[Openstack-security] Security Analysis for new Blueprints
David Chadwick
d.w.chadwick at kent.ac.uk
Thu Mar 27 15:09:38 UTC 2014
Hi Cristian
I think it is a very good idea to have a security impact section as part
of all Blueprints, but I am not sure how this procedure would work in
practice, since anyone can write a Blueprint, and there is no vetting of
them before they are published. I think some revised procedures would
need to be agreed as a minimum before this could become a reality.
Regards,
David
On 27/03/2014 13:26, Fiorentino, Cristian wrote:
> Dear All,
>
> Probably you are already aware that Nova is moving towards reviewing
> Blueprints using Gerrit, and proposing a new template with several
> sections as you can find here:
>
> https://github.com/openstack/nova-specs/blob/master/specs/template.rst
>
> On the other side, currently there is the effort being held by OSSG for
> performing a threat model analysis for OpenStack, which is great in my
> opinion and would lead to a baseline threat model analysis.
>
> But new features/Blueprints are being integrated all the time, and with
> them new potential Security risks at design time.
>
> (Please let me know if I am wrong, but I am not aware of required
> Security analysis for new Blueprints besides what the reviewers may
> identify during the approval process.)
>
> That said, I was wondering if it would be worth pushing for the inclusion of
> a “Security impact” section as part of the Blueprint definitions, and
> probably starting with the new Nova template approach.
>
> I am not talking about requesting a detailed threat model analysis at
> the Blueprint definition stage, but about documenting at least the high-level
> Security implications that the Blueprint owner could identify, in order to
> leverage Security analysis/reviews in earlier stages of
> feature/component definition.
>
> Any thoughts appreciated.
>
> Thanks and Regards.
>
> Cristian.