Hello All,

An update on the results of the Security Threat Analysis for Colorado.

All projects were given a cursory scan using our security lint tool
'anteater', and I then took an in-depth manual review and released
individual project reports to the PTL's, with each containing
recommended code remediation's to address issues that were found.

The whole process resulted in twelve patches being merged into nine

https://gerrit.opnfv.org/gerrit/#/c/20751 master branch
https://gerrit.opnfv.org/gerrit/#/c/21995 master branch
https://gerrit.opnfv.org/gerrit/#/c/20911 master branch
https://gerrit.opnfv.org/gerrit/#/c/20693 master branch
https://gerrit.opnfv.org/gerrit/#/c/21541 master branch
https://gerrit.opnfv.org/gerrit/#/c/22139 master branch
https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/21985 master branch
https://gerrit.opnfv.org/gerrit/#/c/21499 master branch
https://gerrit.opnfv.org/gerrit/#/c/21799 master branch
https://gerrit.opnfv.org/gerrit/#/c/21437 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

A vulnerability was also discovered in Brahmaputra release and handled
under our vulnerability management process. This is now patched in
c-release and backported to b.

Overall the highlight of the key threats found were:

* Cross site scripting attacks [1]
* Unsafe use of eval [2]
* Unsafe yaml handling [3]
* Possible shell executions [4]
* Leakage of private keys [5].
* Running flask in debug mode. [6]

A lot of false positives were also present, what with the OPNFV being
test oriented.

I personally want to thank everyone involved in the above patches, who
mobilized with speed and handled the situation with a level head and
professionalism. Many thanks, you know who you all are.

Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
with an issue they found while researching OPNFV security.

Looking forward

So the threat analysis has definitely proved very useful, but very time
consuming too - analyzing thousands of lines of code, over many projects
meant many a late night. I now have a tool to automate this, so I will
seek to integrate this as a gerrit / CI gate / job.

However, you can all really help here, by using the gerrit tag
‘SecurityImpact’ we have.

All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
review and it will automatically notify the Security group members, to
come in and provide feedback in your gerrit patch. As a general rule,
use this if ever in doubt on a change (or even not). The group are happy
to get any requests come in. More details can be found on our secure
code page:


One other key point is the use of private keys / passwords in projects.
This I understand can be challenging, as we automate a lot of black box
style testing which is hands off. I am of the mind to set up a working
group to look at this topic and help formulate some guidance on handling
SSH / TLS keys, certs. Any volunteers, please do let me know.

Last of all, we really need more folk helping in security. A lot of
'hand wringing' happens in the industry on security being a top concern,
but very little are willing to put boots on the ground. It would be
really nice to see that happen, so if you know of anyone in your
company, encourage them (or even yourself) to come to our meetings and
get involved.


[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://lucumr.pocoo.org/2011/2/1/exec-in-python/
[4] https://security.openstack.org/guidelines/dg_avoid-shell-true.html


Luke - Security Group PTL
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
t: +44 12 52 36 2483

Attachment: 0x3C202614.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

opnfv-tech-discuss mailing list

Reply via email to