Hi all,

I am currently leading a team of offensive security engineers and we are trying to create a checklist for each component of OpenStack in the context of Security Assessment.

At the end of the day what we want to end up with is common exploitable configuration weaknesses for each component. It will be against configuration or installation mistakes that result in unintended privileges or information disclosure, etc. Patch management isn't in scope.

Not the exact output, but these links can give a good idea of the contents of the security assessment we are planning (these are for AWS):
http://flaws.cloud/
http://flaws2.cloud/ 

Has anyone had any experience regarding the topic above? If so, please feel free to connect. Regardless of the experience, if you want to contribute and are at mark zero just like we are, you are still welcome and we can help each other create this assessment checklist.

Cheers,
Asil