All,

TL;DR: Let's work together and openly on security review and threat analysis for OpenStack.
I've discussed this for a while within the security group, but now I'm sharing it more widely here on -dev.

There are currently scores of security reviews taking place on OpenStack architecture, projects and implementations. All the big players in OpenStack are conducting their own security reviews; we are all finding things that should be addressed in the community, and I'm sure that we are all missing things that others have found too. There's very little commercial value in holding onto security review data.

I am appealing to the security people out there in the community to come together and share expertise on Threat Modelling/Analysis in OpenStack. There's already been some excellent path-finding here: https://wiki.openstack.org/wiki/Security/Threat_Analysis

My long-term aspiration is that Threat Analysis and Penetration Testing eventually get performed in the open, in a collaborative process between several organisations, all finding issues, opening bugs and submitting patches together, with each organisation performing internal audits on their deltas for secret-sauce / value-added stuff. I believe that by doing this we can raise the bar on all of our collective security efforts while decreasing the massive duplication of effort that's going on right now.

The security group is having a mid-cycle sprint in July. We are looking to cover a lot of ground ( https://etherpad.openstack.org/p/ossg-juno-meetup ), but one of the primary topics we will be focussing on is the Threat Modelling process: how it can be shaped and how it should move forward. I hope that some of you can be there and, if not, that we can get the sharing and collaboration of security reviews onto the security agenda at your respective organisations.

Cheers
-Rob
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev