Re: [openstack-dev] [barbican] Cryptography audit by OSSG
On 04/18/2014 06:55 AM, Lisa Clark wrote:
> Barbicaneers,
>
> Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on.
>
> In the below thread on the security list, Nathan Kinder is conducting a security audit of the various integrated OpenStack projects. He's answering questions such as what crypto libraries are being used in the projects, algorithms used, sensitive data, and potential improvements that can be made. Check the links out in the below thread. Though we're not yet integrated, it might be beneficial to put together our security audit page under Security/Icehouse/Barbican.

I've started a page for you (but for Juno). There is a lot to fill in still (by folks more familiar with the Barbican code than I), but it's a start.

  https://wiki.openstack.org/wiki/Security/Juno/Barbican

It would be great if the Barbican team can fill this in and keep it up to date as development continues.

I've also added the rest of the projects currently in incubation on the top-level Security page for Juno in case other projects are interested in filling in their info as well:

  https://wiki.openstack.org/wiki/Security/Juno

Thanks,
-NGK

> Another thing to consider as you're reviewing the security audit pages of Keystone and Heat (and others as they are added): Would Barbican help to solve any of the security concerns/issues that these projects are experiencing?
>
> -Lisa
>
> Message: 5
> Date: Thu, 17 Apr 2014 16:27:30 -0700
> From: Nathan Kinder <nkin...@redhat.com>
> To: Bryan D. Payne <bdpa...@acm.org>, Clark, Robert Graham <robert.cl...@hp.com>
> Cc: openstack-secur...@lists.openstack.org
> Subject: Re: [Openstack-security] Cryptographic Export Controls and OpenStack
> Message-ID: <53506362.3020...@redhat.com>
> Content-Type: text/plain; charset=windows-1252
>
> On 04/16/2014 10:28 AM, Bryan D. Payne wrote:
>> I'm not aware of a list of the specific changes, but this seems quite related to the work that Nathan has started playing with... discussed on his blog here: https://blog-nkinder.rhcloud.com/?p=51
>
> This is definitely related to the security audit effort that I'm driving. It's hard to make recommendations on configurations and deployment architectures from a security perspective when we don't even have a clear picture of the current state of things in the code from a security standpoint. This clear picture is what I'm trying to get to right now (along with keeping this picture up to date so it doesn't get stale). Once we know things such as what crypto algorithms are used and how sensitive data is being handled, we can see what is configurable and make recommendations. We'll surely find that not everything is configurable and sensitive data isn't well protected in areas, which are things that we can turn into blueprints and bugs and work on improving in development.
>
> It's still up in the air as to where this information should be published once it's been compiled. It might be on the wiki, or possibly in the documentation (Security Guide seems like a likely candidate). There was some discussion of this with the PTLs from the Project Meeting from 2 weeks ago:
>
>   http://eavesdrop.openstack.org/meetings/project/2014/project.2014-04-08-21.03.html
>
> I'm not so worried myself about where this should be published, as that doesn't matter if we don't have accurate and comprehensive information collected in the first place. My current focus is on the collection and maintenance of this info on a project by project basis. Keystone and Heat have started, which is great!:
>
>   https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
>   https://wiki.openstack.org/wiki/Security/Icehouse/Heat
>
> If any other OSSG members are developers on any of the projects, it would be great if you could help drive this effort within your project.
>
> Thanks,
> -NGK
>
>> Cheers,
>> -bryan
>>
>> On Tue, Apr 15, 2014 at 1:38 AM, Clark, Robert Graham <robert.cl...@hp.com> wrote:
>>> Does anyone have a documented run-down of changes that must be made to OpenStack configurations to allow them to comply with EAR requirements?
>>>
>>> http://www.bis.doc.gov/index.php/policy-guidance/encryption
>>>
>>> It seems like something we should consider putting into the security guide. I realise that most of the time it's just "don't use your own libraries, call to others, make algorithms configurable" etc but it's a question I'm seeing more and more, the security guide's compliance section looks like a great place to have something about EAR.
>>>
>>> -Rob
>
> ___
> Openstack-security mailing list
> openstack-secur...@lists.openstack.org
Re: [openstack-dev] [barbican] Cryptography audit by OSSG
On 04/18/2014 09:27 AM, Bryan D. Payne wrote:
>> Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on.
>
> I'm one of the OSSG leads. We'd certainly welcome your involvement in OSSG. In fact, there has been much interest in OSSG about the Barbican project. And I believe that many people from the group are contributing to Barbican.
>
>> In the below thread on the security list, Nathan Kinder is conducting a security audit of the various integrated OpenStack projects. He's answering questions such as what crypto libraries are being used in the projects, algorithms used, sensitive data, and potential improvements that can be made. Check the links out in the below thread. Though we're not yet integrated, it might be beneficial to put together our security audit page under Security/Icehouse/Barbican.
>
> This would be very helpful. If there's anything I can do to help facilitate this, just let me know.

I'd definitely welcome this as well. The integrated projects seemed like a good place to start to me, but getting on board early with incubated projects like Barbican would be great. I'm happy to assist in any way I can.

-NGK

> Cheers,
> -bryan

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Cryptography audit by OSSG
Barbicaneers,

Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on.

In the below thread on the security list, Nathan Kinder is conducting a security audit of the various integrated OpenStack projects. He's answering questions such as what crypto libraries are being used in the projects, algorithms used, sensitive data, and potential improvements that can be made. Check the links out in the below thread. Though we're not yet integrated, it might be beneficial to put together our security audit page under Security/Icehouse/Barbican.

Another thing to consider as you're reviewing the security audit pages of Keystone and Heat (and others as they are added): Would Barbican help to solve any of the security concerns/issues that these projects are experiencing?

-Lisa

Message: 5
Date: Thu, 17 Apr 2014 16:27:30 -0700
From: Nathan Kinder <nkin...@redhat.com>
To: Bryan D. Payne <bdpa...@acm.org>, Clark, Robert Graham <robert.cl...@hp.com>
Cc: openstack-secur...@lists.openstack.org
Subject: Re: [Openstack-security] Cryptographic Export Controls and OpenStack
Message-ID: <53506362.3020...@redhat.com>
Content-Type: text/plain; charset=windows-1252

On 04/16/2014 10:28 AM, Bryan D. Payne wrote:
> I'm not aware of a list of the specific changes, but this seems quite related to the work that Nathan has started playing with... discussed on his blog here: https://blog-nkinder.rhcloud.com/?p=51

This is definitely related to the security audit effort that I'm driving. It's hard to make recommendations on configurations and deployment architectures from a security perspective when we don't even have a clear picture of the current state of things in the code from a security standpoint. This clear picture is what I'm trying to get to right now (along with keeping this picture up to date so it doesn't get stale). Once we know things such as what crypto algorithms are used and how sensitive data is being handled, we can see what is configurable and make recommendations. We'll surely find that not everything is configurable and sensitive data isn't well protected in areas, which are things that we can turn into blueprints and bugs and work on improving in development.

It's still up in the air as to where this information should be published once it's been compiled. It might be on the wiki, or possibly in the documentation (Security Guide seems like a likely candidate). There was some discussion of this with the PTLs from the Project Meeting from 2 weeks ago:

  http://eavesdrop.openstack.org/meetings/project/2014/project.2014-04-08-21.03.html

I'm not so worried myself about where this should be published, as that doesn't matter if we don't have accurate and comprehensive information collected in the first place. My current focus is on the collection and maintenance of this info on a project by project basis. Keystone and Heat have started, which is great!:

  https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
  https://wiki.openstack.org/wiki/Security/Icehouse/Heat

If any other OSSG members are developers on any of the projects, it would be great if you could help drive this effort within your project.

Thanks,
-NGK

> Cheers,
> -bryan
>
> On Tue, Apr 15, 2014 at 1:38 AM, Clark, Robert Graham <robert.cl...@hp.com> wrote:
>> Does anyone have a documented run-down of changes that must be made to OpenStack configurations to allow them to comply with EAR requirements?
>>
>> http://www.bis.doc.gov/index.php/policy-guidance/encryption
>>
>> It seems like something we should consider putting into the security guide. I realise that most of the time it's just "don't use your own libraries, call to others, make algorithms configurable" etc but it's a question I'm seeing more and more, the security guide's compliance section looks like a great place to have something about EAR.
>>
>> -Rob
Re: [openstack-dev] [barbican] Cryptography audit by OSSG
> Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on.

I'm one of the OSSG leads. We'd certainly welcome your involvement in OSSG. In fact, there has been much interest in OSSG about the Barbican project. And I believe that many people from the group are contributing to Barbican.

> In the below thread on the security list, Nathan Kinder is conducting a security audit of the various integrated OpenStack projects. He's answering questions such as what crypto libraries are being used in the projects, algorithms used, sensitive data, and potential improvements that can be made. Check the links out in the below thread. Though we're not yet integrated, it might be beneficial to put together our security audit page under Security/Icehouse/Barbican.

This would be very helpful. If there's anything I can do to help facilitate this, just let me know.

Cheers,
-bryan