Open Stack

Yep, certainly interested in a broader OpenStack view of security; sign me
up. :)


On 11/27/13 9:06 PM, "Adrian Otto" <adrian.otto at rackspace.com> wrote:

>
>On Nov 27, 2013, at 11:39 AM, Nathan Kinder <nkinder at redhat.com>
> wrote:
>
>> On 11/27/2013 08:58 AM, Paul Montgomery wrote:
>>> I created some relatively high level security best practices that I
>>> thought would apply to Solum.  I don't think it is ever too early to
>>>get
>>> mindshare around security so that developers keep that in mind
>>>throughout
>>> the project.  When a design decision point could easily go two ways,
>>> perhaps these guidelines can sway direction towards a more secure path.
>>> 
>>> This is a living document, please contribute and let's discuss topics.
>>> I've worn a security hat in various jobs so I'm always interested. :)
>>> Also, I realize that many of these features may not directly be
>>> encapsulated by Solum but rather components such as KeyStone or
>>>Horizon.
>>> 
>>> https://wiki.openstack.org/wiki/Solum/Security
>> 
>> This is a great start.
>> 
>> I think we really need to work towards a set of overarching security
>> guidelines and best practices that can be applied to all of the
>> projects.  I know that each project may have unique security needs, but
>> it would be really great to have a central set of agreed upon
>> cross-project guidelines that a developer can follow.
>> 
>> This is a goal that we have in the OpenStack Security Group.  I am happy
>> to work on coordinating this.  For defining these guidelines, I think a
>> "working group" approach might be best, where we have an interested
>> representative from each project be involved.  Does this approach make
>> sense to others?
>
>Nathan, that sounds great. I'd like Paul Montgomery to be involved for
>Solum, and possibly others from Solum if we have volunteers with this
>skill set to join him.
>
>> 
>> Thanks,
>> -NGK
>> 
>>> 
>>> I would like to build on this list and create blueprints or tasks
>>>based on
>>> topics that the community agrees upon.  We will also need to start
>>> thinking about timing of these features.
>>> 
>>> Is there an OpenStack standard for code comments that highlight
>>>potential
>>> security issues to investigate at a later point?  If not, what would
>>>the
>>> community think of making a standard for Solum?  I would like to
>>>identify
>>> these areas early while the developer is still engaged/thinking about
>>>the
>>> code.  It is always harder to go back later and find everything in my
>>> experience.  Perhaps something like:
>>> 
>>> # (SECURITY) This exception may contain database field data which could
>>> expose passwords to end users unless filtered.
>>> 
>>> Or
>>> 
>>> # (SECURITY) The admin password is read in plain text from a
>>>configuration
>>> file.  We should fix this later.
>>> 
>>> Regards,
>>> Paulmo
>>> 
>>> 
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> 
>> 
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev