OpenStack Security Project Continues to Help Secure the Cloud
The leader of the OpenStack Security Project details technologies and processes now in place to help build, configure and deploy the cloud securely.AUSTIN, Texas—There are a lot of projects, configurations and code that make up an OpenStack cloud, presenting what could potentially be an attractive attack surface to a hacker. At the OpenStack Summit here, Robert Clark, leader of the OpenStack Security Project, detailed the different ways that security is addressed by OpenStack. Clark is a familiar face at OpenStack Summit events, having presented on security efforts since the 2013 OpenStack Summit in Portland, Ore., and at multiple summits since. The fundamental process in place in 2016 isn't all that different from what Clark outlined at the OpenStack Summit in Vancouver in May 2015, though there are some additions with new tools for helping to secure code. "OpenStack security is like herding angry cats that just want to write code," he said. There are several core elements that make up the OpenStack Security Project's efforts. There are security advisories that define issues for which there are patches, and there are also security notes that provide direction on configuration for security issues that aren't patched. Among the most recent security notes is OSSN-0064, which is a bug in the OpenStack Keynote authentication service that could potentially allow a default admin password to be exploited.
To help prevent insecure code from landing in OpenStack in the first place, the security group continues to work on ways to help developers. Among those efforts are the secure development guidelines, which Clark noted help developers write secure code.