Breakfast tacos, Bandit and the “most stealthy” project experts worked on.

A castle is the perfect place to talk about OpenStack security.

Some 30 people gathered in the Rackspace Castle in San Antonio — ok, it was previously a mall — for the recent Mitaka Mid-cycle Security Meetup. Experts from companies including Hewlett Packard Enterprise, Rackspace, VMWare, IBM, Mirantis and Symantec participated.

Superuser talked to Rob Clark, lead security architect for Hewlett-Packard Cloud Service and project team lead (PTL) of the OpenStack Security Project and Travis McPeak, security architect at Hewlett-Packard Helion about Ansible, cleaning up Bandit’s pesky config file and Anchor, the “most stealthy” project they’re working on.

In all, there were 24 attendees from the OpenStack Security Project and six attendees from the Barbican Project, which deliberately overlapped with the Security project Mid-Cycle. Although there was no moat or drawbridge, host Rackspace offered the group a large space and kept the Texas barbecue and breakfast tacos coming over the course of the Meetup held January 12-15.

What makes the event unique, say Clark and McPeak, is this kind of cross-project collaboration. A large number of the people working on OpenStack Security who are cores or contributors on other key OpenStack projects link brains to solve common issues. “The fact that we all come together to share our cross-domain expertise makes this group particularly special,” they added.

pjg71axwkkuptfipj6an
Mitakta Mid-Cycle security participants gather in the Rackspace Castle.

Clark kicked off the unconference by inviting people to write topics of interest on Post-it notes and stick them up on the whiteboard. Participants then voted on which topics were most interesting and votes were tallied. Topics were allotted time by how much interest they earned and to ensure everyone had something they wanted to work on.  “The unconference format allows us to follow interesting threads more easily than a traditional time-boxed conference style,” McPeak adds.

xzx70ykeclupheppat1g
Participants produced several action items on an Etherpad and written a couple of blog posts so far with more to come: https://etherpad.openstack.org/p/security-mitaka-midcycle They also walked away with the cool shield stickers (in honor of the Castle?) at left.

Here are some of the other Mid-Cyle takeaways from Clark and McPeak:

  • Bandit development sessions. We’re in the process of tweaking Bandit to remove a common source of user frustration: the config file.  We’re also cleaning up documentation, writing unit tests and ensuring stability ahead of our upcoming Bandit 1.0 release.

  • Security project outreach. The Security Project has grown steadily over the last few years.  We’ve got a great group of people participating now, but we’re always looking for new colleagues.  This session was aimed at refining our “security evangelism” presentation, creating a new blog location for security project posts and figuring out how to utilize resources like Superuser.

  • Threat Analysis. Threat Analysis is a critical part of the secure development lifecycle yet isn’t being done upstream.  This session focused on taking some of the best elements of the threat analysis that both HPE and Rackspace are already doing and standardizing them into a format that is easy to use for project teams.  For more information, please see this blog post.
  • OpenStack Security Ansible. The OpenStack Security Ansible project is Ansible to automatically make security enhancements on deployed systems.  This session covered the work that has already been done, came up with a few enhancements and generally educated the attendees about the project.

  • Anchor. This is probably the most stealthy of our technology projects. It’s a public key infrastructure (PKI) system that uses short-life certificates to achieve “passive revocation” – side stepping the pitfalls of certificate revocation list (CRL) distribution and online certificate status protocol (OCSP) availability that hinders most cloud scale PKI deployments. It’s the technology that we hope will enable OpenStack to deploy “TLS Everywhere” for secure internal communication. The mid-cycle focussed on the core technology and as a result other projects (namely openstack-ansible-security) are interested in leveraging it. There’s a draft blog post on Anchor here: https://openstack-security.github.io/tooling/2016/01/20/ephemeral-pki.html

How to get involved

The best way to get started? Drop in on one of the security team’s weekly IRC meetings Thursdays on Freenode at #openstack-meeting-alt 17:00 UTC.  “Otherwise come introduce yourself anytime on #openstack-security,” McPeak says, we’re always happy to meet new people!”

Cover Photo // CC BY NC