[openstack-dev] [OSSG] OpenStack Security Group Task List

Adam Young ayoung at redhat.com
Fri Oct 26 02:24:37 UTC 2012


On 10/25/2012 04:41 PM, David Kranz wrote:
> On 10/23/2012 8:34 PM, Bryan D. Payne wrote:
>> As the OpenStack Security Group (OSSG) begins to take shape, we are
>> looking to identify what work needs to be done.  We have lots of
>> things in our heads, but I know others have similar lists in their
>> heads as well.  I'd like to start this thread to collect security
>> related issues for any OpenStack core project.  These can be things
>> with existing bug reports, or things that have just been sitting in
>> your head without actually making it into a bug report yet.
>>
>> The idea is to have a list of problems where it would be useful for
>> security people to help.  I'll start with the following to get us
>> going.
>>
>> * Fix problems with clients using SSL (see slide 19 of
>> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
>> * Start a hardening guide
>> * Work with swift team on Swift Message Authentication
>> * Work with nova team on Nova RPC signing
>> * Work with keystone team on new PKI tokens and related code
>> * Work with oslo team on rootwrap code
>> * Add a 'SecurityImpact' tag to mark pull requests as needing a review
>> by someone in OSSG
>>
>> Please help us out by replying with your additions.
>>
>> Cheers,
>> -bryan
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> Is the first bullet related to this 
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf?

Still reading that, but it sounds like the #1 thing we need to make sure 
all of the client code is doing is hostname validation.

>
> The Most Dangerous Code in the World:
> Validating SSL Certificates in Non-Browser Software
>
>  -David
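
The hostname validation Adam names above, as an added example that is not part of this thread or of any OpenStack client code. It uses the Python 3 ssl module (which postdates the Python 2 clients the 2012 thread is about) and a constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns; the helper names are hypothetical. The point it shows: checking the chain is not enough, the name the client asked for has to be matched against the certificate's dNSName SANs (wildcard only as the whole leftmost label), and the subject CN is consulted only when the certificate has no dNSName SAN at all, so a valid cert for evil.example.net never passes for api.example.com.

```python
import socket
import ssl

# Constructed sample (not a real certificate): the dict shape that
# ssl.SSLSocket.getpeercert() returns for a cert with a SAN and a CN.
# Note the CN does not match the API host; only the SAN does.
SAMPLE_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (
        ("DNS", "api.example.com"),
        ("DNS", "*.region.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact, case-insensitive, or a single '*'
    standing for the whole leftmost label of a pattern with >= 3 labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must not appear elsewhere,
    # and must leave at least two fixed labels (so "*.com" never matches).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # One wildcard covers exactly one label: no "a.b.region.example.com".
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True iff hostname is covered by the cert's dNSName SANs, or, only when
    the cert carries no dNSName SAN, by its subject commonName."""
    if not cert:
        # getpeercert() returns {} when the chain was not verified
        # (CERT_NONE): there is nothing to match, so never accept.
        return False
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def verifying_context(cafile=None):
    """Client context that rejects unverifiable chains and mismatched names."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def insecure_context():
    """The weak setting the paper warns about: any cert for any name is
    accepted. Shown only for contrast; do not use in a client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_and_check(host, port=443, cafile=None):
    """Open a verified TLS connection and re-check the name explicitly.
    Network access required; not exercised by the offline assertions."""
    ctx = verifying_context(cafile)
    raw = socket.create_connection((host, port))
    # server_hostname drives both SNI and the library's own name check.
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return hostname_matches_cert(tls.getpeercert(), host)
```

With check_hostname set, wrap_socket already raises on a name mismatch, so the explicit hostname_matches_cert() call in connect_and_check() is belt-and-braces; the standalone matcher is what a client needs when a library hands it a chain-verified certificate without having checked the name itself, which is the situation the paper describes.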