[openstack-dev] [OSSG] OpenStack Security Group Task List

Sriram Subramanian sriram at sriramhere.com
Thu Oct 25 23:31:29 UTC 2012


Do we have an idea about the threat surface, or do we have a threat model
yet? I understand it is a complex task, but would like to understand the
team's feel for it.

thanks,
-Sriram
On Thu, Oct 25, 2012 at 1:41 PM, David Kranz <david.kranz at qrclab.com> wrote:

> On 10/23/2012 8:34 PM, Bryan D. Payne wrote:
>
>> As the OpenStack Security Group (OSSG) begins to take shape, we are
>> looking to identify what work needs to be done.  We have lots of
>> things in our heads, but I know others have similar lists in their
>> heads as well.  I'd like to start this thread to collect security
>> related issues for any OpenStack core project.  These can be things
>> with existing bug reports, or things that have just been sitting in
>> your head without actually making it into a bug report yet.
>>
>> The idea is to have a list of problems where it would be useful for
>> security people to help.  I'll start with the following to get us
>> going.
>>
>> * Fix problems with clients using SSL (see slide 19 of
>> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
>> * Start a hardening guide
>> * Work with swift team on Swift Message Authentication
>> * Work with nova team on Nova RPC signing
>> * Work with keystone team on new PKI tokens and related code
>> * Work with oslo team on rootwrap code
>> * Add a 'SecurityImpact' tag to mark pull requests as needing a review
>> by someone in OSSG
>>
>> Please help us out by replying with your additions.
>>
>> Cheers,
>> -bryan
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> Is the first bullet related to this http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf ?
>
> The Most Dangerous Code in the World:
> Validating SSL Certificates in Non-Browser Software
>
>  -David
>
>
>
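The first bullet and the paper David cites concern the same failure mode: a client that speaks TLS but never validates the server's certificate chain or its host name, so it accepts a certificate presented by anyone. As an added example that is not part of this thread or of any OpenStack client code, here is a Python 3 standard-library client context that does both checks, beside the unverified configuration, with an audit helper that reports which check a given context is missing; `hardened_client_context`, `unverified_client_context`, `audit_context` and `open_verified_connection` are names assumed for this illustration.

```python
import socket
import ssl


def hardened_client_context(cafile=None):
    """Client context that validates the chain against a CA bundle (the
    platform store when cafile is None) and checks the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The configuration the CCS'12 paper warns about: encryption only,
    no authentication of the peer. check_hostname must be cleared before
    verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context would accept a forged server
    certificate; an empty list means chain and host name are both checked."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any name is accepted")
    return findings


def open_verified_connection(host, port, cafile=None, timeout=10):
    """Open a TLS socket to host:port, refusing any peer whose certificate
    does not chain to the CA bundle or does not match host. server_hostname
    is what binds the host name check to the name the caller intended."""
    ctx = hardened_client_context(cafile)
    assert audit_context(ctx) == []
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

A context whose audit returns findings should be treated as a bug in the client, not as a deployment option.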