At the OPNFV Summit in Berlin, I explained how the OPNFV Security group has integrated security scans in the Continuous Integration (CI) process. This means that now the Platform Build Tests execute automatic vulnerability checks on the multiple integration environments deployed worldwide as part of the Pharos labs. Here’s a video of the presentation we gave at the summit.
My colleague Marcos, co-author of this post, explains the OPNFV Security group’s mission: to improve OPNFV security through architecture recommendations, better documentation, code reviews, upstream collaboration, vulnerability management and security research. The group provides an umbrella to encourage development of security-centric functions within the OPNFV ecosystem and the upstream communities, so that vulnerabilities and threats are handled in a coordinated manner.
The CI-driven Security initiative was started in March 2016 to add automatic security scanning to the testing toolchain. The project is being developed in the functest suite, and its goal is to meet security compliance standards such as DISA STIG, PCI-DSS, NIAP, USGCB, FedRAMP and FISMA. By leveraging multiple open-source projects and continuously executing security scans in the Jenkins CI jobs, OPNFV can now proactively detect security threats and improve the overall design of the NFV platform.
The first milestone leverages the Security Content Automation Protocol (SCAP) from the National Institute of Standards and Technology (NIST), an open repository of standardized XML documents that describe security checks, enabling automated vulnerability alerts (drawing on CVE, XCCDF, OVAL, etc.), threat measurement, and policy compliance (notably NIST’s Federal Information Security Management Act, or FISMA, and also DoD STIG). Red Hat is one of the contributors to OpenSCAP, a NIST-certified open-source reference implementation of SCAP 1.2. This scanning tool consumes SCAP files, allowing the OPNFV CI toolchain to check for compliance at various levels, continuously and in an automated manner, in all the Pharos labs.
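To make the CI integration concrete, here is an added example (not OPNFV or functest code) of the two pieces a Jenkins job needs around OpenSCAP: the `oscap xccdf eval` invocation that produces an XCCDF results file, and a small parser that summarises that file and decides whether the job should fail. The datastream path, profile id and the embedded results XML are constructed for illustration; the rule ids are in the style of the SCAP Security Guide content that OpenSCAP evaluates.

```python
"""Summarise an OpenSCAP XCCDF results file and gate a CI job on it.

Added example, not OPNFV/functest code. The datastream path, profile id
and SAMPLE_RESULTS below are constructed; the oscap flags are real.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by XCCDF 1.2 result documents written by oscap.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def build_oscap_command(datastream, profile, results_path, report_path):
    """Return the argv a CI step would run to scan the local host.

    oscap exits 0 when every selected rule passes, 2 when at least one
    rule fails and 1 on an evaluation error, so a job can either use that
    exit code directly or parse --results for finer-grained gating.
    """
    return [
        "oscap", "xccdf", "eval",
        "--profile", profile,
        "--results", results_path,
        "--report", report_path,
        datastream,
    ]


def summarize_xccdf(xml_text):
    """Parse an XCCDF TestResult and return (counts_by_result, failed_rules).

    failed_rules is a list of (rule id, severity) for every rule whose
    <result> element is 'fail'. Works whether the root element is the
    TestResult itself or a Benchmark that embeds it.
    """
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rule_result.find(f"{{{XCCDF_NS}}}result")
        has_text = result_el is not None and result_el.text
        result = result_el.text.strip() if has_text else "unknown"
        counts[result] += 1
        if result == "fail":
            failed.append((rule_result.get("idref"),
                           rule_result.get("severity", "unknown")))
    return counts, failed


def ci_exit_code(failed, fail_on=("high",)):
    """Return 1 (fail the job) if any failed rule has a gating severity."""
    return 1 if any(sev in fail_on for _, sev in failed) else 0


# Constructed sample of what oscap writes with --results (trimmed to the
# TestResult element). Rule ids follow the SCAP Security Guide naming style.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def main():
    # The command a Jenkins shell step would run (paths/profile are placeholders).
    cmd = build_oscap_command(
        "/usr/share/xml/scap/ssg/content/ssg-example-ds.xml",  # placeholder datastream
        "xccdf_org.ssgproject.content_profile_example",        # placeholder profile id
        "results.xml", "report.html")
    print("scan command:", " ".join(cmd))

    counts, failed = summarize_xccdf(SAMPLE_RESULTS)
    print("results:", dict(counts))
    for rule_id, severity in failed:
        print(f"FAIL [{severity}] {rule_id}")
    return ci_exit_code(failed)


if __name__ == "__main__":
    sys.exit(main())
```

Gating on parsed severities rather than on the raw `oscap` exit code lets a lab fail the build only on high-severity findings while still publishing the full HTML report for the medium and low ones, which is the usual first step when a profile is introduced into an existing CI pipeline.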
Additionally, the OPNFV security group has started the process of achieving the Best Practices Badge of the Linux Foundation (LF) Core Infrastructure Initiative (CII); it is currently 92 percent complete. This badge is a way to show that OPNFV applies security best practices and follows a secure and mature development model. The LF CII program is a multi-million dollar project to identify and fund open source projects in need of assistance in order to harden the security of open source software, founded by the Linux Foundation after the Heartbleed chaos in April 2014. The badge program is meant to give end users an easy way to evaluate open source projects based on security, quality, and stability.
If you have time, do watch the presentation in full, and let us know your thoughts in the comments section below!