[openstack-dev] Security audit of OpenStack projects

Steven Hardy shardy at redhat.com
Thu Apr 10 15:39:14 UTC 2014


On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote:
> Hi,
> 
> We don't currently collect high-level security related information about
> the projects for OpenStack releases.  Things like the crypto algorithms
> that are used or how we handle sensitive data aren't documented anywhere
> that I could see.  I did some thinking on how we can improve this.  I
> wrote up my thoughts in a blog post, which I'll link to instead of
> repeating everything here:
> 
>   http://blog-nkinder.rhcloud.com/?p=51
> 
> tl;dr - I'd like to have the development teams for each project keep a
> wiki page updated that collects some basic security information.  Here's
> an example I put together for Keystone for Icehouse:
> 
>   https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
> 
> There would need to be an initial effort to gather this information for
> each project, but it shouldn't be a large effort to keep it updated once
> we have that first pass completed.  We would then be able to have a
> comprehensive overview of this security information for each OpenStack
> release, which is really useful for those evaluating and deploying
> OpenStack.
> 
> I see some really nice benefits in collecting this information for
> developers as well.  We will be able to identify areas of weakness,
> inconsistency, and duplication across the projects.  We would be able to
> use this information to drive security related improvements in future
> OpenStack releases.  It likely would even make sense to have something
> like a cross-project security hackfest once we have taken a pass through
> all of the integrated projects so we can have some coordination around
> security related functionality.
> 
> For this effort to succeed, it needs buy-in from each individual
> project.  I'd like to gauge the interest on this.  What do others think?
> Any and all feedback is welcome!

I think this is a good idea, and hopefully can provide valuable insight
into common pain-points or areas for improvement.

I've made a start on a page for Heat, feedback welcome!

https://wiki.openstack.org/wiki/Security/Icehouse/Heat

Steve
