
OWASP OpenStack Security Project

Revision as of 16:59, 17 July 2015 by Mtesauro (talk | contribs) (Added a note to this page to note that tools from this project are now part of the OWASP WTE project.)


NOTE: The tools produced by this project, such as [jerry-curl], have been migrated to the OWASP_Web_Testing_Environment_Project. Please consider this project closed.


The OWASP OpenStack Security project is an attempt to bridge two large open source communities: OWASP and OpenStack. Since I am a member of the OpenStack Security Group (OSSG) and the leader of this project and other OWASP projects, I am active in both communities and realized that getting the two groups together can improve both communities.

I work on OpenStack security currently and there is plenty of work to share. Depending on your skillset and interests, here are some things I've considered for inclusion in this project:

  • Creation of tools to help assess the security of OpenStack - either the source code or a working implementation of OpenStack
  • Reviews of the Python source to try and gather data around dependencies, potentially dangerous calls, 3rd party libraries, etc.
  • Dynamic testing (aka pen testing) of Horizon, the community web-based control panel for OpenStack
  • Reviews of what is logged in the various bits of OpenStack to look for logging of sensitive information
  • Review the inter-product communication to find more secure methods to connect various sub-projects in OpenStack
  • Your idea here

Depending on what the project is working on, I have access to compute resources and can provide access to project members to have a safe place to conduct testing. This is a very new OWASP project (started in Feb of 2013) so for now, please join the [mail list] and let us know what your interests are.

Full Disclosure: I work for Rackspace, one of the founding members of the OpenStack Foundation, and work in the product security group which is responsible for the secure SDLC activities for all Rackspace cloud products - most of which are part of OpenStack. Additionally, OWASP's IT infrastructure (including this wiki) has been hosted since 2011 on Rackspace's Open Cloud which is powered by OpenStack.

We're a new OWASP project, join the [mail list] and let us know what you're interested in or ask how you can help!

Some background on the project leader for the curious:

  • I have been very involved in OWASP since 2008 and served on the Foundation board until January 2013. I am the project leader for the OWASP WTE project (formerly known as the OWASP Live CD project) and have been involved in several other projects and committees. Application Security is a passion of mine and can be traced back to my first days developing software for an international telecom.
  • I'm also a member of the OSSG - OpenStack Security Group. This is a group of OpenStack community members with a particular interest in security. It's a mix of implementors (those deploying OpenStack) and application security people who are more focused on the code base for OpenStack. It is a very new group with a few members currently - especially when compared to the number of developers in OpenStack.
  • My day job is the lead for product security at Rackspace. As one of the founding members of the OpenStack foundation, Rackspace obviously has an interest in keeping OpenStack moving forward over time.
  • Selfishly, OWASP's IT infrastructure is currently running on OpenStack because of a donation of hosting from Rackspace back in 2011. I'd love to help make sure the software which is running OWASP's IT infrastructure is hardened and secure.

What does this OWASP project offer you?

What is this project?
Name: OWASP OpenStack Security Project (home page)
Purpose: The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud.
License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)

Who is working on this project?
Project Leader(s):
  • Matt Tesauro @

How can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View

Key Contacts
  • Contact Matt Tesauro @ to contribute to this project
  • Contact Matt Tesauro @ to review or sponsor this project

What releases are available for this project?

Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed
Other releases: