SlideShare una empresa de Scribd logo

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools

DevSecCon
DevSecCon

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools

Presentaciones y charlas públicas
1 de 44
Descargar para leer sin conexión
Summary 1. Ansible 2. Vagrant/Packer 3. Going of ine
IRMA (Incident Response and Malware Analysis) https://github.com/quarkslab/irma Private platform (as it's open-source) Multi-Analysis engine Extendable
Summary 1. From one week to two days 2. From two days to 6 hours 3. From 6 hours to few minutes
1. From one week to two days
What's Ansible? Agentless Automation platform (and Open-source) Use SSH to access servers/… Run tasks (written in yaml) in sequence
Where's the problem? Role example: - name: Install Software shell: curl http://get.mysoftware.com | sudo bash
CVE-2016-9587 CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).
2. From two days to 6 hours (Virtual Machines O The Shelf)
Vagrant
What's a Vagrant Box? $ tar -tf ~/libvirt.box box.img metadata.json
How to connect to a Vagrant box out-of- the-box? At rst it was a good idea to set up some common SSH keys...
One year later…
And three years later, some progress has been made!
Best practice from mitchellh: ( )https://github.com/mitchellh/vagrant/tree/master/keys “If you're working with a team or company or with a custom box and you want more secure SSH, you should create your own keypair and con gure the private key in the Vagrant le with 'con g.ssh.private_key_path'.”
Home-made boxes
I'll use Packer, and even more, boxcutter because they're so famous! But I shouldn't have... because of that: $ cd boxcutter/debian/script && grep http: * cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}
Boxes in the rightful cloud
Atlas Cloud
$ vagrant box add ubuntu/trusty64 ==> box: Loading metadata for box 'ubuntu/trusty64' box: URL: https://atlas.hashicorp.com/ubuntu/trusty64 ==> box: Adding box 'ubuntu/trusty64' (v20170208.0.0) for provider: virtualbox box: Downloading: https://atlas.hashicorp.com/ubuntu/boxes /trusty64/versions/20170208.0.0/providers/virtualbox.box ==> box: Successfully added box 'ubuntu/trusty64' (v20170208.0.0) for 'virtualbox'!
From https://www.vagrantup.com/docs/cli/box.html “For boxes from HashiCorp's Atlas, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.”
But wait... Let's look at this checksum story...
From https://www.vagrantup.com/docs/boxes/format.html “You do not need to manually make the metadata. If you have an account with HashiCorp's Atlas, you can create boxes there, and HashiCorp's Atlas automatically creates the metadata for you.”
From https://www.vagrantup.com/docs/boxes/format.html It is a JSON document, structured in the following way:” {"name": "hashicorp/precise64", "description": "This box contains Ubuntu 12.04 LTS 64-bit.", "versions": [{ "version": "0.1.0", "providers": [{ "name": "virtualbox", "url": "http://somewhere.com/precise64_010_virtualbox.box" "checksum_type": "sha1", "checksum": "foo" }]}]}
Great, I like that, so I should nd it here for example on : Nope... https://atlas.hashicorp.com/ubuntu/boxes/trusty64.json
Erf, let's look into some Hashicorp box instead on Still nope... https://atlas.hashicorp.com/hashicorp/boxes/precise64.json
Let's try one last thing... $ cat imdesperate.json {"name": "hashicorp/precise64", "versions": [{ "version": "1.1.0", "providers": [{ "name": "virtualbox", "url": "https://atlas.hashicorp.com/hashicorp/boxes/pre cise64/versions/1.1.0/providers/virtualbox.box", "checksum_type": "sha1", "checksum": "imdesperate"}]}]} $ vagrant box add imdesperate.json ==> box: Loading metadata for box 'imdesperate.json' box: URL: file:///home/user/imdesperate.json ==> box: Adding box 'hashicorp/precise64' (v1.1.0) for provider: virtualbox box: Downloading: https://atlas.hashicorp.com/hashicorp/box es/precise64/versions/1.1.0/providers/virtualbox.box ...
... box: Calculating and comparing box checksum... The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file. Expected: imdesperate Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40
We did it better GPG signed checksums data Metadata les served over TLS with checksum information https://github.com/quarkslab/packer-ubuntu#security
3. From 6 hours to few minutes
DevOps: when the Internet is on
DevOps: when the Internet is broken
You can save a bunch of minutes with o ine mode! No more latency No more bandwidth bottleneck No more side-effect
Worst error of the dev people?
Pip dependencies Freeze speci c versions and do not upgrade unless you check the new versions Do not download exotic packages even from PyPi Do not rely on Github repos or things like that Use of ine package $ mkdir toto $ pip install -d ./toto mypackage #move the folder on the offline node $ pip install --no-index --find-links ./toto mypackage
Apt dependencies Just use It will be: Quickier More secure More stable https://packages.debian.org/jessie/apt-of ine
The result $ git clone https://github.com/quarkslab/irma.git $ cd ansible && vagrant up
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools

Recomendados

DevOps(2) : Vagrant - (MOSG)
DevOps(2) : Vagrant - (MOSG)DevOps(2) : Vagrant - (MOSG)
DevOps(2) : Vagrant - (MOSG)Soshi Nemoto
 
Ubic
UbicUbic
UbicVyacheslav Matyukhin
 
Docker puppetcamp london 2013
Docker puppetcamp london 2013Docker puppetcamp london 2013
Docker puppetcamp london 2013Tomas Doran
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Soshi Nemoto
 
Making environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeMaking environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeSoshi Nemoto
 
Perl: Coro asynchronous
Perl: Coro asynchronous Perl: Coro asynchronous
Perl: Coro asynchronous Shmuel Fomberg
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestrationbcoca
 
Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Soshi Nemoto
 

Recomendados

DevOps(2) : Vagrant - (MOSG)
DevOps(2) : Vagrant - (MOSG)DevOps(2) : Vagrant - (MOSG)
DevOps(2) : Vagrant - (MOSG)Soshi Nemoto
 
Ubic
UbicUbic
UbicVyacheslav Matyukhin
 
Docker puppetcamp london 2013
Docker puppetcamp london 2013Docker puppetcamp london 2013
Docker puppetcamp london 2013Tomas Doran
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Soshi Nemoto
 
Making environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeMaking environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeSoshi Nemoto
 
Perl: Coro asynchronous
Perl: Coro asynchronous Perl: Coro asynchronous
Perl: Coro asynchronous Shmuel Fomberg
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestrationbcoca
 
Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Soshi Nemoto
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)Soshi Nemoto
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environmentSoshi Nemoto
 
DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)Soshi Nemoto
 
The Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shellThe Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shellRoberto Reale
 
Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)xSawyer
 
Any event intro
Any event introAny event intro
Any event introqiang
 
Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2Brian Schott
 
Java Streams Interview short reminder with examples
Java Streams Interview short reminder with examplesJava Streams Interview short reminder with examples
Java Streams Interview short reminder with examplesMark Papis
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleRobert Reiz
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Gosuke Miyashita
 
使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台NUTC, imac
 
Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloudNUTC, imac
 
Using Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev ConfUsing Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev ConfTom Croucher
 
Ansible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of PythonAnsible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of Pythontoddmowen
 
Ansible for beginners ...?
Ansible for beginners ...?Ansible for beginners ...?
Ansible for beginners ...?shirou wakayama
 
Vert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCDVert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCDTim Nolet
 
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van ScherpenseelSystem Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseelansiblebrno
 
Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作NUTC, imac
 
Microarmy - by J2 Labs
Microarmy - by J2 LabsMicroarmy - by J2 Labs
Microarmy - by J2 LabsJames Dennis
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon
 

Más contenido relacionado

La actualidad más candente

DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)Soshi Nemoto
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environmentSoshi Nemoto
 
DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)Soshi Nemoto
 
The Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shellThe Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shellRoberto Reale
 
Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)xSawyer
 
Any event intro
Any event introAny event intro
Any event introqiang
 
Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2Brian Schott
 
Java Streams Interview short reminder with examples
Java Streams Interview short reminder with examplesJava Streams Interview short reminder with examples
Java Streams Interview short reminder with examplesMark Papis
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleRobert Reiz
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Gosuke Miyashita
 
使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台NUTC, imac
 
Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloudNUTC, imac
 
Using Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev ConfUsing Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev ConfTom Croucher
 
Ansible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of PythonAnsible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of Pythontoddmowen
 
Ansible for beginners ...?
Ansible for beginners ...?Ansible for beginners ...?
Ansible for beginners ...?shirou wakayama
 
Vert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCDVert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCDTim Nolet
 
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van ScherpenseelSystem Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseelansiblebrno
 
Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作NUTC, imac
 
Microarmy - by J2 Labs
Microarmy - by J2 LabsMicroarmy - by J2 Labs
Microarmy - by J2 LabsJames Dennis
 

La actualidad más candente (20)

DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environment
 
DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)
 
The Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shellThe Unbearable Lightness: Extending the Bash shell
The Unbearable Lightness: Extending the Bash shell
 
Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)Asynchronous Programming FTW! 2 (with AnyEvent)
Asynchronous Programming FTW! 2 (with AnyEvent)
 
Any event intro
Any event introAny event intro
Any event intro
 
Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2Using Ansible Dynamic Inventory with Amazon EC2
Using Ansible Dynamic Inventory with Amazon EC2
 
Java Streams Interview short reminder with examples
Java Streams Interview short reminder with examplesJava Streams Interview short reminder with examples
Java Streams Interview short reminder with examples
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & Ansible
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
 
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
Inside Sqale's Backend at Sapporo Ruby Kaigi 2012
 
使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台使用 CLI 管理 OpenStack 平台
使用 CLI 管理 OpenStack 平台
 
Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloud
 
Using Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev ConfUsing Node.js to Build Great Streaming Services - HTML5 Dev Conf
Using Node.js to Build Great Streaming Services - HTML5 Dev Conf
 
Ansible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of PythonAnsible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of Python
 
Ansible for beginners ...?
Ansible for beginners ...?Ansible for beginners ...?
Ansible for beginners ...?
 
Vert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCDVert.x clustering on Docker, CoreOS and ETCD
Vert.x clustering on Docker, CoreOS and ETCD
 
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van ScherpenseelSystem Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
 
Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作
 
Microarmy - by J2 Labs
Microarmy - by J2 LabsMicroarmy - by J2 Labs
Microarmy - by J2 Labs
 

Destacado

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenryDevSecCon
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragileDevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragileDevSecCon
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Segregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySegregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySriram Narayanan
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryDevSecCon
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_programShannon Lietz
 
Ransomware - TAIT knowledge Series
Ransomware - TAIT knowledge SeriesRansomware - TAIT knowledge Series
Ransomware - TAIT knowledge SeriesJoel Divekar
 
The DevOps Panel - Innotech Austin CD Summit
The DevOps Panel - Innotech Austin CD SummitThe DevOps Panel - Innotech Austin CD Summit
The DevOps Panel - Innotech Austin CD SummitErnest Mueller
 
11 Tools for your Open Source devops stack
11 Tools for your Open Source devops stack 11 Tools for your Open Source devops stack
11 Tools for your Open Source devops stack Kris Buytaert
 
How to choose tools for DevOps
How to choose tools for DevOpsHow to choose tools for DevOps
How to choose tools for DevOpsMatthew Skelton
 
Warum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtWarum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtJohann-Peter Hartmann
 

Destacado (20)

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragileDevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile
DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
 
Segregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySegregation of Duties and Continuous Delivery
Segregation of Duties and Continuous Delivery
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application delivery
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_program
 
Ransomware - TAIT knowledge Series
Ransomware - TAIT knowledge SeriesRansomware - TAIT knowledge Series
Ransomware - TAIT knowledge Series
 
The DevOps Panel - Innotech Austin CD Summit
The DevOps Panel - Innotech Austin CD SummitThe DevOps Panel - Innotech Austin CD Summit
The DevOps Panel - Innotech Austin CD Summit
 
11 Tools for your Open Source devops stack
11 Tools for your Open Source devops stack 11 Tools for your Open Source devops stack
11 Tools for your Open Source devops stack
 
How to choose tools for DevOps
How to choose tools for DevOpsHow to choose tools for DevOps
How to choose tools for DevOps
 
Warum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtWarum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommt
 

Similar a DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools

Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierCarlos Sanchez
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Carlos Sanchez
 
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...POSSCON
 
Create Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantCreate Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantBrian Hogan
 
Packer, where DevOps begins
Packer, where DevOps beginsPacker, where DevOps begins
Packer, where DevOps beginsJeff Hung
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 
Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013Trevor Roberts Jr.
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Ricardo Amaro
 
OpenSource ToolChain for the Hybrid Cloud
OpenSource ToolChain for the Hybrid CloudOpenSource ToolChain for the Hybrid Cloud
OpenSource ToolChain for the Hybrid CloudIsaac Christoffersen
 
Puppet and the HashiStack
Puppet and the HashiStackPuppet and the HashiStack
Puppet and the HashiStackBram Vogelaar
 
A Deeper Look at Cargo
A Deeper Look at CargoA Deeper Look at Cargo
A Deeper Look at CargoAnton Weiss
 
Create your very own Development Environment with Vagrant and Packer
Create your very own Development Environment with Vagrant and PackerCreate your very own Development Environment with Vagrant and Packer
Create your very own Development Environment with Vagrant and Packerfrastel
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
 
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...QCloudMentor
 
Server(less) Swift at SwiftCloudWorkshop 3
Server(less) Swift at SwiftCloudWorkshop 3Server(less) Swift at SwiftCloudWorkshop 3
Server(less) Swift at SwiftCloudWorkshop 3kognate
 

Similar a DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools (20)

Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
 
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
 
Create Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantCreate Development and Production Environments with Vagrant
Create Development and Production Environments with Vagrant
 
Packer, where DevOps begins
Packer, where DevOps beginsPacker, where DevOps begins
Packer, where DevOps begins
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013
 
Composer
ComposerComposer
Composer
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
 
OpenSource ToolChain for the Hybrid Cloud
OpenSource ToolChain for the Hybrid CloudOpenSource ToolChain for the Hybrid Cloud
OpenSource ToolChain for the Hybrid Cloud
 
Puppet and the HashiStack
Puppet and the HashiStackPuppet and the HashiStack
Puppet and the HashiStack
 
A Deeper Look at Cargo
A Deeper Look at CargoA Deeper Look at Cargo
A Deeper Look at Cargo
 
Create your very own Development Environment with Vagrant and Packer
Create your very own Development Environment with Vagrant and PackerCreate your very own Development Environment with Vagrant and Packer
Create your very own Development Environment with Vagrant and Packer
 
Intro to vagrant
Intro to vagrantIntro to vagrant
Intro to vagrant
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
 
Packer
Packer Packer
Packer
 
Server(less) Swift at SwiftCloudWorkshop 3
Server(less) Swift at SwiftCloudWorkshop 3Server(less) Swift at SwiftCloudWorkshop 3
Server(less) Swift at SwiftCloudWorkshop 3
 

Más de DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 

Más de DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Último

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 

Último (20)

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops tools

  • 1.
  • 3.
  • 4. IRMA (Incident Response and Malware Analysis) https://github.com/quarkslab/irma Private platform (as it's open-source) Multi-Analysis engine Extendable
  • 5.
  • 6.
  • 7. Summary 1. From one week to two days 2. From two days to 6 hours 3. From 6 hours to few minutes
  • 8. 1. From one week to two days
  • 9. What's Ansible? Agentless Automation platform (and Open-source) Use SSH to access servers/… Run tasks (written in yaml) in sequence
  • 10. Where's the problem? Role example: - name: Install Software shell: curl http://get.mysoftware.com | sudo bash
  • 11. CVE-2016-9587 CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).
  • 12. 2. From two days to 6 hours (Virtual Machines O The Shelf)
  • 14. What's a Vagrant Box? $ tar -tf ~/libvirt.box box.img metadata.json
  • 15. How to connect to a Vagrant box out-of- the-box? At rst it was a good idea to set up some common SSH keys...
  • 17. And three years later, some progress has been made!
  • 18. Best practice from mitchellh: ( )https://github.com/mitchellh/vagrant/tree/master/keys “If you're working with a team or company or with a custom box and you want more secure SSH, you should create your own keypair and con gure the private key in the Vagrant le with 'con g.ssh.private_key_path'.”
  • 20.
  • 21. I'll use Packer, and even more, boxcutter because they're so famous! But I shouldn't have... because of that: $ cd boxcutter/debian/script && grep http: * cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}
  • 22. Boxes in the rightful cloud
  • 24. $ vagrant box add ubuntu/trusty64 ==> box: Loading metadata for box 'ubuntu/trusty64' box: URL: https://atlas.hashicorp.com/ubuntu/trusty64 ==> box: Adding box 'ubuntu/trusty64' (v20170208.0.0) for provider: virtualbox box: Downloading: https://atlas.hashicorp.com/ubuntu/boxes /trusty64/versions/20170208.0.0/providers/virtualbox.box ==> box: Successfully added box 'ubuntu/trusty64' (v20170208.0.0) for 'virtualbox'!
  • 25. From https://www.vagrantup.com/docs/cli/box.html “For boxes from HashiCorp's Atlas, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.”
  • 26.
  • 27. But wait... Let's look at this checksum story...
  • 28. From https://www.vagrantup.com/docs/boxes/format.html “You do not need to manually make the metadata. If you have an account with HashiCorp's Atlas, you can create boxes there, and HashiCorp's Atlas automatically creates the metadata for you.”
  • 29. From https://www.vagrantup.com/docs/boxes/format.html It is a JSON document, structured in the following way:” {"name": "hashicorp/precise64", "description": "This box contains Ubuntu 12.04 LTS 64-bit.", "versions": [{ "version": "0.1.0", "providers": [{ "name": "virtualbox", "url": "http://somewhere.com/precise64_010_virtualbox.box" "checksum_type": "sha1", "checksum": "foo" }]}]}
  • 30. Great, I like that, so I should nd it here for example on : Nope... https://atlas.hashicorp.com/ubuntu/boxes/trusty64.json
  • 31. Erf, let's look into some Hashicorp box instead on Still nope... https://atlas.hashicorp.com/hashicorp/boxes/precise64.json
  • 32.
  • 33. Let's try one last thing... $ cat imdesperate.json {"name": "hashicorp/precise64", "versions": [{ "version": "1.1.0", "providers": [{ "name": "virtualbox", "url": "https://atlas.hashicorp.com/hashicorp/boxes/pre cise64/versions/1.1.0/providers/virtualbox.box", "checksum_type": "sha1", "checksum": "imdesperate"}]}]} $ vagrant box add imdesperate.json ==> box: Loading metadata for box 'imdesperate.json' box: URL: file:///home/user/imdesperate.json ==> box: Adding box 'hashicorp/precise64' (v1.1.0) for provider: virtualbox box: Downloading: https://atlas.hashicorp.com/hashicorp/box es/precise64/versions/1.1.0/providers/virtualbox.box ...
  • 34. ... box: Calculating and comparing box checksum... The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file. Expected: imdesperate Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40
  • 35. We did it better GPG signed checksums data Metadata les served over TLS with checksum information https://github.com/quarkslab/packer-ubuntu#security
  • 36. 3. From 6 hours to few minutes
  • 37. DevOps: when the Internet is on
  • 38. DevOps: when the Internet is broken
  • 39. You can save a bunch of minutes with o ine mode! No more latency No more bandwidth bottleneck No more side-effect
  • 40. Worst error of the dev people?
  • 41. Pip dependencies Freeze speci c versions and do not upgrade unless you check the new versions Do not download exotic packages even from PyPi Do not rely on Github repos or things like that Use of ine package $ mkdir toto $ pip install -d ./toto mypackage #move the folder on the offline node $ pip install --no-index --find-links ./toto mypackage
  • 42. Apt dependencies Just use It will be: Quickier More secure More stable https://packages.debian.org/jessie/apt-of ine
  • 43. The result $ git clone https://github.com/quarkslab/irma.git $ cd ansible && vagrant up