SlideShare a Scribd company logo
OpenStack Security Project
Securing the world’s largest, fastest moving open-source project
Agenda
- Intro to OpenStack
- State of OpenStack Security
- Security Group Projects
- About the Security Group
Intro to OpenStack
Open source cloud platform
Started in 2010 by NASA and Rackspace
Today: > 2.5 million LoC + 1800 contributors
~77% Python
Cloud?
IaaS Typically Includes:
Compute
Storage
Network
Identity
OpenStack - How Product People See It:
Nova Swift
Neutron
Glance Keystone Horizon
Cinder
OpenStack - How Security People See It:
Nova Swift
Neutron
Glance Keystone Horizon
Cinder
DNS
Metering
Automation
LoadBalancing
Monitoring
Billing
Databases
Orchestration
Alarming
Messaging
AccountMaintenance
Certificate
Authorities
State of OpenStack Security
2010 Nasa and Rackspace
Launch OpenStack
Bexar
02/11
Cactus
04/11
Diablo
09/11
Essex
04/12
Folsom
09/12
Grizzly
04/13
Havana
10/13
Icehouse
04/14
Juno
10/14
Kilo
04/15
Examples
Directory traversal → Arbitrary File Creation (2012)
Improper sanitization in instance name → XSS (2013)
Missing SSL certificate check (2014)
Glance store DoS through disk space exhaustion (2014)
Unauthorized delete of versioned Swift object (2015)
Security Issues
XSS (web interface)
Directory traversal
Missing auth check
Information leakage
DoS
...
Security Project Initiatives
Security Notes
● Written and managed by OpenStack Security Project
● Compliment advisories (OSSA)
● Can be found on the Security Note Wiki
○ https://wiki.openstack.org/wiki/Security_Notes
Security Notes
One-stop-shop for cloud deployers
Issues without a patch
Insecure defaults
Common insecure configurations
Over 60 listed notes as of December 2015
Security Notes - Examples
OSSN-0056 - Cached keystone tokens may be accepted
after revocation
OSSN-0049 - Nova Ironic driver logs sensitive information in
DEBUG mode
and python-swiftclient
Pecan (for some services)
Security Notes - Process
● Writing
○ Number Assignment
○ Template Use
● Testing
○ Researching - Reproducing Issue
● Review Process
○ Peer Review Process Using Gerrit/Git Review
● Get Published
Security Guide
Created in June 2013 + living document
Provides best practices and conceptual information about
securing an OpenStack cloud
● Reflects the current state of security within the OpenStack
community
● Maintained by OpenStack Security project
Security Guide - Process
● Bugs in Launchpad
○ Tracks bugs against the guide, and their severity
○ Can assign yourself a sec-guide bug just like code
● Get the doc source
○ Clone the security guide git repo
● Update
○ In RST format it’s security-guide/source/<chaptername>/
● Review
Security Guide
Example topics:
● Hypervisor selection
● Instance security management
● Tenant data privacy
Available in HTML (current) and print (v1.0) form
http://docs.openstack.org/security-guide
Bandit - a Python security linter
Finds common security issues in Python code:
Command injection
Insecure temp file usage
Promiscuous file permissions
Usage of unsafe functions/libraries
Binding to all interfaces
Bandit Example
Bandit
Open source
Easy to write new plugins
Low resource requirements
Runs quickly
Vulnerability Management
● Ensure that vulnerabilities are dealt with quickly
and responsibly.
● When situation requires it, produce OpenStack
Security Advisories (OSSAs) - similar to CVEs.
Vulnerability Management Process
Example: OSSA-2013-036
11-03-2013: XSS in instance name reported by Cisco
employee
11-14-2013: Fix publicly disclosed, bug marked public
11-28-2013: Backports completed
12-04-2013: CVE-2013-6858 Assigned
12-11-2013: Advisory published
Secure Coding Guidelines
● Examples of common tasks that are often done
insecurely
● Written for developers in conversational tone
● With examples on how to perform the tasks
securely
● Designed to eventually be linked to by Bandit
findings
Anchor - Ephemeral PKI System
Existing PKI is broken outside of the browser
● Revocation does not work in most crypto libraries
○ CRLs are hard to distribute deterministically
○ OCSP doesn’t work in many client TLS libraries
● Provisioning certificates at scale is non-trivial
Anchor - Ephemeral PKI System
Automatically Verifies and Issues Short-Life Certificates
● Authenticates the requestor (TLS)
● Validates the Certificate Signing Request
● Issues a Certificate
● Then uses Passive Revocation
○ Revoke by denying future requests
○ Certificate life shorter than typical OCSP caches, so there is a
Anchor - Ephemeral PKI System
Ephemeral CA
ReST Interface
Decision Engine
Certificate
Authority
Pluggable
Authentication
Shared Secret
LDAP Lookup
Keystone Service
Reverse DNS Verification
CMDB System Role
Reversed IP in Valid Range
Name(s) match scheme
Role matches FQDN prefix
Extendable Rule Set
Dogtag/FreeIPA
Killick (WIP)
etc...
Syntribos - API Security Testing Tool
Finds security issues in restful API
Fuzz payload, HTTP headers, URL, query string
Log all requests and responses
Support keystone authentication
Detect common security defects
Help identify unknown security defects
Syntribos ‘Payload’ Example
Syntribos Summary Output
2015-08-18 14:44:12,466: INFO: root: ========================================================
2015-08-18 14:44:12,466: INFO: root: Test Case......: test_case
2015-08-18 14:44:12,466: INFO: root: Result.........: Passed
2015-08-18 14:44:12,466: INFO: root: Start Time.....: 2015-08-18 14:44:12.464843
2015-08-18 14:44:12,466: INFO: root: Elapsed Time...: 0:00:00.001203
2015-08-18 14:44:12,466: INFO: root: ========================================================
2015-08-18 14:44:12,467: INFO: root: ========================================================
2015-08-18 14:44:12,467: INFO: root: Fixture........: syntribos.tests.fuzz.all_attacks.(agent_patch.txt)_(ALL_ATTACKS_BODY)_(all-attacks.txt)_str1_model1
2015-08-18 14:44:12,467: INFO: root: Result.........: Passed
2015-08-18 14:44:12,467: INFO: root: Start Time.....: 2015-08-18 14:44:11.139070
2015-08-18 14:44:12,467: INFO: root: Elapsed Time...: 0:00:01.328030
2015-08-18 14:44:12,468: INFO: root: Total Tests....: 1
2015-08-18 14:44:12,468: INFO: root: Total Passed...: 1
2015-08-18 14:44:12,468: INFO: root: Total Failed...: 0
2015-08-18 14:44:12,468: INFO: root: Total Errored..: 0
2015-08-18 14:44:12,468: INFO: root: ========================================================
Syntribos
Open source
Easy to extend
Support in-depth fuzzing
Automatic logging
http://git.openstack.org/cgit/openstack/syntribos
OpenStack Security Project
OpenStack Security Project
250 listed members ~ 20 active at any time + you?
Lots of ways to participate:
- Write notes/documentation (gets you a technical contributor credit)
- Hack on existing tools: Bandit, Anchor, Syntribos
- Write your own tool (Ansible-security / Tempest checks)
- Pentesting / code review / deployment bugs
- Threat Analysis
Join Us
#openstack-security on Freenode
#openstack-meeting-alt @ 1700 UTC Thur
openstack-dev ML with [Security] tag
Or Jump Right In...
Security Project Page: https://security.openstack.org/
Security Advisories: https://security.openstack.org/ossalist.html
Security Notes: https://wiki.openstack.org/wiki/Security_Notes
Bandit: https://wiki.openstack.org/wiki/Security/Projects/Bandit
Developer Guidelines: https://security.openstack.org/#secure-development-guidelines
Anchor: https://wiki.openstack.org/wiki/Security/Projects/Anchor
Syntribos: http://git.openstack.org/cgit/openstack/syntribos
Security Guide: http://docs.openstack.org/sec/
OpenStack Ansible Security: https://github.com/openstack/openstack-ansible-security
Thank you!
Eric Brown - VMware - browne on Freenode
Travis McPeak - HPE - tmcpeak on Freenode

More Related Content

What's hot

Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
Jayaprakash R
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE Lab
Federico Michele Facca
 
Fiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environmentFiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environment
Miguel García González
 
FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE Lab
Miguel González
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
Edureka!
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
Valdez Ladd MBA, CISSP, CISA,
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstractkey aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
Sanjana Yemajala
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
CREATE-NET
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
Keith Tobin
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
Adz91 Digital Ads Pvt Ltd
 
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
Edureka!
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Fiware cloud developers week brussels
Fiware cloud developers week brusselsFiware cloud developers week brussels
Fiware cloud developers week brussels
Fernando Lopez Aguilar
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
NotSoSecure Global Services
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
Bhavin Shah
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storageKey aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
Mugesh Mukkandan
 

What's hot (20)

Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE Lab
 
Fiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environmentFiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environment
 
FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE Lab
 
Container Security
Container SecurityContainer Security
Container Security
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstractkey aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
 
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Fiware cloud developers week brussels
Fiware cloud developers week brusselsFiware cloud developers week brussels
Fiware cloud developers week brussels
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storageKey aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
 

Viewers also liked

India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITAIndia Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
SITA
 
Göteborg
GöteborgGöteborg
Göteborg
Frank Calberg
 
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personalCarlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
SITA
 
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
SITA
 
Syntribos API Security Test Automation
Syntribos API Security Test AutomationSyntribos API Security Test Automation
Syntribos API Security Test Automation
Matthew Valdes
 
How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...
Tom Knierim
 
The Airport of the Future
The Airport of the FutureThe Airport of the Future
The Airport of the Future
Dimitris Bountolos
 

Viewers also liked (7)

India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITAIndia Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
 
Göteborg
GöteborgGöteborg
Göteborg
 
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personalCarlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
 
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
 
Syntribos API Security Test Automation
Syntribos API Security Test AutomationSyntribos API Security Test Automation
Syntribos API Security Test Automation
 
How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...
 
The Airport of the Future
The Airport of the FutureThe Airport of the Future
The Airport of the Future
 

Similar to OpenStack Security Project

OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
Trevor Roberts Jr.
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Openstack: security beyond firewalls
Openstack: security beyond firewallsOpenstack: security beyond firewalls
Openstack: security beyond firewalls
GARL
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprint
Go Chiba
 
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case StudyDissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Salman Baset
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
Alex Pop
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
Samsung Open Source Group
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
Beny Raja
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit  enabling aws lambda-like functionality with openstac...Open stack ocata summit  enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Shaun Murakami
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Just one-shade-of-openstack
Just one-shade-of-openstackJust one-shade-of-openstack
Just one-shade-of-openstack
Roberto Polli
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
PROIDEA
 
Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java
Baruch Sadogursky
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
Alessandro Martellone
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
Cybera Inc.
 

Similar to OpenStack Security Project (20)

OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Openstack: security beyond firewalls
Openstack: security beyond firewallsOpenstack: security beyond firewalls
Openstack: security beyond firewalls
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprint
 
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case StudyDissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit  enabling aws lambda-like functionality with openstac...Open stack ocata summit  enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Just one-shade-of-openstack
Just one-shade-of-openstackJust one-shade-of-openstack
Just one-shade-of-openstack
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
 
Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 

Recently uploaded

Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 

Recently uploaded (20)

Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

OpenStack Security Project

  • 1. OpenStack Security Project Securing the world’s largest, fastest moving open-source project
  • 2. Agenda - Intro to OpenStack - State of OpenStack Security - Security Group Projects - About the Security Group
  • 3. Intro to OpenStack Open source cloud platform Started in 2010 by NASA and Rackspace Today: > 2.5 million LoC + 1800 contributors ~77% Python
  • 5. OpenStack - How Product People See It: Nova Swift Neutron Glance Keystone Horizon Cinder
  • 6. OpenStack - How Security People See It: Nova Swift Neutron Glance Keystone Horizon Cinder DNS Metering Automation LoadBalancing Monitoring Billing Databases Orchestration Alarming Messaging AccountMaintenance Certificate Authorities
  • 7. State of OpenStack Security 2010 Nasa and Rackspace Launch OpenStack Bexar 02/11 Cactus 04/11 Diablo 09/11 Essex 04/12 Folsom 09/12 Grizzly 04/13 Havana 10/13 Icehouse 04/14 Juno 10/14 Kilo 04/15
  • 8. Examples Directory traversal → Arbitrary File Creation (2012) Improper sanitization in instance name → XSS (2013) Missing SSL certificate check (2014) Glance store DoS through disk space exhaustion (2014) Unauthorized delete of versioned Swift object (2015)
  • 9. Security Issues XSS (web interface) Directory traversal Missing auth check Information leakage DoS ...
  • 11. Security Notes ● Written and managed by OpenStack Security Project ● Compliment advisories (OSSA) ● Can be found on the Security Note Wiki ○ https://wiki.openstack.org/wiki/Security_Notes
  • 12. Security Notes One-stop-shop for cloud deployers Issues without a patch Insecure defaults Common insecure configurations Over 60 listed notes as of December 2015
  • 13. Security Notes - Examples OSSN-0056 - Cached keystone tokens may be accepted after revocation OSSN-0049 - Nova Ironic driver logs sensitive information in DEBUG mode and python-swiftclient Pecan (for some services)
  • 14. Security Notes - Process ● Writing ○ Number Assignment ○ Template Use ● Testing ○ Researching - Reproducing Issue ● Review Process ○ Peer Review Process Using Gerrit/Git Review ● Get Published
  • 15. Security Guide Created in June 2013 + living document Provides best practices and conceptual information about securing an OpenStack cloud ● Reflects the current state of security within the OpenStack community ● Maintained by OpenStack Security project
  • 16. Security Guide - Process ● Bugs in Launchpad ○ Tracks bugs against the guide, and their severity ○ Can assign yourself a sec-guide bug just like code ● Get the doc source ○ Clone the security guide git repo ● Update ○ In RST format it’s security-guide/source/<chaptername>/ ● Review
  • 17. Security Guide Example topics: ● Hypervisor selection ● Instance security management ● Tenant data privacy Available in HTML (current) and print (v1.0) form http://docs.openstack.org/security-guide
  • 18. Bandit - a Python security linter Finds common security issues in Python code: Command injection Insecure temp file usage Promiscuous file permissions Usage of unsafe functions/libraries Binding to all interfaces
  • 20. Bandit Open source Easy to write new plugins Low resource requirements Runs quickly
  • 21. Vulnerability Management ● Ensure that vulnerabilities are dealt with quickly and responsibly. ● When situation requires it, produce OpenStack Security Advisories (OSSAs) - similar to CVEs.
  • 23. Example: OSSA-2013-036 11-03-2013: XSS in instance name reported by Cisco employee 11-14-2013: Fix publicly disclosed, bug marked public 11-28-2013: Backports completed 12-04-2013: CVE-2013-6858 Assigned 12-11-2013: Advisory published
  • 24. Secure Coding Guidelines ● Examples of common tasks that are often done insecurely ● Written for developers in conversational tone ● With examples on how to perform the tasks securely ● Designed to eventually be linked to by Bandit findings
  • 25. Anchor - Ephemeral PKI System Existing PKI is broken outside of the browser ● Revocation does not work in most crypto libraries ○ CRLs are hard to distribute deterministically ○ OCSP doesn’t work in many client TLS libraries ● Provisioning certificates at scale is non-trivial
  • 26. Anchor - Ephemeral PKI System Automatically Verifies and Issues Short-Life Certificates ● Authenticates the requestor (TLS) ● Validates the Certificate Signing Request ● Issues a Certificate ● Then uses Passive Revocation ○ Revoke by denying future requests ○ Certificate life shorter than typical OCSP caches, so there is a
  • 27. Anchor - Ephemeral PKI System Ephemeral CA ReST Interface Decision Engine Certificate Authority Pluggable Authentication Shared Secret LDAP Lookup Keystone Service Reverse DNS Verification CMDB System Role Reversed IP in Valid Range Name(s) match scheme Role matches FQDN prefix Extendable Rule Set Dogtag/FreeIPA Killick (WIP) etc...
  • 28. Syntribos - API Security Testing Tool Finds security issues in restful API Fuzz payload, HTTP headers, URL, query string Log all requests and responses Support keystone authentication Detect common security defects Help identify unknown security defects
  • 30. Syntribos Summary Output 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,466: INFO: root: Test Case......: test_case 2015-08-18 14:44:12,466: INFO: root: Result.........: Passed 2015-08-18 14:44:12,466: INFO: root: Start Time.....: 2015-08-18 14:44:12.464843 2015-08-18 14:44:12,466: INFO: root: Elapsed Time...: 0:00:00.001203 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: Fixture........: syntribos.tests.fuzz.all_attacks.(agent_patch.txt)_(ALL_ATTACKS_BODY)_(all-attacks.txt)_str1_model1 2015-08-18 14:44:12,467: INFO: root: Result.........: Passed 2015-08-18 14:44:12,467: INFO: root: Start Time.....: 2015-08-18 14:44:11.139070 2015-08-18 14:44:12,467: INFO: root: Elapsed Time...: 0:00:01.328030 2015-08-18 14:44:12,468: INFO: root: Total Tests....: 1 2015-08-18 14:44:12,468: INFO: root: Total Passed...: 1 2015-08-18 14:44:12,468: INFO: root: Total Failed...: 0 2015-08-18 14:44:12,468: INFO: root: Total Errored..: 0 2015-08-18 14:44:12,468: INFO: root: ========================================================
  • 31. Syntribos Open source Easy to extend Support in-depth fuzzing Automatic logging http://git.openstack.org/cgit/openstack/syntribos
  • 33. OpenStack Security Project 250 listed members ~ 20 active at any time + you? Lots of ways to participate: - Write notes/documentation (gets you a technical contributor credit) - Hack on existing tools: Bandit, Anchor, Syntribos - Write your own tool (Ansible-security / Tempest checks) - Pentesting / code review / deployment bugs - Threat Analysis
  • 34. Join Us #openstack-security on Freenode #openstack-meeting-alt @ 1700 UTC Thur openstack-dev ML with [Security] tag
  • 35. Or Jump Right In... Security Project Page: https://security.openstack.org/ Security Advisories: https://security.openstack.org/ossalist.html Security Notes: https://wiki.openstack.org/wiki/Security_Notes Bandit: https://wiki.openstack.org/wiki/Security/Projects/Bandit Developer Guidelines: https://security.openstack.org/#secure-development-guidelines Anchor: https://wiki.openstack.org/wiki/Security/Projects/Anchor Syntribos: http://git.openstack.org/cgit/openstack/syntribos Security Guide: http://docs.openstack.org/sec/ OpenStack Ansible Security: https://github.com/openstack/openstack-ansible-security
  • 36. Thank you! Eric Brown - VMware - browne on Freenode Travis McPeak - HPE - tmcpeak on Freenode

Editor's Notes

  1. Pulled June 2015
  2. 726359 - earliest vuln could find (https://www.youtube.com/watch?v=YYPawaekKys) Cactus timeframe - proposal for a Security group from Rackspace VMT was introduced around the early Diablo timeframe (again, per https://www.youtube.com/watch?v=YYPawaekKys) Security group started around the Folsom timeframe (HP/Nebula) and was incorporated into the Juno timeframe (group -> project)
  3. lp bug#’s: Arbitrary file creation - 1015531 Improper sanitization - 1247975 Missing SSL certificate check - 1199783 Glance DoS - 1315321 Swift object delete - 1430645
  4. Tallies of vulns per year, and topics they cover (2015 actually coming in just below so far) actual 2015 advisories was 21
  5. There are 63 total, but 5 are Work-In-Progress (atm)
  6. Lulu book version is still 1.0 (migration to RST broke Sphinx which was producing PDF which was to be submitted to Lulu); HTML is current
  7. - openstack/barbican - openstack/keystone (VOTING) - openstack/keystonemiddleware (VOTING) - openstack/magnum - openstack/oslo.vmware - openstack/python-keystoneclient (VOTING) - openstack/python-magnumclient - openstack/sahara
  8. Each solution should be evaluated for your environment
  9. VMT needs to update this image to include OSSN/ OSSP
  10. How to get notifications? Better example required.
  11. Summary output shows pass/fail - other output is much more detailed - full request/response data in named log files
  12. Restfuzz was new as of Oct/Nov 2015; developed by Tristan from VMT
  13. Killick, Leeson WIP