David Jorm, profile picture
Uploaded byDavid Jorm
611 views

Building world-class security response and secure development processes

The document discusses building world-class security response and secure development processes for OpenDaylight. It outlines the SDN attack surface, recent vulnerabilities in OpenDaylight, and defensive technologies. It discusses security response best practices for open source projects and secure engineering best practices. The current status of OpenDaylight security response and engineering is described, along with the vision to improve reactive security response capabilities and implement more proactive security measures like automated checks and security training.

Embed presentation

Download to read offline
Building world-class security response and secure development processes David Jorm, Senior Manager of Product Security, IIX #ODSummit
Outline • Introduction • SDN attack surface • Recent OpenDaylight vulnerabilities • Defensive technologies • Security response best practices • Secure engineering best practices • OpenDaylight security: current status • OpenDaylight security: vision #ODSummit
Introduction • Software engineer for 15 years, climatology domain • Last 5 years focusing on security, mainly Java • Led Red Hat's Java middleware security team • Currently manager of product security for IIX, and a founding member of the ODL security response team • Based in Brisbane, Australia (beautiful place, shame about the timezone) #ODSummit
SDN Attack Surface #ODSummit
SDN Attack Surface • Traditional networks conflate the control and data planes on a physical device • Software-defined networks factor the control plane out to a SDN controller • The controller uses a protocol such as OpenFlow to control switches, which are now only responsible for handling the data plane • Security advantage: easy segregation of the control plane network from the production data plane network • Security disadvantage: the SDN controller's ability to control an entire network makes it a very high value target #ODSummit
SDN Attack Surface #ODSummit
SDN Attack Surface • SDN controllers are also exposed via the data plane • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • As a result, it is possible for an attacker who is only able to send data through a switch to exploit a vulnerability on the controller • We will see a real-life example later in the presentation #ODSummit
SDN Attack Surface #ODSummit
Recent OpenDaylight Vulnerabilities #ODSummit
Netconf XXE (CVE-2014-5035) • Netconf (and restconf) API processes user-supplied XML • By default, Java XML parsers do not disable external entity processing • This led to a textbook XXE vulnerability • Example of vulnerable code, with the patch applied: controller/opendaylight/netconf/netconf- util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java #ODSummit
Netconf XXE (CVE-2014-5035) #ODSummit
Topology spoofing via host tracking (CVE-2015-1610) • Most SDN controllers include host tracking, allowing hosts to migrate between different physical locations in the network • Host tracking is based on monitoring of Packet-In messages, and does not require any validation, authentication, or authorization to identify the host • An attacker can impersonate a host and make the SDN controller believe it has migrated to a physical network location controlled by the attacker • Data plane access is sufficient for exploitation, so long as the attacker knows the MAC address of the target host • Not patched in ODL l2switch • Paper: http://www.internetsociety.org/sites/default/files/10_4_2.pdf #ODSummit
DoS in ONOS packet deserializer (CVE-2015-1166) • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated, or maliciously-crafted packets • The exceptions were not caught and handled properly • The top-level I/O thread exception handler would then disconnect the relevant switch • Proves that attacks from the data plane are possible! #ODSummit
Defensive Technologies #ODSummit
Topoguard • The same research team that reported the topology spoofing flaw developed topoguard to mitigate it • Doesn't add authn/authz, but instead verifies the conditions of host migrations • A legitimate host migration would involve a Port Down signal before the host migration finishes. The host would also be unreachable at its old physical network location after the migration is complete. • Currently tightly coupled to the Floodlight controller #ODSummit
Security-mode ONOS • A new feature in the ONOS Cardinal release • Effectively a mandatory access control (MAC) implementation for ONOS applications • Applications can be constrained by a policy dictating which actions they are permitted to perform • A vulnerability in an ONOS application could not be exploited to perform actions that are not permitted by security-mode ONOS. This is similar to the protection SELinux provides for applications running on Linux systems. • Could this approach be a good model for OpenDaylight? #ODSummit
Proposed Controller Shield Project #ODSummit
Security Response Best Practices #ODSummit
Open Source Security Response • All information public • Not just source code: bug trackers, mailing lists, etc. • Security requires the opposite approach – information must be kept private until patches are available • How do you handle this in the context of an open source project? • Good models: ASF, major OSS vendors like Red Hat and SuSE #ODSummit
Open Source Security Response • Dedicated mechanism for reporting security issues, separate to normal bugs • Dedicated team with a documented process for responding to these reports • Ability to quick build a patch asynchronous to normal release schedules • Clear documentation of the issue in an advisory, including references to patch commits (advantage of open source) #ODSummit
Open Source Security Response #ODSummit
Proprietary Security Response #ODSummit
Secure Engineering Best Practices #ODSummit
Open Source Secure Engineering • No well established best practices • Few good examples in the open source world. Proprietary software currently does a much better job, for example Microsoft's SDLC. • OpenStack is one good example • Separate VMT and OSSG organizations #ODSummit
Open Source Secure Engineering #ODSummit
Open Source Secure Engineering • Secure development guidelines (relies on developers to implement) • Developer training (expensive and difficult to roll out in a virtual environment with many contributors) • Automated QE/CI jobs to catch known-vulnerable dependencies • Automated QE/Ci jobs to catch security issues and enforce standards, e.g. via static analysis #ODSummit
OpenDaylight security: current status #ODSummit
OpenDaylight Security Response • Security reporting mechanism • Dedicated team with a private mailing list and documented process for handling issues • Security advisories page: https://wiki.opendaylight.org/view/Security_Advisories • Advisories sent to mailing lists #ODSummit
OpenDaylight Security Response #ODSummit
OpenDaylight Security Response • Scope currently limited to OpenDaylight code, not dependencies • Handling dependencies would involve capturing a manifest, and tracking all relevant upstreams • Based on my experience, this would require one full time resource to be feasible • Vulnerabilities in dependencies are sometimes handled when they are reported to the security response team #ODSummit
OpenDaylight Secure Engineering • Great analysis performed in May 2014: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis • Unfortunately quite dated now, and not much progress has been made implementing the recommendations • It's a lot of work to implement things, and who has time? • Enter the OpenDaylight summer internship program! #ODSummit
OpenDaylight Secure Engineering – Intern Project #ODSummit
OpenDaylight Secure Engineering – Intern Project Establish automated QE/CI jobs to catch security issues and regressions. This will involve integrating the findsecbugs tool into Gerrit/Jenkins. Establish automated QE/CI jobs to catch known-vulnerable dependencies. This will involve integrating tools such as dependency-check and victims into Gerrit/Jenkins. Document a threat model for OpenDaylight Improve documentation to capture security best practices at installation and configuration time #ODSummit ✔ ✔ ✔ ✔ ✔
OpenDaylight security: vision #ODSummit
OpenDaylight Security Vision - Reactive High performing security response team Equipped to handle vulnerabilities in dependencies Able to co-ordinate disclosure and patches for issues across the community development team and affected vendors of OpenDaylight distributions or products Geographically distributed and able to quickly respond in all timezones #ODSummit ✔ X ✔ ✔
OpenDaylight Security Vision - Proactive Documentation of best practices, threat model, etc. Remove default credentials Security hardening features applying a sandbox or MAC to the environment Automated checks for known-vulnerable dependencies Automated static analysis checks Security training for developers: considering donating javapentesting.com course content to the community #ODSummit X ✔ X X ✔ ✔
Questions? #ODSummit

More Related Content

ODP
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
ODP
Tracking vulnerable JARs
byDavid Jorm
 
PPTX
AusCERT 2016: CVE and alternatives
byDavid Jorm
 
ODP
Finding and exploiting novel flaws in Java software (SyScan 2015)
byDavid Jorm
 
PPTX
Java Exploit Analysis .
byRahul Sasi
 
PDF
44CON & Ruxcon: SDN security
byDavid Jorm
 
PDF
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
PDF
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
Tracking vulnerable JARs
byDavid Jorm
 
AusCERT 2016: CVE and alternatives
byDavid Jorm
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
byDavid Jorm
 
Java Exploit Analysis .
byRahul Sasi
 
44CON & Ruxcon: SDN security
byDavid Jorm
 
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 

What's hot

PPTX
Securing your web applications a pragmatic approach
byAntonio Parata
 
PDF
Black Hat EU 2010 - Attacking Java Serialized Communication
bymsaindane
 
PDF
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
bymidnite_runr
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
PDF
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
PDF
.NET for hackers
byAntonio Parata
 
PPTX
The Veil-Framework
byVeilFramework
 
PDF
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
PDF
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
PDF
Secure Coding in Perl
byIan Kluft
 
PDF
Pentester++
byCTruncer
 
PDF
Higher Level Malware
byCTruncer
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
PDF
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
byCTruncer
 
PDF
Automatic tool for static analysis
byChong-Kuan Chen
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
PDF
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
byPriyanka Aash
 
PPTX
Metasploit & Windows Kernel Exploitation
byzeroSteiner
 
PDF
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
Securing your web applications a pragmatic approach
byAntonio Parata
 
Black Hat EU 2010 - Attacking Java Serialized Communication
bymsaindane
 
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
bymidnite_runr
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
.NET for hackers
byAntonio Parata
 
The Veil-Framework
byVeilFramework
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
Secure Coding in Perl
byIan Kluft
 
Pentester++
byCTruncer
 
Higher Level Malware
byCTruncer
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
byCTruncer
 
Automatic tool for static analysis
byChong-Kuan Chen
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
byPriyanka Aash
 
Metasploit & Windows Kernel Exploitation
byzeroSteiner
 
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 

Viewers also liked

PDF
Strategic business growth—day 2 2013.09
byFullSurge
 
PDF
5 Steps to Ensure Compliance with Policies and Procedures
byConvergePoint
 
PPSX
Writing Effective Policies & Procedures
bynoha1309
 
PPTX
How to Prepare a Policy and Procedure Manual
byacrickard
 
PDF
Growth Strategies
byKamraan
 
PPT
Business Growth & Strategy
byGovernance Learning Network®
 
PPT
GROWTH STRATEGIES
bySuresh Singh
 
PPTX
Growth strategy
bySumit Rai
 
PPTX
Expansion strategies
bySandeep Kulshrestha
 
Strategic business growth—day 2 2013.09
byFullSurge
 
5 Steps to Ensure Compliance with Policies and Procedures
byConvergePoint
 
Writing Effective Policies & Procedures
bynoha1309
 
How to Prepare a Policy and Procedure Manual
byacrickard
 
Growth Strategies
byKamraan
 
Business Growth & Strategy
byGovernance Learning Network®
 
GROWTH STRATEGIES
bySuresh Singh
 
Growth strategy
bySumit Rai
 
Expansion strategies
bySandeep Kulshrestha
 

Similar to Building world-class security response and secure development processes

ODP
OWASP Brisbane - SDN Security
byDavid Jorm
 
PDF
Security of OpenDaylight platform
byOpenDaylight
 
PDF
44CON London 2015 - Software Defined Networking (SDN) Security
by44CON
 
PPT
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
byDavid Meyer
 
PDF
Defcon 22-gregory-pickett-abusing-software-defined-networks
byPriyanka Aash
 
PDF
Software Defined Networking: The OpenDaylight Project
byGreat Wide Open
 
PPTX
Cloud open unveillithium-odlnewrelease-2-ns
byNEC Corporation
 
PDF
OpenStack and OpenDaylight, The Evolving Relationship in Cloud Networking: a ...
byCisco DevNet
 
PPTX
OpenStack and OpenDaylight Workshop: ONUG Spring 2014
bymestery
 
PDF
OpenDaylight: an open source SDN for your OpenStack cloud
byAnees Shaikh
 
PDF
Opensource SDN slides
byssk
 
PDF
OpenDaylight Year 1
byAnees Shaikh
 
PPT
OpenDaylight nluug_november
byChristopher Price
 
PPTX
Basavaraj H - Open Day light.pptx for sdn
bykovegam542
 
PDF
OpenStack-and-OpenDaylight-Integrated-IaaS-for-SDN-and-NFV.pdf
byAjit Dash
 
PPTX
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
byBlack Duck by Synopsys
 
PDF
Open daylight openstack_meetup_20140218
byphrobb
 
PPTX
Opendaylight SDN Controller
bySumit Arora
 
PPTX
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
bylior mazor
 
DOC
Unified Security Plugin for Opendaylight Controller
bySaikat Chaudhuri
 
OWASP Brisbane - SDN Security
byDavid Jorm
 
Security of OpenDaylight platform
byOpenDaylight
 
44CON London 2015 - Software Defined Networking (SDN) Security
by44CON
 
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
byDavid Meyer
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
byPriyanka Aash
 
Software Defined Networking: The OpenDaylight Project
byGreat Wide Open
 
Cloud open unveillithium-odlnewrelease-2-ns
byNEC Corporation
 
OpenStack and OpenDaylight, The Evolving Relationship in Cloud Networking: a ...
byCisco DevNet
 
OpenStack and OpenDaylight Workshop: ONUG Spring 2014
bymestery
 
OpenDaylight: an open source SDN for your OpenStack cloud
byAnees Shaikh
 
Opensource SDN slides
byssk
 
OpenDaylight Year 1
byAnees Shaikh
 
OpenDaylight nluug_november
byChristopher Price
 
Basavaraj H - Open Day light.pptx for sdn
bykovegam542
 
OpenStack-and-OpenDaylight-Integrated-IaaS-for-SDN-and-NFV.pdf
byAjit Dash
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
byBlack Duck by Synopsys
 
Open daylight openstack_meetup_20140218
byphrobb
 
Opendaylight SDN Controller
bySumit Arora
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
bylior mazor
 
Unified Security Plugin for Opendaylight Controller
bySaikat Chaudhuri
 

Recently uploaded

PDF
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PDF
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
PDF
DSD-INT 2025 Thermal and chemical plumes of sea cooling water from PEM platfo...
byDeltares
 
PDF
Connecting Strategy to Delivery Teams Using OnePlan.pdf
byOnePlan Solutions
 
PDF
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
PPTX
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
PDF
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
PDF
AI/ML Infra Meetup | SkyPilot: Open-source System to Scale AI across Clusters...
byAlluxio, Inc.
 
PDF
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
PDF
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
PPTX
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
PDF
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PDF
The Evolution of Project Portfolio Management - What Modern PMOs Are Doing Di...
byOnePlan Solutions
 
PDF
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
PDF
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
PDF
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
DSD-INT 2025 Thermal and chemical plumes of sea cooling water from PEM platfo...
byDeltares
 
Connecting Strategy to Delivery Teams Using OnePlan.pdf
byOnePlan Solutions
 
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
AI/ML Infra Meetup | SkyPilot: Open-source System to Scale AI across Clusters...
byAlluxio, Inc.
 
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
The Evolution of Project Portfolio Management - What Modern PMOs Are Doing Di...
byOnePlan Solutions
 
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 

Building world-class security response and secure development processes

  • 2.
    Building world-class securityresponse and secure development processes David Jorm, Senior Manager of Product Security, IIX #ODSummit
  • 3.
    Outline • Introduction • SDNattack surface • Recent OpenDaylight vulnerabilities • Defensive technologies • Security response best practices • Secure engineering best practices • OpenDaylight security: current status • OpenDaylight security: vision #ODSummit
  • 4.
    Introduction • Software engineerfor 15 years, climatology domain • Last 5 years focusing on security, mainly Java • Led Red Hat's Java middleware security team • Currently manager of product security for IIX, and a founding member of the ODL security response team • Based in Brisbane, Australia (beautiful place, shame about the timezone) #ODSummit
  • 5.
  • 6.
    SDN Attack Surface •Traditional networks conflate the control and data planes on a physical device • Software-defined networks factor the control plane out to a SDN controller • The controller uses a protocol such as OpenFlow to control switches, which are now only responsible for handling the data plane • Security advantage: easy segregation of the control plane network from the production data plane network • Security disadvantage: the SDN controller's ability to control an entire network makes it a very high value target #ODSummit
  • 7.
  • 8.
    SDN Attack Surface •SDN controllers are also exposed via the data plane • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • As a result, it is possible for an attacker who is only able to send data through a switch to exploit a vulnerability on the controller • We will see a real-life example later in the presentation #ODSummit
  • 9.
  • 10.
  • 11.
    Netconf XXE (CVE-2014-5035) •Netconf (and restconf) API processes user-supplied XML • By default, Java XML parsers do not disable external entity processing • This led to a textbook XXE vulnerability • Example of vulnerable code, with the patch applied: controller/opendaylight/netconf/netconf- util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java #ODSummit
  • 12.
  • 13.
    Topology spoofing viahost tracking (CVE-2015-1610) • Most SDN controllers include host tracking, allowing hosts to migrate between different physical locations in the network • Host tracking is based on monitoring of Packet-In messages, and does not require any validation, authentication, or authorization to identify the host • An attacker can impersonate a host and make the SDN controller believe it has migrated to a physical network location controlled by the attacker • Data plane access is sufficient for exploitation, so long as the attacker knows the MAC address of the target host • Not patched in ODL l2switch • Paper: http://www.internetsociety.org/sites/default/files/10_4_2.pdf #ODSummit
  • 14.
    DoS in ONOSpacket deserializer (CVE-2015-1166) • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated, or maliciously-crafted packets • The exceptions were not caught and handled properly • The top-level I/O thread exception handler would then disconnect the relevant switch • Proves that attacks from the data plane are possible! #ODSummit
  • 15.
  • 16.
    Topoguard • The sameresearch team that reported the topology spoofing flaw developed topoguard to mitigate it • Doesn't add authn/authz, but instead verifies the conditions of host migrations • A legitimate host migration would involve a Port Down signal before the host migration finishes. The host would also be unreachable at its old physical network location after the migration is complete. • Currently tightly coupled to the Floodlight controller #ODSummit
  • 17.
    Security-mode ONOS • Anew feature in the ONOS Cardinal release • Effectively a mandatory access control (MAC) implementation for ONOS applications • Applications can be constrained by a policy dictating which actions they are permitted to perform • A vulnerability in an ONOS application could not be exploited to perform actions that are not permitted by security-mode ONOS. This is similar to the protection SELinux provides for applications running on Linux systems. • Could this approach be a good model for OpenDaylight? #ODSummit
  • 18.
    Proposed Controller ShieldProject #ODSummit
  • 19.
    Security Response BestPractices #ODSummit
  • 20.
    Open Source SecurityResponse • All information public • Not just source code: bug trackers, mailing lists, etc. • Security requires the opposite approach – information must be kept private until patches are available • How do you handle this in the context of an open source project? • Good models: ASF, major OSS vendors like Red Hat and SuSE #ODSummit
  • 21.
    Open Source SecurityResponse • Dedicated mechanism for reporting security issues, separate to normal bugs • Dedicated team with a documented process for responding to these reports • Ability to quick build a patch asynchronous to normal release schedules • Clear documentation of the issue in an advisory, including references to patch commits (advantage of open source) #ODSummit
  • 22.
    Open Source SecurityResponse #ODSummit
  • 23.
  • 24.
    Secure Engineering BestPractices #ODSummit
  • 25.
    Open Source SecureEngineering • No well established best practices • Few good examples in the open source world. Proprietary software currently does a much better job, for example Microsoft's SDLC. • OpenStack is one good example • Separate VMT and OSSG organizations #ODSummit
  • 26.
    Open Source SecureEngineering #ODSummit
  • 27.
    Open Source SecureEngineering • Secure development guidelines (relies on developers to implement) • Developer training (expensive and difficult to roll out in a virtual environment with many contributors) • Automated QE/CI jobs to catch known-vulnerable dependencies • Automated QE/Ci jobs to catch security issues and enforce standards, e.g. via static analysis #ODSummit
  • 28.
  • 29.
    OpenDaylight Security Response •Security reporting mechanism • Dedicated team with a private mailing list and documented process for handling issues • Security advisories page: https://wiki.opendaylight.org/view/Security_Advisories • Advisories sent to mailing lists #ODSummit
  • 30.
  • 31.
    OpenDaylight Security Response •Scope currently limited to OpenDaylight code, not dependencies • Handling dependencies would involve capturing a manifest, and tracking all relevant upstreams • Based on my experience, this would require one full time resource to be feasible • Vulnerabilities in dependencies are sometimes handled when they are reported to the security response team #ODSummit
  • 32.
    OpenDaylight Secure Engineering •Great analysis performed in May 2014: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis • Unfortunately quite dated now, and not much progress has been made implementing the recommendations • It's a lot of work to implement things, and who has time? • Enter the OpenDaylight summer internship program! #ODSummit
  • 33.
    OpenDaylight Secure Engineering– Intern Project #ODSummit
  • 34.
    OpenDaylight Secure Engineering– Intern Project Establish automated QE/CI jobs to catch security issues and regressions. This will involve integrating the findsecbugs tool into Gerrit/Jenkins. Establish automated QE/CI jobs to catch known-vulnerable dependencies. This will involve integrating tools such as dependency-check and victims into Gerrit/Jenkins. Document a threat model for OpenDaylight Improve documentation to capture security best practices at installation and configuration time #ODSummit ✔ ✔ ✔ ✔ ✔
  • 35.
  • 36.
    OpenDaylight Security Vision- Reactive High performing security response team Equipped to handle vulnerabilities in dependencies Able to co-ordinate disclosure and patches for issues across the community development team and affected vendors of OpenDaylight distributions or products Geographically distributed and able to quickly respond in all timezones #ODSummit ✔ X ✔ ✔
  • 37.
    OpenDaylight Security Vision- Proactive Documentation of best practices, threat model, etc. Remove default credentials Security hardening features applying a sandbox or MAC to the environment Automated checks for known-vulnerable dependencies Automated static analysis checks Security training for developers: considering donating javapentesting.com course content to the community #ODSummit X ✔ X X ✔ ✔
  • 38.