
Difference between revisions of "Security/Threat Analysis"

(Created page with "== OpenStack Threat Anlaysis == This proposal is to start a threat analysis evaluation of the OpenStack system components. A threat analysis takes a comprehensive look at the ...")
 
 
(31 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== OpenStack Threat Anlaysis ==
+
== OpenStack Threat Modelling ==
This proposal is to start a threat analysis evaluation of the OpenStack system components. A threat analysis takes a comprehensive look at the system at hand – components, protocols and code - against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also include a suggestion to fix the vulnerabilities and related threat.
+
Security is one of the biggest concern for any cloud solutions. The aim of this project is proactively identify threats and weakness in OpenStack Cloud and contribute to build a secure and robust platform. Threat modelling takes a comprehensive look at the system at hand – components, protocols and code - against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also include a suggestion to fix the vulnerabilities and related threat. A simplified view of threat modelling steps are provided below:
 +
 
 +
<gallery widths=550px heights=400px>
 +
File:Threat_Modeling_steps.png
 +
</gallery>
 +
 
 +
==== Threat Modelling Process for OpenStack Projects ====
 +
Check the [[Security/Threat_Analysis/process|process page]] to know the overall process
 +
 
 +
Technical steps are defined below:
 +
[https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/Threat_modeling_process.md Threat Modelling process]
 +
 
 +
===== Git Repo: =====
 +
 
 +
https://git.openstack.org/openstack/security-analysis
 +
 
 +
=== Archive ===
 +
 
 +
Earlier we have used Google Docs for sharing documents, documents are still shared from Google Docs,
 +
but we are focusing to use GIT as a repository containing all docs.
 +
 
 +
[https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing Keystone Threat Modelling]
 +
 
 +
https://github.com/shohel02/OpenStack_Threat_Modelling
 +
 
 +
===== Nova: =====
 +
 
 +
Includes a High Level Threat Model Analysis for Nova.
 +
This is WIP, documentation is still in DRAFT version.
 +
 
 +
https://github.com/criscad/OpenStack_Threat_Modelling.git
 +
 
 +
=== Earlier reports on Threat Modelling related to OpenStack ===
 +
#Threat Analysis Example
 +
[[File:Threat analysis Example.pdf|thumbnail|Threat Analysis Example]]
 +
# Keystone GAP and Threat Identification for Folsom Release (Quick Study)
 +
[[File:OpenStack Keystone Analysis.pdf|OpenStack Keystone GAP and Threat Identification]]
 +
 
 +
=== Existing Literature Study ===
 +
==== Process ====
 +
# [https://www.owasp.org/index.php/Threat_Risk_Modeling%20 https://www.owasp.org/index.php/Threat_Risk_Modeling ]
 +
# Michael Howard, David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
 +
# Ross Anderson, Security Engineering, Chapter 11 http://www.cl.cam.ac.uk/~rja14/book.html
 +
 
 +
==== Existing Threat Analysis Work related to Cloud ====
 +
# The Notorious Nine, Cloud Security Alliance [https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf]
 +
 
 +
==== Identity and Access Management System Analysis ====
 +
# Identity Management Protection Profile, http://www.commoncriteriaportal.org/files/ppfiles/pp0024b.pdf
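
Review bot: in the "Earlier reports on Threat Modelling related to OpenStack" section, each "#" list item is followed by a "[[File:...]]" link on its own line, which ends the ordered list, so both entries come out numbered 1 in the rendered page. Put each file link on the same line as its "#" item, or start the file line with "#:", so the numbering continues. Also in the added text: the first item ("#Threat Analysis Example") lacks the space after "#" that the second item has, the OWASP link target ends in a stray "%20", and the new intro has agreement slips ("one of the biggest concern", "A simplified view of threat modelling steps are provided") that are worth fixing in the same edit.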

Latest revision as of 13:54, 14 March 2018

OpenStack Threat Modelling

Security is one of the biggest concerns for any cloud solution. The aim of this project is to proactively identify threats and weaknesses in the OpenStack cloud and to contribute to building a secure and robust platform. Threat modelling takes a comprehensive look at the system at hand (components, protocols and code) against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also suggest a fix for the vulnerabilities and the related threat. A simplified view of the threat modelling steps is provided below:

Threat Modelling Process for OpenStack Projects

See the process page for the overall process.

Technical steps are defined below: Threat Modelling process

Git Repo:

https://git.openstack.org/openstack/security-analysis

Archive

Earlier we used Google Docs for sharing documents. Documents are still shared from Google Docs, but we are now focusing on using Git as the repository containing all docs.

Keystone Threat Modelling

https://github.com/shohel02/OpenStack_Threat_Modelling

Nova:

Includes a high-level threat model analysis for Nova. This is a work in progress; the documentation is still a draft.

https://github.com/criscad/OpenStack_Threat_Modelling.git

Earlier reports on Threat Modelling related to OpenStack

  1. Threat Analysis Example: File:Threat analysis Example.pdf
  2. Keystone GAP and Threat Identification for Folsom Release (Quick Study): File:OpenStack Keystone Analysis.pdf

Existing Literature Study

Process

  1. https://www.owasp.org/index.php/Threat_Risk_Modeling
  2. Michael Howard, David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
  3. Ross Anderson, Security Engineering, Chapter 11 http://www.cl.cam.ac.uk/~rja14/book.html

Existing Threat Analysis Work related to Cloud

  1. The Notorious Nine, Cloud Security Alliance The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Identity and Access Management System Analysis

  1. Identity Management Protection Profile, http://www.commoncriteriaportal.org/files/ppfiles/pp0024b.pdf