Difference between revisions of "Security/Threat Analysis"
Revision as of 06:34, 23 April 2014
OpenStack Threat Modelling
Security is one of the biggest concerns for any cloud solution. Threat modelling takes a proactive view to identify threats within a system. It takes a comprehensive look at the system at hand (components, protocols and code) against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also include a suggestion to fix the vulnerabilities and related threats.
Threat Modelling Steps
Threat Modelling Process for OpenStack Projects
File:Threat modeling process.pdf
Resources
Ongoing Work
Earlier we used Google Docs for sharing documents. Documents are still shared from Google Docs, but we are now focusing on using Git as the repository containing all docs.
Git Repo: https://github.com/shohel02/OpenStack_Threat_Modelling.git
Meeting
Meetings are held on IRC every alternate Friday at 17.00 UTC in Freenode's ##openstack-threat-analysis (unofficial channel).
- Threat Analysis Example
File:Threat analysis Example.pdf
- Keystone GAP and Threat Identification for Folsom Release (Quick Study)
File:OpenStack Keystone Analysis.pdf
Existing Literature Study
Process
- https://www.owasp.org/index.php/Threat_Risk_Modeling
- Michael Howard, David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
- Ross Anderson, Security Engineering, Chapter 11 http://www.cl.cam.ac.uk/~rja14/book.html
- The Notorious Nine, Cloud Security Alliance, The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Identity and Access Management System Analysis
- Identity Management Protection Profile, http://www.commoncriteriaportal.org/files/ppfiles/pp0024b.pdf