[Openstack-security] OSSG Work Topics

Clark, Robert Graham robert.clark at hp.com
Tue Apr 1 14:23:10 UTC 2014


Hi All,

As we didn't have a meeting last week I wanted to take a few moments to share a few things from the last meeting that people on-list will probably care about.

Adding Security Tests to OpenStack Infrastructure:
There was discussion around the possibility of introducing security checks into the CI/CD system for OpenStack. Once we can work out where the appropriate hooks are there's lots of opportunity to add security value into the process. I imagine an early version of this would introduce basic credential checking, regression checking and perhaps some specific pylint profiling. Later versions would probably look to include static analysis technologies. Hooks can be placed at later stages, i.e. Tempest, to perform automated testing of API endpoints and Horizon.

Security Guidelines:
An area we need to get agreement on is the basic security guidelines that we can publish, get buy-in from PTLs and drive as basic security principles within the community. In some cases these can be codified and tied into the security testing work that I mention above. Some actions were taken to work on this at the last meeting and I'll follow-up on that during the next few days.

Security Review:
There is at the moment some great security review work that is taking place in the community; I think on the whole the OSSG should look to embrace this further. We have many large players in OpenStack participating in the OSSG, with organisations such as Intel, IBM, HP, Nebula - each is doing their own security reviews internally and slapping a proprietary 'Do not share' sticker on the results. I'd like to find a way to change that. For starters we are all repeating each other's work and we are all missing things that others have caught. In an ideal world I'd like to see us all working together on centralized security reviews, that are conducted in the open and interact with the community. I'm sure we will all still have internal reviews to do for value-add and extensions, but at least these would be delta reviews, starting from a common base - probably crazy talk but I think it's worth discussing further.

Blueprints?
We need a way to record all the smart, interesting or crazy ideas that come up in the OSSG, be they technical or otherwise. I think perhaps either coming up with a 'future project' page on the wiki or looking at the way blueprints are currently used for other projects might make sense.

Hopefully this email is useful for starting discussion or just keeping you informed on some of what's been going on and the direction we are likely to go in.

-Rob

IRC Minutes: http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-03-20-18.01.log.html
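The "basic credential checking" gate sketched under "Adding Security Tests to OpenStack Infrastructure", as an added illustration that is not OSSG or OpenStack code: a small Python check that parses each source file with the ast module, flags string literals assigned to password/secret/token-like names (as plain assignments or keyword arguments), flags AWS-style access key ID literals wherever they appear, skips obvious placeholders, and returns a non-zero exit status so a CI job fails. The name patterns, the placeholder list and the two sample files are assumptions constructed for this example.

```python
"""Minimal hard-coded credential gate of the kind a CI job could run.

Added example, not OSSG/OpenStack code. Name patterns, placeholder
patterns and the sample files below are assumptions for illustration.
"""
import ast
import re
from typing import Dict, List, Tuple

# Variable / keyword names that suggest a secret is being assigned (assumed).
SECRET_NAME_RE = re.compile(r"(password|passwd|pwd|secret|token|api_?key)", re.I)
# Literal values that are acceptable: empty, <placeholder>, ${VAR}, changeme, xxx, ***.
PLACEHOLDER_RE = re.compile(r"^(<[^>]*>|\$\{[^}]*\}|changeme|x+|\*+)?$", re.I)
# AWS access key IDs have a fixed, recognisable shape regardless of the variable name.
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

Finding = Tuple[str, int, str]  # (path, line, description)


def _string_value(node: ast.AST):
    """Return the text of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def scan_source(filename: str, source: str) -> List[Finding]:
    """Scan one Python source text; returns a sorted list of findings."""
    findings = set()
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # A file the gate cannot parse is itself a finding, not a silent pass.
        return [(filename, exc.lineno or 0, "unparseable: %s" % exc.msg)]

    for node in ast.walk(tree):
        # Collect (name, value) pairs from  name = "..."  and  call(name="...")
        pairs = []
        if isinstance(node, ast.Assign):
            pairs = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.keyword) and node.arg:
            pairs = [(node.arg, node.value)]
        for name, value in pairs:
            literal = _string_value(value)
            if literal is None or PLACEHOLDER_RE.match(literal):
                continue  # not a literal, or an accepted placeholder
            if SECRET_NAME_RE.search(name):
                findings.add((filename, value.lineno,
                              "hard-coded secret assigned to %r" % name))
        # Token-shaped literals are reported whatever they are called.
        literal = _string_value(node)
        if literal is not None and AWS_KEY_RE.search(literal):
            findings.add((filename, node.lineno, "AWS access key ID literal"))
    return sorted(findings)


def check_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> source text; an empty result means the gate passes."""
    out = []
    for path in sorted(files):
        out.extend(scan_source(path, files[path]))
    return out


# Constructed sample input: one clean file and one that should fail the gate.
SAMPLE_FILES = {
    "project/creds_ok.py": (
        "import os\n"
        "db_password = os.environ.get('DB_PASS')\n"  # read from environment: fine
        "api_key = '<your-api-key>'\n"              # documented placeholder: fine
        "token = ''\n"                              # empty: fine
    ),
    "project/creds_bad.py": (
        "admin_password = 'Sup3rS3cret!'\n"                        # line 1
        "conn = connect(host='db', passwd='hunter2')\n"            # line 2
        "s3 = connect_s3('AKIAIOSFODNN7EXAMPLE', secret='abc')\n"  # line 3, two findings
    ),
}


def main() -> int:
    """Print findings in path:line: form and return 1 if any, as a CI job would."""
    findings = check_files(SAMPLE_FILES)
    for path, line, desc in findings:
        print("%s:%d: %s" % (path, line, desc))
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Running the script lists four findings, all in project/creds_bad.py, and exits 1; pointing check_files at a real tree (read each .py file into the mapping) gives the same pass/fail behaviour for a CI hook. Working on the syntax tree rather than grepping raw lines is what lets the check tell a literal assigned to a sensitive name apart from a lookup of the same name, which keeps the false-positive rate low enough for a gate that blocks merges.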