Difference between revisions of "Security-SIG"

Revision as of 16:34, 12 September 2013


This is a vast topic. The following links may help you head in the right direction, depending on what brought you here.

OpenStack Security Guide

This book was written by a close community of security experts from the OpenStack Security Group in a short, intense week-long effort at an undisclosed location. One of the goals for this book is to bring together interested members to capture their collective knowledge and give it back to the OpenStack community.

See http://docs.openstack.org/sec/

Vulnerability Management Team

The OpenStack Vulnerability Management team is the first point of contact for OpenStack security issues. They are responsible for the vulnerability handling and disclosure process.

See http://wiki.openstack.org/VulnerabilityManagement

OpenStack Security Group

The OpenStack Security Group works to improve OpenStack security through improvements to code, architecture, documentation, etc. The OSSG may hand off vulnerability reports to the VMT. The OSSG may also assist the VMT in assessing vulnerabilities when asked to do so. The primary focus points for the OSSG are (1) securing the OpenStack code base and (2) making it easy for people to obtain good security when they install OpenStack.

See https://launchpad.net/~openstack-ossg

Getting started

The process of becoming a member of the group is described on the OSSG Launchpad page. At the time of writing, there is no defined "procedure" for getting involved in the OSSG, so a suggested set of steps follows. Each of the described steps may or may not be relevant, depending on the individual member's background and familiarity with the OpenStack project.

Some steps to get started are:

  • Read the OpenStack documentation and understand the most common deployment scenarios.
  • Go through the OpenStack installation guide and create a deployment (either a native one or in a virtualized environment), in order to get a basic understanding of the interaction of the different OpenStack services. Some installation scripts such as Devstack and Packstack are readily available. However, you should not underestimate the educational benefits of spending some quality time to install OpenStack manually.
  • Read the newly released OpenStack security guide in order to dive into the security aspects of setting up and running an OpenStack deployment.
  • Getting acquainted to some degree with the rest of the OpenStack manuals is highly encouraged.
  • The next step is to choose one of the OpenStack components in order to become closely familiar with it and eventually be able to use the combined expertise of the OSSG to make thoughtful contributions to the component (code reviews, direct code contribution, architectural aspects) and improve its security. It is of course important to choose a component that closely matches your interests; given the size of OpenStack, becoming closely familiar with the chosen component's code base, deployment and administration practices might require a significant time investment. Once you have chosen a component, send an email to the OSSG email list to let others know about your intentions.

See https://wiki.openstack.org/wiki/Security/How_To_Contribute for more details on how you can improve OpenStack security.