[openstack-dev] [barbican] Cryptography audit by OSSG

Lisa Clark lisa.clark at rackspace.com
Fri Apr 18 13:55:05 UTC 2014


Barbicaneers,

   Is anyone following the openstack-security list and/or part of the
OpenStack Security Group (OSSG)?  This sounds like another group and list
we should keep our eyes on.

   In the below thread on the security list, Nathan Kinder is conducting a
security audit of the various integrated OpenStack projects.  He's
answering questions such as what crypto libraries are being used in the
projects, algorithms used, sensitive data, and potential improvements that
can be made.  Check the links out in the below thread.

   Though we're not yet integrated, it might be beneficial to put together
our security audit page under Security/Icehouse/Barbican.

   Another thing to consider as you're reviewing the security audit pages
of Keystone and Heat (and others as they are added): Would Barbican help
to solve any of the security concerns/issues that these projects are
experiencing?

-Lisa

>
>Message: 5
>Date: Thu, 17 Apr 2014 16:27:30 -0700
>From: Nathan Kinder <nkinder at redhat.com>
>To: "Bryan D. Payne" <bdpayne at acm.org>, "Clark, Robert Graham"
>	<robert.clark at hp.com>
>Cc: "openstack-security at lists.openstack.org"
>	<openstack-security at lists.openstack.org>
>Subject: Re: [Openstack-security] Cryptographic Export Controls and
>	OpenStack
>Message-ID: <53506362.3020106 at redhat.com>
>Content-Type: text/plain; charset=windows-1252
>
>On 04/16/2014 10:28 AM, Bryan D. Payne wrote:
>> I'm not aware of a list of the specific changes, but this seems quite
>> related to the work that Nathan has started playing with... discussed on
>> his blog here:
>> 
>> https://blog-nkinder.rhcloud.com/?p=51
>
>This is definitely related to the security audit effort that I'm
>driving.  It's hard to make recommendations on configurations and
>deployment architectures from a security perspective when we don't even
>have a clear picture of the current state of things in the code from
>a security standpoint.  This clear picture is what I'm trying to get to
>right now (along with keeping this picture up to date so it doesn't get
>stale).
>
>Once we know things such as what crypto algorithms are used and how
>sensitive data is being handled, we can see what is configurable and
>make recommendations.  We'll surely find that not everything is
>configurable and sensitive data isn't well protected in areas, which are
>things that we can turn into blueprints and bugs and work on improving
>in development.
>
>It's still up in the air as to where this information should be
>published once it's been compiled.  It might be on the wiki, or possibly
>in the documentation (Security Guide seems like a likely candidate).
>There was some discussion of this with the PTLs from the Project Meeting
>from 2 weeks ago:
>
>
>http://eavesdrop.openstack.org/meetings/project/2014/project.2014-04-08-21.03.html
>
>I'm not so worried myself about where this should be published, as that
>doesn't matter if we don't have accurate and comprehensive information
>collected in the first place.  My current focus is on the collection and
>maintenance of this info on a project by project basis.  Keystone and
>Heat have started, which is great!:
>
>  https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
>  https://wiki.openstack.org/wiki/Security/Icehouse/Heat
>
>If any other OSSG members are developers on any of the projects, it
>would be great if you could help drive this effort within your project.
>
>Thanks,
>-NGK
>> 
>> Cheers,
>> -bryan
>> 
>> 
>> 
>> On Tue, Apr 15, 2014 at 1:38 AM, Clark, Robert Graham
>> <robert.clark at hp.com <mailto:robert.clark at hp.com>> wrote:
>> 
>>     Does anyone have a documented run-down of changes that must be made
>>     to OpenStack configurations to allow them to comply with EAR
>>     requirements?
>>     http://www.bis.doc.gov/index.php/policy-guidance/encryption
>> 
>>     It seems like something we should consider putting into the security
>>     guide. I realise that most of the time it's just "don't use your own
>>     libraries, call to others, make algorithms configurable" etc but
>>     it's a question I'm seeing more and more, the security guide's
>>     compliance section looks like a great place to have something about
>>     EAR.
>> 
>>     -Rob
>> 
>>     _______________________________________________
>>     Openstack-security mailing list
>>     Openstack-security at lists.openstack.org
>>     <mailto:Openstack-security at lists.openstack.org>
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security