SLIDE 1
OpenStack Security Group (OSSG)
An Update On Our Progress And Plans
Bryan D. Payne Robert Clark Nathan Kinder
Agenda
- What is OSSG?
- What have we been doing?
- What are OSSG’s plans?
- How you can help!
OpenStack Security Group (OSSG) An Update On Our Progress And Plans - - PowerPoint PPT Presentation
OpenStack Security Group (OSSG) An Update On Our Progress And Plans - - PowerPoint PPT Presentation
OpenStack Security Group (OSSG) An Update On Our Progress And Plans Bryan D. Payne Robert Clark Nathan Kinder Agenda What is OSSG? What have we been doing? What are OSSGs plans? How you can help! Introduction OSSG
SLIDE 2
SLIDE 3
Introduction
SLIDE 4
OSSG Overview
- Working to improve security in OpenStack
○ Hardening, Deployment, Compliance, etc
- Currently over 150 members
- Regular meetings and discussions
○ Weekly IRC meetings ○ openstack-security mailing list
https://launchpad.net/~openstack-ossg
SLIDE 5
OSSG Contributions
- Documentation
- Code Review
- Threat Analysis & Review
- Assist VMT with Vulnerability Triage
SLIDE 6
Icehouse Cycle Updates
- OpenStack Security Notes
- Threat Analysis & Review
- OSSG Lead Elections
SLIDE 7
Plans
SLIDE 8
Projects
Threat Analysis Jenkins Enhancements Developer Security Guidelines Static Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
SLIDE 9
Key Projects
Threat Analysis Jenkins Enhancements Developer Security Guidelines Static Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
SLIDE 10
Best Practices
Threat Analysis Jenkins Enhancements Developer Security Guidelines Static Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
SLIDE 11
Stretch Goals
Threat Analysis Jenkins Enhancements Developer Security Guidelines Static Analysis Cryptography Review Tempest Modules OpenStack Security Guide OpenStack Security OpenStack Security Notes
SLIDE 12
Key Projects
Threat Analysis OpenStack Security OpenStack Security Notes OpenStack Security Guide
- Primary Focus
- Already Providing Value
- Individually Lead Projects
- Good opportunity for new
contributors
- Significant Domain
Expertise
SLIDE 13
Best Practices
OpenStack Security Developer Security Guidelines Cryptography Review
- Skeleton Projects
- Bootstrapped
- Ready to provide value
- Maturity Indicators
- Low bar to entry
- OSSG support
- Demonstrated need
SLIDE 14
Stretch Goals
Jenkins Enhancements Tempest Modules OpenStack Security Static Analysis
- Not really in scope
- Some easy wins
- Separately Lead Projects
- Waiting on outside
innovation
- Codify Security
Guidelines
- Higher bar to entry
- Jenkins - Job Writing
- Infrastructure Hooks
- Tempest - Template /
Test
SLIDE 15
Threat Analysis
SLIDE 16
Threat Analysis
- Community Lead
- Growing list of participants
- Keystone review in flight
- Others to follow
- Similar lines to OWASP T/M
https://wiki.openstack.org/wiki/Security/Threat_Analysis
SLIDE 17
Threat Analysis
SLIDE 18
Threat Analysis
- Calling on major players to contribute
- We are all missing things
- Massive duplication of effort
- Others to follow
- Delta reviews
SLIDE 19
OpenStack Security Notes (OSSN)
SLIDE 20
What are Security Notes?
- Notices for security related issues that do not
qualify as vulnerabilities or advisories (OSSA).
- Intended to raise awareness of security
issues that can be mitigated without code changes.
- Security related “knowledge base”.
SLIDE 21
Security Note Examples
- OSSN-0013 - Some versions of Glance do not apply property protections as expected
- OSSN-0012 - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise
- OSSN-0011 - Heat templates with invalid references allows unintended network access
- OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability
- OSSN-0009 - Potential token revocation abuse via group membership
- OSSN-0008 - DoS style attack on noVNC server can lead to service interruption or disruption
- OSSN-0007 - Live migration instructions recommend unsecured libvirt remote access
SLIDE 22
Security Note Publishing
- Published to the user and development
mailing lists.
○
- penstack@lists.openstack.org
○
- penstack-dev@lists.openstack.org
- Published on the OpenStack wiki
○ https://wiki.openstack.org/wiki/Security_Notes
- Listed in the OpenStack Community Weekly
Newsletter.
SLIDE 23
Process Changes (since Havana)
- Creation and review process has been formalized.
○ https://wiki.openstack.org/wiki/Security/Security_Note_Process ○ Gerrit workflow is used for reviews.
- Security Notes are published to the OpenStack wiki.
○ https://wiki.openstack.org/wiki/Security/Security_Notes
- Security Notes are uniquely identified.
○ OSSN-0001, OSSN-0002, etc.
SLIDE 24
Process Changes (results)
- Increased output
○ 3 OSSN published during Havana cycle. ○ 10 OSSN published during Icehouse cycle.
- Increased quality
○ Gerrit allows for more granular review feedback. ○ Approval requires review by 2 OSSG core members and PTL or core member of affected project(s).
SLIDE 25
Future Improvements
- Publish Security Notes into the OpenStack
Security Guide.
- Add automatic gate jobs for formatting
checks and automatic publishing.
- Review published Security Notes to identify
ways of preventing similar future issues.
SLIDE 26
OpenStack Security Guide
SLIDE 27
OpenStack Security Guide
- Created summer 2013
- Converted to docbook
- Edits through gerrit
- Ramping up maintenance
and editing efforts http://docs.openstack.org/sec/
SLIDE 28
Getting Involved
SLIDE 29
OpenStack Projects “The Glue”
- Improve available security
- Document best practices
- Simplify security compliance
- Work with builders, ops, users
SLIDE 30
Ways to Participate
- Key Projects
- Best Practices
- IRC meetings
- Code reviews
- Mailing list
- Relationship management
OSSG
SLIDE 31