OpenStack Security CI/CD Way
Jim Freeman, Director of Security Engineering
Michael Xin, Manager of Security Engineering
Software Development Methodologies
Waterfall Methodology
Agile Development Methodology
Continuous Integration/Continuous Deployment (CI/CD)
CI/CD pipeline (diagram): Developers commit to the Version Control Server; each commit triggers the Continuous Integration Server, which runs the stages below in order. Every stage writes logs and ends in FAIL or Success, and a report is produced after each test stage.
•Configure
•Static Analysis / Security
•Unit / functional / Security tests -> Report
•Deploy
•Smoke / Security / Performance tests -> Report
CI/CD Security Engineering Advantages
•Reduce test time from weeks to hours
•Security defect fix time reduced from weeks to days
•Better security testing
 –Repeatable
 –Consistent
 –Auditable
•Build great working relationships
Bandit: a framework for performing security analysis of Python source code
https://wiki.openstack.org/wiki/Security/Projects/Bandit
OpenStack Security Group
>> Issue: subprocess call without a subshell.
Severity: Low Confidence: High
Location: ./solum/worker/handlers/shell.py:494
493 try:
494 runtest = subprocess.Popen(command, env=user_env,
495 stdout=subprocess.PIPE)
496 returncode = runtest.wait()
>> Issue: Use of random is not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: ./solum/worker/handlers/shell.py:141
140 else:
141 str_assem = (''.join(random.choice(string.ascii_uppercase)
142 for i in range(20)))
143 user_env['ASSEMBLY_ID'] = str_assem
Customize the Configuration File: bandit.yaml

# optional: plugins discovery name pattern
plugin_name_pattern: '*.py'

exclude_dirs:
  - '/tests/'

ShellInjection:
  include:
    - subprocess_popen_with_shell_equals_true
    - start_process_with_no_shell
  exclude:

SqlInjection:
  include:
    - hardcoded_sql_expressions
Extend Bandit using plugins

import bandit
from bandit.core.test_properties import checks, takes_config


@takes_config('shell_injection')
@checks('Call')
def subprocess_popen_with_shell_equals_true(context, config):
    # Only inspect calls to the subprocess functions listed under the
    # shell_injection section of bandit.yaml; flag any that pass shell=True.
    if config and context.call_function_name_qual in config['subprocess']:
        if context.check_call_arg_value('shell', 'True'):
            return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH,
                text="subprocess call with shell=True identified, security "
                     "issue. %s" % context.call_args_string
            )
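The plugin above only runs inside Bandit. To show what the two findings reported earlier (the subprocess call and the use of random) actually amount to in AST terms, here is an added, self-contained checker that is not part of Bandit or the original slides: it walks a parsed module, resolves simple module.attr call targets, and reports the same three conditions (shell=True, a subprocess call without shell=True, and random.* used where a CSPRNG is needed). The sample source it scans is constructed for the example; SUBPROCESS_CALLS and RANDOM_CALLS are assumed subsets of what Bandit's shell_injection config and blacklist cover.

```python
import ast

# Constructed sample module modelled on the two Bandit findings shown above
# (a subprocess.Popen call and random.choice used to build an ID). It is not
# the Solum source; it exists only as input for the checker.
SAMPLE_SOURCE = """
import random
import string
import subprocess

def run(command, user_env):
    runtest = subprocess.Popen(command, env=user_env, shell=True,
                               stdout=subprocess.PIPE)
    return runtest.wait()

def assembly_id():
    return ''.join(random.choice(string.ascii_uppercase) for i in range(20))

def safe_run(command):
    return subprocess.check_output(command)
"""

# Call targets this checker cares about (assumed subsets of Bandit's
# shell_injection configuration and its random blacklist).
SUBPROCESS_CALLS = {'subprocess.Popen', 'subprocess.call',
                    'subprocess.check_call', 'subprocess.check_output'}
RANDOM_CALLS = {'random.random', 'random.randrange', 'random.randint',
                'random.choice', 'random.uniform', 'random.triangular'}


def qualified_name(node):
    """Return 'module.attr' for a call target such as subprocess.Popen.

    Only the simple name.attr shape is resolved; chained attributes and calls
    on call results yield None and are skipped, as a deliberate limitation.
    """
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return '%s.%s' % (node.value.id, node.attr)
    if isinstance(node, ast.Name):
        return node.id
    return None


def has_shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == 'shell'
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for kw in call.keywords)


def check_source(source):
    """Parse source and return (lineno, severity, message) findings by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = qualified_name(node.func)
        if name in SUBPROCESS_CALLS:
            if has_shell_true(node):
                findings.append((node.lineno, 'HIGH',
                                 'subprocess call with shell=True identified'))
            else:
                findings.append((node.lineno, 'LOW',
                                 'subprocess call without a subshell'))
        elif name in RANDOM_CALLS:
            findings.append((node.lineno, 'LOW',
                             'Use of random is not suitable for '
                             'security/cryptographic purposes'))
    return sorted(findings)


if __name__ == '__main__':
    for lineno, severity, message in check_source(SAMPLE_SOURCE):
        print('line %d [%s] %s' % (lineno, severity, message))
```

Severity mirrors the Bandit plugin above: shell=True is HIGH, the other two are LOW with the same wording as the Bandit report, so a CI job can fail on HIGH and merely log LOW. A call such as subprocess.Popen(cmd, shell=variable) is not reported here because only the literal True is matched; Bandit's check_call_arg_value has the same limitation.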
# Authorization tests: a client authenticated as tenant one must not be able
# to read or modify a network that belongs to tenant two.
@tags("authorization", "security")
def test_get_network_of_other_user(self):
    resp = self.one_network_client.get_network(self.two_network_id)
    assert resp.status_code != 200

@tags("authorization", "security")
def test_update_network_of_other_user(self):
    resp = self.one_network_client.update_network(self.two_network_id,
                                                  name="newname")
    assert resp.status_code != 200
POST /v2.0/subnets HTTP/1.1
User-Agent: curl/7.30.0
Host: xxx.xxx.xxx.xxx
Content-Type: application/json
Accept: application/json
Content-Length: 189

{"subnet": {"network_id": "fc795965-cdad-40b5-8e7b-73ee174a9451", "name": "Sectest", "cidr": "11.168.200.0/24", "ip_version": 4, "dns_nameservers": ["11111111111111111111111111111111111"]}}
HTTP/1.1 503 Service Unavailable
Via: 1.1 Repose (Repose/2.12)
Content-Length: 0
Server: Jetty(8.0.y.z-SNAPSHOT)
CVE-2014-7821 (Neutron DoS through invalid DNS configuration): http://lists.openstack.org/pipermail/openstack-announce/2014-November/000303.html
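The request above puts a 35-digit string where an IP address belongs and the service answers 503 rather than rejecting the body. The added example below is not Neutron's code or the fix shipped for CVE-2014-7821; it is a hypothetical validator for a subnet-create body written for this page, using the standard-library ipaddress module, that turns every malformed field into a 400 before any backend is touched. The request body is constructed to match the curl request above, and MAX_DNS_NAMESERVERS is an assumed limit.

```python
import ipaddress

# Constructed request body with the same shape and the same 35-digit
# "nameserver" as the curl request above; not captured from a live system.
MALFORMED_BODY = {
    "subnet": {
        "network_id": "fc795965-cdad-40b5-8e7b-73ee174a9451",
        "name": "Sectest",
        "cidr": "11.168.200.0/24",
        "ip_version": 4,
        "dns_nameservers": ["11111111111111111111111111111111111"],
    }
}

# Assumed per-subnet limit; in a real service this is a deployment setting.
MAX_DNS_NAMESERVERS = 5


class BadRequest(ValueError):
    """A client error: the handler should answer 400, never 503."""


def validate_subnet(body):
    """Validate a subnet-create body; raise BadRequest on any malformed field.

    Returns the normalised fields so the caller stores canonical strings
    rather than whatever the client sent.
    """
    subnet = body.get("subnet") if isinstance(body, dict) else None
    if not isinstance(subnet, dict):
        raise BadRequest("subnet object missing")

    ip_version = subnet.get("ip_version")
    if ip_version not in (4, 6):
        raise BadRequest("ip_version must be 4 or 6")

    cidr = subnet.get("cidr")
    if not isinstance(cidr, str):
        raise BadRequest("cidr must be a string")
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        raise BadRequest("cidr %r is not a valid IP network" % cidr)
    if network.version != ip_version:
        raise BadRequest("cidr does not match ip_version")

    nameservers = subnet.get("dns_nameservers", [])
    if not isinstance(nameservers, list):
        raise BadRequest("dns_nameservers must be a list")
    if len(nameservers) > MAX_DNS_NAMESERVERS:
        raise BadRequest("too many dns_nameservers (max %d)" % MAX_DNS_NAMESERVERS)

    seen = []
    for ns in nameservers:
        # ip_address() also accepts an int, so insist on a string first.
        if not isinstance(ns, str):
            raise BadRequest("dns_nameserver entries must be strings")
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            raise BadRequest("dns_nameserver %r is not a valid IP address" % ns)
        if addr.version != ip_version:
            raise BadRequest("dns_nameserver %s does not match ip_version" % addr)
        if addr in seen:
            raise BadRequest("duplicate dns_nameserver %s" % addr)
        seen.append(addr)

    return {
        "network_id": subnet.get("network_id"),
        "name": subnet.get("name", ""),
        "cidr": str(network),
        "ip_version": ip_version,
        "dns_nameservers": [str(a) for a in seen],
    }


def handle_create_subnet(body):
    """Map the validation outcome to an HTTP status: 400 for bad input, 201 otherwise."""
    try:
        subnet = validate_subnet(body)
    except BadRequest as exc:
        return 400, str(exc)
    return 201, subnet


if __name__ == "__main__":
    print(handle_create_subnet(MALFORMED_BODY))
```

The point for a CI security test is the status code: a request like the one above should produce a 400 with a message naming the bad field, and a test that sends it can assert exactly that, while a 5xx from the same input is a finding worth filing.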
Lessons Learned / CI/CD Opportunities
•CI/CD: evolve
•Automation (Bandit): automate
•Collaboration: contribute