[Openstack-security] Cryptographic Export Controls and OpenStack

Nathan Kinder nkinder at redhat.com
Thu Apr 17 23:27:30 UTC 2014


On 04/16/2014 10:28 AM, Bryan D. Payne wrote:
> I'm not aware of a list of the specific changes, but this seems quite
> related to the work that Nathan has started playing with... discussed on
> his blog here:
> 
> https://blog-nkinder.rhcloud.com/?p=51

This is definitely related to the security audit effort that I'm
driving.  It's hard to make recommendations on configurations and
deployment architectures from a security perspective when we don't even
have a clear picture of what the current state of things is in the code
from a security standpoint.  This clear picture is what I'm trying to get
to right now (along with keeping this picture up to date so it doesn't
get stale).

Once we know things such as what crypto algorithms are used and how
sensitive data is being handled, we can see what is configurable and
make recommendations.  We'll surely find that not everything is
configurable and sensitive data isn't well protected in areas, which are
things that we can turn into blueprints and bugs and work on improving
in development.

It's still up in the air as to where this information should be
published once it's been compiled.  It might be on the wiki, or possibly
in the documentation (Security Guide seems like a likely candidate).
There was some discussion of this with the PTLs from the Project Meeting
from 2 weeks ago:


http://eavesdrop.openstack.org/meetings/project/2014/project.2014-04-08-21.03.html

I'm not so worried myself about where this should be published, as that
doesn't matter if we don't have accurate and comprehensive information
collected in the first place.  My current focus is on the collection and
maintenance of this info on a project by project basis.  Keystone and
Heat have started, which is great:

  https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
  https://wiki.openstack.org/wiki/Security/Icehouse/Heat

If any other OSSG members are developers on any of the projects, it
would be great if you could help drive this effort within your project.

Thanks,
-NGK
> 
> Cheers,
> -bryan
> 
> 
> 
> On Tue, Apr 15, 2014 at 1:38 AM, Clark, Robert Graham
> <robert.clark at hp.com> wrote:
> 
>     Does anyone have a documented run-down of changes that must be made
>     to OpenStack configurations to allow them to comply with EAR
>     requirements?
>     http://www.bis.doc.gov/index.php/policy-guidance/encryption
> 
>     It seems like something we should consider putting into the security
>     guide. I realise that most of the time it’s just “don’t use your own
>     libraries, call to others, make algorithms configurable” etc., but
>     it’s a question I’m seeing more and more. The security guide’s
>     compliance section looks like a great place to have something about EAR.
> 
>     -Rob
> 
>     _______________________________________________
>     Openstack-security mailing list
>     Openstack-security at lists.openstack.org
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security