How OPNFV Earned Its Security Stripes and Received a CII Best Practices Badge


Security is always a hot-button issue, and one the folks at the OPNFV project take seriously. In fact, the project, an integrated open platform for facilitating NFV deployments, is among a handful of open source projects to have recently earned a CII Best Practices Badge for its security practices.

(The Core Infrastructure Initiative (CII), run by The Linux Foundation, is a multi-million dollar project to fund and support critical elements of the global information infrastructure. Among other resources, it offers a Best Practices Badge program, which serves as a secure development model for open source projects: a project that earns the badge must meet strict criteria and thereby demonstrates a commitment to security.)

OPNFV integrates existing code bases from leading open source projects across compute, storage, and networking, and works upstream to fill gaps where needed to meet carrier-grade end user requirements. The project is also still relatively young (approaching its second birthday), which makes earning the best practices badge no small feat. But with security an increasing concern in the telco industry, especially as NFV begins to scale and rapidly transform network infrastructures, earning the badge was an important step that signals the project's commitment to security-aware development.

To find out more about the process and what it took for OPNFV to earn the badge, we sat down with members of the OPNFV Security Working Group, including Sona Sarmadi (Security Responsible at Enea Software AB), Luke Hinds (Principal Software Engineer at Red Hat) and Ashlee Young (Distinguished Strategist/Engineer, Standards & Open Source at Huawei).

Why did OPNFV pursue CII certification?

There is no doubt that security is one of the most important features in all software today, including open source and NFV in particular. In fact, security was recently cited as one area the telco industry would like to see OPNFV focus on more moving forward.

During the course of creating the NFV standards, a key discussion point was how we would ensure the code we leveraged from so many open source projects would be secure. CII provided a scope and a framework from which we could approach this topic within OPNFV. Earning the best practices badge is also a very tangible way for us to assure the industry of our commitment to security and quality. It also provides a necessary guideline for project leads to follow to achieve due diligence and ensure their portion of the overall solution is secure. By sharing the responsibility throughout our community, we can all help do our part.

What did you need to do to meet the requirements and what was the hardest part?

The requirements to get the badge are quite extensive, so we had some work to do in order to become compliant. For example, we removed support for crypto algorithms that are no longer considered secure (e.g., MD5) and also updated the OPNFV wiki pages with more specific and clear instructions on how to report security incidents. But probably the hardest part of the process was corralling input from all of the developers in a timely fashion.

It’s also worth noting that while earning the badge was an exciting challenge in itself, the real challenge will be in following these practices to ensure that a high level of security is maintained, which depends on involvement from everybody in the project, from developers to management. In any environment, security can never be achieved by an isolated security group.

What impact will this have on OPNFV security in general?

Earning the CII badge will have a HUGE impact on OPNFV's general approach to building security into the development model (something all open source projects should model). Statistics show that around 50 percent of vulnerabilities in software are "flaws" (usually design faults or defective design, which are hard to fix after software has been released) and 50 percent are bugs (implementation faults). Following these best practices will hopefully address both design and implementation faults before they become vulnerabilities.

What will the community do moving forward to stay compliant?

To ensure we maintain compliance, the OPNFV Security Working Group is developing a tool to automate checks, such as code lint scanning and checking for insecure crypto use. This tool has been made available to our community and to our Project Technical Leads (PTLs), but we are also investigating the best way to incorporate it into our overall continuous integration process.
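The two concrete actions mentioned in this interview, removing deprecated algorithms such as MD5 and automating a check for insecure crypto use in CI, can be illustrated with a small scanner. The code below is an added example written for this page; it is not the OPNFV Security Working Group's tool, whose internals the interview does not describe. The rule list, the `crypto-ok:` suppression marker and the constructed `SAMPLE_SOURCE` input are all assumptions for illustration, and a project would tune the rules to its own crypto policy.

```python
"""Minimal insecure-crypto scanner suitable for a CI gate (added example)."""
import re
import sys
from pathlib import Path
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    path: str
    lineno: int
    rule: str
    line: str


def _token(core: str) -> str:
    # Treat '.', '_', '(' and similar as boundaries so that hashlib.md5 and
    # EVP_md5 both match, while md5sum, SHA-256 and DESCRIPTION do not.
    return rf"(?<![A-Za-z0-9]){core}(?![A-Za-z0-9])"


# Illustrative policy (assumption for this example): identifiers to flag.
RULES = {
    "MD5 (collision-prone; not for integrity or signatures)": re.compile(_token(r"md5"), re.I),
    "SHA-1 (collision-prone; not for signatures)": re.compile(_token(r"sha-?1"), re.I),
    "DES/3DES (64-bit block cipher)": re.compile(_token(r"(?:3|Triple)?DES")),
    "RC4 (biased keystream)": re.compile(_token(r"(?:A?RC4|ARCFOUR)"), re.I),
    # Matches SSLv2, SSLv3, TLSv1 and TLSv1.0 but not TLSv1_2 / TLSv1.2 / SSLv23.
    "SSLv2/SSLv3/TLS 1.0 (deprecated protocol versions)": re.compile(
        r"(?<![A-Za-z0-9])(?:SSLv[23]|TLSv1(?:\.0)?)(?![._]?\d)"
    ),
}

# A reviewed exception is marked inline so it stays visible in code review
# instead of being silently suppressed (marker name is an assumption).
SUPPRESS_MARKER = "crypto-ok:"


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per (line, rule) hit, skipping marked exceptions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_paths(paths: Iterable[str],
               suffixes=(".py", ".c", ".h", ".go", ".java", ".sh", ".yaml", ".yml", ".conf")
               ) -> List[Finding]:
    """Recursively scan files or directories; unreadable files are skipped."""
    findings = []
    for root in paths:
        p = Path(root)
        files = [p] if p.is_file() else (f for f in p.rglob("*") if f.suffix in suffixes)
        for f in files:
            try:
                findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
            except OSError:
                continue
    return findings


# Constructed sample input for the stand-alone run; not from any real repository.
SAMPLE_SOURCE = """\
import hashlib, ssl
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
def legacy_checksum(data):
    return hashlib.md5(data).hexdigest()  # crypto-ok: non-security file checksum
cipher = Cipher(algorithms.TripleDES(key), modes.CBC(iv))
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
safe_ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
digest = hashlib.sha256(data).hexdigest()
"""


def main(argv: List[str]) -> int:
    """Scan the given paths (or the sample); non-zero exit fails a CI job."""
    findings = scan_paths(argv) if argv else scan_text(SAMPLE_SOURCE, "sample.py")
    for f in findings:
        print(f"{f.path}:{f.lineno}: {f.rule}: {f.line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scanner.py path/to/repo` from a CI job; the non-zero exit code blocks the merge until each hit is either fixed or annotated with the suppression marker, which keeps every remaining exception reviewable. Regex rules of this kind are deliberately coarse: they catch the identifiers a policy names but not weak key sizes or misuse of otherwise acceptable algorithms, which need an AST- or API-aware linter.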

What are you most proud of regarding certification?

I’d have to say our collaboration and teamwork. We are a small team with limited time and resources located in different parts of the world, so earning the CII certification was no small feat! Our experience was also a great example of the power of collaborative open source communities in action; whenever I got stuck, there was always someone willing to lend quick feedback.