Recap From Last Summit ● Discussed the need for a unified OpenStack security group ● Attempted to gather the relevant parties ○ Got a lot, happy for others to join ● Put forward a high level game plan
Launchpad Group ● https://launchpad.net/~openstack-ossg ● Linked into other areas of launchpad ○ security tagged bugs ○ linked to security note work ● Provides email notification for the above
Weekly Meetings ● https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity ● IRC Meetings ○ Started in Jan 2013 ○ Thursdays at 18:00 UTC ○ 30 minute sync-up between OSSG members ● Minutes posted online
Security Notes (OSNs) ● https://launchpad.net/osn ● Purpose of OSNs ○ Convey security best practice information ○ Timely ○ Complement CVEs ● OSNs to date ○ Security impact of Libvirt / LXC ○ Keystone request header size can lead to DoS ● More to come
HTTPS Support in Clients ● Work done by Dean Troyer at Nebula ● Starting with (early 2013 release) ○ python-keystoneclient ○ python-glanceclient ○ python-novaclient ○ python-cinderclient ○ python-swiftclient ● Clients support ○ Proper hostname checking ○ Custom certificate chains ○ Full certificate validation ○ http://hackstack.org/x/blog/2012/12/21/securing-openstack-client-connections-part-2/
Review Efforts ● Mailing list discussions ● Security tagging for bugs / PRs ○ Security tag on bugs (available today) ○ Security tag on gerrit (work in progress) ● Assistance on vulnerability reports
OpenStack Security Mailing List ● Setup recently (early April) ● Facilitates security discussions ○ OSSG discussions ○ Meeting place for security discussions ○ Interactions with broader development community ● Fills a separate niche than openstack-dev ● [email protected]
OSSG Challenges ● Rethinking security at all levels ○ Understand current state ○ Monitor, influence changes ○ Start small, but scale ● OpenStack expertise vs. Security expertise ○ OSSG has many security experts ○ OSSG has less OpenStack experts ○ Need more participation from core developers ● Time -- everyone is busy
Nova Swift Network Glance Keystone Horizon Cinder DNS Metering Automation Load Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance SO MUCH PLUMBING Certificate Authorities
OpenStack Hardening Guide ● Initial project and templates ● Engaged with Private, Public and Government Agencies ● Documentation Sprint in June ● Security Awareness
How You Can Help ● Get Involved! ○ Be our eyes & ears on core projects ○ Participate in weekly IRC meetings ○ Volunteer to help with security tasks ● Share your knowledge ○ OpenStack security? ○ Secure deployment options? ○ Architectural security concerns? ○ Please share what you know!
● Documentation sprint in June ● Lots of work to be done ● Actively seeking more OSSG members ● Work with community for improving all aspects of security in OpenStack Summary
bdpayne
trycycle
hassaku63
tenforward
newrelic2023
kumamatsu
kawaguti
salaboy
takahana
nenonaninu
startree
shimap_sampo
yuya4
reverentgeek
eitanlees
eileencodes
sferik
malarkey
garrettdimon
addyosmani
philnash
pauljervisheath
notwaldorf
chrislema
hatefulcrawdad