SlideShare uma empresa Scribd logo

Building world-class security response and secure development processes

David Jorm
David Jorm

The document discusses building world-class security response and secure development processes for OpenDaylight. It outlines the SDN attack surface, recent vulnerabilities in OpenDaylight, and defensive technologies. It discusses security response best practices for open source projects and secure engineering best practices. The current status of OpenDaylight security response and engineering is described, along with the vision to improve reactive security response capabilities and implement more proactive security measures like automated checks and security training.

Software
1 de 38
Baixar para ler offline
Building world-class security response and secure development processes David Jorm, Senior Manager of Product Security, IIX #ODSummit
Outline • Introduction • SDN attack surface • Recent OpenDaylight vulnerabilities • Defensive technologies • Security response best practices • Secure engineering best practices • OpenDaylight security: current status • OpenDaylight security: vision #ODSummit
Introduction • Software engineer for 15 years, climatology domain • Last 5 years focusing on security, mainly Java • Led Red Hat's Java middleware security team • Currently manager of product security for IIX, and a founding member of the ODL security response team • Based in Brisbane, Australia (beautiful place, shame about the timezone) #ODSummit
SDN Attack Surface #ODSummit
SDN Attack Surface • Traditional networks conflate the control and data planes on a physical device • Software-defined networks factor the control plane out to a SDN controller • The controller uses a protocol such as OpenFlow to control switches, which are now only responsible for handling the data plane • Security advantage: easy segregation of the control plane network from the production data plane network • Security disadvantage: the SDN controller's ability to control an entire network makes it a very high value target #ODSummit
SDN Attack Surface #ODSummit
SDN Attack Surface • SDN controllers are also exposed via the data plane • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • As a result, it is possible for an attacker who is only able to send data through a switch to exploit a vulnerability on the controller • We will see a real-life example later in the presentation #ODSummit
SDN Attack Surface #ODSummit
Recent OpenDaylight Vulnerabilities #ODSummit
Netconf XXE (CVE-2014-5035) • Netconf (and restconf) API processes user-supplied XML • By default, Java XML parsers do not disable external entity processing • This led to a textbook XXE vulnerability • Example of vulnerable code, with the patch applied: controller/opendaylight/netconf/netconf- util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java #ODSummit
Netconf XXE (CVE-2014-5035) #ODSummit
Topology spoofing via host tracking (CVE-2015-1610) • Most SDN controllers include host tracking, allowing hosts to migrate between different physical locations in the network • Host tracking is based on monitoring of Packet-In messages, and does not require any validation, authentication, or authorization to identify the host • An attacker can impersonate a host and make the SDN controller believe it has migrated to a physical network location controlled by the attacker • Data plane access is sufficient for exploitation, so long as the attacker knows the MAC address of the target host • Not patched in ODL l2switch • Paper: http://www.internetsociety.org/sites/default/files/10_4_2.pdf #ODSummit
DoS in ONOS packet deserializer (CVE-2015-1166) • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated, or maliciously-crafted packets • The exceptions were not caught and handled properly • The top-level I/O thread exception handler would then disconnect the relevant switch • Proves that attacks from the data plane are possible! #ODSummit
Defensive Technologies #ODSummit
Topoguard • The same research team that reported the topology spoofing flaw developed topoguard to mitigate it • Doesn't add authn/authz, but instead verifies the conditions of host migrations • A legitimate host migration would involve a Port Down signal before the host migration finishes. The host would also be unreachable at its old physical network location after the migration is complete. • Currently tightly coupled to the Floodlight controller #ODSummit
Security-mode ONOS • A new feature in the ONOS Cardinal release • Effectively a mandatory access control (MAC) implementation for ONOS applications • Applications can be constrained by a policy dictating which actions they are permitted to perform • A vulnerability in an ONOS application could not be exploited to perform actions that are not permitted by security-mode ONOS. This is similar to the protection SELinux provides for applications running on Linux systems. • Could this approach be a good model for OpenDaylight? #ODSummit
Proposed Controller Shield Project #ODSummit
Security Response Best Practices #ODSummit
Open Source Security Response • All information public • Not just source code: bug trackers, mailing lists, etc. • Security requires the opposite approach – information must be kept private until patches are available • How do you handle this in the context of an open source project? • Good models: ASF, major OSS vendors like Red Hat and SuSE #ODSummit
Open Source Security Response • Dedicated mechanism for reporting security issues, separate to normal bugs • Dedicated team with a documented process for responding to these reports • Ability to quick build a patch asynchronous to normal release schedules • Clear documentation of the issue in an advisory, including references to patch commits (advantage of open source) #ODSummit
Open Source Security Response #ODSummit
Proprietary Security Response #ODSummit
Secure Engineering Best Practices #ODSummit
Open Source Secure Engineering • No well established best practices • Few good examples in the open source world. Proprietary software currently does a much better job, for example Microsoft's SDLC. • OpenStack is one good example • Separate VMT and OSSG organizations #ODSummit
Open Source Secure Engineering #ODSummit
Open Source Secure Engineering • Secure development guidelines (relies on developers to implement) • Developer training (expensive and difficult to roll out in a virtual environment with many contributors) • Automated QE/CI jobs to catch known-vulnerable dependencies • Automated QE/Ci jobs to catch security issues and enforce standards, e.g. via static analysis #ODSummit
OpenDaylight security: current status #ODSummit
OpenDaylight Security Response • Security reporting mechanism • Dedicated team with a private mailing list and documented process for handling issues • Security advisories page: https://wiki.opendaylight.org/view/Security_Advisories • Advisories sent to mailing lists #ODSummit
OpenDaylight Security Response #ODSummit
OpenDaylight Security Response • Scope currently limited to OpenDaylight code, not dependencies • Handling dependencies would involve capturing a manifest, and tracking all relevant upstreams • Based on my experience, this would require one full time resource to be feasible • Vulnerabilities in dependencies are sometimes handled when they are reported to the security response team #ODSummit
OpenDaylight Secure Engineering • Great analysis performed in May 2014: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis • Unfortunately quite dated now, and not much progress has been made implementing the recommendations • It's a lot of work to implement things, and who has time? • Enter the OpenDaylight summer internship program! #ODSummit
OpenDaylight Secure Engineering – Intern Project #ODSummit
OpenDaylight Secure Engineering – Intern Project Establish automated QE/CI jobs to catch security issues and regressions. This will involve integrating the findsecbugs tool into Gerrit/Jenkins. Establish automated QE/CI jobs to catch known-vulnerable dependencies. This will involve integrating tools such as dependency-check and victims into Gerrit/Jenkins. Document a threat model for OpenDaylight Improve documentation to capture security best practices at installation and configuration time #ODSummit ✔ ✔ ✔ ✔ ✔
OpenDaylight security: vision #ODSummit
OpenDaylight Security Vision - Reactive High performing security response team Equipped to handle vulnerabilities in dependencies Able to co-ordinate disclosure and patches for issues across the community development team and affected vendors of OpenDaylight distributions or products Geographically distributed and able to quickly respond in all timezones #ODSummit ✔ X ✔ ✔
OpenDaylight Security Vision - Proactive Documentation of best practices, threat model, etc. Remove default credentials Security hardening features applying a sandbox or MAC to the environment Automated checks for known-vulnerable dependencies Automated static analysis checks Security training for developers: considering donating javapentesting.com course content to the community #ODSummit X ✔ X X ✔ ✔
Questions? #ODSummit

Recomendados

OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)David Jorm
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .Rahul Sasi
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 

Recomendados

OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)David Jorm
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .Rahul Sasi
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackersAntonio Parata
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09FullSurge
 
5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and Procedures5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and ProceduresConvergePoint
 

Mais conteúdo relacionado

Mais procurados

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 

Mais procurados (20)

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackers
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in Perl
 
Pentester++
Pentester++Pentester++
Pentester++
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 

Destaque

Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09FullSurge
 
5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and Procedures5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and ProceduresConvergePoint
 
Writing Effective Policies & Procedures
Writing Effective Policies & ProceduresWriting Effective Policies & Procedures
Writing Effective Policies & Proceduresnoha1309
 
How to Prepare a Policy and Procedure Manual
How to Prepare a Policy and Procedure ManualHow to Prepare a Policy and Procedure Manual
How to Prepare a Policy and Procedure Manualacrickard
 
Growth Strategies
Growth StrategiesGrowth Strategies
Growth StrategiesKamraan
 
Growth strategy
Growth strategyGrowth strategy
Growth strategySumit Rai
 

Destaque (9)

Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09Strategic business growth—day 2 2013.09
Strategic business growth—day 2 2013.09
 
5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and Procedures5 Steps to Ensure Compliance with Policies and Procedures
5 Steps to Ensure Compliance with Policies and Procedures
 
Writing Effective Policies & Procedures
Writing Effective Policies & ProceduresWriting Effective Policies & Procedures
Writing Effective Policies & Procedures
 
How to Prepare a Policy and Procedure Manual
How to Prepare a Policy and Procedure ManualHow to Prepare a Policy and Procedure Manual
How to Prepare a Policy and Procedure Manual
 
Growth Strategies
Growth StrategiesGrowth Strategies
Growth Strategies
 
Business Growth & Strategy
Business Growth & StrategyBusiness Growth & Strategy
Business Growth & Strategy
 
GROWTH STRATEGIES
GROWTH STRATEGIESGROWTH STRATEGIES
GROWTH STRATEGIES
 
Growth strategy
Growth strategyGrowth strategy
Growth strategy
 
Expansion strategies
Expansion strategiesExpansion strategies
Expansion strategies
 

Semelhante a Building world-class security response and secure development processes

OWASP Brisbane - SDN Security
OWASP Brisbane - SDN SecurityOWASP Brisbane - SDN Security
OWASP Brisbane - SDN SecurityDavid Jorm
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdfVishwas N
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platformOpenDaylight
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside OutUlisses Albuquerque
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 

Semelhante a Building world-class security response and secure development processes (20)

OWASP Brisbane - SDN Security
OWASP Brisbane - SDN SecurityOWASP Brisbane - SDN Security
OWASP Brisbane - SDN Security
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platform
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 

Último

Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

Último (20)

Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Building world-class security response and secure development processes

  • 1.
  • 2. Building world-class security response and secure development processes David Jorm, Senior Manager of Product Security, IIX #ODSummit
  • 3. Outline • Introduction • SDN attack surface • Recent OpenDaylight vulnerabilities • Defensive technologies • Security response best practices • Secure engineering best practices • OpenDaylight security: current status • OpenDaylight security: vision #ODSummit
  • 4. Introduction • Software engineer for 15 years, climatology domain • Last 5 years focusing on security, mainly Java • Led Red Hat's Java middleware security team • Currently manager of product security for IIX, and a founding member of the ODL security response team • Based in Brisbane, Australia (beautiful place, shame about the timezone) #ODSummit
  • 6. SDN Attack Surface • Traditional networks conflate the control and data planes on a physical device • Software-defined networks factor the control plane out to a SDN controller • The controller uses a protocol such as OpenFlow to control switches, which are now only responsible for handling the data plane • Security advantage: easy segregation of the control plane network from the production data plane network • Security disadvantage: the SDN controller's ability to control an entire network makes it a very high value target #ODSummit
  • 8. SDN Attack Surface • SDN controllers are also exposed via the data plane • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • As a result, it is possible for an attacker who is only able to send data through a switch to exploit a vulnerability on the controller • We will see a real-life example later in the presentation #ODSummit
  • 11. Netconf XXE (CVE-2014-5035) • Netconf (and restconf) API processes user-supplied XML • By default, Java XML parsers do not disable external entity processing • This led to a textbook XXE vulnerability • Example of vulnerable code, with the patch applied: controller/opendaylight/netconf/netconf- util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java #ODSummit
  • 13. Topology spoofing via host tracking (CVE-2015-1610) • Most SDN controllers include host tracking, allowing hosts to migrate between different physical locations in the network • Host tracking is based on monitoring of Packet-In messages, and does not require any validation, authentication, or authorization to identify the host • An attacker can impersonate a host and make the SDN controller believe it has migrated to a physical network location controlled by the attacker • Data plane access is sufficient for exploitation, so long as the attacker knows the MAC address of the target host • Not patched in ODL l2switch • Paper: http://www.internetsociety.org/sites/default/files/10_4_2.pdf #ODSummit
  • 14. DoS in ONOS packet deserializer (CVE-2015-1166) • When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice • It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated, or maliciously-crafted packets • The exceptions were not caught and handled properly • The top-level I/O thread exception handler would then disconnect the relevant switch • Proves that attacks from the data plane are possible! #ODSummit
  • 16. Topoguard • The same research team that reported the topology spoofing flaw developed topoguard to mitigate it • Doesn't add authn/authz, but instead verifies the conditions of host migrations • A legitimate host migration would involve a Port Down signal before the host migration finishes. The host would also be unreachable at its old physical network location after the migration is complete. • Currently tightly coupled to the Floodlight controller #ODSummit
  • 17. Security-mode ONOS • A new feature in the ONOS Cardinal release • Effectively a mandatory access control (MAC) implementation for ONOS applications • Applications can be constrained by a policy dictating which actions they are permitted to perform • A vulnerability in an ONOS application could not be exploited to perform actions that are not permitted by security-mode ONOS. This is similar to the protection SELinux provides for applications running on Linux systems. • Could this approach be a good model for OpenDaylight? #ODSummit
  • 18. Proposed Controller Shield Project #ODSummit
  • 19. Security Response Best Practices #ODSummit
  • 20. Open Source Security Response • All information public • Not just source code: bug trackers, mailing lists, etc. • Security requires the opposite approach – information must be kept private until patches are available • How do you handle this in the context of an open source project? • Good models: ASF, major OSS vendors like Red Hat and SuSE #ODSummit
  • 21. Open Source Security Response • Dedicated mechanism for reporting security issues, separate to normal bugs • Dedicated team with a documented process for responding to these reports • Ability to quick build a patch asynchronous to normal release schedules • Clear documentation of the issue in an advisory, including references to patch commits (advantage of open source) #ODSummit
  • 22. Open Source Security Response #ODSummit
  • 24. Secure Engineering Best Practices #ODSummit
  • 25. Open Source Secure Engineering • No well established best practices • Few good examples in the open source world. Proprietary software currently does a much better job, for example Microsoft's SDLC. • OpenStack is one good example • Separate VMT and OSSG organizations #ODSummit
  • 26. Open Source Secure Engineering #ODSummit
  • 27. Open Source Secure Engineering • Secure development guidelines (relies on developers to implement) • Developer training (expensive and difficult to roll out in a virtual environment with many contributors) • Automated QE/CI jobs to catch known-vulnerable dependencies • Automated QE/Ci jobs to catch security issues and enforce standards, e.g. via static analysis #ODSummit
  • 28. OpenDaylight security: current status #ODSummit
  • 29. OpenDaylight Security Response • Security reporting mechanism • Dedicated team with a private mailing list and documented process for handling issues • Security advisories page: https://wiki.opendaylight.org/view/Security_Advisories • Advisories sent to mailing lists #ODSummit
  • 31. OpenDaylight Security Response • Scope currently limited to OpenDaylight code, not dependencies • Handling dependencies would involve capturing a manifest, and tracking all relevant upstreams • Based on my experience, this would require one full time resource to be feasible • Vulnerabilities in dependencies are sometimes handled when they are reported to the security response team #ODSummit
  • 32. OpenDaylight Secure Engineering • Great analysis performed in May 2014: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis • Unfortunately quite dated now, and not much progress has been made implementing the recommendations • It's a lot of work to implement things, and who has time? • Enter the OpenDaylight summer internship program! #ODSummit
  • 33. OpenDaylight Secure Engineering – Intern Project #ODSummit
  • 34. OpenDaylight Secure Engineering – Intern Project Establish automated QE/CI jobs to catch security issues and regressions. This will involve integrating the findsecbugs tool into Gerrit/Jenkins. Establish automated QE/CI jobs to catch known-vulnerable dependencies. This will involve integrating tools such as dependency-check and victims into Gerrit/Jenkins. Document a threat model for OpenDaylight Improve documentation to capture security best practices at installation and configuration time #ODSummit ✔ ✔ ✔ ✔ ✔
  • 36. OpenDaylight Security Vision - Reactive High performing security response team Equipped to handle vulnerabilities in dependencies Able to co-ordinate disclosure and patches for issues across the community development team and affected vendors of OpenDaylight distributions or products Geographically distributed and able to quickly respond in all timezones #ODSummit ✔ X ✔ ✔
  • 37. OpenDaylight Security Vision - Proactive Documentation of best practices, threat model, etc. Remove default credentials Security hardening features applying a sandbox or MAC to the environment Automated checks for known-vulnerable dependencies Automated static analysis checks Security training for developers: considering donating javapentesting.com course content to the community #ODSummit X ✔ X X ✔ ✔