OpenStack Mid-Cycle Session Leads to Collaborative Production

Co-locating two OpenStack mid-cycle sessions — Security and Barbican — at Rackspace last month ended up with the two groups collaborating so productively that by the end, whiteboards overflowed with data flow diagrams, threat models and documentation.

The Barbicaneers and the OpenStack Security group vowed to continue their joint planning and delivery on the Barbican Federation and Bring Your Own Key workflows that started in Tokyo.

The goal of an OpenStack mid-cycle was achieved in San Antonio: to foster intense collaborative efforts on active projects in the community. It’s an opportunity to review project status, bridge the gaps with face-to-face collaboration, strategize for the next conference and to focus on deadlines and major tasks.

The sessions are intensive and task driven, and they’re imperative to keeping the momentum moving forward on efforts proposed at OpenStack conferences.

More than 43 developers attended this mid-cycle, which kicked off Jan. 12, from Rackspace, Hewlett-Packard, IBM, Cisco, Red Hat, VMware, Mirantis, Symantec, Johns Hopkins University and many individual contributors. Rackspace’s sponsorship was possible thanks to the support and dedication of Paul Voccio, vice president of Rackspace OpenStack Development, and Gigi Geofferion, vice president of Software Development and Quality Engineering.

The OpenStack Security group is responsible for leading and implementing initiatives that improve and ensure the overall security of OpenStack. During this session, they focused on several security development projects:

  • Bandit: a Python AST-based code security analyzer that sifts through large volumes of code efficiently to identify and report potential security flaws, for example unsafe function calls or the use of outdated or unsafe libraries.
  • Anchor: a lightweight open source Public Key Infrastructure tool that uses automated provisioning of short-term certificates to enable cryptographic trust in OpenStack services.
  • Syntribos: an open source API-fuzzing tool created to detect input sanitization failures, denial of service conditions and other interesting attack vectors. It will automate the majority of our current manual testing protocols for OpenStack APIs.
  • OpenStack-Ansible Security: an Ansible role that provides a simple, configurable method for applying STIG hardening standards to OpenStack deployments, enabling users to build environments that meet the requirements of various compliance programs, such as the Payment Card Industry Data Security Standard.
  • Threat Analysis Project: designed to proactively identify threats and weaknesses in OpenStack clouds and contribute to building a secure and robust platform. Threat modeling takes a comprehensive look at the system at hand (components, protocols and code) and evaluates it against an adversary of realistic capability looking for known vulnerabilities.
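To make the AST-based approach behind Bandit concrete, here is a small checker in the same spirit, added here as an example; it is not Bandit's own code, the check identifiers (EX-EVAL, EX-SHELL and so on) are local to this example rather than Bandit test IDs, and the module it scans is constructed for illustration. It parses Python source into an AST, walks the Call and Import nodes, and reports unsafe calls such as eval(), pickle.loads(), yaml.load() without SafeLoader and subprocess calls with shell=True, the kind of finding Bandit's plugins produce.

```python
"""Toy AST-based security linter in the style of Bandit (added example, not Bandit's code)."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    check_id: str  # identifier local to this example, not a Bandit test ID
    severity: str
    message: str


# Modules whose import alone is worth a note (toy list for this example).
RISKY_IMPORTS = {
    "telnetlib": "telnetlib transmits credentials in cleartext",
    "pickle": "pickle can execute arbitrary code when loading untrusted data",
}

# Calls that are dangerous when fed attacker-controlled input.
UNSAFE_CALLS = {
    "eval": ("EX-EVAL", "MEDIUM", "eval() on possibly untrusted input"),
    "exec": ("EX-EXEC", "MEDIUM", "exec() on possibly untrusted input"),
    "pickle.loads": ("EX-PICKLE", "MEDIUM", "pickle.loads() deserializes untrusted data"),
}

SHELL_FUNCS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}


def dotted_name(node: ast.AST) -> str:
    """Rebuild 'pkg.mod.func' from a Name/Attribute chain; '' if the callee is something else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class UnsafeCodeVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, node: ast.AST, check_id: str, severity: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, check_id, severity, message))

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name in RISKY_IMPORTS:
                self._add(node, "EX-IMPORT", "LOW", RISKY_IMPORTS[alias.name])
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}  # skip **kwargs
        if name in UNSAFE_CALLS:
            self._add(node, *UNSAFE_CALLS[name])
        elif name in SHELL_FUNCS:
            shell = kwargs.get("shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self._add(node, "EX-SHELL", "HIGH", f"{name}(..., shell=True) allows command injection")
        elif name == "yaml.load":
            loader = kwargs.get("Loader")
            if not (isinstance(loader, ast.Attribute) and loader.attr in {"SafeLoader", "CSafeLoader"}):
                self._add(node, "EX-YAML", "MEDIUM", "yaml.load() without SafeLoader")
        self.generic_visit(node)  # keep walking: eval(input()) contains a nested Call


def scan(source: str, filename: str = "<string>") -> list[Finding]:
    """Parse source into an AST and return findings sorted by line."""
    visitor = UnsafeCodeVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings, key=lambda f: (f.line, f.check_id))


def format_findings(findings: list[Finding], filename: str = "<string>") -> list[str]:
    return [f"{filename}:{f.line}: [{f.severity}] {f.check_id}: {f.message}" for f in findings]


# Constructed sample module for the demo (not code from any OpenStack project).
SAMPLE_SOURCE = """\
import os, pickle, subprocess, yaml
import telnetlib

def run(cmd):
    return subprocess.call(cmd, shell=True)  # cmd reaches /bin/sh unquoted

def load(blob):
    return pickle.loads(blob)

def safe(cmd):
    return subprocess.run(["ls", "-l", cmd])  # argv list, no shell: not flagged

def parse(doc):
    return yaml.load(doc)  # no Loader argument

x = eval(input())
"""

if __name__ == "__main__":
    for line in format_findings(scan(SAMPLE_SOURCE), "sample.py"):
        print(line)
```

Running the block reports the two risky imports, the shell=True call, the pickle.loads() and yaml.load() calls and the eval(), each with its line number, while the argv-list subprocess.run() passes. Because the analysis is purely syntactic it cannot tell whether cmd or blob is actually attacker-controlled; that is exactly why Bandit's results are triaged rather than treated as confirmed bugs.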

The Security session also included a Syntribos demonstration by Michael Dong of Rackspace against an OpenStack API. Racker Major Hayden demonstrated how to run the OpenStack-Ansible Security tool to check systems for security misconfigurations and how to fix the issues automatically. Tim Kelsey from HPE gave the team a deep dive into creating plugins for Bandit and hacking Bandit for bug fixing, feature enhancement and plugin creation. Finally, the OpenStack Security group developed an improved threat analysis process and a security reference list.

More than 20 Barbicaneers worked tirelessly to improve Barbican, a REST API designed for the secure storage, provisioning and management of passwords, encryption keys and X.509 certificates. The goal is to make it useful for all environments, including large ephemeral clouds. The Barbicaneers focused on simplifying deployment, improving performance, planning for the future of certificate provisioning, improving management tooling for the Barbican database and improving gate checks.

The team also added auditing capabilities for requests made to Barbican and stricter validation requirements for API requests.

Sheena Gregson shows off the giant cookie team Barbican devoured after a job well done.

Co-locating the two mid-cycle sessions provided a lot of insight to the teams on how to improve their collaborative efforts. The groups joined forces to discuss improvements on certificate management, complete a threat analysis on Barbican, and write related threat analysis documentation. Look for more from these two groups during the OpenStack Summit, to be held in Austin April 25-29.

What’s next?

In the upcoming weeks contributors from both OpenStack Security and Barbican will work on a cross-project initiative to document and blueprint the work needed to bring push-model BYOK to OpenStack clouds.

This effort will require participation from the greater OpenStack community, since it will involve changes across a handful of projects that are currently providing or will soon provide encryption services. The goal is to nail down the requirements ahead of the Austin summit, so they can present their findings to the larger community during the cross-project sessions at the Design Summit.

Michael Xin is an active contributor to the OpenStack Security Project. He is also an OWASP chapter leader. Michael works as a manager of security engineering at Rackspace. Before that, he worked as a senior application security engineer at Scottrade Inc. Michael is interested in web application, web service and API security, mobile application security and cloud security. Michael has years of experience with application security assessment, security code review and the security SDLC.
