==================================================================== #opendaylight-meeting: Security Analysis Team, Introductory meeting. ==================================================================== Meeting started by icbts at 15:06:48 UTC. The full logs are available at http://meetings.opendaylight.org/opendaylight-meeting/2014/security_analysis_team__introductory_meeting_/opendaylight-meeting-security_analysis_team__introductory_meeting_.2014-05-02-15.06.log.html . Meeting summary --------------- * attendees introducing theirselves, and back grounds (icbts, 15:07:20) * LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 15:12:01) * when to discuss meeting with TSC regarding team activities (icbts, 15:13:39) * 1. Document current security status (icbts, 15:15:24) * Platform Integrity. Develop recommendations for adding security to build process (icbts, 15:18:23) * discussed adding signatures/digests to release artifacts (icbts, 15:18:53) * Jamie - add documentation to wiki regarding how projects use pgp to sign releases - Can ODL adopt a similar procedure? (icbts, 15:19:53) * Access between public and private build server for releases (icbts, 15:20:23) * Is pgp worth it? Is signed releases going to help? (icbts, 15:22:16) * log access to release system (icbts, 15:22:34) * Whom built release and when (icbts, 15:22:48) * OSGI Container Security: what kind of security exists with in the framework (icbts, 15:23:36) * Use OSGi spec level security. Currently ODL uses Equinox and Virgo, we should explore what security mechanism/best practices these frameworks recomment (icbts, 15:27:49) * Cluster Protocol: Ensure cluster protocol and communication is secure + recommendations (icbts, 15:28:22) * infinband vs akka ? (icbts, 15:29:21) * Need to develop expertise in this protocol area, and investigate security areas (icbts, 15:30:23) * OSGi Container Security: authorizing machine users (icbts, 15:30:51) * How do we handle machine access? (icbts, 15:31:10) * authorizing additions to container (icbts, 15:31:37) * Investigate deployment security - whom may install into container (icbts, 15:33:13) * authorized access to container, can they do deployment (icbts, 15:33:41) * security concern regarding hot deployment folder (icbts, 15:33:54) * Jamie - investigate, what does each OSGi implementaion provide regarding security (icbts, 15:34:32) * ie.Equinox vs Felix (icbts, 15:34:52) * Susanta - investigate more into Cluster Protocol (icbts, 15:36:09) * Current status and recommendations (icbts, 15:36:44) * Existing Security in North Bound and South Bound APIs (icbts, 15:37:10) * LINK: https://docs.google.com/presentation/d/1df-GMYVe1zGEU6DgKzFQ3xeceicqcGNRRsT5l5QNd_E/edit?pli=1#slide=id.g26bf015a9_2_42 (icbts, 15:37:45) * Discussing what documentation exists for securing components of ODL (icbts, 15:38:42) * Create central page for locating all documenation regarding securing ODL — possibly a table with component — pages (icbts, 15:39:33) * Need to review projects for current security docs (icbts, 15:41:18) * Mike — DFA (icbts, 15:41:59) * Neutron — ? (icbts, 15:42:38) * VTN Coordinator — ? (icbts, 15:42:59) * attendees picking portions of ODL to review (icbts, 15:45:34) * Recommendations — trusted key storage location (icbts, 15:46:00) * Returning to discussion of authorization to install bundles (icbts, 15:49:17) * permissions in osgi : http://securesoftwaredev.com/2012/11/19/permissions-in-osgi/ (Madhu, 15:50:26) * Certificate Authroties : discussion of what is available (icbts, 15:52:04) * Application Authorization (icbts, 15:55:16) * document RBAC on controller? (icbts, 15:56:28) * IPv4 / IPv6 (icbts, 15:57:35) * Access Authorization (icbts, 15:57:55) * Madhu, current situation vs what we could have in place (icbts, 15:59:58) * Application Authorization needs App Sandboxing (Madhu, 16:00:36) * Java Core Permissions will help with App Sandboxing (Madhu, 16:02:15) * Java sandboxing with Policy privileges in SecurityManager : http://securesoftwaredev.com/2012/11/12/sandboxing-java-code/ (Madhu, 16:03:37) * http://log.illsley.org/2010/11/29/osgi-java-security-manager-and-keeping-things-simple/ (icbts, 16:04:07) * http://www.osgi.org/wiki/uploads/CommunityEvent2008/24_JahnGumbel.pdf (icbts, 16:05:07) * What can we use from OSGi framework & Java security (icbts, 16:06:55) * Securing the deploy folder (out side of scope, but should be reviewed) (icbts, 16:09:54) * App Sand boxing, access to resource (icbts, 16:10:29) * Arash, Madhu - sandbox (icbts, 16:10:51) * Wojciech - concern over overlapping reviews (icbts, 16:11:38) * Sandboxing: collect information on subject (icbts, 16:14:08) * Controller Device Boot Strap, Authentication Authoriazation (icbts, 16:16:17) * Arash, discussing his thoughts on wiki page (icbts, 16:16:41) * LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 16:16:44) * LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#OpenDaylight_Controller_Security (icbts, 16:17:08) * Arash requests comments on his notes (icbts, 16:23:20) * on Vulnerability analysis there are available tools which can be used (Madhu, 16:32:07) * ACTION: controller to device security needs to be reviewed and worked on (Madhu, 16:37:26) * thank you Jamie for taking awesome notes :) (Meenakshi, 16:39:51) * plan is to make the security analysis meeting recurring 8.30am PT (Madhu, 16:40:12) Meeting ended at 16:42:24 UTC. People present (lines said) --------------------------- * icbts (71) * Madhu (20) * odl_meetbot (4) * edwarnicke (2) * AnthonyG (1) * Meenakshi (1) * madhu (0) Generated by `MeetBot`_ 0.1.4