OpenStack Security Group (OSSG) An Update On Our Progress And Plans Bryan D. Payne Robert Clark Nathan Kinder
Agenda ● What is OSSG? ● What have we been doing? ● What are OSSG’s plans? ● How you can help!
Introduction
OSSG Overview ● Working to improve security in OpenStack ○ Hardening, Deployment, Compliance, etc ● Currently over 150 members ● Regular meetings and discussions ○ Weekly IRC meetings ○ openstack-security mailing list https://launchpad.net/~openstack-ossg
OSSG Contributions ● Documentation ● Code Review ● Threat Analysis & Review ● Assist VMT with Vulnerability Triage
Icehouse Cycle Updates ● OpenStack Security Notes ● Threat Analysis & Review ● OSSG Lead Elections
Plans
Projects Jenkins Enhancements Developer Security Guidelines Threat Analysis OpenStack Tempest Modules Static Analysis Security Cryptography Review OpenStack Security Notes OpenStack Security Guide
Key Projects Jenkins Enhancements Developer Security Guidelines Threat Analysis OpenStack Tempest Modules Static Analysis Security Cryptography Review OpenStack Security Notes OpenStack Security Guide
Best Practices Jenkins Enhancements Developer Security Guidelines Threat Analysis OpenStack Tempest Modules Static Analysis Security Cryptography Review OpenStack Security Notes OpenStack Security Guide
Stretch Goals Jenkins Enhancements Developer Security Guidelines Threat Analysis OpenStack Tempest Modules Static Analysis Security Cryptography Review OpenStack Security Notes OpenStack Security Guide
Key Projects ● Primary Focus Threat Analysis ● Already Providing Value ● Individually Lead Projects OpenStack OpenStack Security Guide Security ● Good opportunity for new contributors OpenStack Security Notes ● Significant Domain Expertise
Best Practices ● Skeleton Projects ● Bootstrapped Cryptography Review ● Ready to provide value ● Maturity Indicators OpenStack Security ● Low bar to entry Developer Security Guidelines ● OSSG support ● Demonstrated need
Stretch Goals ● Not really in scope Jenkins Enhancements ● Some easy wins ● Separately Lead Projects ● Waiting on outside OpenStack innovation Static Analysis Security ● Codify Security Guidelines Tempest Modules ● Higher bar to entry ● Jenkins - Job Writing ● Infrastructure Hooks ● Tempest - Template / Test
Threat Analysis
Threat Analysis ● Community Lead ● Growing list of participants ● Keystone review in flight ● Others to follow ● Similar lines to OWASP T/M https://wiki.openstack.org/wiki/Security/Threat_Analysis
Threat Analysis
Threat Analysis ● Calling on major players to contribute ● We are all missing things ● Massive duplication of effort ● Others to follow ● Delta reviews
OpenStack Security Notes (OSSN)
What are Security Notes? ● Notices for security related issues that do not qualify as vulnerabilities or advisories (OSSA). ● Intended to raise awareness of security issues that can be mitigated without code changes. ● Security related “knowledge base”.
Security Note Examples ● OSSN-0013 - Some versions of Glance do not apply property protections as expected ● OSSN-0012 - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise ● OSSN-0011 - Heat templates with invalid references allows unintended network access ● OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability ● OSSN-0009 - Potential token revocation abuse via group membership ● OSSN-0008 - DoS style attack on noVNC server can lead to service interruption or disruption ● OSSN-0007 - Live migration instructions recommend unsecured libvirt remote access
Security Note Publishing ● Published to the user and development mailing lists. openstack@lists.openstack.org ○ ○ openstack-dev@lists.openstack.org ● Published on the OpenStack wiki ○ https://wiki.openstack.org/wiki/Security_Notes ● Listed in the OpenStack Community Weekly Newsletter.
Process Changes (since Havana) ● Creation and review process has been formalized. ○ https://wiki.openstack.org/wiki/Security/Security_Note_Process Gerrit workflow is used for reviews. ○ ● Security Notes are published to the OpenStack wiki. ○ https://wiki.openstack.org/wiki/Security/Security_Notes ● Security Notes are uniquely identified. ○ OSSN-0001, OSSN-0002, etc.
Process Changes (results) ● Increased output ○ 3 OSSN published during Havana cycle. ○ 10 OSSN published during Icehouse cycle. ● Increased quality ○ Gerrit allows for more granular review feedback. ○ Approval requires review by 2 OSSG core members and PTL or core member of affected project(s).
Future Improvements ● Publish Security Notes into the OpenStack Security Guide. ● Add automatic gate jobs for formatting checks and automatic publishing. ● Review published Security Notes to identify ways of preventing similar future issues.
OpenStack Security Guide
OpenStack Security Guide ● Created summer 2013 ● Converted to docbook ● Edits through gerrit ● Ramping up maintenance and editing efforts http://docs.openstack.org/sec/
Getting Involved
OpenStack Projects “The Glue” ● Improve available security ● Document best practices ● Simplify security compliance ● Work with builders, ops, users
Ways to Participate ● Key Projects ● Best Practices ● IRC meetings OSSG ● Code reviews ● Mailing list ● Relationship management
Questions
Recommend
More recommend