end
13:33:32 #info the work of the Security Subcommittee is broader than the subject of today's call
13:34:13 #info this meeting is about the validation component, which resides in the Common Services project
13:35:03 #info Jack: need to separate items for the broader Security Subcommittee from the work of the validation component
13:36:27 #info broader goals for Security Subcommittee: #link https://wiki.acumos.org/display/AC/Security+Scanning
13:38:31 #info Security Subcommittee will drive the requirements for the validation component
13:42:34 #info Jack: these security and validation requirements should be discussed by the Security Subcommittee, so this meeting is really a working group within the Security Subcommittee
13:43:08 #info Jack: once the requirements have been finalized, then the work can be passed to the Common Services project for implementation
13:44:42 #info Bryan summarizes what the current validation component does and what it will need to do going forward
13:46:16 newbie question: what is the "validation" part of validation-security? Does it include validation of others (requirements not related to security)?
13:47:41 Vishnu - validation is validation of the models - license scanning, security vulnerability scanning
13:48:28 thanks! So it is limited to security requirements.
13:48:58 yes - thanks for the question!
13:52:39 #info discussion on workflow, perhaps incorporating a workflow engine such as Camunda
13:54:58 #info Bryan discusses using a YAML file to define workflow
13:58:36 does "scan" include testing for specific vulnerability cases? Or is it as simple as looking for some signature? (trying to understand).
14:00:58 I thought "scan" would be using something like OpenVAS or OpenSCAP or Clair
14:01:33 thanks!
14:01:35 so scanning for specific vulnerabilities
14:01:54 #endmeeting