OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in the Cloud-era? - Lars Kurth
Lars Kurth
Community Manager, Xen Project
Chairman, Xen Project Advisory Board
Lead CentOS Virtualization SIG
Director, Open Source Business Office, Citrix
lars_kurth

I → D
I: Vulnerability Introduced
D: Vulnerability Discovered
Encourage discoverers to report security issues to security@yourproject
Discoverers are in control: you can’t stop them from releasing or using information

A team-effort to ensure that …
• All (known) doors are closed
• All (known) doors are locked
• All (known) windows are boarded up
• Fences have no (known) weaknesses
• …

Lifecycle without a pre-disclosure period: R → T → A → F → X
R: Vulnerability Reported
T: Triage
A: Vulnerability Announced
F: Fix Available
X: Fix Deployed
From R to A: vulnerability is known by the reporter and the security team (note: it may also be known and used by black hats)
From A to F: vulnerability is known publicly with no fix available
From F on: vulnerability is known publicly with fix available
Announcement (A) carries a basic description; patch/fix creation and validation runs from triage until the fix is available; fix availability (F) carries a detailed description, CVE allocation, …

Lifecycle with a pre-disclosure period (R, T, P, A, F, X)
R: Vulnerability Reported
T: Triage
P: Vulnerability Pre-disclosed
A: Vulnerability Announced
F: Fix Available
X: Fix Deployed
From R to P: vulnerability is known by the reporter and the security team (note: it may also be known and used by black hats)
From P to A (pre-disclosure period): vulnerability is known about by a privileged and small group of users; patch/fix creation and validation, description, CVE allocation, …
From A on: vulnerability is known publicly
Pre-disclosure period: typically a fixed time during which the security issue is handled secretly. Ideally 2-3 weeks; depends on the discoverer’s wishes.
What can and can’t be done with privileged information can differ significantly between projects.

Approach Used by Projects
Full:
• Linux Kernel/LXC/KVM if reported via OSS Security
• Linux Kernel/LXC/KVM if reported via security@kernel.org
• OpenStack, QEMU, … for low impact issues
Responsible, “Distro Model”:
• Linux Kernel/LXC/KVM if reported via OSS Security Distros
• Linux Distributions (both open source and commercial)
• QEMU, Libvirt, oVirt, ...
Responsible, “Cloud Model”:
• OpenStack for intermediate to high impact issues
• OPNFV, OpenDayLight: process modeled on OpenStack
• Xen Project for all issues (also handles 3rd party issues, e.g. QEMU)
Not clearly stated:
• Docker: states responsible disclosure, but policy docs empty / some CVEs
• Cloud Foundry: no clearly stated process; no published CVEs
• CoreOS: just a mail to report issues
• Kubernetes: just a mail to report issues (when I wrote this talk in Aug, no info)
OpenNebula (added to the list on the following slide, without a stated category)

What can and can’t be done with privileged information can differ significantly between projects:
• What is allowed during pre-disclosure
• Who is privileged and trusted to be on the pre-disclosure mailing list
• Pre-Disclosure Time

Goals of a pre-disclosure period:
• Make sure that a fix is available before disclosure
• Make sure that downstream projects and products (e.g. distros) can package and test the fix in their environment
• Allow service providers that use your Software to start planning an upgrade (at scale this can take a week)
• Allow service providers that use your Software to deploy an upgrade before the embargo completes

Cloud Model: emerged recently! Recognizes the needs of service providers.
Distro Model: pre-cloud computing! Services and their users are vulnerable immediately after disclosure.

More Cloud/Service users than direct users of your software. Example:
• AWS stated in 2014 that they have > 1M users (and a lot more instances)
• AliCloud claims that they have > 1M users
• …

Just imagine what the reputation damage would have been if Xen had put AWS, Rackspace, SoftLayer, … users at real risk of a vulnerability. There were hundreds of stories at the time, despite the fact that users were never put at risk, but merely inconvenienced!

Pre-disclosure list membership: more members, more risk of leakage
• In the Distro Model, the number of privileged users is typically <10
• In the Cloud Model, the number could be an order of magnitude higher (50-100)

Restricting pre-disclosure list membership:
• Restricting membership to large service providers to minimize risk
• Opaque application criteria and process
• …
That creates issues of “fairness”, which may be incompatible with your community’s values.
Source: yanilavigne.net via
domics.me

Very wide range of approaches vs. the reality that SW stacks contain many layers: consider the weakest link in your SW stack.
Best practice appears to be emerging, BUT …
• Older projects seem slow to change
• New projects don’t build security management into their culture from the beginning
• New post-Snowden era pressures
• How to effectively deal with media hype?
mindfulness @ Flickr

Not all projects create CVEs for all their issues; some projects don’t assign CVEs at all.
CVE databases (such as www.cvedetails.com) can be used to evaluate your project.
This shows Xen Project CVE stats: before 2012, we didn’t have fewer vulnerabilities than after; we just didn’t have a process requiring creation of CVEs.

Disclosure Time (from R to A and F)
Long disclosure times discredit responsible disclosure: they range from a few days to many months.
Disclosure times need to contribute to your goals & be achievable. Consider the goals of the “Cloud Model”:
• Xen Project: 1 week to prepare fix, 2 weeks pre-disclosure
• OpenStack: unspecified time to prepare fix, 3-5 working days pre-disclosure
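As an added example (not from the talk), a small Python model of the pre-disclosure lifecycle described above: it derives the R, P, F and A dates for a stated policy, reports which group knows about the issue on a given day, and checks whether the embargo leaves a service provider a week to plan an upgrade (the slide’s “at scale this can take a week”) and still deploy before the embargo ends. The policy figures are the Xen and OpenStack numbers from the slide; the 7-day planning need, the assumption that pre-disclosure starts once the fix is ready, and the placeholder OpenStack fix time are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Modelling assumption: a large service provider needs 7 calendar days to plan
# an upgrade (the slide's "at scale this can take a week") before deploying.
PLANNING_DAYS = 7


def add_days(start: date, n: int, working_days: bool = False) -> date:
    """Advance start by n days; with working_days=True, weekends are skipped."""
    if not working_days:
        return start + timedelta(days=n)
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday are working days
            n -= 1
    return d


@dataclass(frozen=True)
class Policy:
    name: str
    fix_days: int        # R/T -> F: time to prepare and validate the fix
    embargo_days: int    # P -> A: pre-disclosure period
    working_days: bool   # whether embargo_days counts working days only


@dataclass(frozen=True)
class Timeline:
    reported: date       # R: reporter and security team know
    predisclosed: date   # P: privileged list is told
    fix_available: date  # F
    announced: date      # A: public

    def who_knows(self, day: date) -> str:
        """Which group knows about the issue on a given day (the talk's phases)."""
        if day < self.reported:
            return "discoverer only (possibly black hats too)"
        if day < self.predisclosed:
            return "reporter and security team"
        if day < self.announced:
            return "privileged pre-disclosure list"
        if day < self.fix_available:
            return "public, no fix available"
        return "public, fix available"


def schedule(policy: Policy, reported: date) -> Timeline:
    """Derive P, F and A from a policy.

    Assumption: pre-disclosure starts once the fix is available (the slide's
    goal "make sure that a fix is available before disclosure"), so the embargo
    window is the time downstream has to package, test and deploy.
    """
    fix = add_days(reported, policy.fix_days)
    announce = add_days(fix, policy.embargo_days, policy.working_days)
    return Timeline(reported, fix, fix, announce)


def deploy_window_days(t: Timeline) -> int:
    """Calendar days left for deployment after PLANNING_DAYS of planning."""
    return (t.announced - t.predisclosed).days - PLANNING_DAYS


def check_cloud_model(policy: Policy, reported: date) -> tuple[bool, int]:
    """True if a provider can plan for a week and still deploy before A."""
    days = deploy_window_days(schedule(policy, reported))
    return days > 0, days


# Policies as stated on the slide. OpenStack's fix time is "unspecified" there,
# so 7 is a constructed placeholder that only anchors the dates.
XEN = Policy("Xen Project", fix_days=7, embargo_days=14, working_days=False)
OPENSTACK_MIN = Policy("OpenStack (3 wd)", fix_days=7, embargo_days=3, working_days=True)
OPENSTACK_MAX = Policy("OpenStack (5 wd)", fix_days=7, embargo_days=5, working_days=True)
REPORT_DAY = date(2015, 8, 3)  # constructed sample report date: a Monday

if __name__ == "__main__":
    for p in (XEN, OPENSTACK_MIN, OPENSTACK_MAX):
        t = schedule(p, REPORT_DAY)
        ok, days = check_cloud_model(p, REPORT_DAY)
        print(f"{p.name}: P={t.predisclosed} A={t.announced} "
              f"deploy days after planning={days} -> {'ok' if ok else 'too short'}")
```

With the sample Monday report date, Xen’s two-week embargo leaves a week for deployment after a week of planning, while three to five working days leave none.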

Long version of this talk:
www.slideshare.net/xen_com_mgr/linuxcon-na-2015are-todays-foss-security-practices-robust-enough-in-the-cloud-era
Source: Micky Aldridge via wikimedia.org