Security Chapter Demo Sprint meeting – Chapter Leader – Pascal Bisson Chapter Architect – Cyril Dangerville (presenter)
Identity Management GEri: KeyRock (UPM) Achieved in Updated Academy courses Provided software: – Dockerized the component – Blueprint Updated every documentation according to the new guidelines – Open spec, user guide, programmers guide… – Read the docs – Catalogue new format Improved mailing system – To send mails to specific groups Extracted Custom Keystone extensions in packages Bug fixing – 3 bugs
Identity Management GEri: KeyRock (UPM) Planned for SSL in Keystone backend Strong authentication (2-factor) Provide software: – Scripts for image creation
Authorization PDP GEri: AuthZForce (Thales) Achieved in bugfix Implemented new XACML 3.0 higher-order bag functions: all-of, any-of, etc. REST API enhanced with simplified tenant/domain IDs Published source on Github Open Spec on wiki, API spec PDF & HTML on Github (‘gh-pages’); APIary blueprint, WADL & XSDs on Github Admin & User guides published on readthedocs.org, source on Github (‘doc’ folder) Docker image publised on FIWARE Docker account, Dockerfile on Github (‘docker’ folder) Catalogue entry update
Authorization PDP GEri: AuthZForce (Thales) Planned for Update FIWARE Academy course FILAB image deployment Update binary download (.deb) on Catalogue Improve unit tests on the new API features Migration tool to migrate from older GEi version (configuration/data file formats have changed)
PEP Proxy GEri: Wilma (UPM) Achieved in Published Academy courses Provided software: – Dockerized the component – Blueprint – Scripts for image creation Updated every documentation according to the new guidelines – Open spec, user guide, programmers guide… – Read the docs – Catalogue new format Support for HTTPS backend Bug fixing – 1 bug
PEP Proxy GEri: Wilma (UPM) Planned for Start task to support extensions for custom attribute handler for more advanced authz Maintenance and support
Trustworthy Factory (Thales) One Epic: Integrated Development Environment 2 main features – Java Factory – Certification Tool Transfer with adaptions from OPTET project outcomes
Trustworthy Factory (Thales) Achieved in Java Factory already delivered in 4.3, Certification tool in Updated every documentation according to the new guidelines – Open spec, user guide, programmers guide – Catalogue new format Updated Academy courses Provided software: – In Github – In Docker container – Blueprint
Trustworthy Factory (Thales) Planned for Following the EC recommendations, the developments of this GE are stopped.
Privacy (ZHAW) Achieved for R4 Progress still impeded by licensing issue Status as before: Software ready for release – Findbugs/checkstyle cleanups done – API documentation done (in “old” format) – User guide done (in “old” format) – Unit test documentation done Documentation needs review by Chapter lead and architect Work item for project lead to unblock
Privacy (ZHAW) Planned for Following the Chief Architect’s and EC recommendations, the developments of this GE are stopped.
CyberSecurity GEri: CyberCAPTOR (Thales) Spring – New Features: RiskManagement.DynamicRiskAnalysis : Dynamic risk analysis using IDMEF alerts. RemediationPlan.RemediationCatalogNetworkConfiguration: Proposition of network configuration remediations for Dynamic risk analysis, by changing network configuration or topology, to reduce the risk. – Deliverables Open spec with Open API blueprint Install & Admin Guide, User & Programmer Guide (readthedocs.org) Software release: Github, Docker Academy Course Catalogue entry updating/publishing (in progress)
CyberSecurity / P2DS / ZHAW & Thales Achieved for Implemented privacy-preserving data sharing (also seen in this demo) Allows shared computation of sensitive data, e.g. total number of attacks seen during a time frame, while not divulging one’s own contribution
CyberSecurity / P2DS / ZHAW & Thales Achieved for Sprint Implemented Group Manager Implemented “additive” protocol Implemented Privacy Peer Implemented Input Peer All documentation uploaded, reviewed Code uploaded
CyberSecurity GEri: CyberCAPTOR (Thales) Planned for Following the EC recommendations, the developments of this GE are stopped.
Security Chapter – THANKS! – Demo CyberSecurity
Dynamic Risk Analysis Before : – Attack graphs used only in design phase. – Vulnerability analysis to assess the paths that may be followed by attackers. Dynamic risk analysis – Take into account of the attack graph for dynamic analysis. – Receive alerts in IDMEF format (from an external standard SIEM). – Visualize the alerts taking into account the prior vulnerability knowledge. – Visualization of the paths currently followed by the attackers.
DEMO
Remediation: Network Configuration Proposition of remediations for dynamic risk analysis: – Assist the operators that are facing an attack. – Propose them network remediations to prevent occurring attacks. – For DDOS mitigation, firewall rules redirecting packets either to a DDOS mitigation server, or to a blackhole. – For other attacks, propose a generic firewall rule to block the attacker.
DEMO
Questions ?