Difference between revisions of "OWASP OpenStack Security Project"

The OWASP OpenStack Security project is an attempt to bridge two large open source communities: OWASP and OpenStack. Since I am a member of the OpenStack Security Group (OSSG) and and the leader of this project and other OWASP projects, I am active in both communities and realized that getting the two groups together can inprove both communities.

I work on OpenStack security currently and there is plenty of work to share. Depending on your skillset and interests, here's some things I've considered for inclusion in this project:

• Creation of tools to help assess the security of OpenStack - either the source code or a working implemetation of OpenStack
• Reviews of the Python source to try and gather data around dependencies, potentially dangerous calls, 3rd party libraries, etc
• Dynamic (aka pen testing) Horizon, the community web-based control panel for OpenStack
• Reviews of what is logged in the various bits of OpenStack to look for logging of sensitive information
• Review the inter-product communication to find more secure methods to connect various sub-projects in OpenStack
• Your idea here

Depending on what the project is working on, I have access to compute resources and can provide access to project members to have a safe place to conduct testing. This is a very new OWASP project (started in Feb of 2013) so for now, please join the [mail list] and let us know what your interests are.

Full Disclosure: I work for Rackspace, one of the founding members of the OpenStack Foundation, and work in the product security group which is responsible for the secure SDLC activities for all Rackspace cloud products - most of which are part of OpenStack. Additionally, OWASP's IT infrastructure (including this wiki) have been hosted since 2011 on Rackspace's Open Cloud which is powered by OpenStack.