As OpenStack earns the Core Infrastructure Initiative (CII) Best Practices Badge, we ask a security team member how it got so far, so fast


In just six years, OpenStack has grown into 58 projects that provide open source cloud computing software for public and private clouds.

That rapid expansion just might be the security professional’s worst nightmare. From network orchestration service Astara to messaging service Zaqar, there are thousands of people around the world contributing code. Code that could be full of holes, vulnerabilities and unreported bugs.

That’s what makes OpenStack earning the Core Infrastructure Initiative (CII) Best Practices Badge from the Linux Foundation even more impressive. The badge covers seven areas – from change control to quality and security – you can check out the specifics here.

Superuser asked Travis McPeak, senior security architect at IBM and OpenStack Security Project team member, about some best practices for developing large open source projects with security in mind.

What’s the key to security-conscious development?

Security-conscious development requires security consideration at each stage in the software development lifecycle. If a product hasn’t been designed securely it will be extremely difficult, if not impossible, to fix this later. Similarly, the most secure design can be crippled by simple insecure coding practices. Different security tools are applied at each stage.

Threat modeling, for example, is a very effective way to discover defects in design and missing system controls. Source code review and scanning tools lower the risk of implementation defects. The key is involving security at each stage. Missed steps become increasingly difficult and expensive to correct at later stages.

How do you employ them when working with large teams around the world?

Any software development can be difficult with highly distributed teams and security is no exception. To make this easier we’ve found it useful to adopt multiple methods of communication to ensure everybody has a way they’re comfortable with.

Some teams prefer to have instant communication and use IRC, Slack, and other tools. Other teams like to have video conferences or calls. Still other teams are on sufficiently different timezones that email, forums, and wikis are most effective for them. Regardless of tool choice the important part is that each team member knows who to talk with and has a way to talk with that person.

You can read more about OpenStack and security with a new white paper published by the Foundation available at:

Get involved

If you want to be a part of the security team or have an idea of your own to make OpenStack more secure, head to #openstack-security on FreeNode IRC or join one of our weekly meetings (1700 UTC in #openstack-meeting-alt). Alternatively, drop an email on the OpenStack Developers mailing list use the tag [security] , introduce yourself and what you’re interested in.

Cover Photo: Cover Photo // CC BY NC