[openstack-dev] [OSSG] Best tool for simple security gate checks

Brant Knudson blk at acm.org
Thu Jun 19 20:49:37 UTC 2014


On Thu, Jun 19, 2014 at 1:37 PM, Clint Byrum <clint at fewbar.com> wrote:

> A large majority of the failures I've seen OSSG report have been privilege
> escalation in each service. Trusts not scoping down properly, quotas
> not being applied, or cross-project/tenant boundaries not being honored.
>
> I don't think we've had many (if any) SQL or shell injection attacks or
> buffer overflows or anything like that. We're all pretty well trained to
> spot these issues and python makes you have to try pretty hard to
> implement some of them.
>
>
There was a shell injection attack recently, "Remote Code Execution in
Sheepdog backend"[1], and there have been other issues with trusting
input/escaping too: "www-authenticate value isn't quoted"[2] and "XSS in
Horizon-Orchestration"[3].

[1] https://bugs.launchpad.net/ossa/+bug/1298698
[2] https://bugs.launchpad.net/ossa/+bug/1327414
[3] https://bugs.launchpad.net/ossa/+bug/1289033

- Brant
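The thread is looking for a tool for simple security gate checks, and this reply points out that shell injection has in fact turned up in the code base. As an added illustration, not code from the thread or from any OpenStack project, here is a minimal AST-based gate check in Python of the kind such a job could run on every changed file: it flags calls that hand a command string to a shell (os.system and os.popen unconditionally, subprocess entry points when shell=True is passed) and grades them by whether the command is a literal or built from other values. The module it scans is constructed here for the example; its function and command names are invented and do not describe the Sheepdog bug.

```python
import ast
from typing import Dict, List, Tuple

# Calls that always go through a shell, whatever the arguments.
SHELL_SPAWNERS = {"os.system", "os.popen"}
# subprocess entry points that only involve a shell when shell=True is given.
SUBPROCESS_CALLS = {
    "subprocess.call", "subprocess.check_call", "subprocess.check_output",
    "subprocess.Popen", "subprocess.run",
}


def _dotted_name(node: ast.AST):
    """Return 'mod.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _subprocess_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names introduced by 'import subprocess as sp' or
    'from subprocess import X as Y' back to their qualified names."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for a in node.names:
                aliases[a.asname or a.name] = "subprocess." + a.name
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "subprocess" and a.asname:
                    aliases[a.asname] = "subprocess"
    return aliases


def find_shell_issues(source: str, filename: str = "<string>") -> List[Tuple[int, str, str]]:
    """Return (line, severity, message) for each risky shell invocation, sorted by line."""
    tree = ast.parse(source, filename)
    aliases = _subprocess_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        if head in aliases:  # resolve 'co(...)' or 'sp.call(...)' to subprocess.*
            name = aliases[head] + ("." + rest if rest else "")
        if name in SHELL_SPAWNERS:
            findings.append((node.lineno, "HIGH",
                             "%s() always runs a shell; use subprocess with an argument list" % name))
            continue
        if name in SUBPROCESS_CALLS:
            shell_kw = next((kw for kw in node.keywords if kw.arg == "shell"), None)
            if shell_kw is None:
                continue  # default shell=False: the argv list goes straight to exec
            if isinstance(shell_kw.value, ast.Constant) and shell_kw.value.value is False:
                continue
            first = node.args[0] if node.args else None
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                findings.append((node.lineno, "MEDIUM",
                                 "%s(shell=True) with a literal command; drop shell=True" % name))
            else:
                findings.append((node.lineno, "HIGH",
                                 "%s(shell=True) with a non-literal command: shell injection "
                                 "if any part is attacker-controlled" % name))
    return sorted(findings)


# Constructed sample module for the check to scan (names are made up).
SAMPLE = '''
import os
import subprocess
from subprocess import check_output as co

def snapshot(volume):
    os.system("sheepdog snapshot " + volume)             # string concat into a shell
    subprocess.call("ls -l %s" % volume, shell=True)     # formatted string, shell=True
    co("uptime", shell=True)                             # literal, but still shell=True
    subprocess.check_call(["qemu-img", "info", volume])  # argv list, no shell
    subprocess.run(["ls", volume], shell=False)          # explicit shell=False
'''


def main() -> None:
    for line, severity, message in find_shell_issues(SAMPLE, "sample.py"):
        print("sample.py:%d: %s: %s" % (line, severity, message))


if __name__ == "__main__":
    main()
```

Run as a gate, the check would exit non-zero on any HIGH finding; MEDIUM ones are worth a lint warning, since a literal command with shell=True is safe today but becomes injectable the moment someone interpolates a parameter into it. The check is deliberately narrow (it does not follow a command string through variables or function arguments), which is the trade-off such a simple gate makes in exchange for a near-zero false-positive rate.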