Your fuzzy ally, better reviews and more.

The OpenStack Security Project team has been very busy since the Newton Design Summit in Austin last spring. In August, we held our fifth consecutive Security Project mid-cycle with a dozen security-focused developers from HPE, IBM and Rackspace. A lot has changed since our first mid-cycle in the Summer of 2014. Several of our first projects have reached maturity, namely: Bandit, Anchor and the Security Guide. With less active development required for these projects, our attention has shifted to new goals. We’re building a security review process for OpenStack and doing lots of development work on Syntribos, our API fuzzing tool. If you have no idea what fuzzing is, don’t worry, read on.

The “security development lifecycle” describes security activities that should occur in parallel to the software development lifecycle that most developers are familiar with. Any time the design of software changes significantly, a security design review should occur to make sure that changes haven’t introduced new security issues. Many OpenStack Security Project members have become experts at applying threat modeling, threat analysis and security design reviews at our day jobs. Now we’re focusing our attention on building a process for security reviews in upstream OpenStack that:

  • Identifies assets (and the risks against them).
  • Skips tedious “box checking.”
  • Prioritizes areas for additional security attention (manual code review and penetration
  • testing, for example).
  • Can be applied to continuously developed projects.
  • Doesn’t require face-to-face meetings to complete.

As we refine our process, we’re collaborating with highly security-conscious OpenStack teams such as Barbican and Kolla. When we’re completely comfortable applying and teaching the process to others, we’ll expand our scope to begin covering more OpenStack projects, similar to the approach we took when introducing Bandit coverage for projects.

We’re also very excited about the newest member of the OpenStack Security Project tools collection: Syntribos. OpenStack is designed as a collection of micro-services; each micro-service exposes its own representational state transfer API (REST API). From a developer perspective, this means that the REST API is the front door for the service. Malicious users may attempt to exploit a REST API by sending intentionally long input, sending malformed input, calling functions they aren’t authorized to call and a plethora of other attack patterns.

With the recognition that REST API security is vital for OpenStack, the OpenStack Security Project has created Syntribos, a tool that tests REST APIs for resilience to known attacks such as those mentioned above and many more. To do this, Syntribos takes a fuzzing approach. Syntribos launches its entire library of attack types at a target and watches for unexpected behavior. That may mean an operation returning an unexpected status code or it may mean that the service becomes unstable. These findings are useful to developers who can study the behavior and find issues with their code prior to release in the same way that developers use Bandit scans to find issues in Python code.

As always, we’re looking for security enthusiasts to join the OpenStack Security Project and our mission to help make OpenStack more secure. Whether you’re interested in working on one of our existing projects or have a completely new idea, we’d love to speak with you. You can find us on Freenode IRC in the #openstack-security room or on the OpenStack Developer Mailing List (please include a [security] tag).

 

This article first appeared in the print edition of Superuser magazine, distributed at the Barcelona Summit. If you’d like to contribute to the next one, get in touch: [email protected]

Cover Photo // CC BY NC