[Openstack-security] OpenStack Security Group representation to the VMT

Clark, Robert Graham robert.clark at hp.com
Tue Nov 19 16:54:28 UTC 2013


Deciding whether or not something is an exploitable vulnerability and
how it should be handled are difficult tasks, not least in the OpenStack
world where most people run different deployment types, have different
attack models and threats to consider.

Over the last 6 months I've occasionally been roped in to help the VMT
make decisions about how security vulnerabilities should be handled. At
the VMT session this summit, it was suggested that the OSSG involvement
with the VMT should be more formalised. I couldn't agree more with this
statement; I'd like to continue working with the VMT as I've found the
work rewarding and beneficial. HP now operates OpenStack clouds in the
Public, Hybrid and Private scopes, meaning that I and my security team
are well positioned to address the concerns of most cloud deployers.

If the OSSG were to start being involved with the VMT more regularly
it's likely that we'd need more than one person to cover VMT
engagements. I have the resource within my security team to do this but
it would likely make sense for this to be someone from another
organisation; being in a different time zone would also likely be
beneficial.

I believe that Joel Coffman from APL has volunteered to work with the
VMT too. Is there any objection within the OSSG to the proposal that we
start with myself and Joel providing support to the VMT? There will be
scope to change the team around and also for Joel or me to draw on the
expertise from others in the OSSG for individual issues.

If members of the OSSG agree this is a reasonable first step to further
involvement with the VMT, I'll start a discussion with them to work out
the best way forward.

Regards
-Rob

Robert Clark
Security Architect
HP Cloud Services
