[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Paul McMillan paul at mcmillan.ws
Fri Oct 4 04:19:07 UTC 2013


> Are the QA folks or Release team aware they need to inspect a setting
> and check a box?

As an application security specialist, I'm sure you realize that this
is something only the local systems administrator can determine. Since
OpenStack is not shipped as a plug-and-play software product, it
requires a certain amount of configuration. Part of that configuration
will of course be reviewing settings and making correct security
decisions.

In this particular case, if you deploy multiple Horizon instances and
you choose not to use the cookie-based session store, you have to
configure a shared session storage backend before it works correctly
at all. Configuring and deploying this is not a matter of a simple
checkbox. Similarly, if you want the best security, you deploy with
HTTPS, HSTS, and CSP. Each of these requires individual configuration,
and cannot easily be encompassed in a "make me secure" checkbox. The
OpenStack security guide was written to help deployers make correct
decisions, and is a good place to start.

http://docs.openstack.org/sec/

Each deployment will be slightly different, and nothing can
substitute for a careful security review by competent professionals.

-Paul
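The configuration review described in the message above (a shared, server-side session store when several Horizon instances serve the same users, plus HTTPS-only cookies, HSTS and a CSP), as an added example that is not part of the original post or of OpenStack's or Django's own code. It is a settings fragment in the style of Horizon's local_settings.py with a small audit function. The setting names are standard Django settings (SECURE_HSTS_SECONDS needs Django's SecurityMiddleware) and django-csp's CSP_DEFAULT_SRC; the memcached addresses, the sample settings dicts and the audit rules are assumptions constructed for illustration.

```python
"""Horizon/Django settings audit (added example; not code from the original
post, from OpenStack or from Django).

Setting names are real Django / django-csp settings; the memcached
addresses, the sample settings dicts and the audit rules are constructed
for illustration.
"""

COOKIE_ENGINE = "django.contrib.sessions.backends.signed_cookies"
CACHE_ENGINES = {
    "django.contrib.sessions.backends.cache",
    "django.contrib.sessions.backends.cached_db",
}
# Per-process caches: acceptable on a single node, wrong for several Horizon
# instances that must see the same sessions.
LOCAL_CACHE_BACKENDS = {
    "django.core.cache.backends.locmem.LocMemCache",
    "django.core.cache.backends.dummy.DummyCache",
}

# Weak: the cookie backend keeps the whole session in the client's signed
# cookie, so there is nothing server-side to delete and a session cannot be
# invalidated before its cookie expires.  No HTTPS-only cookies, no HSTS.
WEAK_SETTINGS = {
    "SESSION_ENGINE": COOKIE_ENGINE,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
}

# Hardened: server-side sessions in a cache shared by every Horizon instance
# (any node can see and revoke a session), HTTPS-only cookies, HSTS and a
# CSP via django-csp.  The memcached hosts are constructed examples.
HARDENED_SETTINGS = {
    "SESSION_ENGINE": "django.contrib.sessions.backends.cache",
    "CACHES": {
        "default": {
            "BACKEND": "django.core.cache.backends.memcached.MemcachedCache",
            "LOCATION": ["10.0.0.11:11211", "10.0.0.12:11211"],
        }
    },
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "CSP_DEFAULT_SRC": ("'self'",),
}


def audit_settings(settings, instances=1):
    """Return a list of findings for a Django settings dict; [] means clean.

    `instances` is how many Horizon nodes serve the same users; when it is
    greater than one the session store has to be shared between them.
    """
    findings = []
    engine = settings.get("SESSION_ENGINE",
                          "django.contrib.sessions.backends.db")

    if engine == COOKIE_ENGINE:
        findings.append("SESSION_ENGINE: cookie-based sessions cannot be "
                        "invalidated server-side")
    elif engine in CACHE_ENGINES:
        cache = settings.get("CACHES", {}).get("default", {})
        backend = cache.get("BACKEND", "")
        if backend in LOCAL_CACHE_BACKENDS and instances > 1:
            findings.append("CACHES: per-process cache is not shared across "
                            "Horizon instances")
        if backend not in LOCAL_CACHE_BACKENDS and not cache.get("LOCATION"):
            findings.append("CACHES: session cache backend has no LOCATION")

    if not settings.get("SESSION_COOKIE_SECURE"):
        findings.append("SESSION_COOKIE_SECURE: session cookie is sent over "
                        "plain HTTP")
    if not settings.get("CSRF_COOKIE_SECURE"):
        findings.append("CSRF_COOKIE_SECURE: CSRF cookie is sent over plain HTTP")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS: HSTS is not enabled")
    if not settings.get("CSP_DEFAULT_SRC"):
        findings.append("CSP_DEFAULT_SRC: no Content-Security-Policy configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(cfg, instances=2) or ["ok"])
```

The audit is deliberately dependent on the deployment shape: a LocMemCache session store passes for a single node and fails once `instances` is greater than one, which is the point made above that the right answer depends on facts only the deployer knows.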