CloudStack Secured

My talk from CloudStack Collab 2012

Published in: Technology
  • Grepping is basically the same as Fortify’s Semantic Analyzer
  • Transcript

    • 1. CloudStack Secured. John Kinsella (@johnlkinsella), Apache CloudStack PPMC, Founder, Stratosec Inc.
    • 2. Overview
        • Code review
        • Incident response
        • Stratosec extras
        • What’s next
    • 3. Looking for weaknesses in ACS
    • 4. Manual review
        • Process of combing code looking for flaws
        • “Targeted” manual review can be cheaper, easier
        • Grepping for known patterns can quickly point to issues in code: “crypt”, “password”, “FIXME”, “this is a hack”
    • 5. This is a hack
    • 6. Manual review, cont.
        • Once we find an area where there’s a “smell,” we investigate closer.
    • 7. Static analysis
        • Automated!
        • Automation good, right?
        • But tools usually not cheap.
    • 8. FoD Overview
    • 9. FoD Source
    • 10. FoD Trace
    • 11. FoD Suspicious
    • 12. What does this get us? So far, not much.
        • No critical findings discovered
        • Low issues possible (e.g. raw error message displayed in UI)
    • 13. Good guys vs. bad guys: governments, $$, malicious user, community
    • 14. Email from customer
    • 15. Incident response
        • Report findings to ACS security team (PPMC)
        • We strive to investigate and respond ASAP
        • Verified issues
        • Pre-4.0 issues are forwarded to Citrix
        • Pre-notification list for critical vendors (Gizoogle cloudstack security response)
    • 16. Stratosec extras
    • 17. SSL
        • ACS ships with SSL disabled.
        • Instructions in ACS wiki under “CloudStack Security”
    • 18. VPNs
        • SSL is nice, but we like OpenVPN for any administrative access
        • Con: iOS doesn’t like OpenVPN* (*Jailbroken iOS does like OpenVPN)
    • 19. Tighter firewalling
        • If you place unprotected hypervisors on the public Internet, after several days you will find VMs at a grub prompt
        • Firewall everything. Use VPN, but firewall that too.
    • 20. Testing
        • Vulnerability scanning
        • Penetration testing
        • Important: monitoring for changes
    • 21. IDS
        • Run Snort on hypervisors, monitoring bridges
        • Run OSSEC, monitoring anything sensitive (/etc)
        • AntiVirus? Shouldn’t have to…
    • 22. Two-factor authentication
        • Becoming more and more common
        • Passwords aren’t enough: guessable, stealable, sniffable when you’re not using SSL/VPN
    • 23. 2FA any day now…
        • WiKID Systems two-factor auth
        • “Mutual HTTPS Authentication”
        • Code seems to be working, just need to tweak build
    • 24. What’s next
        • Admin login notification
        • KVM + SELinux: working on it, not production ready
        • After SELinux, auditd
        • Goal: provide users with transparency
    • 25. Logging
        • We collect/analyze logs from: all IDS, network firewalls, web application firewalls, syslog (management, node, AND VM) collected centrally
    • 26. We’d love help
        • Security frameworks
        • Security plugins (authentication, monitoring)
        • grsecurity support?
        • Further Xen hardening?
        • Ideas? http://cloudstack.org
    • 27. Thanks! Questions? John Kinsella, @johnlkinsella, http://www.slideshare.net/jlkinsel/
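The targeted "smell" grep that slide 4 describes, as an added example that is not code from the talk or from CloudStack: it scans a source tree for the slide's four patterns, skipping build and VCS directories so the hits are worth reading, and runs over a small sample tree constructed here. The directory names and sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): a targeted "smell" grep over a source tree,
# using the four patterns named on slide 4. Directory names are assumptions.

SMELL_PATTERNS='crypt|password|FIXME|this is a hack'

# Print every matching line as file:line:text. Case-insensitive, skips binary
# files (-I) and the build/VCS directories that only produce noise.
smell_grep() {
    grep -rnIiE --exclude-dir=.git --exclude-dir=target -e "$SMELL_PATTERNS" "$1"
}

# Number of files in a tree that mention one pattern; useful to decide which
# smell to read through first.
smell_count() {
    grep -rIil --exclude-dir=.git --exclude-dir=target -e "$2" "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: two hand-written source files plus a build
# artifact under target/ that the scan should ignore.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/target"
    cat > "$dir/src/Login.java" <<'EOF'
public class Login {
    // FIXME: this is a hack until the real auth provider lands
    private static final String PASSWORD = "changeme";
}
EOF
    cat > "$dir/src/Util.java" <<'EOF'
public class Util {
    public static String hash(String s) { return s; } // no crypt here at all
}
EOF
    printf 'password=compiled\n' > "$dir/target/out.txt"
    printf '%s' "$dir"
}

tree=$(make_sample_tree)
smell_grep "$tree"                     # 3 hits, none from target/
smell_count "$tree" 'this is a hack'   # 1
rm -rf "$tree"
```

Run it against a real checkout by replacing the constructed tree with the repository path; hits are a reading list for the manual review on slide 6, not findings in themselves.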
