AUSTIN, Texas—There are a lot of projects, configurations and code that make up an OpenStack cloud, presenting what could potentially be an attractive attack surface to a hacker. At the OpenStack Summit here, Robert Clark, leader of the OpenStack Security Project, detailed the different ways that security is addressed by OpenStack.
Clark is a familiar face at OpenStack Summit events, having presented on security efforts since the 2013 OpenStack Summit in Portland, Ore., and at multiple summits since. The fundamental process in place in 2016 isn't all that different from what Clark outlined at the OpenStack Summit in Vancouver in May 2015, though there are some additions with new tools for helping to secure code.
"OpenStack security is like herding angry cats that just want to write code," he said.
There are several core elements that make up the OpenStack Security Project's efforts. There are security advisories that define issues for which there are patches, and there are also security notes that provide direction on configuration for security issues that aren't patched. Among the most recent security notes is OSSN-0064, which is a bug in the OpenStack Keynote authentication service that could potentially allow a default admin password to be exploited.
To help prevent insecure code from landing in OpenStack in the first place, the security group continues to work on ways to help developers. Among those efforts are the secure development guidelines, which Clark noted help developers write secure code.
Tools are also very important, and to that end the OpenStack Security Project has a number of efforts. The most successful tool to date for the project is Bandit, a static analysis engine for python code.
"It's a very quick tool with good defaults, and it is finding and stopping vulnerabilities from entering the OpenStack codebase today," Clark said.
Among the newest tools is Syntribos, which is a fuzzer for OpenStack code. A fuzzer is a class of security testing tool that throws unexpected code and parameters against an application in an effort to trigger a potentially exploitable error. Clark noted that with Syntribos, OpenStack hopes to help identify unknown security defects.
Overall, the OpenStack Security Project has 250 listed members, though Clark said that only approximately 25 are active at any one time and he's looking for more people to participate.
"A few companies like IBM, HPE [Hewlett Packard Enterprise] and Rackspace invest money to make security work," he said. "But it requires more effort from more contributors to really get it to the point of making everyone happy that we can deliver on security."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.