Let me add my thanks to Luke for his hard work on this, as well as the PTLs
who mobilized to fix these threats, the external researchers who alerted us
to an issue we hadn't noticed, and the entire security team.
It was also exciting for me to see the vulnerability management process in
action. It worked exactly as it's supposed to work and it made the quality
of our code and processes better.
And I'll finally echo Luke's call for participation -- as we move to a more
virtualized and software-based infrastructure, security becomes even more
important. Security is sometimes like eating your vegetables: everyone says
it's important but very few people actually do. Let's make OPNFV a healthy
community that eats its vegetables (and also drinks its beer) and stays
On Wed, Sep 21, 2016 at 12:04 PM, Sona Sarmadi <sona.sarm...@enea.com>
> Well done, Thanks Luke :)
> On 2016-09-21 16:49, Luke Hinds wrote:
> Hello All,
> An update on the results of the Security Threat Analysis for Colorado.
> All projects were given a cursory scan using our security lint tool
> 'anteater', and I then took an in-depth manual review and released
> individual project reports to the PTL's, with each containing
> recommended code remediation's to address issues that were found.
> The whole process resulted in twelve patches being merged into nine
> https://gerrit.opnfv.org/gerrit/#/c/20751 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21995 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/20911 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/20693 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21541 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/22139 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21997 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21985 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21499 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21799 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/21437 master
> branchhttps://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra
> A vulnerability was also discovered in Brahmaputra release and handled
> under our vulnerability management process. This is now patched in
> c-release and backported to b.
> Overall the highlight of the key threats found were:
> * Cross site scripting attacks 
> * Unsafe use of eval 
> * Unsafe yaml handling 
> * Possible shell executions 
> * Leakage of private keys .
> * Running flask in debug mode. 
> A lot of false positives were also present, what with the OPNFV being
> test oriented.
> I personally want to thank everyone involved in the above patches, who
> mobilized with speed and handled the situation with a level head and
> professionalism. Many thanks, you know who you all are.
> Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
> with an issue they found while researching OPNFV security.
> Looking forward
> So the threat analysis has definitely proved very useful, but very time
> consuming too - analyzing thousands of lines of code, over many projects
> meant many a late night. I now have a tool to automate this, so I will
> seek to integrate this as a gerrit / CI gate / job.
> However, you can all really help here, by using the gerrit tag
> ‘SecurityImpact’ we have.
> All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
> review and it will automatically notify the Security group members, to
> come in and provide feedback in your gerrit patch. As a general rule,
> use this if ever in doubt on a change (or even not). The group are happy
> to get any requests come in. More details can be found on our secure
> code page:
> One other key point is the use of private keys / passwords in projects.
> This I understand can be challenging, as we automate a lot of black box
> style testing which is hands off. I am of the mind to set up a working
> group to look at this topic and help formulate some guidance on handling
> SSH / TLS keys, certs. Any volunteers, please do let me know.
> Last of all, we really need more folk helping in security. A lot of
> 'hand wringing' happens in the industry on security being a top concern,
> but very little are willing to put boots on the ground. It would be
> really nice to see that happen, so if you know of anyone in your
> company, encourage them (or even yourself) to come to our meetings and
> get involved.
>  https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>  http://lucumr.pocoo.org/2011/2/1/exec-in-python/
>  https://security.openstack.org/guidelines/dg_avoid-shell-true.html
> Luke - Security Group PTL
> opnfv-tech-discuss mailing
> opnfv-tech-discuss mailing list
Email/Google Talk: hkirk...@linuxfoundation.org
opnfv-tech-discuss mailing list