[openstack-dev] [OSSG] OpenStack Security Group Task List

Adam Young ayoung at redhat.com
Fri Oct 26 03:19:17 UTC 2012 

On 10/25/2012 10:24 PM, Adam Young wrote:
> On 10/25/2012 04:41 PM, David Kranz wrote:
>> On 10/23/2012 8:34 PM, Bryan D. Payne wrote:
>>> As the OpenStack Security Group (OSSG) begins to take shape, we are
>>> looking to identify what work needs to be done.  We have lots of
>>> things in our heads, but I know others have similar lists in their
>>> heads as well.  I'd like to start this thread to collect security
>>> related issues for any OpenStack core project.  These can be things
>>> with existing bug reports, or things that have just been sitting in
>>> your head without actually making it into a bug report yet.
>>>
>>> The idea is to have a list of problems where it would be useful for
>>> security people to help.  I'll start with the following to get us
>>> going.
>>>
>>> * Fix problems with clients using SSL (see slide 19 of
>>> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
>>> * Start a hardening guide
>>> * Work with swift team on Swift Message Authentication
>>> * Work with nova team on Nova RPC signing
>>> * Work with keystone team on new PKI tokens and related code
>>> * Work with oslo team on rootwrap code
>>> * Add a 'SecurityImpact' tag to mark pull requests as needing a review
>>> by someone in OSSG
>>>
>>> Please help us out by replying with your additions.
>>>
>>> Cheers,
>>> -bryan
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> Is the first bullet related to this 
>> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf?
>
> Still reading that, but it sounds like the #1 thing we need to make 
> sure all of the client code is doing is hostname validation.

Also interesting to note that there was no reference to NSS anywhere in 
the document.  NSS is the Crypto library of choice at Red Hat, due to 
(among other things) the fact that it was the only thing that was fips 
compliant.  It is a pain to work with,  but it is solid. Of course, that 
paper points out that poor API design is the cause of a lot of the 
problems:  using OpenSSL correctly means that you are secure, it is just 
difficult to use correctly.  I suspect the same is true of NSS as well.

>
>>
>> The Most Dangerous Code in the World:
>> Validating SSL Certificates in Non-Browser Software
>>
>>  -David
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list