- DONE [[Plug-in framework vision and strategy]]
  completed:: [[06-05-2025]]
  collapsed:: true
  - can we target a date for this?
  - DONE pick a date
    completed:: [[06-05-2025]]
  - This is gaining more priority every day. It will be great to target the first version for review amongst the three of us next week.
- DONE **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]].
  completed:: [[06-05-2025]]
  - More context on this
    - Essentially, we need to provide a Morpheus roadmap: a high-confidence roadmap for the next two quarters, and a medium-confidence roadmap for the 12 months after that. Again, the priority here is to have a very high-confidence, clear roadmap for the next two quarters, to an extent that it can be communicated with dates to external customers.
  - DONE review current roadmap in AHA (any big groups?)
    completed:: [[06-05-2025]]
  - DONE review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
    completed:: [[06-05-2025]]
- Neil van Ransburg 1:1 #call #[[plugins and integrations]] #morpheus
  collapsed:: true
  - ISV plugins
    - morpheus supported
    - partners supported
      - get NDA in place + alliance docs in place
      - low bar to entry at the moment
      - terms of use (EULA) + plugin source license (based on terraform BSL)
      - no certification or SLA in place today
      - informal QA testing from our engineering team
      - no strict process in place
      - overhead was key blocker
      - based on the terraform module processes
    - community
      - spend largest amount of time doing enablement
  - certification of external plugins?
  - list of ISVs who are creating plugins
    - https://share.morpheusdata.com/plugin
  - Maven central (plugin core) = interface to morpheus
  - Captures
    - ![image.png](../assets/image_1746194618508_0.png)
  - plugins are classes exposed via Groovy classes
    - ![image.png](../assets/image_1746194983184_0.png)
  - High interest right now
    - openshift virtualization is high priority
    - SSE tam under divaker want to do this
    - USU
      - trying to target asia tech jam
    - Exavity
    - stackit
      - german service provider
      - helped build this plugin, then got stuck on floating IPs
    - ![image.png](../assets/image_1746195121912_0.png)
- Eric Forgette 1:1 #call #morpheus #security #architecture
  - Security processes/standards for development
    - Architectural Threat Analysis?
  - architecture overview and current thinking on future
    - as we are designing new features in HPE (not yet the process for the core eng. team)
      - design doc
      - security design doc
  - one observation
    - implementation of MKS takes a very similar approach to k8s as it does vmware
    - leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
  - Central Service
    - cloud based mgmt of multiple morpheus installs
  - PCCP = just morpheus
  - big changes in PCE
    - getting more features
  - PCBE
  - SilverCreek == GLP on prem?
    - disconnected PCAI
    - control plane is huge, expensive on prem
- Adam Lipscombe 1:1 #call #morpheus #security
  - + Greg Willis
  - **Security processes/standards for development**
    - SDLC and guidelines
      - OWASP top 10
    - **SLA based on CVSS scoring**
      - internal engineering process, doesn't hit AHA!
      - VTN is notification mechanism
        - noticed as sent to security - Adam/Gram
        - the review notifications
        - if needs remediation - then goes into 'shortcut' (old Jira alternative)
        - also triggered via support tickets to Adam
  - **process today**
    - feature goes to backlog
      - this means approved by committee
    - development happens
      - in branch
    - submitted for PR
      - non-trusted have PR
      - trusted developers peer-review on submission to dev branch
    - Dev goes through QA cycle
      - functional testing
    - at code freeze promoted to staging
      - regression testing
      - release tag on pass etc
  - **Morpheus**
    - Architectural Threat Analysis? (see Estes)
    - **Current State**
      - HVM not tracked in same process
      - multi-tenant arch
        - separation via rbac and encryption
        - config code is encrypted on upload by customer
      - agent methodology
        - subscribes to queue
        - comms channels and authz
      - only way to get inside the system would be via the application code
      - VTN instead of Git dependabot
      - app pentesting
        - was used in the past - but no longer used
        - moving to HPE armor
      - 3rd party pen testing every year
        - nothing found in last 4 years
      - some rapid7 testing happening now
        - morpheus tested on the PCE end of things
    - arch diagrams
      - ref arch diagrams
      - Tiered model
        - SQL database
        - elastic
        - rabbitmq messaging
        - app tier - 2 parts
          - nginx web proxy
          - tomcat container for ui/app
        - bouncycastle generates keys etc
        - Cypher used for key store
    - Lots of requests from customers re more security features
      - e.g. create users in external IAM
    - sec config testing
    - Certifications/regulations
      - before HPE
        - only a shippable software - not a saas etc
        - hardening guides
          - disa
        - tested up to CIS level 1 and 2
      - post HPE
        - having to shift into a service offering
        - no one has connected the dots here yet on compliance
- ((6814dcc7-6319-4582-8c00-642a273286ab))