[Openstack-security] Security Analysis for new Blueprints

David Chadwick d.w.chadwick at kent.ac.uk
Thu Mar 27 17:32:54 UTC 2014


All Internet RFCs have to have a Security Considerations section, even
if they say nothing. If we could get something similar added to
blueprints and code changes by all the different OpenStack projects,
this would be a good first step. Even if initially their content was
only added on a best efforts basis by the author, and there was not any
requirement for them to be checked by the OSSG, nevertheless it would
establish a security-conscious mode of working by authors, and would
make it easier to introduce checking and sign off by the OSSG at a later
stage.

This could be a topic for discussion in Atlanta.

regards

David

On 27/03/2014 15:21, Bryan D. Payne wrote:
> I would love to get to the point where we could do the following:
> 
> 1) flag a blueprint or code change as having a security impact
> 2) have gerrit gate on accepting that artifact until a designated
> security person performs the review and provides a +1
> 
> (1) is pretty straightforward to set up.  (2) is harder.  Not so much
> because of gerrit (although I don't know how possible that would be with
> gerrit), but because we would really need a set of core security
> reviewers for each project taking this approach.  I think this is
> achievable, but the timeline is less clear to me.  Part of it will
> depend on the project's willingness to go down this path, of course.  If
> Nova wants to explore this, I'd be happy to have that discussion.  If
> not, doing (1) still does provide some value as it allows people to at
> least stay aware of the security relevant changes in the system (of
> course with the restriction that these are largely self-reported).
> 
> -bryan
> 
> 
> 
> On Thu, Mar 27, 2014 at 8:09 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
> 
>     Hi Cristian
> 
>     I think it is a very good idea to have a security impact section as part
>     of all Blueprints, but I am not sure how this procedure would work in
>     practice, since anyone can write a Blueprint, and there is no vetting of
>     them before they are published. I think some revised procedures would
>     need to be agreed as a minimum before this could become a reality.
> 
>     regards
> 
>     David
> 
>     On 27/03/2014 13:26, Fiorentino, Cristian wrote:
>     > Dear All,
>     >
>     >
>     >
>     > Probably you are already aware that Nova is moving towards reviewing
>     > Blueprints using Gerrit, and proposing a new template with several
>     > sections as you can find here:
>     >
>     > https://github.com/openstack/nova-specs/blob/master/specs/template.rst
>     >
>     >
>     >
>     > On the other side, currently there is the effort being held by OSSG for
>     > performing a threat model analysis for OpenStack, which is great in my
>     > opinion and would lead to a baseline threat model analysis.
>     >
>     > But new features/Blueprints are being integrated all the time, and with
>     > them new potential Security risks at design time.
>     >
>     > (Please let me know if I am wrong, but I am not aware of required
>     > Security analysis for new Blueprints besides what the reviewers may
>     > identify during the approval process.)
>     >
>     >
>     >
>     > That said, I was wondering if it would be worth pushing the inclusion of
>     > a “Security impact” section as part of the Blueprints definitions; and
>     > probably to start with the new Nova template approach.
>     >
>     > I am not talking about requesting a detailed threat model analysis at
>     > the Blueprint definition stage, but to document at least high level
>     > Security implications that the Blueprint owner could identify for
>     > leveraging Security analysis/reviews in earlier stages of
>     > features/components definitions.
>     >
>     >
>     >
>     > Any thoughts appreciated.
>     >
>     >
>     >
>     > Thanks and Regards.
>     >
>     > Cristian.
>     >
>     >
>     >
>     > _______________________________________________
>     > Openstack-security mailing list
>     > Openstack-security at lists.openstack.org
>     <mailto:Openstack-security at lists.openstack.org>
>     > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>     >
> 