Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OpenStack Security Group (OSSG): An Update On Our Progress And Plans

OpenStack Security Group (OSSG): An Update On Our Progress And Plans

OpenStack Summit, Spring 2014. Originally organized in Fall 2012, the OpenStack Security Group (OSSG) now fills many critical security roles within the OpenStack Community. From assisting the Vulnerability Management Team (VMT) to consulting with projects about security best practices and testing technique, the OSSG has kept very busy. This talk will highlight the group's recent work and set the direction for future work. Anyone interested in OpenStack security should attend. https://www.youtube.com/watch?v=irLQq9iDTBs

Bryan Payne

May 15, 2014
Tweet

More Decks by Bryan Payne

Other Decks in Technology

Transcript

  1. OpenStack Security Group (OSSG) An Update On Our Progress And

    Plans Bryan D. Payne Robert Clark Nathan Kinder
  2. Agenda • What is OSSG? • What have we been

    doing? • What are OSSG’s plans? • How you can help!
  3. OSSG Overview • Working to improve security in OpenStack ◦

    Hardening, Deployment, Compliance, etc • Currently over 150 members • Regular meetings and discussions ◦ Weekly IRC meetings ◦ openstack-security mailing list https://launchpad.net/~openstack-ossg
  4. OSSG Contributions • Documentation • Code Review • Threat Analysis

    & Review • Assist VMT with Vulnerability Triage
  5. Projects Threat Analysis Jenkins Enhancements Developer Security Guidelines Static Analysis

    Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
  6. Key Projects Threat Analysis Jenkins Enhancements Developer Security Guidelines Static

    Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
  7. Best Practices Threat Analysis Jenkins Enhancements Developer Security Guidelines Static

    Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
  8. Stretch Goals Threat Analysis Jenkins Enhancements Developer Security Guidelines Static

    Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
  9. Key Projects Threat Analysis OpenStack Security OpenStack Security Notes OpenStack

    Security Guide • Primary Focus • Already Providing Value • Individually Lead Projects • Good opportunity for new contributors • Significant Domain Expertise
  10. Best Practices OpenStack Security Developer Security Guidelines Cryptography Review •

    Skeleton Projects • Bootstrapped • Ready to provide value • Maturity Indicators • Low bar to entry • OSSG support • Demonstrated need
  11. Stretch Goals Jenkins Enhancements Tempest Modules OpenStack Security Static Analysis

    • Not really in scope • Some easy wins • Separately Lead Projects • Waiting on outside innovation • Codify Security Guidelines • Higher bar to entry • Jenkins - Job Writing • Infrastructure Hooks • Tempest - Template / Test
  12. Threat Analysis • Community Lead • Growing list of participants

    • Keystone review in flight • Others to follow • Similar lines to OWASP T/M https://wiki.openstack.org/wiki/Security/Threat_Analysis
  13. Threat Analysis • Calling on major players to contribute •

    We are all missing things • Massive duplication of effort • Others to follow • Delta reviews
  14. What are Security Notes? • Notices for security related issues

    that do not qualify as vulnerabilities or advisories (OSSA). • Intended to raise awareness of security issues that can be mitigated without code changes. • Security related “knowledge base”.
  15. Security Note Examples • OSSN-0013 - Some versions of Glance

    do not apply property protections as expected • OSSN-0012 - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise • OSSN-0011 - Heat templates with invalid references allows unintended network access • OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability • OSSN-0009 - Potential token revocation abuse via group membership • OSSN-0008 - DoS style attack on noVNC server can lead to service interruption or disruption • OSSN-0007 - Live migration instructions recommend unsecured libvirt remote access
  16. Security Note Publishing • Published to the user and development

    mailing lists. ◦ [email protected][email protected] • Published on the OpenStack wiki ◦ https://wiki.openstack.org/wiki/Security_Notes • Listed in the OpenStack Community Weekly Newsletter.
  17. Process Changes (since Havana) • Creation and review process has

    been formalized. ◦ https://wiki.openstack.org/wiki/Security/Security_Note_Process ◦ Gerrit workflow is used for reviews. • Security Notes are published to the OpenStack wiki. ◦ https://wiki.openstack.org/wiki/Security/Security_Notes • Security Notes are uniquely identified. ◦ OSSN-0001, OSSN-0002, etc.
  18. Process Changes (results) • Increased output ◦ 3 OSSN published

    during Havana cycle. ◦ 10 OSSN published during Icehouse cycle. • Increased quality ◦ Gerrit allows for more granular review feedback. ◦ Approval requires review by 2 OSSG core members and PTL or core member of affected project(s).
  19. Future Improvements • Publish Security Notes into the OpenStack Security

    Guide. • Add automatic gate jobs for formatting checks and automatic publishing. • Review published Security Notes to identify ways of preventing similar future issues.
  20. OpenStack Security Guide • Created summer 2013 • Converted to

    docbook • Edits through gerrit • Ramping up maintenance and editing efforts http://docs.openstack.org/sec/
  21. OpenStack Projects “The Glue” • Improve available security • Document

    best practices • Simplify security compliance • Work with builders, ops, users
  22. Ways to Participate • Key Projects • Best Practices •

    IRC meetings • Code reviews • Mailing list • Relationship management OSSG