The OpenStack Security Group (OSSG) will actively work to improve OpenStack security through improvements to code, architecture, documentation, etc. The OSSG may hand off vulnerability reports to the Vulnerability Management Team (VMT). The OSSG may also assist the VMT in assessing vulnerabilities when asked to do so. The primary focus points for the OSSG are (1) securing the OpenStack code base and (2) making it easy for people to obtain good security when they install OpenStack.

Author and maintain the OpenStack Security Guide:
* http://docs.openstack.org/sec/

Manage the OpenStack-Security mailing list:
* Subscribe: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
* Archive: http://lists.openstack.org/pipermail/openstack-security/

Advisory Activities:
* Act as a consultancy group for OpenStack developers
* Confirm vulnerability severity at the request of the VMT

Security Guidance:
* OpenStack Security Notes (OSSNs) provide security guidance on OpenStack configuration and usage: https://launchpad.net/ossn/
* Issued Security Notes: https://wiki.openstack.org/wiki/Security_Notes

Research Activities:
* Exploits / Proofs of Concept
* Vulnerability Research
* Threat Verification
* Hardening
* Security Architecture
* Secure OpenStack Provisioning
* Documenting Security Features
* Configuration Management
* Site Survey Functionality / Security Dashboard
* More

Instigated by HP and Nebula, the OSSG is in the process of being stood up. Initially the group will work on an invite-only basis, seeking to draw in contributors from large OpenStack teams such as Rackspace, Ubuntu and Red Hat. Once a core group has been developed, the group will entertain requests for membership from other organisations and individual researchers. Such requests will require the approval of two existing group members. The group is required to have controls on membership because of the sensitivity of the vulnerability information that will be available to group members.

Our initial goal is to organize by placing at least one OSSG member on each OpenStack project. In addition, we will have one at-large member who can focus on cross-project security issues, security best-practices deployment documentation, etc. We strongly encourage OSSG members to contribute code that improves the security of their respective projects.

* Nova: tbd
* Swift: tbd
* Glance: tbd
* Keystone: tbd
* Horizon: tbd
* Quantum: tbd
* At-large: tbd

OSSG Code of Ethics:
Members of the OSSG agree that the goal of the group is to improve the security of OpenStack. Information made available to the OSSG may at times be sensitive and should always be treated as confidential, not to be shared outside of the group. Members are expressly prohibited from profiting by sharing vulnerability or exploit information obtained from the OSSG with a third party. All group members agree to abide by industry best practices in responsible disclosure, including providing proper attribution for any technical contributions.

Informal to start with, driven by contribution…

Leadership Functions:
* Formal liaison with OpenStack teams
* OSSG Co-ordination
* Driving Security Awareness
* Providing Suggestions for Research Direction
* More

Initial Tasks for the OSSG:
* Recruiting a core team
* Document current best practices - useful as a documentation exercise and for understanding next steps (e.g., if best practices involve strongly isolating a particular component because it is riddled with security issues, that will help reveal where we should be working)
* Develop stress tests that can be integrated with current testing

Team details

Bryan D. Payne
Membership policy: Moderated Team
Mailing list: openstack-ossg@lists.launchpad.net
Policy: You must be a team member to subscribe to the team mailing list.