openstack-poc team mailing list archive

[Jarret Raim <jarret.raim@xxxxxxxxxxxxx>]

Soren,

I see the Group handling vulnerability tracking in addition to the larger role of being the security champions inside the OpenStack community. This might include documentation, examples, coordinating paid testing from companies like Rackspace, etc.

I agree that for just vulnerability management, there isn't a need for a large group, and we could certainly create multiple groups to handle the individual tasks rather than one big group. I figured the people likely to be interested in contributing to these various security oriented tasks would overlap quite a bit, hence the larger group.

I also wanted to avoid the appearance of the Group being beholden to a single entity. By including non-Rackspace members and even non-OpenStack members, I thought we could get a good cross section of interests to ensure that we don't get tunnel vision.

Maybe we could start with a single Group, then break it up if we get enough interest in the other sections? 

I think there is some value in having some names from the security community be involved. For example, Matt Tesauro is an OWASP board member and is willing to come help out. That means that OpenStack could get more exposure at conferences like AppSec USA and other OWASP events and possibly collaborate with the OWASP community on projects like AppSensor support. Just long range thoughts, but that was part of my desire to include some people from the security sector.

There are also lots of vendors interested in integrating with OpenStack including WAF vendors like Imperva and application analysis companies like VeraCode. I could see a role for the Group in facilitating that work to get more tooling that works with OpenStack out of the box.



Thanks,
Jarret


________________________________________
From: Soren Hansen [soren@xxxxxxxxxxx]
Sent: Tuesday, August 16, 2011 2:41 PM
To: Jarret Raim
Cc: Jay Pipes; Jonathan Bryce; openstack-poc@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack-poc] PPB Tuesday Meeting

2011/8/16 Jarret Raim <jarret.raim@xxxxxxxxxxxxx>:
> I changed the text for the initial group membership to limit it to 8. I'm
> happy to lower it if that seems to high.

I wonder what your motivations are for such a large group? These are
not people doing security auditing or anything like that. I see this
as a very small group of responsible people with experience in dealing
with security particularly in open source software.

A group focusing on penetration testing and auditing and whatnot would
be *fantastic*, and while there might be overlap between these two
groups, I don't think they should be the same.

> The basic goal was to start with
> a group of diverse people (commercial & open source, Rackspace and not,
> security contractors and not, etc.) If we just want to start out with a
> couple of Rackers and one or two interested parties, I'm fine with that. I
> just wanted to make sure we have a good set of opinions to get going with
> the initial work.

I don't see this as the sort of thing were wide representation is
required (or even desirable). The smaller the group, the better. If
there's an actual vulnerability, you want as few people to know about
it as possible until it's been addressed.

--
Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
This email may include confidential information. If you received it in error, please delete it.