Security Guide - New Chapter on Vulnerability Management

Bug #1347057 reported by Travis McPeak
Affects: openstack-manuals
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

New chapter(s) on vulnerability management may be useful. Some examples of topics to touch on here are:

- Lifecycle of a reported vulnerability in OpenStack
- The role of VMT
- Some examples of typical workflow for patching for security issues
- Some mention of the process to get early access to security bugs (if you are a stakeholder)

Realistically this might be a couple of chapters but IMHO this information would be extremely useful to some.

Tags: sec-guide
Revision history for this message
Bryan D. Payne (bdpayne) wrote :

This clearly relates to "Chapter 9. Continuous systems management". However, I think it could be useful to expand on the content in this chapter. I will accept this bug as a placeholder to do so. But it would be good to provide more details here on the specific information to include and how it should be organized.

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Wishlist
Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: Confirmed → Triaged
Revision history for this message
N Dillon (sicarie) wrote :

So there is a bit on this right now under the 'vulnerability awareness' section of the compute chapter: http://docs.openstack.org/security-guide/compute/vulnerability-awareness.html

Agreed this section could/should be its own bit. I think if T-rav's first two points are swapped it flows a little bit better, and then the remaining info can be pulled from the OSSP deck at: https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?pref=2&pli=1#slide=id.g662702250_0_105.

If nobody picks this up, I'll try to do something next week.

Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

Heh, wow, this is a blast from the past. Back when T-rav was at Symantec and Bryan Payne ran the guide :)

This should be an easy section to write; we have most of the material in other places, just have to drag it in.

Revision history for this message
Lana (loquacity) wrote :

Travis or Nathaniel: I'm happy to write this for you if you can point me at source material ...

Revision history for this message
Grant Murphy (gmurphy) wrote :

@Lana there is some pretty good reference material that links off https://security.openstack.org/. The VMT process for example is pretty detailed https://security.openstack.org/vmt-process.html.

If you have any specific questions you are more than welcome to reach out to the VMT members directly.

Revision history for this message
N Dillon (sicarie) wrote :

Travis - with the new section added (http://docs.openstack.org/security-guide/compute/vulnerability-awareness.html) do you think this bug is still needed?

Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

Yeah, ^ that looks good. Let's close this.

Changed in openstack-manuals:
status: Triaged → Invalid
Revision history for this message
N Dillon (sicarie) wrote :

Fix was released with linked section in separate, but parallel effort - http://docs.openstack.org/security-guide/compute/vulnerability-awareness.html

Changed in openstack-manuals:
status: Invalid → Fix Released