[Openstack-security] Security Anti-Patterns

Clark, Robert Graham robert.clark at hp.com
Fri May 30 08:29:59 UTC 2014


On 30/05/2014 09:25, "Thierry Carrez" <thierry at openstack.org> wrote:


>Kurt Seifried wrote:
>> On 05/29/2014 12:47 AM, Clark, Robert Graham wrote:
>>> I certainly share your frustration, I think the idea with the
>>> anti-patterns is to document the things that get done badly most
>>> often in OpenStack and format them in a way that's easily
>>> consumable by core devs and PTLs. The list should be short enough
>>> that they can refer back to it while reviewing new features.
>> 
>>> It's not going to fix anything on it's own but anything we can do
>>> to help developers not make the same mistakes which, as you point
>>> out, have been made for the last 20 years - is a good thing.
>> 
>>> -Rob
>> 
>> So a concrete example, I wrote this in 2012? Nothing new, all this
>> goes back a few decades:
>> 
>> https://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
>> 
>> Then I checkout all the source code:
>> [...]
>
>Yes, it's frustrating. We run those greps from time to time, fix stuff,
>but then some new are added, or some new component appears with its own
>share.
>
>Ideally we would write a hacking-style test that we would gate against
>(to prevent reintroduction) and run those greps at incubation time (to
>prevent new components from inserting them).
>
>The problem is, to make it part of gating we'd have to come with an
>automated detection that would be right most of the time (and that you
>can actively disable in remaining cases). However we receive a lot of
>automated reports at the VMT lately, and more than half of them are
>actually shallow and do not represent a real vulnerability -- automated
>detection is hard.
>
>So this is not a simple problem.
>
>-- 
>Thierry Carrez (ttx)

I think there’s a lot to be gained by having tests that just flag lines as
being interesting but give only a 0 score, an advisory note that something
fishy was noticed and core-devs should take that into consideration as
part of their review.

Such tests are very much on the OSSG roadmap and we hope to get some
written up at the mid-cycle meet up if not before.

-Rob
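The advisory check Rob describes above (flag a line as interesting with a score of 0, never fail the gate) could look roughly like the following for the temporary-file anti-pattern from Kurt's post. This is an added example, not code from OpenStack, the OSSG, or anyone on this thread; the function names and the sample source it scans are constructed for illustration, and it assumes Python 3.8 or later (it relies on `ast.Constant`).

```python
"""Advisory AST check for insecure temporary-file creation in Python source.

Added example, not OpenStack project code. It reports three well-known
anti-patterns as zero-score advisories for a reviewer to weigh:
  * tempfile.mktemp(): returns a name, not an open file, so another
    process can create/symlink that name before the caller opens it
  * os.tempnam()/os.tmpnam(): same race, in a shared world-writable dir
  * a hard-coded path under /tmp or /var/tmp (literal, concatenation,
    or f-string), whether assigned or passed straight to open()
"""
import ast
from dataclasses import dataclass
from typing import List

# (module, attribute) -> advisory text. Assumed set for this example.
UNSAFE_CALLS = {
    ("tempfile", "mktemp"): "tempfile.mktemp returns a name, not a file; use tempfile.mkstemp or NamedTemporaryFile",
    ("os", "tempnam"): "os.tempnam is vulnerable to symlink attacks; use tempfile.mkstemp",
    ("os", "tmpnam"): "os.tmpnam is vulnerable to symlink attacks; use tempfile.mkstemp",
}

# Shared, world-writable directories where fixed names are attackable.
SHARED_TMP_PREFIXES = ("/tmp/", "/var/tmp/")


@dataclass
class Finding:
    lineno: int
    message: str
    score: int = 0  # advisory only: a zero score never fails a gate


def _is_shared_tmp_path(node) -> bool:
    """True if the expression is, or begins with, a literal shared-tmp path."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.startswith(SHARED_TMP_PREFIXES)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_shared_tmp_path(node.left)        # "/tmp/x-" + pid
    if isinstance(node, ast.JoinedStr) and node.values:
        return _is_shared_tmp_path(node.values[0])   # f"/tmp/x-{pid}"
    return False


class TempFileVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings: List[Finding] = []

    def visit_Call(self, node):
        func = node.func
        # module.attr(...) calls from the UNSAFE_CALLS table
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            key = (func.value.id, func.attr)
            if key in UNSAFE_CALLS:
                self.findings.append(Finding(node.lineno, UNSAFE_CALLS[key]))
        # open("/tmp/literal", ...) with the path written inline
        if isinstance(func, ast.Name) and func.id == "open" and node.args \
                and _is_shared_tmp_path(node.args[0]):
            self.findings.append(Finding(
                node.lineno, "open() on a fixed path in a shared tmp dir; use tempfile.mkstemp"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # path = "/tmp/..." built ahead of the open() call
        if _is_shared_tmp_path(node.value):
            self.findings.append(Finding(
                node.lineno, "hard-coded path under a shared tmp dir; use tempfile.mkstemp"))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse one module and return its advisory findings in source order."""
    visitor = TempFileVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def format_findings(findings: List[Finding]) -> List[str]:
    return [f"line {f.lineno}: [score {f.score}] {f.message}" for f in findings]


# Constructed sample module: three anti-patterns and one correct form.
SAMPLE = '''\
import os
import tempfile

def bad_mktemp():
    name = tempfile.mktemp()
    with open(name, "w") as f:
        f.write("x")

def bad_fixed_path(pid):
    path = "/tmp/worker-" + str(pid)
    with open(path, "w") as f:
        f.write("x")

def bad_literal():
    return open("/tmp/status", "w")

def good():
    fd, path = tempfile.mkstemp(prefix="worker-")   # O_CREAT|O_EXCL, 0600
    with os.fdopen(fd, "w") as f:
        f.write("x")
    return path
'''

if __name__ == "__main__":
    for line in format_findings(check_source(SAMPLE)):
        print(line)
```

Run against `SAMPLE` it reports lines 5, 10 and 15 and stays silent on the `mkstemp` version, which is the point: the checker is deliberately shallow (it does not follow a name through `os.path.join` or across functions), so its output is a hint for the reviewer rather than a verdict, which is why every finding carries a score of 0.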


