5.3 KiB
5.3 KiB
- DONE Plug-in framework vision and strategy
completed:: 06-05-2025
collapsed:: true
- can we target a date for this.
- DONE pick a date completed:: 06-05-2025
- This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
- can we target a date for this.
- DONE Morpheus Road Map Review with Cheri on 05-20-2025 and 05-21-2025 .
completed:: 06-05-2025
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
- DONE review current roadmap in AHA (any big groups?) completed:: 06-05-2025
- DONE review items in "FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22" email completed:: 06-05-2025
- More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
- Neil van Ransburg 1:1 #call #plugins and integrations #morpheus
collapsed:: true
- ISV plugins
- morpheus supported
- partners upported
- get NDA in place + alliance docs in place
- low bar to entry at the moment
- terms of use (EULA) + plugin source license (based on terraform BSL)
- no certification or SLA in place today
- informal QA testing from our engineering team
- no strict process in place
- overhead was key blocker
- based on the terraform module processes
- informal QA testing from our engineering team
- community
- spend largest amount of time doing enablement
- certifiation of external plugins?
- list of isvs who are creating plugins
- Maven central (plugin core) = interace to mopheus
- Captures
- plugins are classes are exposed via grooxy classes
- High interest tight now
- openshift virtualization is high priority
- SSE tam under divaker want to do this
- USU -
- tryting to target asia tech jam
- Exavity
- stackit
- german service provider
- helped build this plugin, then got stuck on floating IPS
- openshift virtualization is high priority
- ISV plugins
- Eric Forgette 1:1 #call #morpheus #security #architecture
- Security processes/standrds for developmet
- Architectural Threat Analysis?
- architecture overview and current thinking on future
- as we are designing new features in HPE (not yet the process for the core eng. team)
- design doc
- security design doc
- one observation
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
- leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
- implemetation of MKS takes a very simlar approach to k8s as it does vmware
- Central Service
- cloud based mgmt of multiple morpheus installs
- PCCP = just morpheus
- big changes in PCE - getting more features
- PCBE -
- SilverCreek == GLP on prem?
- disconnnected PCAI - control plane is huge, expensive on prem
- as we are designing new features in HPE (not yet the process for the core eng. team)
- Security processes/standrds for developmet
- Adam Lipscombe 1:1 #call #morpheus #security
-
- Greg Willis
- Security processes/standards for development
- SDLC and guidelines
- OWASP top 10
- SLA based on CSSV scroring
- internal engineering process, doesn't hit AHA!
- VTN is notification mechanism
- noticed as sent to security
- Adam/Gram
- the review notifications
- if needs rememdiation
- then goes it 'shortcut' (old Jira alternative)
- noticed as sent to security
- also triggered via support tickets to Adam
- process today
- featues goes to backlog
- this means approved by committe
- development happens
- in branch
- summited for PR
- non-trusted have PR
- trusted developers peer-review on submisison to dev branch
- Dev goes through QA cycle
- functional testing
- at code freeze promoted to staging
- regression testing
- release tag on pass etc
- featues goes to backlog
- Morpheus
- Architectural Threat Analysis? (see Estes)
- Current State
- HVM not tracked in same process
- multi-tenant arch
- seperation via rbac and encrytion
- config code is encrypted on upload by customer
- agent methodology
- subscribes to queue
- comms channels and authz
- only way to get inside the system would be via the applicaiton code
- VTN instead of Git dependabot
- app pentesting - was used in the past
- but no longer used
- moving to HPE armor
- 3rd party pen testing every year
- nothing found in last 4 years
- some rapid7 testing happening now
- morpheus tested on the PCE end of things
- arch diagrams
- ref arch diagrams
- Tiered model
- SQL database
- elastic
- rabbitmq messaging
- app tier
- 2 parts
- nginx web proxy
- tomcat container for ui/app
- bouncycastle generates keys etc
- Cypher used for key store
- 2 parts
- Lots of requests from customers re more security features
- e.g. create users in external IAM
- sec config testing
- Certificaitons/regualtions
- before HPE - only a shippable software
- not a saas etc
- hardening guides
- disa
- tested up to CIS level 1 and 2
- post HPE
- having to shift into a sevice offering
- no one has connected the dots here yet on compliance
- having to shift into a sevice offering
- before HPE - only a shippable software
- SDLC and guidelines
-
- ((6814dcc7-6319-4582-8c00-642a273286ab))
