
Security/Threat Analysis

Revision as of 09:13, 18 March 2014 by Shohel

OpenStack Threat Analysis

This proposal is to start a threat analysis evaluation of the OpenStack system components. A threat analysis takes a comprehensive look at the system at hand (its components, protocols and code) against the existence and capability of an adversary looking for known vulnerabilities. When a threat is identified, it is tallied and reported to the development team. In some cases, the threat analysis team may also include a suggestion for fixing the vulnerability and the related threat.

Threat Analysis Steps

Threat Modelling Process for OpenStack Projects

File:Threat modeling process.pdf

Resources

On Going Work

Earlier we used Google Docs for sharing documents. Documents are still shared from Google Docs, but we are moving to Git as the repository containing all of the documentation.

Keystone Threat Modelling

Git Repo: https://github.com/shohel02/OpenStack_Threat_Modelling.git

Meeting

Meeting on IRC every alternate Friday at 17:00 UTC in Freenode's ##openstack-threat-analysis (unofficial channel).

Meeting Information

Earlier reports on Threat Modelling related to OpenStack

  1. Threat Analysis Example: File:Threat analysis Example.pdf
  2. Keystone GAP and Threat Identification for Folsom Release (Quick Study): File:OpenStack Keystone Analysis.pdf

Existing Literature Study

Process

  1. https://www.owasp.org/index.php/Threat_Risk_Modeling
  2. Michael Howard, David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
  3. Ross Anderson, Security Engineering, Chapter 11 http://www.cl.cam.ac.uk/~rja14/book.html

Existing Threat Analysis Work related to Cloud

  1. The Notorious Nine, Cloud Security Alliance The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Identity and Access Management System Analysis

  1. Identity Management Protection Profile, http://www.commoncriteriaportal.org/files/ppfiles/pp0024b.pdf