Open Stack

Bryan, thanks much for the comments.

 

I was also bringing this up now because the new Nova template is still being
modified and under review; so it could be a good timing for proposing
something there and probably to be ready for Juno.

But if there is a related approach work in progress, probably then there is
the need to grow the template in the future.

 

If you may point me to any related effort, I would be happy to offer some
help here.

 

Regards.

Cristian.

 

From: bdpayne at gmail.com [mailto:bdpayne at gmail.com] On Behalf Of Bryan D.
Payne
Sent: Thursday, March 27, 2014 11:55 AM
To: Fiorentino, Cristian
Cc: openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] Security Analysis for new Blueprints

 

Thanks for bringing this up.  I completely agree that it would be nice to
have a security impact section for the new blueprints.  Ideally we could
wire that in to notify this mailing list that a security review is needed.

 

It may also be worth noting that OSSG has also been looking at some security
design guidelines.  If there's room to grow the template in the future, this
could be a nice way to encourage people to think about key security aspects
in their design (e.g., perhaps be going through a basic checklist of
security considerations).  This is still a work in progress, so it's not
quite ready for prime time.  But I just wanted to make sure that you were
aware that we having been thinking about such things :-)

 

Cheers,

-bryan

 

 

 

On Thu, Mar 27, 2014 at 6:26 AM, Fiorentino, Cristian
<cristian.fiorentino at intel.com> wrote:

Dear All,

 

Probably you are already aware that Nova is moving towards reviewing
Blueprints using Gerrit, and proposing a new template with several sections
as you can find here:

https://github.com/openstack/nova-specs/blob/master/specs/template.rst

 

On the other side, currently there is the effort being held by OSSG for
performing a threat model analysis for OpenStack, which is great in my
opinion and would lead to a baseline threat model analysis. 

But new features/Blueprints are being integrated all the time, and with them
new potential Security risks at design time. 

(Please let me know if I am wrong, but I am not aware of required Security
analysis for new Blueprints besides what the reviewers may identify during
the approval process.)

 

That said, I was wondering if it would be worth to push the inclusion of a
"Security impact" section as part of the Blueprints definitions; and
probably to start with the new Nova template approach.

I am not talking about requesting a detailed threat model analysis at the
Blueprint definition stage, but to document at least high level Security
implications that the Blueprint owner could identify for leveraging Security
analysis/reviews in earlier stages of features/components definitions.

 

Any thoughts appreciated.

 

Thanks and Regards.

Cristian.


_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20140327/4b67f976/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6708 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20140327/4b67f976/attachment.bin>