OWASP OpenStack Security Project
|NOTE: The tools produced by this project, such as [jerry-curl] have been migrated to the OWASP_Web_Testing_Environment_Project. Please consider this project closed.|
The OWASP OpenStack Security project is an attempt to bridge two large open source communities: OWASP and OpenStack. Since I am a member of the OpenStack Security Group (OSSG) and and the leader of this project and other OWASP projects, I am active in both communities and realized that getting the two groups together can inprove both communities.
I work on OpenStack security currently and there is plenty of work to share. Depending on your skillset and interests, here's some things I've considered for inclusion in this project:
- Creation of tools to help assess the security of OpenStack - either the source code or a working implemetation of OpenStack
- Reviews of the Python source to try and gather data around dependencies, potentially dangerous calls, 3rd party libraries, etc
- Dynamic (aka pen testing) Horizon, the community web-based control panel for OpenStack
- Reviews of what is logged in the various bits of OpenStack to look for logging of sensitive information
- Review the inter-product communication to find more secure methods to connect various sub-projects in OpenStack
- Your idea here
Depending on what the project is working on, I have access to compute resources and can provide access to project members to have a safe place to conduct testing. This is a very new OWASP project (started in Feb of 2013) so for now, please join the [mail list] and let us know what your interests are.
Full Disclosure: I work for Rackspace, one of the founding members of the OpenStack Foundation, and work in the product security group which is responsible for the secure SDLC activities for all Rackspace cloud products - most of which are part of OpenStack. Additionally, OWASP's IT infrastructure (including this wiki) have been hosted since 2011 on Rackspace's Open Cloud which is powered by OpenStack.
We're a new OWASP project, join the [mail list] and let us know what you're interested or ask how you can help!
Some background on the project leader for the curious:
- I have been very involved in OWASP since 2008 and served on the Foundation board until January 2013. I am the project leader for the OWASP WTE project (formerly known as the OWASP Live CD project) and have been involved in serveral other projects and committees. Application Security is a passion of mine and can be traced back to my first days developing software for an international telecom.
- I'm also a member of the OSSG - OpenStack Security Group. This is a group of OpenStack community members with a particular interest in security. Its a mix of inplementors (those deploying OpenStack) and application security people who are more focused on the code base for OpenStack. It is a very new group with a few members currently - espcially when compared to the number of developers in OpenStack.
- My day job is the lead for product security at Rackspace. As one of the founding members of the OpenStack foundation, Rackspace obviously has an interest in keeping OpenStack moving forward over time.
- Selfishly, OWASP's IT infrastructure is currently running on OpenStack because of a donation of hosting from Rackspace back in 2011. I'd love to hlep make sure the software which is running OWASP's IT infrastructure is hardened and secure.
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?