Hello All,

An update on the results of the Security Threat Analysis for Colorado.

All projects were given a cursory scan using our security lint tool
'anteater', and I then took an in-depth manual review and released
individual project reports to the PTLs, each containing
recommended code remediations to address issues that were found.

The whole process resulted in twelve patches being merged into nine
projects:

https://gerrit.opnfv.org/gerrit/#/c/20751 master branch
https://gerrit.opnfv.org/gerrit/#/c/21995 master branch
https://gerrit.opnfv.org/gerrit/#/c/20911 master branch
https://gerrit.opnfv.org/gerrit/#/c/20693 master branch
https://gerrit.opnfv.org/gerrit/#/c/21541 master branch
https://gerrit.opnfv.org/gerrit/#/c/22139 master branch
https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/21985 master branch
https://gerrit.opnfv.org/gerrit/#/c/21499 master branch
https://gerrit.opnfv.org/gerrit/#/c/21799 master branch
https://gerrit.opnfv.org/gerrit/#/c/21437 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

A vulnerability was also discovered in the Brahmaputra release and handled
under our vulnerability management process. This is now patched in the
C release and backported to B.

Overall, the highlights of the key threats found were:

* Cross site scripting attacks [1]
* Unsafe use of eval [2]
* Unsafe yaml handling [3]
* Possible shell executions [4]
* Leakage of private keys [5]
* Running Flask in debug mode [6]

A lot of false positives were also present, what with OPNFV being
test oriented.
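As an added illustration (not anteater's code, and not from the original mail), a toy source lint that flags the six finding classes above over a constructed in-memory tree, with findings under test paths reported separately rather than dropped, since test code is where most of the false positives come from:

```python
import re

# One rough pattern per finding class listed above (constructed for this
# example; these are not anteater's real rules and will miss obfuscations).
RULES = [
    ("xss", re.compile(r"\|\s*safe\b|Markup\(|autoescape\s*=\s*False")),
    ("eval", re.compile(r"\b(eval|exec)\s*\(")),
    # yaml.load without an explicit SafeLoader; yaml.safe_load never matches.
    ("yaml", re.compile(r"\byaml\.load\s*\((?![^)]*Loader\s*=\s*yaml\.SafeLoader)")),
    ("shell", re.compile(r"shell\s*=\s*True|os\.system\s*\(")),
    ("private_key", re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("flask_debug", re.compile(r"\.run\s*\([^)]*debug\s*=\s*True")),
]

TEST_MARKERS = ("tests/", "test_")


def scan_lines(path, lines):
    """Return (findings, suppressed) tuples of (path, lineno, rule, text).
    Hits in files under a test path go to 'suppressed' so a reviewer can
    still see them, but they do not fail the gate."""
    findings, suppressed = [], []
    is_test = any(marker in path for marker in TEST_MARKERS)
    for lineno, line in enumerate(lines, 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hit = (path, lineno, name, line.strip())
                (suppressed if is_test else findings).append(hit)
    return findings, suppressed


def scan_tree(tree):
    """tree maps a relative path to its list of source lines."""
    findings, suppressed = [], []
    for path, lines in tree.items():
        f, s = scan_lines(path, lines)
        findings += f
        suppressed += s
    return findings, suppressed


def gate(findings):
    """CI verdict: True (pass) only when no non-test finding remains."""
    return not findings


# Constructed sample tree; the key material is a placeholder, not a real key.
SAMPLE = {
    "app/server.py": [
        "config = yaml.load(open('conf.yml'))",
        "safe = yaml.load(fh, Loader=yaml.SafeLoader)",
        "value = eval(request.args.get('q'))",
        "subprocess.call(cmd, shell=True)",
        "app.run(debug=True)",
    ],
    "app/templates.py": ["return Markup(user_input)"],
    "tests/test_shell.py": ["out = subprocess.check_output(cmd, shell=True)"],
    "deploy/id_rsa": ["-----BEGIN RSA PRIVATE KEY-----", "PLACEHOLDER-NOT-A-REAL-KEY"],
}
```

Running `scan_tree(SAMPLE)` yields one finding per class from the non-test files, one suppressed `shell` hit from the test file, and a failing gate verdict.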

I personally want to thank everyone involved in the above patches, who
mobilized with speed and handled the situation with a level head and
professionalism. Many thanks, you know who you all are.

Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
with an issue they found while researching OPNFV security.

Looking forward
----------------------

So the threat analysis has definitely proved very useful, but very time
consuming too: analyzing thousands of lines of code over many projects
meant many a late night. I now have a tool to automate this, so I will
seek to integrate this as a gerrit / CI gate / job.

However, you can all really help here, by using the gerrit tag
‘SecurityImpact’ we have.

All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
review and it will automatically notify the Security group members, to
come in and provide feedback in your gerrit patch. As a general rule,
use this if ever in doubt on a change (or even not). The group is happy
to get any requests that come in. More details can be found on our secure
code page:

https://wiki.opnfv.org/display/security/Securecode

One other key point is the use of private keys / passwords in projects.
This I understand can be challenging, as we automate a lot of black box
style testing which is hands off. I am of the mind to set up a working
group to look at this topic and help formulate some guidance on handling
SSH / TLS keys, certs. Any volunteers, please do let me know.

Last of all, we really need more folk helping in security. A lot of
'hand wringing' happens in the industry on security being a top concern,
but very few are willing to put boots on the ground. It would be
really nice to see that happen, so if you know of anyone in your
company, encourage them (or even yourself) to come to our meetings and
get involved.

References:

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://lucumr.pocoo.org/2011/2/1/exec-in-python/
[3] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
[4] https://security.openstack.org/guidelines/dg_avoid-shell-true.html
[5] http://security.stackexchange.com/questions/55525/how-can-an-attacker-use-a-leaked-private-key
[6] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

Regards,

Luke - Security Group PTL
-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat