Slide 1

Slide 1 text

© 2014 Nebula, Inc. All rights reserved.
(cloud) Computing for the Enterprise
Contributing to the OpenStack Security Group
Bryan D. Payne
August 27, 2014

Slide 2

Slide 2 text

OSSG Overview
•  Working to improve security in OpenStack
   –  Hardening, Deployment, Compliance, etc.
•  Currently over 200 members
•  Regular meetings and discussions
   –  Weekly IRC meetings (Thursdays at 1700 UTC)
   –  openstack-security mailing list

Slide 3

Slide 3 text

Building the OpenStack Security Group
Phases: Planning, Bootstrapping, Growth
Timeline: Apr 2012, Oct 2012, May 2013
•  Key Players
•  Vision
•  Logistics
•  Public Relations

Slide 4

Slide 4 text

Building the OpenStack Security Group
Phases: Planning, Bootstrapping, Growth
Timeline: Apr 2012, Oct 2012, May 2013
•  Key Players
•  Vision
•  Logistics
•  Public Relations
•  IRC Meetings
•  OSSNs
•  Volume Encryption

Slide 5

Slide 5 text

Building the OpenStack Security Group
Phases: Planning, Bootstrapping, Growth
Timeline: Apr 2012, Oct 2012, May 2013
•  Key Players
•  Vision
•  Logistics
•  Public Relations
•  IRC Meetings
•  OSSNs
•  Volume Encryption
•  Security Guide Book
•  Threat Modeling
•  Better Process
•  Security Track
•  Mid-Cycle Meetup
•  Barbican

Slide 6

Slide 6 text

Key Projects
•  Primary focus
•  Already providing value
•  Individually lead projects
•  Good opportunity for new contributors
•  Significant domain expertise

OpenStack Security
Threat Analysis
OpenStack Security Guide
OpenStack Security Notes

Slide 7

Slide 7 text

Best Practices
•  Skeleton Projects
•  Bootstrapped
•  Ready to Provide Value
•  Maturity Indicators
•  Low bar to entry
•  OSSG support
•  Demonstrated need

OpenStack Security
Cryptography Review
Developer Security Guidelines

Slide 8

Slide 8 text

Stretch Goals
•  Not really in scope
•  Some easy wins
•  Separately lead projects
•  Waiting on outside work
•  Codify security guidelines
•  Higher bar to entry
•  Jenkins – Job writing
•  Infrastructure hooks
•  Tempest – Template / Test

OpenStack Security
Jenkins Enhancements
Static Analysis
Tempest Modules

Slide 9

Slide 9 text

Putting It All Together

OpenStack Security
Threat Analysis
OpenStack Security Guide
OpenStack Security Notes
Cryptography Review
Developer Security Guidelines
Jenkins Enhancements
Static Analysis
Tempest Modules

Slide 10

Slide 10 text

GETTING INVOLVED

Slide 11

Slide 11 text

OpenStack Projects
“The Glue”
•  Improve available security
•  Document best practices
•  Simplify security compliance
•  Work with builders, ops, users

Slide 12

Slide 12 text

Ways to Participate
•  Key Projects
•  Best Practices
•  IRC Meetings
•  Code Reviews
•  Mailing List
•  Relationship Management

OSSG

Slide 13

Slide 13 text

Email: [email protected]
Twitter: @bdpsecurity