[security-sig] Openstack Security Assessments

Jeremy Stanley fungi at yuggoth.org
Thu Oct 6 14:55:20 UTC 2022


[I'm keeping you in Cc since you don't appear to be subscribed to
the mailing list, but please still respond to the list.]

On 2022-10-06 11:23:07 +0300 (+0300), jackdaw blues wrote:
> I am currently leading a team of offensive security engineers and
> we are trying to create a checklist for each component of
> Openstack in the context of Security Assessment.

Welcome! As the current chair of the OpenStack Security SIG (Special
Interest Group)[*], I'm happy to do what I can to help and encourage
other community members to further enable your efforts.

> At the end of the day what we want to end up with is common
> exploitable configuration weaknesses for each component. It will
> be against configuration or installation mistakes that result in
> unintended privileges or information disclosure, etc. Patch
> management isn't in scope.
> 
> Not the exact output, but these links can give a good idea of the
> contents of the security assessment we are planning (these are for
> AWS):
> http://flaws.cloud/
> http://flaws2.cloud/
> 
> Has anyone had any experience regarding the topic above? If so
> please feel free to connect. Regardless of the experience, if you
> want to contribute and at mark zero just like we are, you are
> still welcome and we can help each other create this assessment
> checklist.

I'm not aware of any efforts along those lines yet, as far as a
coordinated attempt at providing secure usage guidance to end users
of OpenStack services, but it sounds like an interesting avenue for
research. Most of our focus, to date, has been on solving
vulnerabilities within the OpenStack services and tools, and
providing guidance to people who deploy and run those services in
order that they may better secure their installations. End user
guidance has mostly been the realm of the organizations running the
software, at least so far.

[*] https://wiki.openstack.org/wiki/Security-SIG
-- 
Jeremy Stanley