[openstack-dev] [OSSG] OpenStack Security Group Task List

Bryan D. Payne bdpayne at acm.org
Fri Oct 26 18:24:26 UTC 2012


>> Do we have an idea about the threat surface/ or do we have a threat model
>> yet? I understand it is a complex task, but would like to understand the
>> team's feel for it.
>
> Threat models always struck me as low in value.  Trust relationships are far
> more useful.

I find both useful.  Either way, some of the challenge here is that
different people are using OpenStack differently.  So they will have
different concerns from a threat model / trust relationship
perspective.  Nevertheless, this is a useful activity for us to engage
in at some point.  I would like to see perhaps a few different models
that represent the spectrum of most likely OpenStack deployments.
This could provide a useful guide as we think about how to best
approach the security improvements.

In the near term, there are a large number of low-hanging fruit from a
security fix perspective.  I think it is safe to say that we should
address these items regardless of the threat model.  Hopefully this
email thread will continue to identify these key areas.

Cheers,
-bryan


