
openstack-poc team mailing list archive

Re: PPB Tuesday Meeting


I think that we should separate these two concerns.  Vulnerability
management should be in strict confidence until the appropriate fixes are
known and hotfixes are ready.  The other "security champion" work should
be vocal and publicly visible.  I think that it only confuses things to
overlap these two activities, and I would separate them entirely.  (That's
not to say that the same people couldn't be on both groups, of course.)

Thanks for doing this though, Jarret.  This is massively important work,
and I'm very glad that someone is pushing this forward so strongly.

Cheers,

Ewan.

On 8/17/11 3:16 AM, "Jarret Raim" <jarret.raim@xxxxxxxxxxxxx> wrote:

>Soren,
>
>I see the Group handling vulnerability tracking in addition to the larger
>role of being the security champions inside the OpenStack community. This
>might include documentation, examples, coordinating paid testing from
>companies like Rackspace, etc.
>
>I agree that for just vulnerability management, there isn't a need for a
>large group, and we could certainly create multiple groups to handle the
>individual tasks rather than one big group. I figured the people likely
>to be interested in contributing to these various security oriented tasks
>would overlap quite a bit, hence the larger group.
>
>I also wanted to avoid the appearance of the Group being beholden to a
>single entity. By including non-Rackspace members and even non-OpenStack
>members, I thought we could get a good cross section of interests to
>ensure that we don't get tunnel vision.
>
>Maybe we could start with a single Group, then break it up if we get
>enough interest in the other sections?
>
>I think there is some value in having some names from the security
>community be involved. For example, Matt Tesauro is an OWASP board member
>and is willing to come help out. That means that OpenStack could get more
>exposure at conferences like AppSec USA and other OWASP events and
>possibly collaborate with the OWASP community on projects like AppSensor
>support. Just long range thoughts, but that was part of my desire to
>include some people from the security sector.
>
>There are also lots of vendors interested in integrating with OpenStack
>including WAF vendors like Imperva and application analysis companies
>like VeraCode. I could see a role for the Group in facilitating that work
>to get more tooling that works with OpenStack out of the box.
>
>
>
>Thanks,
>Jarret
>
>
>________________________________________
>From: Soren Hansen [soren@xxxxxxxxxxx]
>Sent: Tuesday, August 16, 2011 2:41 PM
>To: Jarret Raim
>Cc: Jay Pipes; Jonathan Bryce; openstack-poc@xxxxxxxxxxxxxxxxxxx
>Subject: Re: [Openstack-poc] PPB Tuesday Meeting
>
>2011/8/16 Jarret Raim <jarret.raim@xxxxxxxxxxxxx>:
>> I changed the text for the initial group membership to limit it to 8.
>> I'm happy to lower it if that seems too high.
>
>I wonder what your motivations are for such a large group? These are
>not people doing security auditing or anything like that. I see this
>as a very small group of responsible people with experience in dealing
>with security particularly in open source software.
>
>A group focusing on penetration testing and auditing and whatnot would
>be *fantastic*, and while there might be overlap between these two
>groups, I don't think they should be the same.
>
>> The basic goal was to start with
>> a group of diverse people (commercial & open source, Rackspace and not,
>> security contractors and not, etc.) If we just want to start out with a
>> couple of Rackers and one or two interested parties, I'm fine with
>> that. I just wanted to make sure we have a good set of opinions to get
>> going with the initial work.
>
>I don't see this as the sort of thing where wide representation is
>required (or even desirable). The smaller the group, the better. If
>there's an actual vulnerability, you want as few people to know about
>it as possible until it's been addressed.
>
>--
>Soren Hansen        | http://linux2go.dk/
>Ubuntu Developer    | http://www.ubuntu.com/
>OpenStack Developer | http://www.openstack.org/
>This email may include confidential information. If you received it in
>error, please delete it.
>
>
>_______________________________________________
>Mailing list: https://launchpad.net/~openstack-poc
>Post to     : openstack-poc@xxxxxxxxxxxxxxxxxxx
>Unsubscribe : https://launchpad.net/~openstack-poc
>More help   : https://help.launchpad.net/ListHelp
