I created some relatively high level security best practices that I thought would apply to Solum. I don't think it is ever too early to get mindshare around security so that developers keep that in mind throughout the project. When a design decision point could easily go two ways, perhaps these guidelines can sway direction towards a more secure path.
This is a living document, please contribute and let's discuss topics. I've worn a security hat in various jobs so I'm always interested. :) Also, I realize that many of these features may not directly be encapsulated by Solum but rather components such as KeyStone or Horizon. https://wiki.openstack.org/wiki/Solum/Security I would like to build on this list and create blueprints or tasks based on topics that the community agrees upon. We will also need to start thinking about timing of these features. Is there an OpenStack standard for code comments that highlight potential security issues to investigate at a later point? If not, what would the community think of making a standard for Solum? I would like to identify these areas early while the developer is still engaged/thinking about the code. It is always harder to go back later and find everything in my experience. Perhaps something like: # (SECURITY) This exception may contain database field data which could expose passwords to end users unless filtered. Or # (SECURITY) The admin password is read in plain text from a configuration file. We should fix this later. Regards, Paulmo _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
