Thanks for all your hard work, Luke!

On Wed, Sep 21, 2016 at 7:49 AM, Luke Hinds <lhi...@redhat.com> wrote:

> Hello All,
>
> An update on the results of the Security Threat Analysis for Colorado.
>
> All projects were given a cursory scan using our security lint tool
> 'anteater', and I then took an in-depth manual review and released
> individual project reports to the PTLs, each containing
> recommended code remediations to address the issues that were found.
>
> The whole process resulted in twelve patches being merged into nine
> projects:
>
> https://gerrit.opnfv.org/gerrit/#/c/20751 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21995 master branch
> https://gerrit.opnfv.org/gerrit/#/c/20911 master branch
> https://gerrit.opnfv.org/gerrit/#/c/20693 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21541 master branch
> https://gerrit.opnfv.org/gerrit/#/c/22139 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21985 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21499 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21799 master branch
> https://gerrit.opnfv.org/gerrit/#/c/21437 master branch
> https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra
>
> A vulnerability was also discovered in the Brahmaputra release and handled
> under our vulnerability management process. This is now patched in
> c-release and backported to b.
>
> Overall, the highlights of the key threats found were:
>
> * Cross site scripting attacks [1]
> * Unsafe use of eval [2]
> * Unsafe yaml handling [3]
> * Possible shell executions [4]
> * Leakage of private keys [5]
> * Running flask in debug mode [6]
>
> A lot of false positives were also present, what with the OPNFV being
> test-oriented.
>
> I personally want to thank everyone involved in the above patches, who
> mobilized with speed and handled the situation with a level head and
> professionalism. Many thanks, you know who you all are.
>
> Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
> with an issue they found while researching OPNFV security.
>
> Looking forward
> ----------------------
>
> So the threat analysis has definitely proved very useful, but very time
> consuming too - analyzing thousands of lines of code, over many projects
> meant many a late night. I now have a tool to automate this, so I will
> seek to integrate this as a gerrit / CI gate / job.
>
> However, you can all really help here, by using the gerrit tag
> ‘SecurityImpact’ we have.
>
> All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
> review and it will automatically notify the Security group members, to
> come in and provide feedback in your gerrit patch. As a general rule,
> use this if ever in doubt on a change (or even not). The group are happy
> to get any requests come in. More details can be found on our secure
> code page:
>
> https://wiki.opnfv.org/display/security/Securecode
>
> One other key point is the use of private keys / passwords in projects.
> This I understand can be challenging, as we automate a lot of black box
> style testing which is hands off. I am of the mind to set up a working
> group to look at this topic and help formulate some guidance on handling
> SSH / TLS keys, certs. Any volunteers, please do let me know.
>
> Last of all, we really need more folk helping in security. A lot of
> 'hand wringing' happens in the industry on security being a top concern,
> but very few are willing to put boots on the ground. It would be
> really nice to see that happen, so if you know of anyone in your
> company, encourage them (or even yourself) to come to our meetings and
> get involved.
>
> References:
>
> [1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
> [2] http://lucumr.pocoo.org/2011/2/1/exec-in-python/
> [3] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
> [4] https://security.openstack.org/guidelines/dg_avoid-shell-true.html
> [5] http://security.stackexchange.com/questions/55525/how-can-an-attacker-use-a-leaked-private-key
> [6] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
>
> Regards,
>
> Luke - Security Group PTL
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
> t: +44 12 52 36 2483
>
> _______________________________________________
> opnfv-tsc mailing list
> opnfv-...@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-tsc
>
>
_______________________________________________
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
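An added example, not anteater's code and not from the original mail: a small AST-based lint in the spirit of the threat list above, flagging the Python patterns behind items [2], [3], [4] and [6] (unsafe eval, yaml.load without a safe Loader, subprocess with shell=True, Flask run with debug=True). The rule names and the sample source are constructed for this illustration; like any pattern lint it will produce false positives in test code and still needs a human review.

```python
import ast

def _dotted(node):
    """Render a Name/Attribute chain such as yaml.load as 'yaml.load', else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))

def _kwarg(call, name):
    """Value node of keyword argument `name` on a Call, or None if absent."""
    return next((k.value for k in call.keywords if k.arg == name), None)

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def scan(source):
    """Return sorted (line, rule) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in ("eval", "exec"):                      # unsafe use of eval [2]
            findings.append((node.lineno, "unsafe-eval"))
        elif name == "yaml.load":                         # unsafe yaml handling [3]
            loader = _kwarg(node, "Loader") or (node.args[1] if len(node.args) > 1 else None)
            if loader is None or not _dotted(loader).endswith("SafeLoader"):
                findings.append((node.lineno, "unsafe-yaml"))
        elif name.startswith("subprocess."):              # possible shell execution [4]
            if _is_true(_kwarg(node, "shell")):
                findings.append((node.lineno, "shell-exec"))
        elif name.endswith(".run") and _is_true(_kwarg(node, "debug")):
            findings.append((node.lineno, "flask-debug"))  # Flask debug mode [6]
    return sorted(findings)

# Constructed sample: one hit per rule, each beside its safe equivalent.
SAMPLE = """import yaml, subprocess
cfg = yaml.load(open("c.yml"))
cfg = yaml.safe_load(open("c.yml"))
value = eval(user_input)
subprocess.check_output("ls " + path, shell=True)
subprocess.check_output(["ls", path])
app.run(host="0.0.0.0", debug=True)
"""
```

Running `scan(SAMPLE)` reports lines 2, 4, 5 and 7; the safe alternatives on lines 3 and 6 are not flagged.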
