Friday, March 1, 2013

Building Security In

In a cloud environment, where resource virtualization and multi-tenancy are some of the key features, security is something that simply cannot be ignored. In Eucalyptus, we invest a lot of effort into building software that is not only robust and easy to use, but is also secure and allows for building secure clouds. We also believe that the most effective way of building secure software is to be proactive about it and address security concerns before they become vulnerabilities.

There is no such thing as perfect security, just like quality and robustness, software security is something that has to be worked on continuously and systematically. Even if there are no ways to get to a perfection, a desired level of security can be achieved through careful risk management. Bruce Schneier said in his famous essay that "security is a process, not a product." Following this school of thought and the best practices of building security into software, in Eucalyptus, we started taking security consideration into account throughout the software development lifecycle. We are working on incorporating threat modeling and risk analysis, design and code reviews, static analysis scans, and security testing into the development process.

Eucalyptus also follows an open source development model and its source code and design docs are widely available. We believe that integrating closer with the open source community and having more people activity engaged with our software will help us in multiple areas of software development, including security. We encourage our community to pay close attention to security aspects in Eucalyptus.

No security process is complete without a process for managing security bugs, especially in the open source/development environment when bugs and fixes are generally publicly open. Security issues can be reported to the Eucalyptus Security Team following instructions on the security procedures page. All new security issues, reported both internally and externally, are assessed, assigned a risk score, and prioritized. Security issues that are classified as vulnerabilities are carefully managed internally to prevent premature disclosure of information before fixes are made available to current users. Also, to protect our users running supported version of Eucalyptus from potential attacks and give them time to upgrade, all vulnerabilities are first fixed in maintenance releases and details of a vulnerability and sources of the fix are not made public until about 2 weeks after the software becomes available. At the time of the public announcement, a Eucalyptus Security Advisory (ESA) is published on the Eucalyptus advisories page for each vulnerability.  All vulnerabilities are also assigned a CVE score and published on the Common Vulnerabilities and Exposures website.


  1. Can't find any sign of Excalibur on Eucalyptus proof of concept. Demonstrated on the 21st Usenix Security Symposium, Bellevue, WA, August 2012.
    Where did that minimal modifications to the Eucalyptus codebase vanished?

    1. Excalibur is not a part of the Eucalyptus product and has not been contributed to Eucalyptus. I suggest you to contact the authors on how to obtain the code.