On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote:
> Hi,
>
> We don't currently collect high-level security related information about
> the projects for OpenStack releases. Things like the crypto algorithms
> that are used or how we handle sensitive data aren't documented anywhere
> that I could see. I did some thinking on how we can improve this. I
> wrote up my thoughts in a blog post, which I'll link to instead of
> repeating everything here:
>
> http://blog-nkinder.rhcloud.com/?p=51
>
> tl;dr - I'd like to have the development teams for each project keep a
> wiki page updated that collects some basic security information. Here's
> an example I put together for Keystone for Icehouse:
>
> https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
>
> There would need to be an initial effort to gather this information for
> each project, but it shouldn't be a large effort to keep it updated once
> we have that first pass completed. We would then be able to have a
> comprehensive overview of this security information for each OpenStack
> release, which is really useful for those evaluating and deploying
> OpenStack.
>
> I see some really nice benefits in collecting this information for
> developers as well. We will be able to identify areas of weakness,
> inconsistency, and duplication across the projects. We would be able to
> use this information to drive security related improvements in future
> OpenStack releases. It likely would even make sense to have something
> like a cross-project security hackfest once we have taken a pass through
> all of the integrated projects so we can have some coordination around
> security related functionality.
>
> For this effort to succeed, it needs buy-in from each individual
> project. I'd like to gauge the interest on this. What do others think?
> Any and all feedback is welcome!
I think this is a good idea, and hopefully can provide valuable insight
into common pain-points or areas for improvement.

I've made a start on a page for Heat, feedback welcome!

https://wiki.openstack.org/wiki/Security/Icehouse/Heat

Steve

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
