Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OpenStack Security Group (OSSG): An Update On Our Progress And Plans

Bryan Payne
May 15, 2014
Technology
0
72

OpenStack Security Group (OSSG): An Update On Our Progress And Plans

OpenStack Summit, Spring 2014. Originally organized in Fall 2012, the OpenStack Security Group (OSSG) now fills many critical security roles within the OpenStack Community. From assisting the Vulnerability Management Team (VMT) to consulting with projects about security best practices and testing technique, the OSSG has kept very busy. This talk will highlight the group's recent work and set the direction for future work. Anyone interested in OpenStack security should attend. https://www.youtube.com/watch?v=irLQq9iDTBs

Bryan Payne

May 15, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
220
BLESS: Better Security and Ops for SSH Access
bdpayne
3
680
Securing Containers the Netflix Way
bdpayne
1
2.1k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
810
Platform Security Jobs at Netflix
bdpayne
0
840
Improving Cloud Security with Attacker Profiling
bdpayne
2
800
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.6k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
190
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.6k

Other Decks in Technology

See All in Technology
開発生産性を採用の武器にする
naoto_pq
0
500
Microsoft Fabric のユースケース整理
ryomaru0825
1
170
全世界のユーザー体験の改善にNew Relic Mobileをどのように活用したか/How New Relic Mobile was used to improve the global user experience
isaoshimizu
2
360
ほーるちーむあぷろーち for babies #scrumniigata #SigSQA / Whole-Team Approach (WhTA) for babies
caori_t
1
440
0518LLMmeetup_LLMシステムの非機能要件対応_現場レポート.pdf
hirosatogamo
5
3.8k
Oracle Cloud Infrastructure:2023年5月度サービス・アップデート
oracle4engineer
PRO
0
190
ChatGPTを聞き手にしよう
niryuu
0
320
DevSecOpsへの展開〜全てのチームの能力を最大限に引き出す/Expanding to DevSecOps
newrelic2023
0
190
点群SegmentationのためのTransformerサーベイ
takmin
1
470
Datadogで実現するセキュリティ オブザーバビリティ
taka2noda
1
130
Mirror mirror... what am I typing next?
spinscale
0
140
Profiling a Java Application @DevDays 2023
victorrentea
1
520

Featured

See All Featured
The Invisible Side of Design
smashingmag
292
49k
Facilitating Awesome Meetings
lara
35
4.8k
Build your cross-platform service in a week with App Engine
jlugia
222
17k
The Invisible Customer
myddelton
113
12k
Fireside Chat
paigeccino
18
2.1k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Atom: Resistance is Futile
akmur
256
24k
Building Your Own Lightsaber
phodgson
96
5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
28k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
A Philosophy of Restraint
colly
195
15k
Optimising Largest Contentful Paint
csswizardry
2
770

Transcript

  1. OpenStack Security Group
    (OSSG)
    An Update On Our Progress And Plans
    Bryan D. Payne Robert Clark Nathan Kinder

    View Slide

  2. Agenda
    ● What is OSSG?
    ● What have we been doing?
    ● What are OSSG’s plans?
    ● How you can help!

    View Slide

  3. Introduction

    View Slide

  4. OSSG Overview
    ● Working to improve security in OpenStack
    ○ Hardening, Deployment, Compliance, etc
    ● Currently over 150 members
    ● Regular meetings and discussions
    ○ Weekly IRC meetings
    ○ openstack-security mailing list
    https://launchpad.net/~openstack-ossg

    View Slide

  5. OSSG Contributions
    ● Documentation
    ● Code Review
    ● Threat Analysis & Review
    ● Assist VMT with Vulnerability Triage

    View Slide

  6. Icehouse Cycle Updates
    ● OpenStack Security Notes
    ● Threat Analysis & Review
    ● OSSG Lead Elections

    View Slide

  7. Plans

    View Slide

  8. Projects
    Threat Analysis
    Jenkins Enhancements
    Developer Security Guidelines
    Static Analysis
    Cryptography Review
    Tempest Modules
    OpenStack Security Guide
    OpenStack
    Security
    OpenStack Security Notes

    View Slide

  9. Key Projects
    Threat Analysis
    Jenkins Enhancements
    Developer Security Guidelines
    Static Analysis
    Cryptography Review
    Tempest Modules
    OpenStack Security Guide
    OpenStack
    Security
    OpenStack Security Notes

    View Slide

  10. Best Practices
    Threat Analysis
    Jenkins Enhancements
    Developer Security Guidelines
    Static Analysis
    Cryptography Review
    Tempest Modules
    OpenStack Security Guide
    OpenStack
    Security
    OpenStack Security Notes

    View Slide

  11. Stretch Goals
    Threat Analysis
    Jenkins Enhancements
    Developer Security Guidelines
    Static Analysis
    Cryptography Review
    Tempest Modules
    OpenStack Security Guide
    OpenStack
    Security
    OpenStack Security Notes

    View Slide

  12. Key Projects
    Threat Analysis
    OpenStack
    Security
    OpenStack Security Notes
    OpenStack Security Guide
    ● Primary Focus
    ● Already Providing Value
    ● Individually Lead Projects
    ● Good opportunity for new
    contributors
    ● Significant Domain
    Expertise

    View Slide

  13. Best Practices
    OpenStack
    Security
    Developer Security Guidelines
    Cryptography Review
    ● Skeleton Projects
    ● Bootstrapped
    ● Ready to provide value
    ● Maturity Indicators
    ● Low bar to entry
    ● OSSG support
    ● Demonstrated need

    View Slide

  14. Stretch Goals
    Jenkins Enhancements
    Tempest Modules
    OpenStack
    Security
    Static Analysis
    ● Not really in scope
    ● Some easy wins
    ● Separately Lead Projects
    ● Waiting on outside
    innovation
    ● Codify Security
    Guidelines
    ● Higher bar to entry
    ● Jenkins - Job Writing
    ● Infrastructure Hooks
    ● Tempest - Template /
    Test

    View Slide

  15. Threat Analysis

    View Slide

  16. Threat Analysis
    ● Community Lead
    ● Growing list of participants
    ● Keystone review in flight
    ● Others to follow
    ● Similar lines to OWASP T/M
    https://wiki.openstack.org/wiki/Security/Threat_Analysis

    View Slide

  17. Threat Analysis

    View Slide

  18. Threat Analysis
    ● Calling on major players to contribute
    ● We are all missing things
    ● Massive duplication of effort
    ● Others to follow
    ● Delta reviews

    View Slide

  19. OpenStack Security Notes
    (OSSN)

    View Slide

  20. What are Security Notes?
    ● Notices for security related issues that do not
    qualify as vulnerabilities or advisories
    (OSSA).
    ● Intended to raise awareness of security
    issues that can be mitigated without code
    changes.
    ● Security related “knowledge base”.

    View Slide

  21. Security Note Examples
    ● OSSN-0013 - Some versions of Glance do not apply property protections as expected
    ● OSSN-0012 - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise
    ● OSSN-0011 - Heat templates with invalid references allows unintended network access
    ● OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability
    ● OSSN-0009 - Potential token revocation abuse via group membership
    ● OSSN-0008 - DoS style attack on noVNC server can lead to service interruption or disruption
    ● OSSN-0007 - Live migration instructions recommend unsecured libvirt remote access

    View Slide

  22. Security Note Publishing
    ● Published to the user and development
    mailing lists.
    [email protected]
    [email protected]
    ● Published on the OpenStack wiki
    ○ https://wiki.openstack.org/wiki/Security_Notes
    ● Listed in the OpenStack Community Weekly
    Newsletter.

    View Slide

  23. Process Changes (since Havana)
    ● Creation and review process has been formalized.
    ○ https://wiki.openstack.org/wiki/Security/Security_Note_Process
    ○ Gerrit workflow is used for reviews.
    ● Security Notes are published to the OpenStack wiki.
    ○ https://wiki.openstack.org/wiki/Security/Security_Notes
    ● Security Notes are uniquely identified.
    ○ OSSN-0001, OSSN-0002, etc.

    View Slide

  24. Process Changes (results)
    ● Increased output
    ○ 3 OSSN published during Havana cycle.
    ○ 10 OSSN published during Icehouse cycle.
    ● Increased quality
    ○ Gerrit allows for more granular review feedback.
    ○ Approval requires review by 2 OSSG core members
    and PTL or core member of affected project(s).

    View Slide

  25. Future Improvements
    ● Publish Security Notes into the OpenStack
    Security Guide.
    ● Add automatic gate jobs for formatting
    checks and automatic publishing.
    ● Review published Security Notes to identify
    ways of preventing similar future issues.

    View Slide

  26. OpenStack Security Guide

    View Slide

  27. OpenStack Security Guide
    ● Created summer 2013
    ● Converted to docbook
    ● Edits through gerrit
    ● Ramping up maintenance
    and editing efforts
    http://docs.openstack.org/sec/

    View Slide

  28. Getting Involved

    View Slide

  29. OpenStack Projects “The Glue”
    ● Improve available security
    ● Document best practices
    ● Simplify security compliance
    ● Work with builders, ops, users

    View Slide

  30. Ways to Participate
    ● Key Projects
    ● Best Practices
    ● IRC meetings
    ● Code reviews
    ● Mailing list
    ● Relationship management
    OSSG

    View Slide

  31. Questions

    View Slide