[I'm keeping you in Cc since you don't appear to be subscribed to the mailing list, but please still respond to the list.]
On 2022-10-06 11:23:07 +0300 (+0300), jackdaw blues wrote:
I am currently leading a team of offensive security engineers and we are trying to create a checklist for each component of Openstack in the context of Security Assessment.
Welcome! As the current chair of the OpenStack Security SIG (Special Interest Group)[*], I'm happy to do what I can to help and encourage other community members to further enable your efforts.
At the end of the day what we want to end up with is common exploitable configuration weaknesses for each component. It will be against configuration or installation mistakes that result in unintended privileges or information disclosure, etc. Patch management isn't in scope.
Not the exact output, but these links can give a good idea of the contents of the security assessment we are planning (these are for AWS): http://flaws.cloud/ http://flaws2.cloud/
Has anyone had any experience regarding the topic above? If so please feel free to connect. Regardless of the experience, if you want to contribute and at mark zero just like we are, you are still welcome and we can help each other create this assessment checklist.
I'm not aware of any efforts along those lines yet, as far as a coordinated attempt at providing secure usage guidance to end users of OpenStack services, but it sounds like an interesting avenue for research. Most of our focus, to date, has been on solving vulnerabilities within the OpenStack services and tools, and providing guidance to people who deploy and run those services in order that they may better secure their installations. End user guidance has mostly been the realm of the organizations running the software, at least so far.
[*] https://wiki.openstack.org/wiki/Security-SIG