I think that we should separate these two concerns. Vulnerability management should be in strict confidence until the appropriate fixes are known and hotfixes are ready. The other "security champion" work should be vocal and publicly visible. I think that it only confuses things to overlap these two activities, and I would separate them entirely. (That's not to say that the same people couldn't be on both groups, of course.)
Thanks for doing this though, Jarret. This is massively important work, and I'm very glad that someone is pushing this forward so strongly.

Cheers,
Ewan.

On 8/17/11 3:16 AM, "Jarret Raim" <[email protected]> wrote:

> Soren,
>
> I see the Group handling vulnerability tracking in addition to the larger role of being the security champions inside the OpenStack community. This might include documentation, examples, coordinating paid testing from companies like Rackspace, etc.
>
> I agree that for just vulnerability management, there isn't a need for a large group, and we could certainly create multiple groups to handle the individual tasks rather than one big group. I figured the people likely to be interested in contributing to these various security oriented tasks would overlap quite a bit, hence the larger group.
>
> I also wanted to avoid the appearance of the Group being beholden to a single entity. By including non-Rackspace members and even non-OpenStack members, I thought we could get a good cross section of interests to ensure that we don't get tunnel vision.
>
> Maybe we could start with a single Group, then break it up if we get enough interest in the other sections?
>
> I think there is some value in having some names from the security community be involved. For example, Matt Tesauro is an OWASP board member and is willing to come help out. That means that OpenStack could get more exposure at conferences like AppSec USA and other OWASP events and possibly collaborate with the OWASP community on projects like AppSensor support. Just long range thoughts, but that was part of my desire to include some people from the security sector.
>
> There are also lots of vendors interested in integrating with OpenStack including WAF vendors like Imperva and application analysis companies like VeraCode. I could see a role for the Group in facilitating that work to get more tooling that works with OpenStack out of the box.
>
> Thanks,
> Jarret
>
> ________________________________________
> From: Soren Hansen [[email protected]]
> Sent: Tuesday, August 16, 2011 2:41 PM
> To: Jarret Raim
> Cc: Jay Pipes; Jonathan Bryce; [email protected]
> Subject: Re: [Openstack-poc] PPB Tuesday Meeting
>
> 2011/8/16 Jarret Raim <[email protected]>:
>> I changed the text for the initial group membership to limit it to 8. I'm happy to lower it if that seems too high.
>
> I wonder what your motivations are for such a large group? These are not people doing security auditing or anything like that. I see this as a very small group of responsible people with experience in dealing with security particularly in open source software.
>
> A group focusing on penetration testing and auditing and whatnot would be *fantastic*, and while there might be overlap between these two groups, I don't think they should be the same.
>
>> The basic goal was to start with a group of diverse people (commercial & open source, Rackspace and not, security contractors and not, etc.) If we just want to start out with a couple of Rackers and one or two interested parties, I'm fine with that. I just wanted to make sure we have a good set of opinions to get going with the initial work.
>
> I don't see this as the sort of thing where wide representation is required (or even desirable). The smaller the group, the better. If there's an actual vulnerability, you want as few people to know about it as possible until it's been addressed.
>
> --
> Soren Hansen | http://linux2go.dk/
> Ubuntu Developer | http://www.ubuntu.com/
> OpenStack Developer | http://www.openstack.org/
> This email may include confidential information. If you received it in error, please delete it.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack-poc
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~openstack-poc
> More help : https://help.launchpad.net/ListHelp

