[openstack-dev] Security audit of OpenStack projects

Nathan Kinder nkinder at redhat.com
Mon Apr 7 16:06:23 UTC 2014


Hi,

We don't currently collect high-level security related information about
the projects for OpenStack releases.  Things like the crypto algorithms
that are used or how we handle sensitive data aren't documented anywhere
that I could see.  I did some thinking on how we can improve this.  I
wrote up my thoughts in a blog post, which I'll link to instead of
repeating everything here:

  http://blog-nkinder.rhcloud.com/?p=51

tl;dr - I'd like to have the development teams for each project keep a
wiki page updated that collects some basic security information.  Here's
an example I put together for Keystone for Icehouse:

  https://wiki.openstack.org/wiki/Security/Icehouse/Keystone

There would need to be an initial effort to gather this information for
each project, but it shouldn't be a large effort to keep it updated once
we have that first pass completed.  We would then be able to have a
comprehensive overview of this security information for each OpenStack
release, which is really useful for those evaluating and deploying
OpenStack.

I see some really nice benefits in collecting this information for
developers as well.  We will be able to identify areas of weakness,
inconsistency, and duplication across the projects.  We would be able to
use this information to drive security related improvements in future
OpenStack releases.  It likely would even make sense to have something
like a cross-project security hackfest once we have taken a pass through
all of the integrated projects so we can have some coordination around
security related functionality.

For this effort to succeed, it needs buy-in from each individual
project.  I'd like to gauge the interest on this.  What do others think?
Any and all feedback is welcome!

Thanks,
-NGK
