On Sep 20, 2012, at 9:06 AM, Joe Brockmeier <j...@zonker.net> wrote:

> On Thu, Sep 20, 2012, at 10:50 AM, John Kinsella wrote:
>> As this topic came up again, I wanted to discuss it without stealing from
>> the IRC channel discussion.
>>
>> Basically - should CloudStack have a "security team" as a formal group? I
>> see real and marketing value for such a thing, but I don't want to create
>> structure/overhead that isn't needed. So really I guess my question to
>> the community is "Do you feel the need for such a team?"
>
> I'll let others weigh in on this, but for the purpose of this discussion
> we should note the existing Apache Security Team:
>
> http://www.apache.org/security/
>
> Anything we do should probably loop in the folks who are already on the
> security team, and look to them for advice/suggestions/cautions, etc.
>
> Note that the Apache Security Team is strictly concerned with
> vulnerability reporting/handling. It's also probably useful to read up
> on the project security for committers page for folks who haven't
> already:
>
> http://www.apache.org/security/committers.html

Both good pages, and I would expect a CloudStack security team to work with the Apache orgs. What I was getting at is: do we need more than that from an application security POV? Do we want to try and be proactive about these things, or is reactive enough for ?

> Finally, we have to be very cautious about over-selling any security
> efforts when we're recommending best practices, etc. so that it's very
> clear that we're not providing any warranties of security and so forth.

We need to disclaim everything, but that shouldn't be an issue, IMHO.

John