Overview:
The OpenStack Security team actively works to improve OpenStack security through improvements to code, architecture and various documentation efforts including vulnerability management (through the Vulnerability Management Team) and issuing of Security Notes.

The primary focus points for the security team are:
(1) Securing the OpenStack code base
(2) Providing deployers with the documentation needed to make sound security choices when deploying or consuming OpenStack

Author and maintain the OpenStack Security Guide:
* http://docs.openstack.org/sec/

The security team conducts all non-confidential business on the openstack-dev mailing list with the [Security] tag.
* Subscribe: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

We previously used the openstack-security mailing list.
* Archive: http://lists.openstack.org/pipermail/openstack-security/

Advisory Activities:
* Act as a consultancy group for OpenStack developers
* The Vulnerability Management Team (VMT) exists as a subset of the Security Team
* VMT confidentially handles vulnerability disclosures
* The wider security team can confirm vulnerability severity at the request of the VMT

Security Guidance:
* OpenStack Security Notes provide Security Guidance on OpenStack Configuration and Usage: https://launchpad.net/ossn/
* Issued Security Notes: https://wiki.openstack.org/wiki/Security_Notes

Research Activities:
* Exploits / Proofs of Concept
* Vulnerability Research
* Threat Verification
* Hardening
* Security Architecture
* Secure OpenStack Provisioning
* Documenting Security Features
* Configuration Management
* Site Survey Functionality / Security Dashboard
* More

Membership:
In April 2015 the Security team became an official part of OpenStack. Previously the security team consisted of two separate organisations: the VMT and the OSSG. The VMT was a small team handling critical vulnerability reports and remediation, whereas the OSSG formed the bulk of the remaining security activities within OpenStack. In early 2015 these teams merged, and this was quickly followed by the Security team being accepted into OpenStack.

History of the OSSG:
Originally instigated in 2012 by HP and Nebula, the OSSG initially sought to work on an invite-only basis, seeking to draw in contributors from large OpenStack teams such as Rackspace, Ubuntu and Red Hat. The team has grown significantly in size and function and now works on a moderated-list model: we're open to contributors of all types, and the list is moderated simply to keep out spammers.

Security Team Code of Ethics:
Members of the security team agree that the goals of the group are to improve the security of OpenStack. Information made available to the security team may at times be sensitive and should always be treated as confidential, not to be shared outside of the group. Members are expressly prohibited from profiting by sharing vulnerability or exploit information obtained from the security team with a third party. All group members agree to abide by industry best practices in responsible disclosure, including providing proper attribution for any technical contributions.

Leadership:
The security team follows the processes in place for all OpenStack projects and has an elected Project Technical Lead (PTL). At this moment that PTL is Robert Clark (hyakuhei).

Leadership Functions:
* Formal liaison with OpenStack teams
* Security team co-ordination
* Driving Security Awareness
* Providing Suggestions for Research Direction
* More

Ongoing Tasks for the Security Team:
* Recruiting security talent
* Evangelizing security within the community
* Document current best practices - useful as a documentation exercise and for understanding next steps (e.g., if best practices involve strongly isolating a particular component because it is riddled with security issues, that helps reveal where we should be working)
* Develop stress tests that can be integrated with current testing

Team details

Owner:
Bryan D. Payne
Created on:
2012-05-23
Languages:
English
Membership policy:
Moderated Team

Mailing list

openstack-ossg@lists.launchpad.net
Policy: You must be a team member to subscribe to the team mailing list.