Building an OpenStack Security Group.pdf

Post on 22-Nov-2014


Bryan D. Payne, Nebula; Robert Clark, HP

Building an OpenStack Security Group

10/17/12  2  


• Alarm system?
• Bars on the windows?
• Dog?
• Security Cameras?
• Move?


This Is Hard


Software Must Be Easier, Right?


But Who Wants to Hack OpenStack?


Computer Security: What We Know

Better: Design for security from the start
Worse: Retrofit security when it's important

Better: Understand your threats
Worse: Just make it secure

Better: Understand your goals
Worse: Seriously, just add some security

Better: Pervasive security culture
Worse: That paranoid guy has it under control


Current Approach
• Vulnerability Management Team
• People starting to think about security


OpenStack Security Challenges

• Security as an afterthought
• Security as silos
• Security by non-experts


OpenStack Security Group (OSSG)

• Security expert resource for OS
• Build security culture within OS community


OSSG Game Plan

OSSG Details
• Place at least one security engineer on each core project
  – Code review
  – Implement blueprints
  – Design blueprints
• Have at least one person working cross project
  – Write technical documentation
  – Integrating security into continuous integration
  – Identify cross project security concerns
• Mailing list to have security discussions


Case Study: HTTPS Support


© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Observations from Summit 2012

Crypt

Enthusiastic Developer + Hash Algorithm + Async Crypt != Secure Design

Common Mistakes

Let us help

OSSG Next Steps
• Will require community-level involvement
• Now "hiring" for OSSG!!
  – Security Engineers
  – Technical Writers
  – OpenStack Deployment Expertise


https://launchpad.net/~openstack-ossg


Please Join Us!

Bryan D. Payne, bryan.payne@nebula.com

Robert Clark, robert.clark@hp.com