Difference between revisions of "Governance/Proposed/OpenStack Security Group"

m (Text replace - "__NOTOC__" to "")
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
__NOTOC__
+
 
 
<!-- ##master-page:[[ProposalTemplate]] -->
 
<!-- ##master-page:[[ProposalTemplate]] -->
 
<!-- #format wiki -->
 
<!-- #format wiki -->
Line 5: Line 5:
  
 
= [[OpenStack]] Security Group =
 
= [[OpenStack]] Security Group =
'''Time: ''' 2011-07-16
+
'''Time: ''' 2011-08-18
  
 
'''Drafter: ''' [[JarretRaim]]
 
'''Drafter: ''' [[JarretRaim]]
Line 13: Line 13:
 
'''Status: ''' Proposed  
 
'''Status: ''' Proposed  
  
== Charter ==
+
== Problem Statement ==
  
This proposal describes the formation of an [[OpenStack]] Security Group (OSSG). The group is modeled after other open source security organizations, most notably, the [http://www.mozilla.org/projects/security/membership-policy.html Mozilla Security Group]. The OSSG will have 4 major responsibilities:
+
This proposal defines a structure for the handling of security topics inside the OpenStack community. It describes a specific process for the management of vulnerabilities in the OpenStack ecosystem and a more general process for security related activities like vendor involvement, automated and penetration testing, etc. The goal is to have a defined strategy for reporting security issues from inside the community, OpenStack users and outside security researchers that allows for responsible vulnerability disclosure and recognition procedures as well as providing a place for security related conversions around OpenStack to occur.
  
* Be the public face of the [[OpenStack]] project for security related issues.
+
== Vulnerability Management Team ==
* Operate a private security mailing list and curate private issues in [[LaunchPad]] for tracking & resolving vulnerabilities.
 
* Collating, defining, publishing and maintaining security policies and guidance.
 
* Working with vendors and developers to resolve security issues while adhering to responsible disclosure policies.
 
  
== The Plan ==
+
The vulnerability management group will be responsible for gathering and tracking security vulnerabilities. Their main purpose is to ensure that the appropriate Project Technical Leads (PTLs) are notified of security issues within their products and assist them in fixing those issues as needed. If a vulnerability is particularly exploitable, the vulnerability management team may choose to mark the LaunchPad issue as private until a fix has been developed and deployed by those OpenStack users who would be affected. This decision will be made in consultation with the PTLs for the affected products. In addition, the vulnerability management team will be responsible for interaction with security researchers and other reporters of security issues. In an effort to encourage researchers to disclose vulnerabilities responsibly, the team will take reports and provide recognition to the discovering researchers.
  
My name is Jarret Raim and I am the Application Security Architect at Rackspace. I have been working to get the Group bootstrapped and recommend that the following resources be created for its use.
+
The accomplish these goals, the vulnerability management team will:
  
* Private mailing list
+
* Develop and maintain documentation of the vulnerability management & disclosure process on openstack.org/security
* Private bug category in [[LaunchPad]] (not publicly visible)
+
* Publish the names, email addresses and GPG keys of members of the team for encrypted vulnerability reports
* Security notification email address (security@openstack.org)
+
* Manage the security issues reported in LaunchPad
* Public list of private list members with GPG keys for encrypted notifications
 
* Web presence at (http://openstack.org/security)
 
  
Public discussions will use the current [[OpenStack]] mailing list until there is enough traffic to justify a separate list. If participants wish to join the private list & be granted visibility to private issues, they must make an application to join as the number of people with access to these private resources must necessarily be kept to a minimum. Applications will be approved with a simple majority vote of the current membership in much the same way as the [http://www.mozilla.org/projects/security/membership-policy.html Mozilla Security Group].
+
The group will be made up of a small group (2 - 3) of interested OpenStack community members in the interest of limiting the exposure of any particular vulnerability.
  
The OSSG can only be successful with community involvement. As such, I recommend that a core of [[OpenStack]] community leaders, Rackspace specialists and security experts in the commercial and open source world start out as the seed of the OSSG, maintaining access to private resources. A set of those leaders have already been identified and we plan to add more before the Group officially starts. As the set of people with access to private resources should remain small, the private group should start out with no more than 8 participants.
+
== [[OpenStack]] Security Group (OSSG) ==
  
There is lots of work to be done. As we build membership in the OSSG, we'll need to tackle the following tasks to start:
+
The OpenStack Security Group (OSSG) is designed as a sub-community for OpenStack members interested in security related topics. This includes OpenStack implementors and developer like Rackspace, users and security community members. The group will be responsible for:
  
* Charter and Governance Model
+
* Being the public face of the OpenStack project for security related issues
* Membership Policy
+
* Collating, defining, publishing and maintaining security policies and guidance
* Voting Policy
+
* Work with security vendors interested in OpenStack integration
* Vulnerability Disclosure Policy
 
* Responsible Disclosure Guidelines
 
  
When possible, all discussions will be undertaken on the public mailing list. The private list will be used for vulnerability discussion & classification (MSA/CVE). I welcome all comments and participation from the community. This effort cannot be driven solely by Rackspace, I need your help.
+
The OSSG could use the current public mailing list or a separate list (openstack-security) to encourage discussion on security related topics including best practices, testing, documentation, compliance and other security issues facing OpenStack implementors and community members.
  
 
----
 
----
 
[[Category:Proposal]]
 
[[Category:Proposal]]
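Review bot: the rewritten resource list in this hunk drops the old revision's "Security notification email address (security@openstack.org)" item without carrying a reporting address into the new text, so the new bullets promise encrypted reports via published GPG keys but never say where a report should be sent; suggest keeping a line such as "* Accept vulnerability reports at security@openstack.org" next to the GPG-key bullet. Two of the added lines also carry typos: "The accomplish these goals" should read "To accomplish these goals", and "implementors and developer like Rackspace" should read "implementors and developers like Rackspace".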

Latest revision as of 23:30, 17 February 2013


OpenStack Security Group

Time: 2011-08-18

Drafter: JarretRaim

Drafters Email: jarret.raim@rackspace.com

Status: Proposed

Problem Statement

This proposal defines a structure for the handling of security topics inside the OpenStack community. It describes a specific process for the management of vulnerabilities in the OpenStack ecosystem and a more general process for security related activities like vendor involvement, automated and penetration testing, etc. The goal is to have a defined strategy for reporting security issues from inside the community, from OpenStack users and from outside security researchers that allows for responsible vulnerability disclosure and recognition procedures, as well as providing a place for security related conversations around OpenStack to occur.

Vulnerability Management Team

The vulnerability management group will be responsible for gathering and tracking security vulnerabilities. Their main purpose is to ensure that the appropriate Project Technical Leads (PTLs) are notified of security issues within their products and assist them in fixing those issues as needed. If a vulnerability is particularly exploitable, the vulnerability management team may choose to mark the LaunchPad issue as private until a fix has been developed and deployed by those OpenStack users who would be affected. This decision will be made in consultation with the PTLs for the affected products. In addition, the vulnerability management team will be responsible for interaction with security researchers and other reporters of security issues. In an effort to encourage researchers to disclose vulnerabilities responsibly, the team will take reports and provide recognition to the discovering researchers.

To accomplish these goals, the vulnerability management team will:

  • Develop and maintain documentation of the vulnerability management & disclosure process on openstack.org/security
  • Publish the names, email addresses and GPG keys of members of the team for encrypted vulnerability reports
  • Manage the security issues reported in LaunchPad

The team will be a small group (2 - 3) of interested OpenStack community members, in the interest of limiting the exposure of any particular vulnerability.

OpenStack Security Group (OSSG)

The OpenStack Security Group (OSSG) is designed as a sub-community for OpenStack members interested in security related topics. This includes OpenStack implementors and developers like Rackspace, users and security community members. The group will be responsible for:

  • Being the public face of the OpenStack project for security related issues
  • Collating, defining, publishing and maintaining security policies and guidance
  • Working with security vendors interested in OpenStack integration

The OSSG could use the current public mailing list or a separate list (openstack-security) to encourage discussion on security related topics including best practices, testing, documentation, compliance and other security issues facing OpenStack implementors and community members.