I have returned from #drownload and I'm super keen to get on top of this; in this email I'll just try to tie a few different threads together.
The etherpad we used at the summit, along with the Sequence Diagram texts, are online [1]. Are we happy to continue using web sequence diagrams? I think the resulting output is very useful [2] - even if Kolla doesn't fit the typical project style that we anticipate using these for - they're better suited to more traditional software projects.

There's a big effort to formalize the TA process and have OSSP help as guardians of the code base [3] in future, with lots of effort being made to ensure that as new projects come into the fold they meet a certain minimum security level - we'll also attempt to help more established projects iterate to a level of equal security assurance.

I'll leave the process description for our actual documentation, but a big part of it will be projects submitting security docs to the newly created security-analysis repo [4]. Projects are welcome to use this for staging and collaboration - the OSSP will largely ignore projects with the WIP flag set.

I think the next step is for Doug and me (and anyone else who cares) to review the current diagrams and provide a quick gap analysis for the Kolla devs detailing what else is required for us to do a proper review.

[1] https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis
[2] https://drive.google.com/file/d/0B0osRPn3qBq5X1poTGZqVFBRQW8/view
[3] https://review.openstack.org/#/c/300698/
[4] https://review.openstack.org/#/c/325049/

On Tue, May 31, 2016 at 5:37 PM, Chivers, Doug <[email protected]> wrote:
> Thanks for following up Steve, the sessions at the summit were extremely useful.
>
> Both Rob and I have been caught up with the day-job since we got back from the summit, but will discuss next steps and agree a plan this week.
>
> Regards
>
> Doug
>
> From: "Steven Dake (stdake)" <[email protected]>
> Date: Tuesday, 24 May 2016 at 17:16
> To: "[email protected]" <[email protected]>
> Cc: Doug Chivers <[email protected]>, "[email protected]" <[email protected]>
> Subject: [kolla][security] Finishing the job on threat analysis for Kolla
>
> Rob and Doug,
>
> At Summit we had 4 hours of highly productive work producing a list of "things" that can be "threatened". We have about 4 or 5 common patterns where we follow the principle of least privilege. On Friday of Summit we produced a list of all the things (in this case deployed containers). I'm not sure who, I think it was Rob, was working on a flow diagram for the least privileged case. From there, the Kolla coresec team can produce the rest of the diagrams for increasing privileges.
>
> I'd like to get that done, then move on to next steps. Not sure what the next steps are, but let's cover the flow diagrams first since we know we need those.
>
> Regards
> -steve
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
