[openstack-dev] [kolla][security] Finishing the job on threat analysis for Kolla

Rob C hyakuhei at gmail.com
Tue Jun 14 08:34:08 UTC 2016


I have returned from #drownload and I'm super keen to get on top of this; in
this email I'll just try to tie a few different threads together.

The etherpad we used at the summit, along with the Sequence Diagram texts,
is online [1]. Are we happy to continue using web sequence diagrams? I
think the resulting output is very useful [2] - even if Kolla doesn't fit
the typical project style that we anticipate using these for - they're
better suited to more traditional software projects.

There's a big effort to formalize the TA process and have OSSP help as
guardians of the code base [3] in future, with lots of effort being made to
ensure that as new projects come into the fold they meet a certain minimum
security level - we'll also attempt to help more established projects
iterate to a level of equal security assurance.

I'll leave the process description for our actual documentation but a big
part of it will be projects submitting security docs to the newly created
security-analysis repo [4]. Projects are welcome to use this for staging
and collaboration - the OSSP will largely ignore projects with the WIP flag
set.

I think the next step is for Doug and me (and anyone else who cares) to
review the current diagrams and provide a quick gap analysis for the Kolla
devs detailing what else is required for us to do a proper review.


[1] https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis

[2] https://drive.google.com/file/d/0B0osRPn3qBq5X1poTGZqVFBRQW8/view

[3] https://review.openstack.org/#/c/300698/

[4] https://review.openstack.org/#/c/325049/

On Tue, May 31, 2016 at 5:37 PM, Chivers, Doug <doug.chivers at hpe.com> wrote:

> Thanks for following up, Steve, the sessions at the summit were extremely
> useful.
>
> Both Rob and I have been caught up with the day-job since we got back from
> the summit, but will discuss next steps and agree a plan this week.
>
> Regards
>
> Doug
>
>
>
>
> From: "Steven Dake (stdake)" <stdake at cisco.com>
> Date: Tuesday, 24 May 2016 at 17:16
> To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
> Cc: Doug Chivers <doug.chivers at hpe.com>, "robclark at uk.ibm.com" <robclark at uk.ibm.com>
> Subject: [kolla][security] Finishing the job on threat analysis for Kolla
>
> Rob and Doug,
>
> At Summit we had 4 hours of highly productive work producing a list of
> "things" that can be "threatened".  We have about 4 or 5 common patterns
> where we follow the principle of least privilege.  On Friday of Summit we
> produced a list of all the things (in this case deployed containers).  I'm
> not sure who, I think it was Rob was working on a flow diagram for the
> least privileged case.  From there, the Kolla coresec team can produce the
> rest of the diagrams for increasing privileges.
>
> I'd like to get that done, then move on to next steps.  Not sure what the
> next steps are, but let's cover the flow diagrams first since we know we
> need those.
>
> Regards
> -steve