Wednesday, 3 July 2013

Worried About OpenStack Security? We literally wrote the book!

The OpenStack Security Group proudly presents the OpenStack Security Guide! Developed using the now legendary book-sprint methodology, the whole book was written in a week, with most of the content being written in the first 2-3 days.

For me this was a fascinating opportunity to work with some of the smartest security minds in the OpenStack community. It was fantastic to meet so many security group members in the flesh. Special thanks go to my co-founder of the security group, Bryan Payne, for all the work he did getting this project off the ground. Special mention should be made of the sponsorship we received from Red Hat, with the awesome Keith Basil and Shawn Wells, who picked up the tab most days, organised the hotel room and were basically super-stars all week!

It was really interesting to work in this collaborative environment with so many ideas and perspectives. I think, given the time we had, we managed to find a good balance between conceptual overview and specific guidance in this guide: sometimes directing the user to specific security controls (such as Nova DB MySQL authentication with x.509 client certificates) and other times highlighting pain-points in a "you're going to need to think hard about this" sort of way!

One of the interesting tangential benefits of this work was the vulnerability list, where we documented vulnerabilities or security gaps that the OSSG will now work through and report to the VMT or produce an OSSN for depending on the context.

There's a lot of work still to be done on the guide. I expect the comments, content and criticisms to start flying thick and fast over the next few weeks, and I'm looking forward to seeing how the document evolves between now and the OpenStack Summit in Hong Kong.

I expect that a number of us from the original group will continue to contribute, and there's talk of doing a security panel at the summit this year; hopefully such a thing would be interesting to a lot of people!

So all that's left is to thank the guys I worked with last week; I'd love to work with any of you again!