Building an OpenStack Security Group

OpenStack Summit, Fall 2012. As OpenStack continues to mature, it is increasingly important for the community to be proactive in improving security. The OpenStack Security Group (OSSG) is a new effort led by Nebula and HP to bring together security professionals who can work to address this need. Our goal is to create a group that complements the Vulnerability Management Team by working to improve the security in each project's software architecture, contributing software to address security relevant blueprints and bugs, and providing cross-project security assessments. This talk will introduce the OSSG and describe some of our early success stories, while starting a conversation about the best path forward for OpenStack security. https://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/building-an-openstack-security-group

Bryan Payne

October 18, 2012
Transcript

  1. Bryan D. Payne, Nebula
     Robert Clark, HP
     Building an OpenStack Security Group
  2. 10/17/12   2  

  4. • Alarm system?
     • Bars on the windows?
     • Dog?
     • Security cameras?
     • Move?

  9. This Is Hard

  10. Software Must Be Easier, Right?

  11. But Who Wants to Hack OpenStack?

  13. Computer Security: What We Know
      Better                                   Worse
      Design for security from the start       Retrofit security when it's important
      Understand your threats                  Just make it secure
      Understand your goals                    Seriously, just add some security
      Pervasive security culture               That paranoid guy has it under control

  14. Current Approach
      • Vulnerability Management Team
      • People starting to think about security

  15. OpenStack Security Challenges
      • Security as an afterthought
      • Security as silos
      • Security by non-experts

  16. OpenStack Security Group (OSSG)
      • Security expert resource for OS
      • Build security culture within OS community

  17. OSSG Game Plan

  18. OSSG Details
      • Place at least one security engineer on each core project
        – Code review
        – Implement blueprints
        – Design blueprints
      • Have at least one person working cross project
        – Write technical documentation
        – Integrating security into continuous integration
        – Identify cross project security concerns
      • Mailing list to have security discussions

  19. Case Study: HTTPS Support

  20. Observations from Summit 2012
      © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

  21. Crypt Enthusiastic Developer + Hash Algorithm + Async Crypt != Secure Design

  22. Common Mistakes
      Let us help

  23. OSSG Next Steps
      • Will require community-level involvement
      • Now "hiring" for OSSG!!
        – Security Engineers
        – Technical Writers
        – OpenStack Deployment Expertise

  24. Please Join Us!
      https://launchpad.net/~openstack-ossg
      Bryan D. Payne   bryan.payne@nebula.com
      Robert Clark     robert.clark@hp.com