The OpenStack Security SIG actively works to improve OpenStack security through improvements to code, architecture and various documentation efforts including vulnerability management (through the Vulnerability Management Team) and issuing of Security Notes.

The primary focus points for the security team are:
(1) Securing the OpenStack code base
(2) Providing deployers with the documentation needed to make sound security choices when deploying or consuming OpenStack
(3) Helping address security needs in a cross-project, collaborative way.

The SIG authors and maintains the OpenStack Security Guide:
* http://docs.openstack.org/sec/

The security team conducts all non-confidential business on the openstack-sig mailing list with the [Security] tag.
* Subscribe: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-sigs

We previously used the openstack-security mailing list.
* Archive: http://lists.openstack.org/pipermail/openstack-sigs/

Advisory Activities:
* Act as a consultancy group for OpenStack developers
* The Vulnerability Management Team (VMT) exists as a subset of the Security SIG
* VMT confidentially handles vulnerability disclosures
* The wider security SIG can confirm vulnerability severity at the request of the VMT

Security Guidance:
* OpenStack Security Notes provide Security Guidance on OpenStack Configuration and Usage: https://launchpad.net/ossn/
* Issued Security Notes: https://wiki.openstack.org/wiki/Security_Notes

Research Activities:
* Exploits / Proofs of Concept
* Vulnerability Research
* Threat Verification
* Hardening
* Security Architecture
* Secure OpenStack Provisioning
* Documenting Security Features
* Configuration Management
* Site Survey Functionality / Security Dashboard
* More

In April 2015 the Security SIG became an official part of OpenStack. Previously the security team consisted of two separate organisations: the VMT and the OSSG. The VMT was a small team handling critical vulnerability reports and remediation, whereas the OSSG formed the bulk of the remaining security activities within OpenStack. In early 2015 these teams merged, and the merged Security team was soon afterwards accepted into OpenStack.

History of the OSSG:
Originally instigated in 2012 by HP and Nebula, the OSSG initially worked on an invite-only basis, seeking to draw in contributors from large OpenStack teams such as Rackspace, Ubuntu and Red Hat. The team has grown significantly in size and function and now works on a moderated-list model: we are open to contributors of all types, and the list is moderated simply to keep out spammers.

In early 2018 what was the Security Project became the Security SIG.

Security SIG Code of Ethics:
Members of the security team agree that the goals of the group are to improve the security of OpenStack. Information made available to the security team may at times be sensitive and should always be treated as confidential, not to be shared outside of the group. Members are expressly prohibited from profiting by sharing vulnerability or exploit information obtained from the security team with a third party. All group members agree to abide by industry best practices in responsible disclosure, including providing proper attribution for any technical contributions.

The security SIG has no formal leadership; instead it has chairs. The current chairs are Luke Hinds (Red Hat) and Gage Hugo (AT&T).

Leadership Functions:
* Formal liaison with OpenStack teams
* Security team co-ordination
* Driving Security Awareness
* Providing Suggestions for Research Direction
* More

Ongoing Tasks for the Security SIG:
* Recruiting security talent
* Evangelizing security within the community
* Document current best practices. This is useful both as a documentation exercise and for understanding next steps (e.g., if best practices involve strongly isolating a particular component because it is riddled with security issues, that reveals where we should be working).
* Develop stress tests that can be integrated with current testing

Team details:
* Owner: Luke Hinds
* Membership policy: Moderated Team