[Openstack-security] Openstack Threat modelling - Common Repository

Clark, Robert Graham robert.clark at hp.com
Mon Apr 14 09:02:36 UTC 2014


Hi Shohel,

First off, I think you guys are doing great work, it’s something I hope to be more involved with moving forward.

You mention below OSSNs and the Security Guide; I think both have a natural fit with the threat modelling you’re working on. There’s potential to have a chapter on threat modelling, but I imagine adding a section to each service’s chapter covering the threat analysis etc. would work well. Findings from the threat modelling process will probably result in deployment recommendations in the form of OSSNs, or in some cases will identify vulnerabilities, in which case OSSAs or OSSNs depending on the root cause, severity etc.

-Rob


From: Abu Shohel Ahmed <ahmed.shohel at ericsson.com>
Date: Mon, 14 Apr 2014 11:18:53 +0300
To: Bryan Payne <bdpayne at acm.org>, "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Cc: Anne Gentle <anne at openstack.org>
Subject: Re: [Openstack-security] Openstack Threat modelling - Common Repository

Hi,

The main purpose of threat modelling is systematically finding the security weaknesses / threats in the system. In the process, there will be some bug reports related to the implementation;
however, IMHO the main contribution should be around design and deployment weaknesses, which, by the way, take a longer time to fix or have trade-offs related to them (e.g., the bearer token
issue, adminness issues). Now, some of these are already documented as part of the OSSNs, and in the threat modelling we are proactively trying to find new ones on a broader scale.
The other objective is to document the systematic view and all possible threats per project in a single document / place. IMHO, it should be a good fit in the documentation project or
security guide / Annex of the security guide. And the issue about format changing (from .doc, .xls), that is something we will gradually perform - it should be a small amount of manual work -
if we agree on the dissemination platform.

The plan to use Gerrit is to add flow to the process and add peer review, obviously. From another angle, I was thinking, is it a good idea to merge the work with the Security Guide work?
In that case, we can follow the same process?

Thanks,
Shohel


On 11 Apr 2014, at 19:06, Bryan D. Payne <bdpayne at acm.org> wrote:

This doesn't strike me as being as good of a fit for the documentation project.  I say this because the output isn't a long lived document that people will reference.  The findings seem to me to be of high value initially, and then (hopefully) things get fixed and then I don't see people referencing the findings much any more.  Please correct me if I'm thinking of this in the wrong light.

Could you describe a bit more how you would make use of gerrit here?  Is this just to get some peer review on the findings before presenting them to the projects as bug reports?

-bryan




On Fri, Apr 11, 2014 at 1:13 AM, Abu Shohel Ahmed <ahmed.shohel at ericsson.com> wrote:
Hi,

In yesterday’s OSSG meeting, we were discussing the Threat Modelling process and, more specifically, the gating and publishing process.
Currently, the work is hosted in the Security Wiki page:

https://wiki.openstack.org/wiki/Security/Threat_Analysis

and  some of the contents are in
https://github.com/shohel02/OpenStack_Threat_Modelling.git

Now that more people are getting interested, there is a need to have an engagement and dissemination strategy.
We are thinking of some common GIT repo with Gerrit control, similar to what OSSN currently has. Another aspect is,
can it be part of the documentation project? We think it is well fitted in that category. What do you guys think?

Thanks,
Shohel


_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security






