Difference between revisions of "Security/Threat Analysis"
Line 11: | Line 11: | ||
A technical steps are defined below: | A technical steps are defined below: | ||
[https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/Threat_modeling_process.pdf Threat Modelling process] | [https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/Threat_modeling_process.pdf Threat Modelling process] | ||
− | |||
− | |||
=== Ongoing Work === | === Ongoing Work === | ||
Line 35: | Line 33: | ||
=== Meeting === | === Meeting === | ||
− | Meeting on IRC Channel every alternate Fridays's 17.00 UTC | + | ( <sub>Meeting on IRC Channel every alternate Fridays's 17.00 UTC |
− | at Freenode's ##openstack-threat-analysis (unofficial channel), | + | at Freenode's ##openstack-threat-analysis (unofficial channel)</sub> ) |
+ | Currently discontinued, instead all related discussion in OSSG | ||
+ | meeting. | ||
[[Security/Threat_Analysis/Meetings|Meeting Information]] | [[Security/Threat_Analysis/Meetings|Meeting Information]] |
Revision as of 10:49, 5 June 2014
Contents
OpenStack Threat Modelling
Security is one of the biggest concern for any cloud solutions. The aim of this project is proactively identify threats and weakness in OpenStack Cloud and contribute to build a secure and robust platform. Threat modelling takes a comprehensive look at the system at hand – components, protocols and code - against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also include a suggestion to fix the vulnerabilities and related threat. A simplified view of threat modelling steps are provided below:
Threat Modelling Process for OpenStack Projects
Check the process page to know the overall process
A technical steps are defined below: Threat Modelling process
Ongoing Work
Earlier we have used Google Docs for sharing documents, documents are still shared from Google Docs, but we are focusing to use GIT as a repository containing all docs.
Git Repo:
Includes Threat Modelling Process, Templates and ongoing threat modelling work on Keystone
https://github.com/shohel02/OpenStack_Threat_Modelling.git
Nova:
Includes a High Level Threat Model Analysis for Nova. This is WIP, documentation is still in DRAFT version.
https://github.com/criscad/OpenStack_Threat_Modelling.git
Meeting
( Meeting on IRC Channel every alternate Fridays's 17.00 UTC at Freenode's ##openstack-threat-analysis (unofficial channel) ) Currently discontinued, instead all related discussion in OSSG meeting.
- Threat Analysis Example
File:Threat analysis Example.pdf
- Keystone GAP and Threat Identification for Folsom Release (Quick Study)
File:OpenStack Keystone Analysis.pdf
Existing Literature Study
Process
- https://www.owasp.org/index.php/Threat_Risk_Modeling
- Michael Howard, David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
- Ross Anderson, Security Engineering, Chapter 11 http://www.cl.cam.ac.uk/~rja14/book.html
- The Notorious Nine, Cloud Security Alliance The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Identity and Access Management System Analysis
- Identity Management Protection Profile, http://www.commoncriteriaportal.org/files/ppfiles/pp0024b.pdf