SlideShare a Scribd company logo

Building an OpenStack Security Group.pdf

OpenStack Foundation
OpenStack Foundation

The document discusses the formation of the OpenStack Security Group (OSSG) to help build security into the OpenStack platform. The OSSG plans to place security engineers on each core project to conduct code reviews, implement and design security blueprints, and work across projects. They will also create documentation and help integrate security into continuous integration processes. The OSSG is seeking community involvement from security engineers, technical writers, and those with OpenStack deployment expertise.

1 of 24
Download to read offline
Building  an  OpenStack  Security  Group   Bryan  D.  Payne,  Nebula   Robert  Clark,  HP  
2   10/17/12  
3   10/17/12  
•  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   4   10/17/12  
•  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   5   10/17/12  
•  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   6   10/17/12  
•  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   7   10/17/12  
•  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   8   10/17/12  
This  Is  Hard   9   10/17/12  
SoSware  Must  Be  Easier,  Right?   10   10/17/12  
But  Who  Wants  to  Hack  OpenStack?   11   10/17/12  
12   10/17/12  
Computer  Security:  What  We  Know   Be#er   Worse   Design  for  security  from  the  start   Retrofit  security  when  it’s  important   Understand  your  threats   Just  make  it  secure   Understand  your  goals   Seriously,  just  add  some  security   Pervasive  security  culture   That  paranoid  guy  has  it  under  control   13   10/17/12  
Current  Approach   •  Vulnerability   Management  Team     •  People  star_ng  to  think   about  security     14   10/17/12  
OpenStack  Security  Challenges   •  Security  as  an  aSerthought   •  Security  as  silos   •  Security  by  non-­‐experts     15   10/17/12  
OpenStack  Security  Group  (OSSG)   •  Security  expert  resource  for  OS   •  Build  security  culture  within  OS  community   16   10/17/12  
OSSG   Game  Plan   17   10/17/12  
OSSG  Details   •  Place  at  least  one  security  engineer  on  each  core  project   –  Code  review   –  Implement  blueprints   –  Design  blueprints   •  Have  at  least  one  person  working  cross  project   –  Write  technical  documenta_on   –  Integra_ng  security  into  con_nuous  integra_on   –  Iden_fy  cross  project  security  concerns   •  Mailing  list  to  have  security  discussions   18   10/17/12  
Case  Study:  HTTPS  Support   19   10/17/12  
Observations from Summit 2012 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Crypt Enthusiastic Developer + Hash Algorithm + Async Crypt != Secure Design
Common Mistakes Let us help
OSSG  Next  Steps   •  Will  require  community-­‐level  involvement   •  Now  “hiring”  for  OSSG!!   –  Security  Engineers   –  Technical  Writers   –  OpenStack  Deployment  Exper_se   23   10/17/12  
Please  Join  Us!   hhps://launchpad.net/~openstack-­‐ossg   Bryan  D.  Payne   Robert  Clark   bryan.payne@nebula.com   robert.clark@hp.com   24   10/17/12  

Recommended

Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care CompanyJourney to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
All Things Open
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanent
Tom Stiehm
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
Aaron Rinehart
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
WhiteSource
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 Conference
Tom Stiehm
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
 

Recommended

Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care CompanyJourney to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
All Things Open
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanent
Tom Stiehm
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
Aaron Rinehart
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
WhiteSource
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 Conference
Tom Stiehm
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
Aaron Rinehart
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
James Wickett
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOpsDays Tel Aviv
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
Motiv
 
Attacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous DeliveryAttacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous Delivery
James Wickett
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
DevSecOps and the New Path Forward
DevSecOps and the New Path ForwardDevSecOps and the New Path Forward
DevSecOps and the New Path Forward
James Wickett
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
DevOps.com
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
NSS Labs Präsentation isd
NSS Labs Präsentation isdNSS Labs Präsentation isd
NSS Labs Präsentation isd
Daniel Busch
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOps
lokori
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
James Wickett
 
Tizen Security
Tizen SecurityTizen Security
Tizen Security
Jason Ross
 
Hidden empires of malware
Hidden empires of malwareHidden empires of malware
Hidden empires of malware
Ryan Kovar
 

More Related Content

What's hot

ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
Aaron Rinehart
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
James Wickett
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOpsDays Tel Aviv
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
Motiv
 
Attacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous DeliveryAttacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous Delivery
James Wickett
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
DevSecOps and the New Path Forward
DevSecOps and the New Path ForwardDevSecOps and the New Path Forward
DevSecOps and the New Path Forward
James Wickett
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
DevOps.com
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
NSS Labs Präsentation isd
NSS Labs Präsentation isdNSS Labs Präsentation isd
NSS Labs Präsentation isd
Daniel Busch
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOps
lokori
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
James Wickett
 

What's hot (20)

ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
 
Attacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous DeliveryAttacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous Delivery
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
 
DevSecOps and the New Path Forward
DevSecOps and the New Path ForwardDevSecOps and the New Path Forward
DevSecOps and the New Path Forward
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
 
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...Tackling the Container Iceberg: How to Approach Security When Most of Your So...
Tackling the Container Iceberg: How to Approach Security When Most of Your So...
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
NSS Labs Präsentation isd
NSS Labs Präsentation isdNSS Labs Präsentation isd
NSS Labs Präsentation isd
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOps
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
 

Similar to Building an OpenStack Security Group.pdf

Tizen Security
Tizen SecurityTizen Security
Tizen Security
Jason Ross
 
Hidden empires of malware
Hidden empires of malwareHidden empires of malware
Hidden empires of malware
Ryan Kovar
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
Liran Tal
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Core Security
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash
 
Open source software: The infrastructure impact
Open source software: The infrastructure impactOpen source software: The infrastructure impact
Open source software: The infrastructure impact
Rogue Wave Software
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
morisson
 
Splunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdfSplunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdf
Amanda Richardson
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
Priyanka Aash
 
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Splunk Discovery: Milan 2018 - Intro to Security Analytics MethodsSplunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Splunk
 
Question of trust
Question of trustQuestion of trust
Question of trust
ssuserd8f6cf1
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Shannon Williams
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Canada
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
DevOps Indonesia
 
DevOps and the Death & Rebirth of Childhood Innocence
DevOps and the Death & Rebirth of Childhood InnocenceDevOps and the Death & Rebirth of Childhood Innocence
DevOps and the Death & Rebirth of Childhood Innocence
Robert Douglass
 
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadkówPLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
PROIDEA
 

Similar to Building an OpenStack Security Group.pdf (20)

Tizen Security
Tizen SecurityTizen Security
Tizen Security
 
Hidden empires of malware
Hidden empires of malwareHidden empires of malware
Hidden empires of malware
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
 
Open source software: The infrastructure impact
Open source software: The infrastructure impactOpen source software: The infrastructure impact
Open source software: The infrastructure impact
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
Splunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdfSplunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdf
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Splunk Discovery: Milan 2018 - Intro to Security Analytics MethodsSplunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
 
Question of trust
Question of trustQuestion of trust
Question of trust
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
 
DevOps and the Death & Rebirth of Childhood Innocence
DevOps and the Death & Rebirth of Childhood InnocenceDevOps and the Death & Rebirth of Childhood Innocence
DevOps and the Death & Rebirth of Childhood Innocence
 
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadkówPLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
 

More from OpenStack Foundation

Sponsor Webinar - OpenStack Summit Vancouver 2018
Sponsor Webinar - OpenStack Summit Vancouver 2018Sponsor Webinar - OpenStack Summit Vancouver 2018
Sponsor Webinar - OpenStack Summit Vancouver 2018
OpenStack Foundation
 
OpenStack Summits 101: A Guide For Attendees
OpenStack Summits 101: A Guide For AttendeesOpenStack Summits 101: A Guide For Attendees
OpenStack Summits 101: A Guide For Attendees
OpenStack Foundation
 
OpenStack Marketing Plan - Community Presentation
OpenStack Marketing Plan - Community PresentationOpenStack Marketing Plan - Community Presentation
OpenStack Marketing Plan - Community Presentation
OpenStack Foundation
 
OpenStack 5th Birthday - User Group Parties
OpenStack 5th Birthday - User Group PartiesOpenStack 5th Birthday - User Group Parties
OpenStack 5th Birthday - User Group Parties
OpenStack Foundation
 
Liberty release: Preliminary marketing materials & messages
Liberty release: Preliminary marketing materials & messagesLiberty release: Preliminary marketing materials & messages
Liberty release: Preliminary marketing materials & messages
OpenStack Foundation
 
OpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation 2H 2015 Marketing PlanOpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation
 
OpenStack Summit Tokyo Sponsor Webinar
OpenStack Summit Tokyo Sponsor Webinar OpenStack Summit Tokyo Sponsor Webinar
OpenStack Summit Tokyo Sponsor Webinar
OpenStack Foundation
 
Cinder Updates - Liberty Edition
Cinder Updates - Liberty Edition Cinder Updates - Liberty Edition
Cinder Updates - Liberty Edition
OpenStack Foundation
 
Glance Updates - Liberty Edition
Glance Updates - Liberty EditionGlance Updates - Liberty Edition
Glance Updates - Liberty Edition
OpenStack Foundation
 
Heat Updates - Liberty Edition
Heat Updates - Liberty EditionHeat Updates - Liberty Edition
Heat Updates - Liberty Edition
OpenStack Foundation
 
Neutron Updates - Liberty Edition
Neutron Updates - Liberty Edition Neutron Updates - Liberty Edition
Neutron Updates - Liberty Edition
OpenStack Foundation
 
Nova Updates - Liberty Edition
Nova Updates - Liberty EditionNova Updates - Liberty Edition
Nova Updates - Liberty Edition
OpenStack Foundation
 
Sahara Updates - Liberty Edition
Sahara Updates - Liberty EditionSahara Updates - Liberty Edition
Sahara Updates - Liberty Edition
OpenStack Foundation
 
Searchlight Updates - Liberty Edition
Searchlight Updates - Liberty EditionSearchlight Updates - Liberty Edition
Searchlight Updates - Liberty Edition
OpenStack Foundation
 
Trove Updates - Liberty Edition
Trove Updates - Liberty EditionTrove Updates - Liberty Edition
Trove Updates - Liberty Edition
OpenStack Foundation
 
OpenStack: five years in
OpenStack: five years inOpenStack: five years in
OpenStack: five years in
OpenStack Foundation
 
Swift Updates - Liberty Edition
Swift Updates - Liberty EditionSwift Updates - Liberty Edition
Swift Updates - Liberty Edition
OpenStack Foundation
 
Congress Updates - Liberty Edition
Congress Updates - Liberty EditionCongress Updates - Liberty Edition
Congress Updates - Liberty Edition
OpenStack Foundation
 
Release Cycle Management Updates - Liberty Edition
Release Cycle Management Updates - Liberty EditionRelease Cycle Management Updates - Liberty Edition
Release Cycle Management Updates - Liberty Edition
OpenStack Foundation
 
OpenStack Day CEE 2015: Real-World Use Cases
OpenStack Day CEE 2015: Real-World Use CasesOpenStack Day CEE 2015: Real-World Use Cases
OpenStack Day CEE 2015: Real-World Use Cases
OpenStack Foundation
 

More from OpenStack Foundation (20)

Sponsor Webinar - OpenStack Summit Vancouver 2018
Sponsor Webinar - OpenStack Summit Vancouver 2018Sponsor Webinar - OpenStack Summit Vancouver 2018
Sponsor Webinar - OpenStack Summit Vancouver 2018
 
OpenStack Summits 101: A Guide For Attendees
OpenStack Summits 101: A Guide For AttendeesOpenStack Summits 101: A Guide For Attendees
OpenStack Summits 101: A Guide For Attendees
 
OpenStack Marketing Plan - Community Presentation
OpenStack Marketing Plan - Community PresentationOpenStack Marketing Plan - Community Presentation
OpenStack Marketing Plan - Community Presentation
 
OpenStack 5th Birthday - User Group Parties
OpenStack 5th Birthday - User Group PartiesOpenStack 5th Birthday - User Group Parties
OpenStack 5th Birthday - User Group Parties
 
Liberty release: Preliminary marketing materials & messages
Liberty release: Preliminary marketing materials & messagesLiberty release: Preliminary marketing materials & messages
Liberty release: Preliminary marketing materials & messages
 
OpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation 2H 2015 Marketing PlanOpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation 2H 2015 Marketing Plan
 
OpenStack Summit Tokyo Sponsor Webinar
OpenStack Summit Tokyo Sponsor Webinar OpenStack Summit Tokyo Sponsor Webinar
OpenStack Summit Tokyo Sponsor Webinar
 
Cinder Updates - Liberty Edition
Cinder Updates - Liberty Edition Cinder Updates - Liberty Edition
Cinder Updates - Liberty Edition
 
Glance Updates - Liberty Edition
Glance Updates - Liberty EditionGlance Updates - Liberty Edition
Glance Updates - Liberty Edition
 
Heat Updates - Liberty Edition
Heat Updates - Liberty EditionHeat Updates - Liberty Edition
Heat Updates - Liberty Edition
 
Neutron Updates - Liberty Edition
Neutron Updates - Liberty Edition Neutron Updates - Liberty Edition
Neutron Updates - Liberty Edition
 
Nova Updates - Liberty Edition
Nova Updates - Liberty EditionNova Updates - Liberty Edition
Nova Updates - Liberty Edition
 
Sahara Updates - Liberty Edition
Sahara Updates - Liberty EditionSahara Updates - Liberty Edition
Sahara Updates - Liberty Edition
 
Searchlight Updates - Liberty Edition
Searchlight Updates - Liberty EditionSearchlight Updates - Liberty Edition
Searchlight Updates - Liberty Edition
 
Trove Updates - Liberty Edition
Trove Updates - Liberty EditionTrove Updates - Liberty Edition
Trove Updates - Liberty Edition
 
OpenStack: five years in
OpenStack: five years inOpenStack: five years in
OpenStack: five years in
 
Swift Updates - Liberty Edition
Swift Updates - Liberty EditionSwift Updates - Liberty Edition
Swift Updates - Liberty Edition
 
Congress Updates - Liberty Edition
Congress Updates - Liberty EditionCongress Updates - Liberty Edition
Congress Updates - Liberty Edition
 
Release Cycle Management Updates - Liberty Edition
Release Cycle Management Updates - Liberty EditionRelease Cycle Management Updates - Liberty Edition
Release Cycle Management Updates - Liberty Edition
 
OpenStack Day CEE 2015: Real-World Use Cases
OpenStack Day CEE 2015: Real-World Use CasesOpenStack Day CEE 2015: Real-World Use Cases
OpenStack Day CEE 2015: Real-World Use Cases
 

Building an OpenStack Security Group.pdf

  • 1. Building  an  OpenStack  Security  Group   Bryan  D.  Payne,  Nebula   Robert  Clark,  HP  
  • 2. 2   10/17/12  
  • 3. 3   10/17/12  
  • 4. •  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   4   10/17/12  
  • 5. •  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   5   10/17/12  
  • 6. •  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   6   10/17/12  
  • 7. •  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   7   10/17/12  
  • 8. •  Alarm  system?   •  Bars  on  the  windows?   •  Dog?   •  Security  Cameras?   •  Move?   8   10/17/12  
  • 9. This  Is  Hard   9   10/17/12  
  • 10. SoSware  Must  Be  Easier,  Right?   10   10/17/12  
  • 11. But  Who  Wants  to  Hack  OpenStack?   11   10/17/12  
  • 12. 12   10/17/12  
  • 13. Computer  Security:  What  We  Know   Be#er   Worse   Design  for  security  from  the  start   Retrofit  security  when  it’s  important   Understand  your  threats   Just  make  it  secure   Understand  your  goals   Seriously,  just  add  some  security   Pervasive  security  culture   That  paranoid  guy  has  it  under  control   13   10/17/12  
  • 14. Current  Approach   •  Vulnerability   Management  Team     •  People  star_ng  to  think   about  security     14   10/17/12  
  • 15. OpenStack  Security  Challenges   •  Security  as  an  aSerthought   •  Security  as  silos   •  Security  by  non-­‐experts     15   10/17/12  
  • 16. OpenStack  Security  Group  (OSSG)   •  Security  expert  resource  for  OS   •  Build  security  culture  within  OS  community   16   10/17/12  
  • 17. OSSG   Game  Plan   17   10/17/12  
  • 18. OSSG  Details   •  Place  at  least  one  security  engineer  on  each  core  project   –  Code  review   –  Implement  blueprints   –  Design  blueprints   •  Have  at  least  one  person  working  cross  project   –  Write  technical  documenta_on   –  Integra_ng  security  into  con_nuous  integra_on   –  Iden_fy  cross  project  security  concerns   •  Mailing  list  to  have  security  discussions   18   10/17/12  
  • 19. Case  Study:  HTTPS  Support   19   10/17/12  
  • 20. Observations from Summit 2012 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 21. Crypt Enthusiastic Developer + Hash Algorithm + Async Crypt != Secure Design
  • 23. OSSG  Next  Steps   •  Will  require  community-­‐level  involvement   •  Now  “hiring”  for  OSSG!!   –  Security  Engineers   –  Technical  Writers   –  OpenStack  Deployment  Exper_se   23   10/17/12  
  • 24. Please  Join  Us!   hhps://launchpad.net/~openstack-­‐ossg   Bryan  D.  Payne   Robert  Clark   bryan.payne@nebula.com   robert.clark@hp.com   24   10/17/12