[openstack-dev] [Solum] [Security]

Dolph Mathews dolph.mathews at gmail.com
Mon Dec 2 17:15:07 UTC 2013


On Wed, Nov 27, 2013 at 10:58 AM, Paul Montgomery <
paul.montgomery at rackspace.com> wrote:

> I created some relatively high level security best practices that I
> thought would apply to Solum.  I don't think it is ever too early to get
> mindshare around security so that developers keep that in mind throughout
> the project.  When a design decision point could easily go two ways,
> perhaps these guidelines can sway direction towards a more secure path.
>
> This is a living document, please contribute and let's discuss topics.
> I've worn a security hat in various jobs so I'm always interested. :)
> Also, I realize that many of these features may not directly be
> encapsulated by Solum but rather components such as KeyStone or Horizon.
>
> https://wiki.openstack.org/wiki/Solum/Security
>
> I would like to build on this list and create blueprints or tasks based on
> topics that the community agrees upon.  We will also need to start
> thinking about timing of these features.
>
> Is there an OpenStack standard for code comments that highlight potential
> security issues to investigate at a later point?  If not, what would the
> community think of making a standard for Solum?  I would like to identify
> these areas early while the developer is still engaged/thinking about the
> code.  It is always harder to go back later and find everything in my
> experience.  Perhaps something like:
>
> # (SECURITY) This exception may contain database field data which could
> expose passwords to end users unless filtered.
>
> Or
>
> # (SECURITY) The admin password is read in plain text from a configuration
> file.  We should fix this later.
>

For known weaknesses such as this one, I'd suggest a FIXME with a bug
number referencing a Public Security bug. The bug can be filed ahead of the
patchset merging, and link to the review proposing the FIXME.


>
> Regards,
> Paulmo
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 

-Dolph
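A small checker for the convention discussed above, as an added example that is not Solum's code or anything posted in this thread. It scans Python source for "# (SECURITY)" and "# FIXME" comments (Paul's and Dolph's markers respectively), folds directly following comment lines into the same note, and reports the notes that cite no bug, which is what Dolph's suggestion amounts to in review terms. The accepted bug-reference formats ("bug #N" or a Launchpad "/+bug/N" URL), the set of markers, and the sample source with its placeholder bug number are assumptions made for the example.

```python
"""Find security-tagged comments and flag the ones with no bug reference.

Added example, not Solum code.  Conventions below (markers, bug reference
format) are assumptions for illustration.
"""
import io
import re
import tokenize

# Comment markers treated as security annotations.  "(SECURITY)" is Paul's
# proposed tag, "FIXME" is Dolph's; which tags count is an assumption here.
MARKER_RE = re.compile(r"^#\s*(?:\(SECURITY\)|FIXME\b)", re.IGNORECASE)

# Accepted bug references: "bug #123" anywhere in the note, or a Launchpad
# style "/+bug/123" URL.  This format is an assumption, not a Solum rule.
BUG_RE = re.compile(r"bug\s*#\s*(\d+)|/\+bug/(\d+)", re.IGNORECASE)


def find_security_notes(source):
    """Return [(lineno, note_text)] for each security-tagged comment block.

    tokenize is used instead of a per-line regex so a '#' inside a string
    literal is not mistaken for a comment.  A block is the marker comment
    plus any directly following comment lines at the same column.
    """
    notes = []
    current = None  # (first lineno, column, [comment text lines])
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        lineno, col = tok.start
        text = tok.string.lstrip("#").strip()
        if MARKER_RE.match(tok.string):
            if current:
                notes.append((current[0], " ".join(current[2])))
            current = (lineno, col, [text])
        elif current and lineno == current[0] + len(current[2]) and col == current[1]:
            current[2].append(text)  # continuation line of the same note
        else:
            if current:
                notes.append((current[0], " ".join(current[2])))
            current = None
    if current:
        notes.append((current[0], " ".join(current[2])))
    return notes


def bug_reference(note):
    """Return the bug number cited in a note, or None if there is none."""
    m = BUG_RE.search(note)
    if not m:
        return None
    return int(m.group(1) or m.group(2))


def untracked_security_notes(source):
    """Return [(lineno, note)] for security notes that cite no bug.

    These are the ones a reviewer would push back on: a known weakness
    recorded only as a comment, with nothing tracking its fix.
    """
    return [(ln, note) for ln, note in find_security_notes(source)
            if bug_reference(note) is None]


# Constructed sample source for the example.  The bug number is a placeholder.
SAMPLE_SOURCE = '''\
import logging

ADMIN_PASSWORD = None


def load_config(cfg):
    global ADMIN_PASSWORD
    # FIXME(bug #1000000): The admin password is read in plain text from a
    # configuration file.  (placeholder bug number for this example)
    ADMIN_PASSWORD = cfg["admin_password"]


def save(record, db):
    try:
        db.insert(record)
    except Exception as exc:
        # (SECURITY) This exception may contain database field data which
        # could expose passwords to end users unless filtered.
        raise RuntimeError(str(exc))


def banner():
    # plain comment, not a security note
    return "# (SECURITY) this is inside a string, not a comment"
'''


if __name__ == "__main__":
    for lineno, note in find_security_notes(SAMPLE_SOURCE):
        bug = bug_reference(note)
        status = "bug #%d" % bug if bug else "NO BUG REFERENCE"
        print("line %d: %s -- %s" % (lineno, status, note))
```

Run against a real tree by reading each .py file into find_security_notes and failing the build when untracked_security_notes is non-empty; the string-literal case in the sample shows why tokenize, not grep, is the right tool.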