Security is such a critical element of the open-source OpenStack cloud platform that there is an entire project—the OpenStack Security project—dedicated to the task of helping protect OpenStack technologies.
In a well-attended session at the OpenStack Summit in Barcelona, Spain, on Oct. 27, Rob Clark, the project technical leader of the OpenStack Security project, detailed the group’s most recent efforts.
The OpenStack Security project focuses on building security tools that help identify potential vulnerabilities in the OpenStack project code and providing guidance and secure governance.
“In many ways, we act as a group of consultants to the wider OpenStack organization,” Clark said.
The OpenStack Security project engages in threat analysis to look at potential areas of risk. A threat analysis exercise should first start by identifying any points of entry into a system, as well as assets, Clark said, adding that the threat analysis should also be able to document where data goes and what formats are used.
“A huge number of vulnerabilities come from changing from one format to another and not really thinking about what you’re doing,” Clark said. “It could be as easy as reading data from a disk into memory.”
The threat analysis exercise is also about identifying common deployment approaches as well as best practices for a given OpenStack technology. Additionally, all assets used in a project are documented in an asset catalog that helps inform an asset-oriented threat analysis. For each item, the project will look at confidentiality, integrity and availability for a given asset, Clark said.
The threat analysis process the OpenStack Security project uses employs a clear diagram methodology and makes basic assertions about the confidentiality, integrity and availability for a given asset, he said.
“The idea is to understand what’s at risk, quantify it and describe the worst-case impact.”
New Tools
The new Syntribos tool is an API fuzzing framework built specifically for OpenStack. With API fuzzing, unexpected inputs are generated and injected into an application to see what will happen, Clark said. Among the issues that fuzzing can find are Cross Site Scripting (XSS), buffer overflow and string validation risks.
So far, Syntribos has found more than 500 errors across the OpenStack Cinder (storage), Glance (image), Keystone (identity) and Neutron (networking) projects.
“At this point, OpenStack has already been through many of the good quality commercial static and dynamic analysis tools, and none of them found the issues that Syntribos did,” Clark said.
The OpenStack Security project will continue to draft guidance and build tools to help OpenStack projects, he said. There also is a new idea for a security incubator that could take shape in 2017 to bring in small security projects that are applicable for OpenStack cloud and help to provide a home and guidance.
“I hope the community as a whole finds the things we do useful,” Clark said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.