
Contributing to the OpenStack Security Group

The OpenStack Security Group (OSSG) is the primary driving force for security throughout the OpenStack community today. This talk will introduce OSSG by telling the story of how the group formed and grew over the past 2 years. After a brief history, we will explore the primary areas that the group is working in today, including threat analysis, the OpenStack Security Notes, and a book on OpenStack Security. Come to learn about the great security work happening in this community, and to see how you can contribute.

Bryan Payne

August 27, 2014

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise
    Contributing to the OpenStack Security Group
    Bryan D. Payne
    August 27, 2014
  2. OSSG Overview
    • Working to improve security in OpenStack
      – Hardening, Deployment, Compliance, etc.
    • Currently over 200 members
    • Regular meetings and discussions
      – Weekly IRC meetings (Thursdays at 1700 UTC)
      – openstack-security mailing list
  3. Building the OpenStack Security Group
    Planning, Bootstrapping, Growth
    Apr 2012, Oct 2012, May 2013
    Key Players, Vision, Logistics, Public Relations
  4. Building the OpenStack Security Group
    Planning, Bootstrapping, Growth
    Apr 2012, Oct 2012, May 2013
    Key Players, Vision, Logistics, Public Relations
    IRC Meetings, OSSNs, Volume Encryption
  5. Building the OpenStack Security Group
    Planning, Bootstrapping, Growth
    Apr 2012, Oct 2012, May 2013
    Key Players, Vision, Logistics, Public Relations
    IRC Meetings, OSSNs, Volume Encryption
    Security Guide Book, Threat Modeling, Better Process, Security Track, Mid-Cycle Meetup, Barbican
  6. Key Projects
    • Primary focus
    • Already providing value
    • Individually led projects
    • Good opportunity for new contributors
    • Significant domain expertise
    OpenStack Security: Threat Analysis, OpenStack Security Guide, OpenStack Security Notes
  7. Best Practices
    • Skeleton Projects
    • Bootstrapped
    • Ready to Provide Value
    • Maturity Indicators
    • Low bar to entry
    • OSSG support
    • Demonstrated need
    OpenStack Security: Cryptography Review, Developer Security Guidelines
  8. Stretch Goals
    • Not really in scope
    • Some easy wins
    • Separately led projects
    • Waiting on outside work
    • Codify security guidelines
    • Higher bar to entry
    • Jenkins – Job writing
    • Infrastructure hooks
    • Tempest – Template / Test
    OpenStack Security: Jenkins Enhancements, Static Analysis, Tempest Modules
  9. Putting It All Together
    OpenStack Security: Threat Analysis, OpenStack Security Guide, OpenStack Security Notes, Cryptography Review, Developer Security Guidelines, Jenkins Enhancements, Static Analysis, Tempest Modules
  10. OpenStack Projects
    “The Glue”
    • Improve available security
    • Document best practices
    • Simplify security compliance
    • Work with builders, ops, users
  11. Ways to Participate
    • Key Projects
    • Best Practices
    • IRC Meetings
    • Code Reviews
    • Mailing List
    • Relationship Management
    OSSG