[opnfv-tech-discuss] Results of Security Threat Analysis for Colorado.

2016-09-21 Thread Luke Hinds
Hello All,

An update on the results of the Security Threat Analysis for Colorado.

All projects were given a cursory scan using our security lint tool
'anteater', and I then took an in-depth manual review and released
individual project reports to the PTLs, with each containing
recommended code remediations to address issues that were found.

The whole process resulted in twelve patches being merged into nine
projects:

https://gerrit.opnfv.org/gerrit/#/c/20751 master branch
https://gerrit.opnfv.org/gerrit/#/c/21995 master branch
https://gerrit.opnfv.org/gerrit/#/c/20911 master branch
https://gerrit.opnfv.org/gerrit/#/c/20693 master branch
https://gerrit.opnfv.org/gerrit/#/c/21541 master branch
https://gerrit.opnfv.org/gerrit/#/c/22139 master branch
https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/21985 master branch
https://gerrit.opnfv.org/gerrit/#/c/21499 master branch
https://gerrit.opnfv.org/gerrit/#/c/21799 master branch
https://gerrit.opnfv.org/gerrit/#/c/21437 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

A vulnerability was also discovered in the Brahmaputra release and handled
under our vulnerability management process. This is now patched in
c-release and backported to b.

Overall, the highlights of the key threats found were:

* Cross-site scripting attacks [1]
* Unsafe use of eval [2]
* Unsafe YAML handling [3]
* Possible shell executions [4]
* Leakage of private keys [5]
* Running Flask in debug mode [6]

A lot of false positives were also present, what with OPNFV being
test-oriented.

I personally want to thank everyone involved in the above patches, who
mobilized with speed and handled the situation with a level head and
professionalism. Many thanks, you know who you all are.

Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
with an issue they found while researching OPNFV security.

Looking forward
--

So the threat analysis has definitely proved very useful, but very time
consuming too - analyzing thousands of lines of code, over many projects
meant many a late night. I now have a tool to automate this, so I will
seek to integrate this as a gerrit / CI gate / job.

However, you can all really help here, by using the gerrit tag
‘SecurityImpact’ we have.

All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
review and it will automatically notify the Security group members, to
come in and provide feedback in your gerrit patch. As a general rule,
use this if ever in doubt on a change (or even not). The group is happy
to get any requests that come in. More details can be found on our secure
code page:

https://wiki.opnfv.org/display/security/Securecode

One other key point is the use of private keys / passwords in projects.
This I understand can be challenging, as we automate a lot of black box
style testing which is hands off. I am of the mind to set up a working
group to look at this topic and help formulate some guidance on handling
SSH / TLS keys, certs. Any volunteers, please do let me know.

Last of all, we really need more folk helping in security. A lot of
'hand wringing' happens in the industry on security being a top concern,
but very few are willing to put boots on the ground. It would be
really nice to see that happen, so if you know of anyone in your
company, encourage them (or even yourself) to come to our meetings and
get involved.

References:

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://lucumr.pocoo.org/2011/2/1/exec-in-python/
[3] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
[4] https://security.openstack.org/guidelines/dg_avoid-shell-true.html
[5] http://security.stackexchange.com/questions/55525/how-can-an-attacker-use-a-leaked-private-key
[6] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

Regards,

Luke - Security Group PTL
-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
t: +44 12 52 36 2483


___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
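The six threat classes listed in Luke's summary are all things a source-level lint can catch, and the "false positives" caveat is why the check below is AST-based rather than grep-based: it distinguishes `yaml.load` from `yaml.safe_load` and `shell=True` from a list-argument call. This is an added example for this thread, not anteater's own code; the sample source it scans is constructed.

```python
import ast
import re

# PEM header of the key types most commonly committed to repos by mistake
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

def _keyword(call, name):  # AST node of keyword argument `name`, or None
    return next((kw.value for kw in call.keywords if kw.arg == name), None)

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def _callee(call):  # dotted callee name: 'eval', 'yaml.load', 'app.run'
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""  # deeper chains (self.app.run) are not resolved by this toy

def scan_source(src):
    """Return sorted (lineno, finding) tuples for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name in ("eval", "exec"):
            findings.append((node.lineno, "unsafe use of eval/exec"))
        elif name == "yaml.load":  # safe_load is a different callee and passes
            loader = _keyword(node, "Loader")
            if loader is None or getattr(loader, "attr", None) in ("Loader", "UnsafeLoader"):
                findings.append((node.lineno, "unsafe yaml load; use yaml.safe_load"))
        elif name.startswith("subprocess.") and _is_true(_keyword(node, "shell")):
            findings.append((node.lineno, "shell=True enables shell injection"))
        elif name.endswith(".run") and _is_true(_keyword(node, "debug")):
            findings.append((node.lineno, "flask debug mode exposes the werkzeug debugger"))
    for m in PRIVATE_KEY_RE.finditer(src):
        findings.append((src.count("\n", 0, m.start()) + 1, "embedded private key"))
    return sorted(findings)

# Constructed sample source: line 3 is the safe YAML call and must not be flagged.
SAMPLE = """import subprocess, yaml
cfg = yaml.load(open("c.yml"))
safe = yaml.safe_load(open("c.yml"))
subprocess.call("ls " + user_dir, shell=True)
value = eval(request.args["expr"])
app.run(host="0.0.0.0", debug=True)
KEY = "-----BEGIN RSA PRIVATE KEY-----\\nconstructed\\n-----END RSA PRIVATE KEY-----"
"""
```

Running `scan_source(SAMPLE)` reports lines 2, 4, 5, 6 and 7; wiring the same function into a gerrit/CI job is the gate the message describes.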


Re: [opnfv-tech-discuss] Results of Security Threat Analysis for Colorado.

2016-09-21 Thread Sona Sarmadi
Well done, Thanks Luke :)





Re: [opnfv-tech-discuss] Results of Security Threat Analysis for Colorado.

2016-09-21 Thread Heather Kirksey
Let me add my thanks to Luke for his hard work on this, as well as the PTLs
who mobilized to fix these threats, the external researchers who alerted us
to an issue we hadn't noticed, and the entire security team.

It was also exciting for me to see the vulnerability management process in
action. It worked exactly as it's supposed to work and it made the quality
of our code and processes better.

And I'll finally echo Luke's call for participation -- as we move to a more
virtualized and software-based infrastructure, security becomes even more
important. Security is sometimes like eating your vegetables: everyone says
it's important but very few people actually do. Let's make OPNFV a healthy
community that eats its vegetables (and also drinks its beer) and stays
strong!

Heather
