
Friday, November 10, 2017

Open Security Controller v 0.8.0 Released!

I am proud to announce that my team and the OSC community have released the latest version of the Open Security Controller, version 0.8.0!

Open Security Controller (OSC) is a software-defined security orchestration solution that automates the deployment of virtualized network security functions, such as next-generation firewalls, intrusion prevention systems and application data controllers. This is our second release, and our second release this year!

The new big features include:
  • OpenStack Ocata support, and we continue to support Newton as well
  • Kubernetes beta support - check it out and give us feedback
  • Neutron Service Function Chaining beta support
  • Multi-policy support
  • Expose IP/MAC addresses for security group members
  • Open sourcing of our test automation!
Please do check out our release notes for more information, come on over to visit us on GitHub, and join the community!

Job well done!

Thursday, May 18, 2017

ICMC17: Inside the OpenSSL 1.1 FIPS Module Project

Tim Hudson, CTO of Cryptsoft, and Mark Minnoch of SafeLogic.

In July 2016, OpenSSL announced the start of a fresh attempt at a FIPS validation of OpenSSL. There are over 244 validated products on the NIST list that obviously use OpenSSL within their validation boundaries, and it's included in most (all?) operating systems - it's pervasive! So, why is it so hard to validate? It starts out as open source, with lots of competitors/stakeholders interested in it.

Unfortunately, stakeholder goals and project goals do not always align. For example, the project wants to support many platforms - stakeholders want to focus on only one or two. The same goes for the number of algorithms supported and validated.

Previously, FIPS 140 work was effectively entirely funded for the OpenSSL project from 2009-2014, as there was no long-term or major sponsor at that time. The sponsors funding OpenSSL FIPS all had different goals (other than wanting to sell into the US government), which made it very difficult to manage. This is a hard project, with many people yelling at you with different goals, and it wasn't very rewarding - you can't just expect people to do this for "fun". [note: yes, nothing about FIPS is "fun" - practical, yes, but not fun]

The first validation was very painful for the developers, so OpenSSL knows they have to do it differently if they are ever going to do it again. OpenSSL started their first FIPS 140-2 validation in June 2002, and the certificates were not received until March 2006!

There have been a total of 9 unique validations, to keep up with new hardware platforms and implementation guidance changes.

The OpenSSL FIPS 1.0 module, based off of OpenSSL 0.9.x, is no longer usable; there is still a bit of life left in the OpenSSL FIPS 2.0 module (#1747, #2389, #2437), as it is based off of the OpenSSL 1.0.x code. But a major update is required for a new OpenSSL FIPS module to work with OpenSSL 1.1.x. For this go-round, the goal is to make the FIPS 140 related changes "less intrusive".

Current validations cover dozens (hundreds?) of platforms (OS vs hardware).

For the new validation, the only current sponsor is SafeLogic, but additional sponsors are needed to fund OpenSSL FIPS development and FIPS lab testing - resources are available now to begin work.

This is a high-risk validation; many people will be watching it, which makes sponsors cautious to enter - which in turn creates a longer timeline. Keep in mind that TLS 1.3 is only available in OpenSSL 1.1.x, so if that's important to your customers, consider helping out financially to get this project going.

It's hard to get the sponsors on board, as they all want to see another sponsor already on board and to share the cost, but they still want to wield great influence over the work.

If this project doesn't happen, there will be fewer options for FIPS libraries, and you will have to do more of your own FIPS work. Taking multiple versions from different companies through CAVP/CMVP is a waste of their resources as well. Also, if everyone develops independently, the federal government will end up with inconsistent implementations.

Originally, the team was going to do the FIPS 140-2 work before TLSv1.3, but swapped the priorities. TLSv1.3 was easier to get a sponsor for, as it's a well-defined project, and now the FIPS work can happen with TLSv1.3 in place.

OpenSSL has refactored its algorithm testing approach and wants to better support embedded systems and do better with entropy generation. They need to pick up extra NIST work and try to take SHA-3 through CAVP/CMVP.

They will continue to look at improvements to the POST (like defining what it means for software). They are also considering adding ChaCha/Poly1305.

Currently they cannot commit to many requested features, just due to trying to keep a reasonable timeline. The current schedule estimate from "start" to certificate is 18 months, based on their experience taking other modules through.

Please consider sponsoring this project so it can get off of the ground!


ICMC17: Keynote: Driving Security Improvements in Critical Open Source Projects

Nicko van Someren, CTO, Linux Foundation.

Open source is huge and it's here to stay, with nearly 4 million contributors worldwide, 31 billion lines of committed open source code, etc. - we aren't getting away from it now! Open source is the "roads and bridges" of the Internet, which runs on open source.

Sometimes open source breaks... things like Heartbleed, Shellshock, POODLE, etc. The Internet runs on open source, but it's not always properly looked after. Linus's Law: "Given enough eyeballs, all bugs are shallow" - so why are there still bugs? Well, not enough eyeballs!

Open source software is not more or less secure than closed source - but it is different. Typically there is a more diverse group of people working on the source, but serially over a long period of time. There is often a culture of "code is more important than specification" - a cultural difference from most businesses.

Major projects are very under-resourced, like OpenSSL - relied on by millions of businesses, but it only got $2000 in support in 2013. NTPD is relied on by every major stock exchange, but some of the code is 35 years old, maintained by one guy, part time. Same for bash, GnuPG, and OpenSSH.

These open source projects are not given the resources they deserve.

The Linux Foundation created the Core Infrastructure Initiative. The CII aims to substantially improve security outcomes in the OSS projects that underpin the Internet. The CII funds work in security engineering, security architecture, tooling and training on key OSS projects.

This market is changing quite quickly as well - who would've known 4 years ago how important node.js would be?

CII is a non-profit funded by industry partners, like Intel, Microsoft, Google, Hitachi, Dell, Cisco, Amazon, Bloomberg, Fujitsu, etc.

Open source can do all of the same things a commercial enterprise does for building secure software - it's just harder, because there is no way to give a top-down mandate (à la Bill Gates fixing the security mindset at Microsoft).

Groups and individuals must think about security early and often; it cannot be just one squeaky wheel mentioning security. It requires buy-in from the entire community. Fostering this culture of security within your open source project is the single most important thing that you can do to improve your security outcomes. Security needs to be given equal weight with scalability, performance, usability and other design factors.

CII is trying to find out where the risks and problems are through the CII Census Project, which aims to discover the really critical open source projects, how responsive the developers are, historic trends for bug and vulnerability density, and how healthy the development community is. They did a snapshot a couple of years ago and created a scorecard, and are now working on updating it to be a continuous evaluation.

Once critical projects have issues identified, CII tries to focus its resources on fixing them. Maintenance work is not fun, but it is vital. They are trying to pay developers to work on key projects full time, match willing and able developers to relevant projects, and encourage educational establishments to get students involved.

Additionally, they are working on improving open source security tools. This means funding development of new or improved OSS security tools and making sure they are usable and have a good signal-to-noise ratio. A problem with some of the existing tools - terrible documentation! So, there is even a need for paying people to write documentation on how to use and deploy continuous security testing.

CII also wants to drive better security process in OSS projects with the CII Badge program - an open process for evaluating the security processes in your community. It's a self-assessment, with the goal of avoiding security theater, so it only includes items that really improve security.

CII has a travel fund to send developers to security conferences to learn about security and additional funding to get key OSS developer teams to meet face to face to set priorities and collaborate (like OpenSSL).

If your company is building its business on open source software, you should consider funding those projects and CII to help push better security practices, etc.

Wednesday, August 1, 2012

Support the Ada Initiative and Drink Beer!

Two of my favorite things to talk about, all in one place! The Ada Initiative, which supports and encourages women participating in Open Technology, is holding a meetup tonight, Wednesday August 1st, at the Tied House in Mountain View, CA (which now has 14 beers on tap!) so we can all learn more about what the Ada Initiative is up to and socialize while drinking beer!

So, if you're curious about open technology, women in open tech, or just want to support this great organization, come on by!

Check out the Ada Initiative's event registration page for more details.

See you there!

Tuesday, October 20, 2009

GHC09: Pictures and video!

Okay, I still haven't downloaded my pictures off of my camera (if only I had more hours in the day...), but fortunately Terri Oda is more on the ball and she put this gem up on Flickr:

That's me, Terri, Kathryn, Stormy, Sandy and Teresa!


Ed and Ashley have been busy as well, putting up these interviews of Sun women that attended the Grace Hopper Celebration of Women in Computing:

Deirdre Straughan and Teresa Giacomini are interviewed about community development!

Me getting interviewed about Open Source, OpenSolaris and my work at Sun Microsystems!

Friday, October 2, 2009

GHC09: Open Source Community Development: A Moderator's Perspective

I was so nervous yesterday hosting my first panel at the Grace Hopper Celebration of Women in Computing. I had put off writing my introduction until arriving at the conference, thinking I'd have plenty of time to do it... not realizing that I would be reconnecting with friends who have moved across the country, or students I met last year or just this year. Time, suddenly, didn't exist, so I ended up skipping the plenary session on the path to executive leadership so I could take the introduction I'd written in my head & put it on paper, to make sure I wasn't missing anything and that my introduction wasn't going to take up too much time. Sure enough, I had to do a couple of edits to get it right, so while I was sorry to miss out on that session, I'm glad I took the time to do so.

When I got to the room, it was a bigger space than I expected, but at least everyone could have a seat :) My OpenSolaris laptop worked right away with the projector, which made me very happy. The technician setting up the room recommended I set my computer so the screen saver wouldn't come on. I thought I'd done that before... so I didn't bother checking. Stupid hubris.

I only had two slides - which are on the GHC wiki - the first with the name of the talk and the second had the names of each panelist, in the order she was sitting, with their affiliation. After the session finished, I got a lot of positive feedback on that - it's good to know I'm not the only person that can't keep track of all of the panelists (particularly when we all seem to have last minute changes in our panel lineups).

As I started introducing each of the panelists, I had all of the advice on running a panel running through my head - terrified that I'd screw something up: mispronounce a name or affiliation, stutter or knock my paper list of intros on the floor. Fortunately, none of those things happened in the first few minutes :) I did step on Stormy's self-introduction a bit, but she forgave me and made sure she was heard.

One piece of advice I had read, which was really counterintuitive for me given my melodrama training at the Gaslighter Theatre, was to not look at your panelists when they are talking. In melodrama, you say your lines straight to the audience, then turn and face the next speaker. This draws the audience's eyes to the speaker. But, I found as I did this, just as the advice said would happen, the panelists looked at me instead of at the audience. As rude as it felt, I had to force myself to turn my gaze back to the audience. It worked!

I was so happy with how each woman on the panel had prepared her introduction and had thought about the questions from our proposal, though I was surprised when they didn't naturally follow on from each other at first. I think this was because I said I didn't want more than 2 women answering any one question, so we could keep the flow going. :-)

About ten minutes into the talk... my screen saver started to kick in. *d'oh* I wiggled the mouse. Something happened and the display "flipped out" - it started flashing and was filled with horizontal bars. I couldn't get the console to respond, so just rebooted... which took us to a brief OpenSolaris advertisement as the system happily restarted. Thank goodness for the fast boot, though!

I did finally stop shaking about a third of the way through the panel and was able to replace my forced smile with a natural one, as I could finally relax and enjoy the panelists.

I was very impressed with what some of the other communities have done to encourage women to join their community and that got me thinking about doing something for OpenSolaris. We're such a big thing - with many sub communities - any suggestions for doing this?

I was so happy with all of my panelists: Stormy Peters, Kathryn Vandiver, Sandy Payette, Teresa Giacomini and Terri Oda! Thank you, ladies!