incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject CloudStack Security Team
Date Thu, 20 Sep 2012 15:50:23 GMT
As this topic came up again, I wanted to discuss it without stealing from the IRC channel discussion.

Basically - should CloudStack have a "security team" as a formal group? I see real and marketing
value for such a thing, but I don't want to create structure/overhead that isn't needed. So
really I guess my question to the community is "Do you feel the need for such a team?"

One news point that hasn't been announced, yet: In the last week or two I've managed to get
HP to donate a license for Fortify on Demand to the CloudStack community. I've run into some
small technical bumps in preparing the code to be scanned but hoping to have a preliminary
scan done in the next week or so. My goal is to get a scan done and catch any low-hanging
fruit before the 4.0 release, but I'm not quite ready to commit to that yet. We'll see…
:)

I'll lay out what I consider the scope of such a team to be:
 * Provide application security expertise - As ACS produces a software product, most of the
work would be here, so I'll break this one out:
   * Code review - A security team would participate in performing manual or tool-assisted
security reviews before major releases or after significant changes were made to the code
base.
   * Secure coding assistance - either in general practice or when issues found during a review
need to be remediated, the security team would provide guidance to the development community
on best practices in writing secure code.
   * Architecture and design review - when new functionality is being added, security team
could provide guidance (input sanitization, encryption algorithms, API key management comes
to mind)
 * Incident response - In the event of an issue being found in ACS software or the website/etc,
this team could help respond and interact with other Apache groups to respond to issues.
 * Define security best practices - Along with having common network and infrastructure architectures,
ACS should also recommend best practices for setting up management servers, hosts, and the
like. This sounds like a small category, but I suspect there could be a lot of use cases to
cover here.

Others I'm probably missing, but you get the gist.

Presuming this may go forward, I'd love to hear from others who have a security background
(or decent exposure and want to grow) and would be interested in being part of such a team.

John
