OpenStack Security CI/CD Way
May. 19, 2015•0 likes•1,367 views
Download to read offline
Report
Technology
As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security. Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistence. It is almost impossible to embed these types of security testing into CI/CD process. In Rackspace, security engineering team is working with quality engineers and developers to integrate security testing into CI/CD process. Security engineering team uses the same framework/tool that quality engineer use to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security-testing cases with QE testing framework. The security test cases cover necessary security checks including common security vulnerability checks and some product specific checks. These security test cases can be run by anyone from the team. They can also be invoked as Jenkins jobs as part of integration test. The failed security test cases indicate some types of security defects and need to be remediated. The security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within CI/CD process can detect security defect in early stage and reduce remediation costs.
michaelxin2015Follow
Recommended
Code to-cloud toolchain-LA OpenStack meet up-20140626aedocw
OpenStack Securityopenstackindia
Openstack security presentation 2013brian_chong
Shmoocon 2013 - OpenStack Security Briefopenfly
Hypervisor Security - OpenStack Summit Hong KongRobert Clark
Holistic Security for OpenStack CloudsMajor Hayden
More Related Content
Recently uploaded
GDSC SRMCEM Info Session 2023HariOM Dwivedi
Deploying CloudStack with CephShapeBlue
DigitalWisers Onepager.pdfMustafa Kuğu
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)Alex Pruden
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsScyllaDB
Generative AI PotentialKapil Khandelwal (KK)
![[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/wc-kcdgt2023demystifyingetcdfailurescenariosforkubernetes-230819210453-e911a262-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Featured
The six step guide to practical project managementMindGenius
ChatGPT webinar slidesAlireza Esmikhani
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
More than Just Lines on a Map: Best Practices for U.S Bike RoutesProject for Public Spaces & National Center for Biking and Walking
Staying Cool During SummerDeborah Davis
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
OpenStack Security CI/CD Way
2 Jim Freeman Director of Security Engineering Jim.freeman@rackspace.com Michael Xin Manager of Security Engineering Michael.xin@rackspace.com
It is all about Software Development Testing Security Deployment
Software Development Methodologies Waterfall Methodology Agile Development Methodology Continuous Integration/Continuous Deployment (CI/CD)
6www.rackspace.com Extensive Planning Defined Scope Better Design
7www.rackspace.com Better Engagement Predictable Delivery Improved Quality
8www.rackspace.com 8www.rackspace.com Less Defects Fast Delivery Better Quality
9www.rackspace.com Limited Resources Priority Issue Test Process
10www.rackspace.com
Developers Version Control Server Continuous Integration Server Configure Static Analysis / Security Unit/funct ional/ Security/ tests Report Report Deploy Smoke / Security/ Performance tests commits triggers runs runs runs logs logs logs FAIL Success logs FAIL Success
•Reduce test time from weeks to hours •Security defect fix time reduced from weeks to days •Better security testing –Repeatable –Consistent –Auditable •Build great working relationships CI/CD Security Engineering Advantages
•Reduce test time from weeks to hours •Security defect fix time reduced from weeks to days •Better security testing –Repeatable –Consistent –Auditable •Build great working relationships CI/CD Security Engineering Advantages Test Time: Weeks -> Days Defect Fix time: Weeks-> Days Better Security Tests Test Time: Months -> Weeks
•Reduce test time from weeks to hours •Security defect fix time reduced from weeks to days •Better security testing –Repeatable –Consistent –Auditable •Build great working relationships CI/CD Security Engineering Advantages Test Time: Weeks -> Days Defect Fix time: Weeks-> Days Better Security Tests Defect Fix time: Weeks-> Days
Repeatable Measurable Auditable
Automation Efforts Different CI/CD Pipelines Mindset Change
How to integrate security into CI/CD pipeline?
What should we automate? Security Code Review API Security Tests Infrastructure Test
NO PYTHON
Bandit a framework for performing security analysis of Python source code! https://wiki.openstack.org/wiki/Securi ty/Projects/Bandit OpenStack Security Group
>> Issue: subprocess call without a subshell. Severity: Low Confidence: High Location: ./solum/worker/handlers/shell.py:494 493 try: 494 runtest = subprocess.Popen(command, env=user_env, 495 stdout=subprocess.PIPE) 496 returncode = runtest.wait() >> Issue: Use of random is not suitable for security/cryptographic purposes. Severity: Low Confidence: High Location: ./solum/worker/handlers/shell.py:141 140 else: 141 str_assem = (''.join(random.choice(string.ascii_uppercase) 142 for i in range(20))) 143 user_env['ASSEMBLY_ID'] = str_assem
Customize the Configuration File: bandit.yaml # optional: plugins discovery name pattern plugin_name_pattern: '*.py’ exclude_dirs: - '/tests/’ ShellInjection: include: - subprocess_popen_with_shell_equals_true - start_process_with_no_shell exclude: SqlInjection: include: - hardcoded_sql_expressions
Extend Bandit using plugins @takes_config('shell_injection') @checks('Call') def subprocess_popen_with_shell_equals_true(context, config): if config and context.call_function_name_qual in config['subprocess']: if context.check_call_arg_value('shell', 'True'): return bandit.Issue( severity=bandit.HIGH, confidence=bandit.HIGH, text="subprocess call with shell=True identified, security " "issue. %s" % context.call_args_string )
27www.rackspace.com
Commercial automatic Restful API scanner is limited
29www.rackspace.com Quality Engineers QE Framework QE Test Codes
@tags("authorization", "security") def test_get_network_of_other_user(self): resp = self.one_network_client.get_network(self.two_network_id) assert resp.status_code != 200 @tags("authorization", "security") def test_update_network_of_other_user(self): resp = self.one_network_client.update_network(self.two_network_id, name="newname") assert resp.status_code != 200
32www.rackspace.com
POST /v2.0/subnets HTTP/1.1 User-Agent: curl/7.30.0 Host: xxx.xxx.xxx.xxx Content-Type: application/json Accept: application/json Content-Length: 189 {"subnet": {"network_id": "fc795965-cdad-40b5-8e7b- 73ee174a9451", "name": "Sectest", "cidr": "11.168.200.0/24", "ip_version": 4, "dns_nameservers": ["11111111111111111111111111111111111"]}}
HTTP/1.1 503 Service Unavailable Via: 1.1 Repose (Repose/2.12) Content-Length: 0 Server: Jetty(8.0.y.z-SNAPSHOT) CVE-2014-7821 (http://lists.openstack.org/pipermail/openstack-announce/2014- November/000303.html )
CI/CD Evolve Automate Contribute Lessons Learned CI/CD Opportunities AutomationBandit Collaboration
Questions? Jim.Freeman@rackspace.com Michael.Xin@rackspace.com
WE’RE HIRING! bit.ly/RackerTalent Expo Hall Booth P-11 Python OpenStack Engineers C, C++ Linux Systems Engineers Ruby DevOps Engineers Java Frontend & Backend Developers C#, .NET Software Developer in Test JavaScript, CSS, HTML iOS/Android Development Twisted, Backhone Data Scientist Angular.JS, Ember.js, Node.js Field Sales Specialist Restful/JSON/XML Strategic Account Executive Closure, Scala, Erlang Hadoop, MongoDB, MySQL Solution Architect Data Visualization
Editor's Notes
- Add twitter account, email address
- Check the room size and make the picture bigger and increase the font
- Change a different picture! Check whether the audience know CI/CD. The benefits of CI/CD.
- Change a different picture! Check whether the audience know CI/CD. The benefits of CI/CD.
- Change a different picture! Check whether the audience know CI/CD. The benefits of CI/CD.
- Add description to make people understand
- Better examples of challenges. Find a picture. There are general issues and not Rackspace issues.
- This is what we are doing! Different logos for different components.
- More slides for success! Explain the details about better security tests.
- More slides for success! Explain the details about better security tests.
- More slides for success! Explain the details about better security tests.
- More slides for success! Explain the details about better security tests.
- Fix this slides.
- Maybe we do not need these slides.
- The advantages and disadvantages for Bandit.
- Highlight what I want people to see.
- Make this to be a challenge and problem.
- Identify the problem and how the problem and explain the benefits. Real numbers. Make them checklist
- Microsoft Confidential