SlideShare a Scribd company logo

OpenStack Security Project

Download as PPTX, PDF
T
Travis McPeak

Learn about the OpenStack Security Project, the projects we're working on, and how you can get involved.

Technology
1 of 36
OpenStack Security Project Securing the world’s largest, fastest moving open-source project
Agenda - Intro to OpenStack - State of OpenStack Security - Security Group Projects - About the Security Group
Intro to OpenStack Open source cloud platform Started in 2010 by NASA and Rackspace Today: > 2.5 million LoC + 1800 contributors ~77% Python
Cloud? IaaS Typically Includes: Compute Storage Network Identity
OpenStack - How Product People See It: Nova Swift Neutron Glance Keystone Horizon Cinder
OpenStack - How Security People See It: Nova Swift Neutron Glance Keystone Horizon Cinder DNS Metering Automation LoadBalancing Monitoring Billing Databases Orchestration Alarming Messaging AccountMaintenance Certificate Authorities
State of OpenStack Security 2010 Nasa and Rackspace Launch OpenStack Bexar 02/11 Cactus 04/11 Diablo 09/11 Essex 04/12 Folsom 09/12 Grizzly 04/13 Havana 10/13 Icehouse 04/14 Juno 10/14 Kilo 04/15
Examples Directory traversal → Arbitrary File Creation (2012) Improper sanitization in instance name → XSS (2013) Missing SSL certificate check (2014) Glance store DoS through disk space exhaustion (2014) Unauthorized delete of versioned Swift object (2015)
Security Issues XSS (web interface) Directory traversal Missing auth check Information leakage DoS ...
Security Project Initiatives
Security Notes ● Written and managed by OpenStack Security Project ● Compliment advisories (OSSA) ● Can be found on the Security Note Wiki ○ https://wiki.openstack.org/wiki/Security_Notes
Security Notes One-stop-shop for cloud deployers Issues without a patch Insecure defaults Common insecure configurations Over 60 listed notes as of December 2015
Security Notes - Examples OSSN-0056 - Cached keystone tokens may be accepted after revocation OSSN-0049 - Nova Ironic driver logs sensitive information in DEBUG mode and python-swiftclient Pecan (for some services)
Security Notes - Process ● Writing ○ Number Assignment ○ Template Use ● Testing ○ Researching - Reproducing Issue ● Review Process ○ Peer Review Process Using Gerrit/Git Review ● Get Published
Security Guide Created in June 2013 + living document Provides best practices and conceptual information about securing an OpenStack cloud ● Reflects the current state of security within the OpenStack community ● Maintained by OpenStack Security project
Security Guide - Process ● Bugs in Launchpad ○ Tracks bugs against the guide, and their severity ○ Can assign yourself a sec-guide bug just like code ● Get the doc source ○ Clone the security guide git repo ● Update ○ In RST format it’s security-guide/source/<chaptername>/ ● Review
Security Guide Example topics: ● Hypervisor selection ● Instance security management ● Tenant data privacy Available in HTML (current) and print (v1.0) form http://docs.openstack.org/security-guide
Bandit - a Python security linter Finds common security issues in Python code: Command injection Insecure temp file usage Promiscuous file permissions Usage of unsafe functions/libraries Binding to all interfaces
Bandit Example
Bandit Open source Easy to write new plugins Low resource requirements Runs quickly
Vulnerability Management ● Ensure that vulnerabilities are dealt with quickly and responsibly. ● When situation requires it, produce OpenStack Security Advisories (OSSAs) - similar to CVEs.
Vulnerability Management Process
Example: OSSA-2013-036 11-03-2013: XSS in instance name reported by Cisco employee 11-14-2013: Fix publicly disclosed, bug marked public 11-28-2013: Backports completed 12-04-2013: CVE-2013-6858 Assigned 12-11-2013: Advisory published
Secure Coding Guidelines ● Examples of common tasks that are often done insecurely ● Written for developers in conversational tone ● With examples on how to perform the tasks securely ● Designed to eventually be linked to by Bandit findings
Anchor - Ephemeral PKI System Existing PKI is broken outside of the browser ● Revocation does not work in most crypto libraries ○ CRLs are hard to distribute deterministically ○ OCSP doesn’t work in many client TLS libraries ● Provisioning certificates at scale is non-trivial
Anchor - Ephemeral PKI System Automatically Verifies and Issues Short-Life Certificates ● Authenticates the requestor (TLS) ● Validates the Certificate Signing Request ● Issues a Certificate ● Then uses Passive Revocation ○ Revoke by denying future requests ○ Certificate life shorter than typical OCSP caches, so there is a
Anchor - Ephemeral PKI System Ephemeral CA ReST Interface Decision Engine Certificate Authority Pluggable Authentication Shared Secret LDAP Lookup Keystone Service Reverse DNS Verification CMDB System Role Reversed IP in Valid Range Name(s) match scheme Role matches FQDN prefix Extendable Rule Set Dogtag/FreeIPA Killick (WIP) etc...
Syntribos - API Security Testing Tool Finds security issues in restful API Fuzz payload, HTTP headers, URL, query string Log all requests and responses Support keystone authentication Detect common security defects Help identify unknown security defects
Syntribos ‘Payload’ Example
Syntribos Summary Output 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,466: INFO: root: Test Case......: test_case 2015-08-18 14:44:12,466: INFO: root: Result.........: Passed 2015-08-18 14:44:12,466: INFO: root: Start Time.....: 2015-08-18 14:44:12.464843 2015-08-18 14:44:12,466: INFO: root: Elapsed Time...: 0:00:00.001203 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: Fixture........: syntribos.tests.fuzz.all_attacks.(agent_patch.txt)_(ALL_ATTACKS_BODY)_(all-attacks.txt)_str1_model1 2015-08-18 14:44:12,467: INFO: root: Result.........: Passed 2015-08-18 14:44:12,467: INFO: root: Start Time.....: 2015-08-18 14:44:11.139070 2015-08-18 14:44:12,467: INFO: root: Elapsed Time...: 0:00:01.328030 2015-08-18 14:44:12,468: INFO: root: Total Tests....: 1 2015-08-18 14:44:12,468: INFO: root: Total Passed...: 1 2015-08-18 14:44:12,468: INFO: root: Total Failed...: 0 2015-08-18 14:44:12,468: INFO: root: Total Errored..: 0 2015-08-18 14:44:12,468: INFO: root: ========================================================
Syntribos Open source Easy to extend Support in-depth fuzzing Automatic logging http://git.openstack.org/cgit/openstack/syntribos
OpenStack Security Project
OpenStack Security Project 250 listed members ~ 20 active at any time + you? Lots of ways to participate: - Write notes/documentation (gets you a technical contributor credit) - Hack on existing tools: Bandit, Anchor, Syntribos - Write your own tool (Ansible-security / Tempest checks) - Pentesting / code review / deployment bugs - Threat Analysis
Join Us #openstack-security on Freenode #openstack-meeting-alt @ 1700 UTC Thur openstack-dev ML with [Security] tag
Or Jump Right In... Security Project Page: https://security.openstack.org/ Security Advisories: https://security.openstack.org/ossalist.html Security Notes: https://wiki.openstack.org/wiki/Security_Notes Bandit: https://wiki.openstack.org/wiki/Security/Projects/Bandit Developer Guidelines: https://security.openstack.org/#secure-development-guidelines Anchor: https://wiki.openstack.org/wiki/Security/Projects/Anchor Syntribos: http://git.openstack.org/cgit/openstack/syntribos Security Guide: http://docs.openstack.org/sec/ OpenStack Ansible Security: https://github.com/openstack/openstack-ansible-security
Thank you! Eric Brown - VMware - browne on Freenode Travis McPeak - HPE - tmcpeak on Freenode

Recommended

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack Clouds
Major Hayden
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
brian_chong
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStack
oldbam
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
Giuseppe Paterno'
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
CloudIDSummit
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
openstackindia
 
Zdlra copy to cloud
Zdlra copy to cloudZdlra copy to cloud
Zdlra copy to cloud
SubramanyaUdupa3
 

Recommended

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack Clouds
Major Hayden
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
brian_chong
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStack
oldbam
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
Giuseppe Paterno'
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
CloudIDSummit
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
openstackindia
 
Zdlra copy to cloud
Zdlra copy to cloudZdlra copy to cloud
Zdlra copy to cloud
SubramanyaUdupa3
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
Jayaprakash R
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE Lab
Federico Michele Facca
 
Fiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environmentFiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environment
Miguel García González
 
FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE Lab
Miguel González
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
Edureka!
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
Valdez Ladd MBA, CISSP, CISA,
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstractkey aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
Sanjana Yemajala
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
CREATE-NET
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
Keith Tobin
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
Adz91 Digital Ads Pvt Ltd
 
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
Edureka!
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Fiware cloud developers week brussels
Fiware cloud developers week brusselsFiware cloud developers week brussels
Fiware cloud developers week brussels
Fernando Lopez Aguilar
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
NotSoSecure Global Services
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
Bhavin Shah
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storageKey aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
Mugesh Mukkandan
 
India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITAIndia Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
SITA
 
Göteborg
GöteborgGöteborg
Göteborg
Frank Calberg
 

More Related Content

What's hot

OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstractkey aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
Sanjana Yemajala
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
Keith Tobin
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
Bhavin Shah
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storageKey aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
Mugesh Mukkandan
 

What's hot (20)

Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE Lab
 
Fiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environmentFiware cloud capabilities_and_setting_up_your_environment
Fiware cloud capabilities_and_setting_up_your_environment
 
FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE Lab
 
Container Security
Container SecurityContainer Security
Container Security
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
OpenStack Tutorial For Beginners | OpenStack Tutorial | OpenStack Training | ...
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstractkey aggregate cryptosystem for scalable data sharing in cloud storage abstract
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
 
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
OpenStack Training | OpenStack Tutorial For Beginners | OpenStack Certificati...
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Fiware cloud developers week brussels
Fiware cloud developers week brusselsFiware cloud developers week brussels
Fiware cloud developers week brussels
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
 
Key aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storageKey aggregate cryptosystem for scalable data sharing in cloud storage
Key aggregate cryptosystem for scalable data sharing in cloud storage
 

Viewers also liked

The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
SITA
 
How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...
Tom Knierim
 

Viewers also liked (7)

India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITAIndia Aviation ICT Forum 2013 - Ahmad Seblini, SITA
India Aviation ICT Forum 2013 - Ahmad Seblini, SITA
 
Göteborg
GöteborgGöteborg
Göteborg
 
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personalCarlos Kaduoka - Session C: Creating a sense of place - airports get personal
Carlos Kaduoka - Session C: Creating a sense of place - airports get personal
 
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
The capacity for innovation: Andrew O'Connor, Product Director, Airport Solut...
 
Syntribos API Security Test Automation
Syntribos API Security Test AutomationSyntribos API Security Test Automation
Syntribos API Security Test Automation
 
How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...How airlines use technology to improve passenger experience by 2016 - The Air...
How airlines use technology to improve passenger experience by 2016 - The Air...
 
The Airport of the Future
The Airport of the FutureThe Airport of the Future
The Airport of the Future
 

Similar to OpenStack Security Project

Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Shaun Murakami
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
PROIDEA
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 

Similar to OpenStack Security Project (20)

OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Openstack: security beyond firewalls
Openstack: security beyond firewallsOpenstack: security beyond firewalls
Openstack: security beyond firewalls
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprint
 
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case StudyDissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Just one-shade-of-openstack
Just one-shade-of-openstackJust one-shade-of-openstack
Just one-shade-of-openstack
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
JDD 2016 - Michał Balinski, Oleksandr Goldobin - Practical Non Blocking Micro...
 
Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java Everything you wanted to know about writing async, concurrent http apps in java
Everything you wanted to know about writing async, concurrent http apps in java
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 

OpenStack Security Project

  • 1. OpenStack Security Project Securing the world’s largest, fastest moving open-source project
  • 2. Agenda - Intro to OpenStack - State of OpenStack Security - Security Group Projects - About the Security Group
  • 3. Intro to OpenStack Open source cloud platform Started in 2010 by NASA and Rackspace Today: > 2.5 million LoC + 1800 contributors ~77% Python
  • 5. OpenStack - How Product People See It: Nova Swift Neutron Glance Keystone Horizon Cinder
  • 6. OpenStack - How Security People See It: Nova Swift Neutron Glance Keystone Horizon Cinder DNS Metering Automation LoadBalancing Monitoring Billing Databases Orchestration Alarming Messaging AccountMaintenance Certificate Authorities
  • 7. State of OpenStack Security 2010 Nasa and Rackspace Launch OpenStack Bexar 02/11 Cactus 04/11 Diablo 09/11 Essex 04/12 Folsom 09/12 Grizzly 04/13 Havana 10/13 Icehouse 04/14 Juno 10/14 Kilo 04/15
  • 8. Examples Directory traversal → Arbitrary File Creation (2012) Improper sanitization in instance name → XSS (2013) Missing SSL certificate check (2014) Glance store DoS through disk space exhaustion (2014) Unauthorized delete of versioned Swift object (2015)
  • 9. Security Issues XSS (web interface) Directory traversal Missing auth check Information leakage DoS ...
  • 11. Security Notes ● Written and managed by OpenStack Security Project ● Compliment advisories (OSSA) ● Can be found on the Security Note Wiki ○ https://wiki.openstack.org/wiki/Security_Notes
  • 12. Security Notes One-stop-shop for cloud deployers Issues without a patch Insecure defaults Common insecure configurations Over 60 listed notes as of December 2015
  • 13. Security Notes - Examples OSSN-0056 - Cached keystone tokens may be accepted after revocation OSSN-0049 - Nova Ironic driver logs sensitive information in DEBUG mode and python-swiftclient Pecan (for some services)
  • 14. Security Notes - Process ● Writing ○ Number Assignment ○ Template Use ● Testing ○ Researching - Reproducing Issue ● Review Process ○ Peer Review Process Using Gerrit/Git Review ● Get Published
  • 15. Security Guide Created in June 2013 + living document Provides best practices and conceptual information about securing an OpenStack cloud ● Reflects the current state of security within the OpenStack community ● Maintained by OpenStack Security project
  • 16. Security Guide - Process ● Bugs in Launchpad ○ Tracks bugs against the guide, and their severity ○ Can assign yourself a sec-guide bug just like code ● Get the doc source ○ Clone the security guide git repo ● Update ○ In RST format it’s security-guide/source/<chaptername>/ ● Review
  • 17. Security Guide Example topics: ● Hypervisor selection ● Instance security management ● Tenant data privacy Available in HTML (current) and print (v1.0) form http://docs.openstack.org/security-guide
  • 18. Bandit - a Python security linter Finds common security issues in Python code: Command injection Insecure temp file usage Promiscuous file permissions Usage of unsafe functions/libraries Binding to all interfaces
  • 20. Bandit Open source Easy to write new plugins Low resource requirements Runs quickly
  • 21. Vulnerability Management ● Ensure that vulnerabilities are dealt with quickly and responsibly. ● When situation requires it, produce OpenStack Security Advisories (OSSAs) - similar to CVEs.
  • 23. Example: OSSA-2013-036 11-03-2013: XSS in instance name reported by Cisco employee 11-14-2013: Fix publicly disclosed, bug marked public 11-28-2013: Backports completed 12-04-2013: CVE-2013-6858 Assigned 12-11-2013: Advisory published
  • 24. Secure Coding Guidelines ● Examples of common tasks that are often done insecurely ● Written for developers in conversational tone ● With examples on how to perform the tasks securely ● Designed to eventually be linked to by Bandit findings
  • 25. Anchor - Ephemeral PKI System Existing PKI is broken outside of the browser ● Revocation does not work in most crypto libraries ○ CRLs are hard to distribute deterministically ○ OCSP doesn’t work in many client TLS libraries ● Provisioning certificates at scale is non-trivial
  • 26. Anchor - Ephemeral PKI System Automatically Verifies and Issues Short-Life Certificates ● Authenticates the requestor (TLS) ● Validates the Certificate Signing Request ● Issues a Certificate ● Then uses Passive Revocation ○ Revoke by denying future requests ○ Certificate life shorter than typical OCSP caches, so there is a
  • 27. Anchor - Ephemeral PKI System Ephemeral CA ReST Interface Decision Engine Certificate Authority Pluggable Authentication Shared Secret LDAP Lookup Keystone Service Reverse DNS Verification CMDB System Role Reversed IP in Valid Range Name(s) match scheme Role matches FQDN prefix Extendable Rule Set Dogtag/FreeIPA Killick (WIP) etc...
  • 28. Syntribos - API Security Testing Tool Finds security issues in restful API Fuzz payload, HTTP headers, URL, query string Log all requests and responses Support keystone authentication Detect common security defects Help identify unknown security defects
  • 30. Syntribos Summary Output 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,466: INFO: root: Test Case......: test_case 2015-08-18 14:44:12,466: INFO: root: Result.........: Passed 2015-08-18 14:44:12,466: INFO: root: Start Time.....: 2015-08-18 14:44:12.464843 2015-08-18 14:44:12,466: INFO: root: Elapsed Time...: 0:00:00.001203 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: Fixture........: syntribos.tests.fuzz.all_attacks.(agent_patch.txt)_(ALL_ATTACKS_BODY)_(all-attacks.txt)_str1_model1 2015-08-18 14:44:12,467: INFO: root: Result.........: Passed 2015-08-18 14:44:12,467: INFO: root: Start Time.....: 2015-08-18 14:44:11.139070 2015-08-18 14:44:12,467: INFO: root: Elapsed Time...: 0:00:01.328030 2015-08-18 14:44:12,468: INFO: root: Total Tests....: 1 2015-08-18 14:44:12,468: INFO: root: Total Passed...: 1 2015-08-18 14:44:12,468: INFO: root: Total Failed...: 0 2015-08-18 14:44:12,468: INFO: root: Total Errored..: 0 2015-08-18 14:44:12,468: INFO: root: ========================================================
  • 31. Syntribos Open source Easy to extend Support in-depth fuzzing Automatic logging http://git.openstack.org/cgit/openstack/syntribos
  • 33. OpenStack Security Project 250 listed members ~ 20 active at any time + you? Lots of ways to participate: - Write notes/documentation (gets you a technical contributor credit) - Hack on existing tools: Bandit, Anchor, Syntribos - Write your own tool (Ansible-security / Tempest checks) - Pentesting / code review / deployment bugs - Threat Analysis
  • 34. Join Us #openstack-security on Freenode #openstack-meeting-alt @ 1700 UTC Thur openstack-dev ML with [Security] tag
  • 35. Or Jump Right In... Security Project Page: https://security.openstack.org/ Security Advisories: https://security.openstack.org/ossalist.html Security Notes: https://wiki.openstack.org/wiki/Security_Notes Bandit: https://wiki.openstack.org/wiki/Security/Projects/Bandit Developer Guidelines: https://security.openstack.org/#secure-development-guidelines Anchor: https://wiki.openstack.org/wiki/Security/Projects/Anchor Syntribos: http://git.openstack.org/cgit/openstack/syntribos Security Guide: http://docs.openstack.org/sec/ OpenStack Ansible Security: https://github.com/openstack/openstack-ansible-security
  • 36. Thank you! Eric Brown - VMware - browne on Freenode Travis McPeak - HPE - tmcpeak on Freenode

Editor's Notes

  1. Pulled June 2015
  2. 726359 - earliest vuln could find (https://www.youtube.com/watch?v=YYPawaekKys) Cactus timeframe - proposal for a Security group from Rackspace VMT was introduced around the early Diablo timeframe (again, per https://www.youtube.com/watch?v=YYPawaekKys) Security group started around the Folsom timeframe (HP/Nebula) and was incorporated into the Juno timeframe (group -> project)
  3. lp bug#’s: Arbitrary file creation - 1015531 Improper sanitization - 1247975 Missing SSL certificate check - 1199783 Glance DoS - 1315321 Swift object delete - 1430645
  4. Tallies of vulns per year, and topics they cover (2015 actually coming in just below so far) actual 2015 advisories was 21
  5. There are 63 total, but 5 are Work-In-Progress (atm)
  6. Lulu book version is still 1.0 (migration to RST broke Sphinx which was producing PDF which was to be submitted to Lulu); HTML is current
  7. - openstack/barbican - openstack/keystone (VOTING) - openstack/keystonemiddleware (VOTING) - openstack/magnum - openstack/oslo.vmware - openstack/python-keystoneclient (VOTING) - openstack/python-magnumclient - openstack/sahara
  8. Each solution should be evaluated for your environment
  9. VMT needs to update this image to include OSSN/ OSSP
  10. How to get notifications? Better example required.
  11. Summary output shows pass/fail - other output is much more detailed - full request/response data in named log files
  12. Restfuzz was new as of Oct/Nov 2015; developed by Tristan from VMT
  13. Killick, Leeson WIP