first commit
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
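Review bot: The "Adam Lipscombe 1:1" block in this hunk records internal security posture in plain notes ("3rd party pen testing every year", "nothing found in last 4 years", the "process today" PR and QA flow, the tiered layout with nginx, tomcat, rabbitmq and the key store) next to named individuals and partner names. Confirm the repository is private and access-restricted before this is pushed, or move the security and architecture sections to a store with tighter access and keep only the TODO items here.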
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
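Review bot: This hunk adds the same 139 lines as the previous hunk, from "- TODO [[Plug-in framework vision and strategy]]" through the closing "((6814dcc7-6319-4582-8c00-642a273286ab))" bullet, and the same content recurs in every hunk of this commit. If the extra files are backup or sync copies of one page, exclude them in .gitignore and commit a single copy; duplicated notes drift apart once one copy is edited, and every copy is another place where the security details are stored.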
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
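Review bot: The last bullet of this hunk, "((6814dcc7-6319-4582-8c00-642a273286ab))", is a block reference, and no line visible in this commit defines a block with that id, so it will show as an unresolved reference unless the page holding the target block is committed too. Either add that page to the commit or replace the reference with the text it points to.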
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
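Review bot: Under "Security processes/standards for development", the line "SLA based on CSSV scroring" names an SLA but records no severity bands or remediation deadlines, and "CSSV" looks like a slip for CVSS. The bullets that follow ("VTN is notification mechanism", "if needs rememdiation") describe the flow but not the time limits; add the per-severity remediation windows, or a TODO to obtain them, so the notes can be checked against the actual process.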
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
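Review bot: In the "process today" list, "non-trusted have PR" and "trusted developers peer-review on submisison to dev branch" leave the review control undefined: the notes do not say who designates a developer as trusted, or whether a trusted developer's change is reviewed by someone else before it reaches the dev branch. Add a follow-up TODO to capture both points, since the rest of the list (QA cycle, staging, release tag) depends on what enters the dev branch.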
@@ -0,0 +1,139 @@
|
||||
- TODO [[Plug-in framework vision and strategy]]
|
||||
collapsed:: true
|
||||
- can we target a date for this.
|
||||
- TODO pick a date
|
||||
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
|
||||
- TODO **Morpheus Road Map Review with Cheri** on [[05-20-2025]] and [[05-21-2025]] .
|
||||
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
|
||||
- TODO review current roadmap in AHA (any big groups?)
|
||||
- TODO review items in "**FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22**" email
|
||||
-
|
||||
- Neil van Ransburg 1:1 #call #plugins #morpheus
|
||||
collapsed:: true
|
||||
- ISV plugins
|
||||
- morpheus supported
|
||||
- partners upported
|
||||
- get NDA in place + alliance docs in place
|
||||
- low bar to entry at the moment
|
||||
- terms of use (EULA) + plugin source license (based on terraform BSL)
|
||||
- no certification or SLA in place today
|
||||
- informal QA testing from our engineering team
|
||||
- no strict process in place
|
||||
- overhead was key blocker
|
||||
- based on the terraform module processes
|
||||
-
|
||||
-
|
||||
- community
|
||||
- spend largest amount of time doing enablement
|
||||
- certifiation of external plugins?
|
||||
- list of isvs who are creating plugins
|
||||
- https://share.morpheusdata.com/plugin
|
||||
- Maven central (plugin core) = interace to mopheus
|
||||
- Captures
|
||||
- 
|
||||
- plugins are classes are exposed via grooxy classes
|
||||
- 
|
||||
- High interest tight now
|
||||
- openshift virtualization is high priority
|
||||
- SSE tam under divaker want to do this
|
||||
- USU -
|
||||
- tryting to target asia tech jam
|
||||
- Exavity
|
||||
- stackit
|
||||
- german service provider
|
||||
- helped build this plugin, then got stuck on floating IPS
|
||||
-
|
||||
- 
|
||||
-
|
||||
-
|
||||
- Eric Forgette 1:1 #call #morpheus #security #architecture
|
||||
- Security processes/standrds for developmet
|
||||
- Architectural Threat Analysis?
|
||||
- architecture overview and current thinking on future
|
||||
- as we are designing new features in HPE (not yet the process for the core eng. team)
|
||||
- design doc
|
||||
- security design doc
|
||||
- one observation
|
||||
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
|
||||
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
|
||||
- Central Service
|
||||
- cloud based mgmt of multiple morpheus installs
|
||||
- PCCP = just morpheus
|
||||
- big changes in PCE - getting more features
|
||||
- PCBE -
|
||||
-
|
||||
- SilverCreek == GLP on prem?
|
||||
- disconnnected PCAI - control plane is huge, expensive on prem
|
||||
-
|
||||
- Adam Lipscombe 1:1 #call #morpheus #security
|
||||
- + Greg Willis
|
||||
- **Security processes/standards for development**
|
||||
- SDLC and guidelines
|
||||
- OWASP top 10
|
||||
- **SLA based on CSSV scroring**
|
||||
- internal engineering process, doesn't hit AHA!
|
||||
- VTN is notification mechanism
|
||||
- noticed as sent to security
|
||||
- Adam/Gram
|
||||
- the review notifications
|
||||
- if needs rememdiation
|
||||
- then goes it 'shortcut' (old Jira alternative)
|
||||
- also triggered via support tickets to Adam
|
||||
- **process today**
|
||||
- featues goes to backlog
|
||||
- this means approved by committe
|
||||
- development happens
|
||||
- in branch
|
||||
- summited for PR
|
||||
- non-trusted have PR
|
||||
- trusted developers peer-review on submisison to dev branch
|
||||
- Dev goes through QA cycle
|
||||
- functional testing
|
||||
- at code freeze promoted to staging
|
||||
- regression testing
|
||||
- release tag on pass etc
|
||||
- **Morpheus**
|
||||
- Architectural Threat Analysis? (see Estes)
|
||||
- **Current State**
|
||||
- HVM not tracked in same process
|
||||
- multi-tenant arch
|
||||
- seperation via rbac and encrytion
|
||||
- config code is encrypted on upload by customer
|
||||
- agent methodology
|
||||
- subscribes to queue
|
||||
- comms channels and authz
|
||||
- only way to get inside the system would be via the applicaiton code
|
||||
- VTN instead of Git dependabot
|
||||
- app pentesting - was used in the past
|
||||
- but no longer used
|
||||
- moving to HPE armor
|
||||
- 3rd party pen testing every year
|
||||
- nothing found in last 4 years
|
||||
- some rapid7 testing happening now
|
||||
- morpheus tested on the PCE end of things
|
||||
- arch diagrams
|
||||
- ref arch diagrams
|
||||
- Tiered model
|
||||
- SQL database
|
||||
- elastic
|
||||
- rabbitmq messaging
|
||||
- app tier
|
||||
- 2 parts
|
||||
- nginx web proxy
|
||||
- tomcat container for ui/app
|
||||
- bouncycastle generates keys etc
|
||||
- Cypher used for key store
|
||||
- Lots of requests from customers re more security features
|
||||
- e.g. create users in external IAM
|
||||
- sec config testing
|
||||
- Certificaitons/regualtions
|
||||
- before HPE - only a shippable software
|
||||
- not a saas etc
|
||||
- hardening guides
|
||||
- disa
|
||||
- tested up to CIS level 1 and 2
|
||||
- post HPE
|
||||
- having to shift into a sevice offering
|
||||
- no one has connected the dots here yet on compliance
|
||||
-
|
||||
- ((6814dcc7-6319-4582-8c00-642a273286ab))
|
||||
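Review bot: Under "Current State", the bullets "seperation via rbac and encrytion" and "only way to get inside the system would be via the applicaiton code" read as established facts, while "Architectural Threat Analysis? (see Estes)" a few lines earlier is still an open question. Mark these bullets as statements from the call rather than verified findings, and link them to the threat analysis once it exists.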