[Openstack-security] Openstack Threat modelling - Common Repository

Abu Shohel Ahmed ahmed.shohel at ericsson.com
Mon Apr 14 08:18:53 UTC 2014


Hi,

The main purpose of threat modelling is systematically finding the security weaknesses / threats in the system. In the process, there will be some bug reports related to the implementation;
however, IMHO the main contribution should be around design and deployment weaknesses, which by the way take longer to fix or have trade-offs related to them (e.g., the bearer token
issue, adminness issues). Now, some of these are already documented as part of the OSSN, and in the threat modelling we are proactively trying to find new ones on a broader scale.
The other objective is to document the systematic view and all possible threats per project in a single document / place. IMHO, it should be a good fit in the documentation project or
security guide / annex of the security guide. And the issue about format changing (from .doc, .xls), that is something we will gradually perform - it should be a small amount of manual work -
if we agree on the dissemination platform.

The plan to use Gerrit is to add flow to the process and, obviously, to add peer review. From another angle, I was thinking: is it a good idea to merge the work with the Security Guide work?
In that case, can we follow the same process?

Thanks,
Shohel


On 11 Apr 2014, at 19:06, Bryan D. Payne <bdpayne at acm.org> wrote:

> This doesn't strike me as being as good of a fit for the documentation project. I say this because the output isn't a long-lived document that people will reference. The findings seem to me to be of high value initially, and then (hopefully) things get fixed, and then I don't see people referencing the findings much any more. Please correct me if I'm thinking of this in the wrong light.
> 
> Could you describe a bit more about how you would make use of Gerrit here? Is this just to get some peer review on the findings before presenting them to the projects as bug reports?
> 
> -bryan
> 
> 
> 
> 
> On Fri, Apr 11, 2014 at 1:13 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
> Hi,
> 
> In yesterday's OSSG meeting, we were discussing the Threat Modelling process and, more specifically, the gating and publishing process.
> Currently, the work is hosted in the Security Wiki page:
> 
> https://wiki.openstack.org/wiki/Security/Threat_Analysis
> 
> and  some of the contents are in  
> https://github.com/shohel02/OpenStack_Threat_Modelling.git
> 
> Now that more people are getting interested, there is a need to have an engagement and dissemination strategy.
> We are thinking of some common Git repo with Gerrit control, similar to what OSSN currently has. Another aspect is,
> can it be part of the documentation project? We think it is well suited to that category. What do you guys think?
> 
> Thanks,
> Shohel
>  
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> 
> 
