
Difference between revisions of "Security-SIG"

m (Advisory Activities: fix up wording for intro sentence to no longer omit advisories)
 
(45 intermediate revisions by 13 users not shown)
Line 3: Line 3:
 
<!-- #language en -->
 
<!-- #language en -->
  
This is a vast topic, the following links may help you to go in the right direction, depending on what brought you here.
+
Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security SIG. The Security SIG is a horizontal effort within OpenStack that undertakes both technical and governance activities within OpenStack, aiming to provide guidance, information and code that enhances the overall security of the OpenStack ecosystem.
  
== OpenStack Security Guide ==
+
== Organization and Contribution  ==
This book was written by a close community of security experts from the OpenStack Security Group in a short, intense week-long effort at an undisclosed location. One of the goals for this book is to bring together interested members to capture their collective knowledge and give it back to the OpenStack community.
+
The Security SIG is built up primarily of two groups of people; those who write OpenStack code and those who try to secure OpenStack clouds! If you're interested in helping to make OpenStack more secure, either through writing better code, cross project collaboration, writing documentation or inventing cool new features and tooling - we want to hear from you!
  
See http://docs.openstack.org/sec/
+
=== Leadership ===
  
== Vulnerability Management Team ==
+
The security SIG has no formal leadership, instead it has chairs who arrange meetings and organize votes. The current chair can be found listed on the [https://governance.openstack.org/sigs/ SIG governance page].
The OpenStack Vulnerability Management team is the first point of contact for OpenStack security issues. They are responsible for the vulnerability handling and disclosure process.
 
  
See http://wiki.openstack.org/VulnerabilityManagement
+
==== IRC ====
 +
The security SIG has a discussion channel (#openstack-security) on the OFTC IRC network that's used for general communications, chat and the occasional user query. The security SIG meets monthly to discuss current security activities and progress on security happenings within OpenStack. We encourage new contributors to say hello during our meetings.
  
== OpenStack Security Group ==
+
* [https://meetings.opendev.org/#OpenStack_Security_SIG_meeting Weekly meeting IRC information]
The OpenStack Security Group works to improve OpenStack security through improvements to code, architecture, documentation, etc. The OSSG may hand off vulnerability reports to the VMT. The OSSG may also assist VMT is assessing vulnerabilities when asked to do so. The primary focus points for the OSSG are (1) securing the OpenStack code base and (2) making it easy for people to obtain good security when they install OpenStack.
+
* [https://meetings.opendev.org/meetings/security/ Weekly meeting logs]
 +
* [https://meetings.opendev.org/irclogs/%23openstack-security/ Logs from the #openstack-security room]
 +
* [https://app.element.io/#/room%2F%23oftc_%23openstack-security%3Amatrix.org Connect to #openstack-security through the Matrix-OFTC bridge]
  
See https://launchpad.net/~openstack-ossg
+
== Advisory Activities ==
 +
The Security SIG issues advisories and notes targeted at OpenStack Users and Vendors who either run or package OpenStack for use by downstream consumers.
  
=== Getting started ===
+
Advisories are typically issued by the VMT, a small group of experienced developers within the Security SIG who receive, triage and release fixes for vulnerabilities in OpenStack. The final stage of fixing a vulnerability is to release a Security Advisory for the community. The OSSA details the nature of the vulnerability and the patches required to solve it.
  
The process of becoming a member of the group is described on the OSSG [https://launchpad.net/~openstack-ossg Launchpad page].
+
Security Notes are designed to complement the Security Advisories issued by the Vulnerability Management Team. Security notes can be issued for almost anything affecting the security of potential OpenStack deployments. In many cases a vulnerability may be reported that cannot be fixed immediately because the fix might break the API or otherwise cause service-breaking issues for downstream consumers. Often the Security SIG write notes that will guide deployers in how to best mitigate the issues when an OSSA cannot be provided. OSSNs are also issued for significant vulnerabilities in third party applications that would affect OpenStack deployments.
At the moment of writing, there is no defined "procedure" to get involved into the OSSG and a suggested set of steps
 
follows. Each described steps might or not be relevant depending on the individual member's background and familiarity with the OpenStack project.
 
  
Some steps to get started are:
+
See the [https://security.openstack.org/ OpenStack security site] for the list of advisories and vulnerability management process documentation, as well as links to security note details.
*Read the OpenStack documentation and understand the most common deployment scenarios.
 
*Go through the [http://docs.openstack.org/trunk/openstack-compute/install/yum/content/ OpenStack installation guide] and create a deployment (either a native one or in a virtualized environment), in order to get a basic understanding of the interaction of the different OpenStack services. Some installation scripts such as [http://devstack.org/ Devstack] and [http://openstack.redhat.com/Quickstart Packstack] are readily available. However, you should not underestimate the educational benefits of spending some quality time to install OpenStack manually.
 
*Read the newly released [http://docs.openstack.org/trunk/openstack-security/content/index.html OpenStack security guide] in order to dive into the security aspects of setting up and running an OpenStack deployment.
 
*Getting acquainted to some degree with the rest of the OpenStack manuals is highly encouraged.
 
*The next step is to choose one of the OpenStack components in order to become closely familiarized with it and eventually be able to use the combined expertise of the OSSG in order to make thoughtful contributions to the component (code reviews, direct code contribution, architectural aspects) and improve its security. It is of course important to chose a component that would closely match your interests; given the size of OpenStack, becoming closely familiar with the chosen component's code base, deployment and administration practices might require significant time investments. Once you have chosen a component, send an email on the OSSG email list to let others know about your intentions.
 
 
 
 
 
See https://wiki.openstack.org/wiki/Security/How_To_Contribute for more details on how you can improve OpenStack security.
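Review bot: the new link labels "Weekly meeting IRC information" and "Weekly meeting logs" contradict the new IRC paragraph, which says the Security SIG meets monthly; align the labels with the stated cadence (e.g. "Monthly meeting IRC information") or correct the paragraph, whichever reflects the current schedule. Two smaller points in the added Advisory Activities text: "Often the Security SIG write notes" should read "writes", and "OSSA" and "OSSN" are used before they are expanded, so spelling out "OpenStack Security Advisory (OSSA)" and "OpenStack Security Note (OSSN)" on first use would help readers arriving from outside the project.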
 

Latest revision as of 17:47, 6 October 2022


Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security SIG. The Security SIG is a horizontal effort across OpenStack that undertakes both technical and governance activities, aiming to provide guidance, information and code that enhance the overall security of the OpenStack ecosystem.

Organization and Contribution

The Security SIG is built up primarily of two groups of people: those who write OpenStack code and those who try to secure OpenStack clouds! If you're interested in helping to make OpenStack more secure, whether through writing better code, cross-project collaboration, writing documentation or inventing cool new features and tooling, we want to hear from you!

Leadership

The Security SIG has no formal leadership; instead it has chairs who arrange meetings and organize votes. The current chair is listed on the SIG governance page.

IRC

The Security SIG has a discussion channel (#openstack-security) on the OFTC IRC network that is used for general communications, chat and the occasional user query. The Security SIG meets monthly to discuss current security activities and progress on security happenings within OpenStack. We encourage new contributors to say hello during our meetings.

Advisory Activities

The Security SIG issues advisories and notes targeted at OpenStack users and vendors who either run OpenStack or package it for use by downstream consumers.

Advisories are typically issued by the VMT, a small group of experienced developers within the Security SIG who receive, triage and release fixes for vulnerabilities in OpenStack. The final stage of fixing a vulnerability is to release an OpenStack Security Advisory (OSSA) for the community. The OSSA details the nature of the vulnerability and the patches required to solve it.

OpenStack Security Notes (OSSNs) are designed to complement the Security Advisories issued by the Vulnerability Management Team. Security Notes can be issued for almost anything affecting the security of potential OpenStack deployments. In many cases a vulnerability may be reported that cannot be fixed immediately because the fix might break the API or otherwise cause service-breaking issues for downstream consumers. When an OSSA cannot be provided, the Security SIG often writes a note that guides deployers on how best to mitigate the issue. OSSNs are also issued for significant vulnerabilities in third-party applications that would affect OpenStack deployments.

See the OpenStack security site for the list of advisories and vulnerability management process documentation, as well as links to security note details.