This is a summary of the latest OpenStack design summit for the Vulnerability Management Team (VMT). The team's goal is to coordinate the progressive disclosure of vulnerabilities in OpenStack; the complete process is explained here: vmt-process. This team writes the OpenStack Security Advisories (OSSA).
A look back at previous releases
| Date | Release | Bugs reported | Vulnerabilities |
|---|---|---|---|
| Oct 17 2013 | Havana | 58 | 24 |
| Apr 17 2014 | Icehouse | 102 | 23 |
| Oct 16 2014 | Juno | 78 | 12 |
Depending on how you count, these numbers may vary, but the trend is fortunately good: a healthy number of bugs are reported while fewer and fewer vulnerabilities are discovered.
Advisories are now YAML formatted and stored in the openstack/ossa repository. This lets the team use the Gerrit code review system to approve an OSSA before publication; an openstack-infra job then automatically renders the document and publishes it on security.openstack.org.
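To make the YAML-in-Gerrit workflow concrete, here is an added example (not code from the openstack/ossa repository or from the openstack-infra publication job) of the two steps a review gate would perform: validate an advisory record before it is approved, and render it to reStructuredText for publication. The field names, the ID patterns and every sample value are assumptions, loosely modelled on the repository layout, not taken from the page.

```python
"""Validate and render an OSSA-style YAML advisory record.

Field names are an assumption, loosely modelled on the openstack/ossa
repository; they are not taken from the summit notes.  The sample advisory
is constructed and embedded as a Python dict so the example runs offline;
in a review job it would be produced by yaml.safe_load() on the file under
review.
"""
import re
from datetime import date

# Constructed sample record; every value (ids, URLs, names) is a placeholder.
SAMPLE_ADVISORY = {
    "id": "OSSA-2015-000",
    "date": "2015-06-01",
    "title": "Example advisory title (constructed)",
    "description": "Constructed description of the issue and its impact.",
    "affected-products": [
        {"product": "openstack/example", "version": "<=2014.2.2, <2015.1.1"},
    ],
    "reporters": [
        {"name": "Example Reporter", "affiliation": "Example Org",
         "reported": ["CVE-0000-0000"]},  # placeholder CVE id
    ],
    "issues": ["https://launchpad.net/bugs/0000000"],
    "reviews": {
        "master": "https://review.openstack.org/000000",
        "stable/kilo": "https://review.openstack.org/000001",
    },
}

REQUIRED_FIELDS = ("id", "date", "title", "description",
                   "affected-products", "reporters", "issues", "reviews")
ID_RE = re.compile(r"^OSSA-\d{4}-\d{3}$")      # assumed advisory id format
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_advisory(adv):
    """Return a list of problems; an empty list means the record can be approved."""
    errors = [f"missing field: {key}" for key in REQUIRED_FIELDS if key not in adv]
    if errors:
        return errors  # the checks below assume every required field exists
    if not ID_RE.match(adv["id"]):
        errors.append(f"bad id: {adv['id']!r}")
    try:
        date.fromisoformat(adv["date"])
    except (TypeError, ValueError):
        errors.append(f"bad date: {adv['date']!r}")
    if not adv["affected-products"]:
        errors.append("no affected products listed")
    for prod in adv["affected-products"]:
        if not prod.get("product") or not prod.get("version"):
            errors.append(f"affected product needs product and version: {prod!r}")
    for rep in adv["reporters"]:
        for cve in rep.get("reported", []):
            if not CVE_RE.match(cve):
                errors.append(f"bad CVE id: {cve!r}")
    if "master" not in adv["reviews"]:
        errors.append("no master branch review linked")
    return errors


def render_advisory(adv):
    """Render an approved record as reStructuredText, as a publication job would."""
    title = f"{adv['id']}: {adv['title']}"
    lines = [title, "=" * len(title), "", f":Date: {adv['date']}", ""]
    lines += ["Affected products", "-----------------"]
    for prod in adv["affected-products"]:
        lines.append(f"- {prod['product']}: {prod['version']}")
    lines += ["", "Description", "-----------", adv["description"], ""]
    lines += ["Reporters", "---------"]
    for rep in adv["reporters"]:
        cves = ", ".join(rep.get("reported", []))
        lines.append(f"- {rep['name']} ({rep.get('affiliation', 'independent')}): {cves}")
    lines += ["", "References", "----------"]
    for url in adv["issues"]:
        lines.append(f"- {url}")
    for branch, url in sorted(adv["reviews"].items()):
        lines.append(f"- {branch}: {url}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = validate_advisory(SAMPLE_ADVISORY)
    if problems:
        raise SystemExit("\n".join(problems))  # a gate job would fail here
    print(render_advisory(SAMPLE_ADVISORY))
```

Running the script validates the constructed record and prints the rendered advisory; a gate job would run `validate_advisory` on the changed file and vote -1 on the review when the list is non-empty.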
The Security Project
The VMT is now part of the newly created security project and is no longer attached to Release Management. This should reduce confusion about the different security teams. The PTL, Robert Clark, gave an excellent presentation on this project that you can watch here.
Coming next with Liberty
Versioning model change
OpenStack server projects are likely to switch to semantic versioning (semver) to accommodate the more permissive release model of the new OpenStack Big Tent. Now that projects are free to release independently, forcing a shared version number like 2015.1.0 no longer makes sense.
VMT supported tag
A new tag should be created to better identify which projects are covered by the vmt-process. A project should have at least:
- stable branches.
- an active coresec group with a liaison.
- a Bandit check job.
No severity metric
Considering the many deployment modes of OpenStack, the attack surface is too broad for a metric like DREAD to remain meaningful. Some measurements have been tried, but they more or less all resulted in the highest score; after all, OSSAs are important documentation for administrators, and the need to differentiate between them is negligible.
A better security website
security.openstack.org will host other documents from the Security Project, and the VMT's inner process should be better documented so that other teams can use the same model.
Relevant shortlog from other sessions
- Server projects like Nova will now be published on PyPI.
- Icehouse might not get a 2014.1.5 release, and the branch will certainly reach end of life two to three months earlier than expected.
I’m happy to see these progressions and I’m looking forward to further developments.