[openstack-dev] Security audit of OpenStack projects

Russell Bryant rbryant at redhat.com
Thu Apr 10 16:48:04 UTC 2014


On 04/10/2014 11:39 AM, Steven Hardy wrote:
> On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote:
>> Hi,
>>
>> We don't currently collect high-level security related information about
>> the projects for OpenStack releases.  Things like the crypto algorithms
>> that are used or how we handle sensitive data aren't documented anywhere
>> that I could see.  I did some thinking on how we can improve this.  I
>> wrote up my thoughts in a blog post, which I'll link to instead of
>> repeating everything here:
>>
>>   http://blog-nkinder.rhcloud.com/?p=51
>>
>> tl;dr - I'd like to have the development teams for each project keep a
>> wiki page updated that collects some basic security information.  Here's
>> an example I put together for Keystone for Icehouse:
>>
>>   https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
>>
>> There would need to be an initial effort to gather this information for
>> each project, but it shouldn't be a large effort to keep it updated once
>> we have that first pass completed.  We would then be able to have a
>> comprehensive overview of this security information for each OpenStack
>> release, which is really useful for those evaluating and deploying
>> OpenStack.
>>
>> I see some really nice benefits in collecting this information for
>> developers as well.  We will be able to identify areas of weakness,
>> inconsistency, and duplication across the projects.  We would be able to
>> use this information to drive security related improvements in future
>> OpenStack releases.  It likely would even make sense to have something
>> like a cross-project security hackfest once we have taken a pass through
>> all of the integrated projects so we can have some coordination around
>> security related functionality.
>>
>> For this to effort to succeed, it needs buy-in from each individual
>> project.  I'd like to gauge the interest on this.  What do others think?
>>  Any and all feedback is welcome!
> 
> I think this is a good idea, and hopefully can provide valuable insight
> into common pain-points or areas for improvement.

Huge +1.  I think tracking this information is very valuable.

> I've made a start on a page for Heat, feedback welcome!
> 
> https://wiki.openstack.org/wiki/Security/Icehouse/Heat

I wonder if it would be easier to keep up if we restructure this a bit.
 In particular, I'm wondering if having a project-specific page that
isn't version specific would be easier.  It could just contain version
pointers where appropriate.

In the case of Nova, we already have a number of sub-pages under
wiki/Nova, so I think a wiki/Nova/Security page would make sense.

-- 
Russell Bryant



More information about the OpenStack-dev mailing list