As this topic came up again, I wanted to discuss it without stealing from the IRC channel discussion.
Basically - should CloudStack have a "security team" as a formal group? I see real and marketing value for such a thing, but I don't want to create structure/overhead that isn't needed. So really I guess my question to the community is "Do you feel the need for such a team?"

One news point that hasn't been announced, yet: In the last week or two I've managed to get HP to donate a license for Fortify on Demand to the CloudStack community. I've run into some small technical bumps in preparing the code to be scanned but hoping to have a preliminary scan done in the next week or so. My goal is to get a scan done and catch any low-hanging fruit before the 4.0 release, but I'm not quite ready to commit to that yet. We'll see... :)

I'll lay out what I consider the scope of such a team to be:

* Provide application security expertise - As ACS produces a software product, most of the work would be here, so I'll break this one out:
  * Code review - A security team would participate in performing manual or tool-assisted security reviews before major releases or after significant changes were made to the code base.
  * Secure coding assistance - Either in general practice or when issues found during a review need to be remediated, the security team would provide guidance to the development community on best practices in writing secure code.
  * Architecture and design review - When new functionality is being added, the security team could provide guidance (input sanitization, encryption algorithms, API key management come to mind).
* Incident response - In the event of an issue being found in ACS software or the website/etc., this team could help respond and interact with other Apache groups to respond to issues.
* Define security best practices - Along with having common network and infrastructure architectures, ACS should also recommend best practices for setting up management servers, hosts, and the like. This sounds like a small category, but I suspect there could be a lot of use cases to cover here.

Others I'm probably missing, but you get the gist.

Presuming this may go forward, I'd love to hear from others who have a security background (or decent exposure and want to grow) and would be interested in being part of such a team.

John
