[Openstack-security] FW: OpenStack Threat Analysis activity - OSSG

Clark, Robert Graham robert.clark at hp.com
Thu Feb 20 18:26:35 UTC 2014


Including the whole security group as there was significant interest
during the OSSG weekly meeting.


From: Sriram Subramanian [mailto:sriram at sriramhere.com] 
Sent: 20 February 2014 16:35
To: Abu Shohel Ahmed
Cc: Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi
Subject: Re: OpenStack Threat Analysis activity - OSSG


Shohel,


Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are
we meeting tomorrow?


thanks,

-Sriram


On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed
<ahmed.shohel at ericsson.com> wrote:

Hi,

From our last week's, it becomes clear that we need to set up a
way-of-working process to take this activity forward.

So here are some ideas (please also share yours):

1. WoW:

   In the short time frame:

   - First, we should define the purpose and the concrete output of
     this work (which, I think, most of us here have some ideas about;
     if we still have questions, we can clear them up before moving
     forward).

   - Second, how can we contribute threat analysis in an effective
     manner? Here come the collaboration issues within this group. For
     this, I have created a freenode IRC channel,
     ##openstack-threat-analysis (an unofficial channel, as you can see
     from the name). Let's start biweekly (15 days) meetings from this
     week. Let's vote on which meeting time suits all of us. I propose
     Friday at 17.00 UTC. However, I am happy to schedule the meeting
     based on most people's preference.

   In the longer time frame, we should think about setting up a Threat
   Analysis working group (could be under OSSG) to perform threat
   modelling of all OpenStack components:

   - Define a clear output from this working group, e.g., threat
     documentation, design guidance.
   - Engage developers and security-minded people in the work.


2. Now on the technical side:

   First and foremost, we should agree on a threat modelling process
   that can be applied to all OpenStack services and internal
   components. We have some ideas that can be applied to this work.
   Here is the link to our proposal:

   https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing

   and here are two concrete implementations of applying the threat
   modelling process:

   Keystone overall:
   https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing
   Keystone Token-provider:
   https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing

   (These are work-in-progress documents, so by no means provide a
   complete picture.)

   Let's discuss what you guys think about the modelling steps and
   their applicability to OpenStack (e.g., Keystone).



Thanks,
Shohel


-- 

Thanks,

-Sriram
