BOSTON 10-11 SEPT 2018
My ragequit journey: configuring
Netflix tools
SARAH YOUNG
whoami
• Sarah Young, Security Architect at Versent.
• I’m from Melbourne in Australia.
• I help customers move their stuff into the
cloud securely.
• Worked in tech for the past 9ish years.
• I’ve worked in Europe, New Zealand and
Australia.
• I overuse memes and GIFs.
• Wannabe crazy bird lady.
If anyone knows Justin Trudeau, please let me know.
I am not a Christian author
Firstly…
• This talk is not an attack on Netflix.
• I love Netflix as both an end user of their service and a consumer of their
SecOps tools.
• Alas, I am also not on commission from Netflix.
• The aim of this talk is to demonstrate how everyone struggles with tools
from time-to-time.
• I want to try to reduce “FOFU”, “fear of F!%*ing up”.
Intro to Netflix tools
• I don’t have to introduce Netflix… I hope?!
• Netflix have been releasing Open Source tools since 2014.
• They release numerous types of tools:
• Big data
• Content encoding
• Insight, reliability and performance monitoring
• … and much more
• I’m going to focus on some of their security tools.
Just one more note…
• I’m aware that there are talks at other conferences and meetups where
companies and individuals talk about successful implementations of these
tools.
• This is not one of those talks.
• I will link to some of the happier Hollywood stories at the end of the talk.
Tools I’m going to look at
• BLESS (Bastion's Lambda Ephemeral SSH Service)
• Security Monkey
• Repokid
The beginning of the journey…
• I was equipped with:
• Git Readmes.
• My work’s sandbox AWS account.
• Google.
• Slightly rusty Linux skills.
• Unlimited cans of fizzy drinks from
the fridge.
• My patience.
Don’t test the demo gods
BLESS – Qué?
• BLESS stands for Bastion's Lambda Ephemeral SSH Service.
• It’s an Internal Certificate Authority.
• Inside a Lambda function.
• Issues short-lived certificates for EC2 access.
• Certificates have 120 seconds validity by default.
BLESS – awscli is not my friend
• Create an AWS role, easy.
• Maybe my Python version is too new for awscli?
• Let’s uninstall Python3.
BLESS – saml2aws
Firstly…
• Cue lengthy Slack
discussion about how
Brew/Python/awscli suck.
• Let’s just reinstall awscli.
BLESS – Virtual-env is additionally not my friend
• False start, let’s go now.
• Have to force install
virtual-env.
• I’m using Docker.
• All goes well here.
BLESS – Certificates, KMS and Lambda are dope
• Generate certs just fine.
• Make keys in KMS just fine.
• Make Lambda function just fine.
• Things are going too well… surely?!
Accurate depiction of me at this point
BLESS – OSX, you make my life hard
• BLESS should be finished.
• Now to test it.
• I don’t have Boto3…
• … except I do.
• Dammit Python dependencies!
BLESS – Dammit Python
Credit: XKCD
BLESS – Dammit again Python
Sidenote
BLESS – What’s the first rule of security…?
• I don’t have creds (apparently).
• Turns out this is a bug in saml2aws.
• I should have updated to 2.7.0 before I started.
I deserve Trump shame for this fail.
BLESS – don’t do this
BLESS – do this
BLESS – Real-life issues
• Very little guidance on how to scale BLESS.
• “Deploy an Amazon Linux AMI” isn’t super
helpful.
• Re-scaling the application takes downtime.
• Debugging BLESS sucks.
• When pen testing BLESS, we had to expose
Unicreds.
• Defeats the object of pen testing somewhat.
BLESS – When devs don’t do what they’re told
• Got BLESS running through Jenkins.
• Devs still used our manually deployed bastion.
• “Make it easy to do the right thing and hard to do the wrong thing”.
• Resources who maintained BLESS rolled off projects.
• Nuances introduced by devs could cause problems.
BLESS - scoreboard
• Instructions – 6/10
• Accuracy of instructions – 8/10
• Ease of configuration – 5/10
• Ragequit score – 7/10
Security Monkey – Qué?
• Security Monkey is a tool that monitors/alerts/reports one or more AWS
accounts for anomalies.
• Part of a larger suite of tools from Netflix known as the Simian Army.
Security Monkey – Deployment structure
Security Monkey - Hurrah, instructions!
• Hey, this one looks like it has a
decent walkthrough on Github.
• Let’s give it a go.
Security Monkey - Ah, maybe not yay after all.
• Oh wait… it’s kind of out of date…
M1 instances don’t exist any more.
Decide to wing it and pick an
M5. This is not free tier.
Security Monkey - When your lab messes things up
• Pro tip: never use a lab your colleague has only half configured.
• Instance was not accessible from external bastion host.
• Bastion host wouldn’t forward SSH keys to the Security Monkey instance.
• Cue numerous error messages and troubleshooting of security groups
and NACLs.
Security Monkey – Let’s build this
• Now for the interesting stuff.
• Let’s install this thing.
• Pull all the files from Git…
• Oops, in my enthusiasm I ran the commands for GCP and Openstack.
Security Monkey - Why doesn’t my instance recognise loopback?
• All going well until sudo keeps failing.
• My instance does not know its own loopback.
• Bad Ubuntu!
• Change to /etc/hosts fixed this.
Security Monkey - Python isn’t working
• When a guide posts something like this, you should probably pay
attention to it:
• Because when you don’t, you get this:
Security Monkey - Je ne parle pas anglais.
• Running in the virtual environment shell now, my bad.
• Run the commands to compile the web interface.
• Isn’t this installed by default?!
• This makes no sense.
• Rage level getting critical at this point.
• Accurate representation of my face.
Security Monkey - Who doesn’t love a 404?
• No idea why, but I had to re-generate the en_US locales.
• Then, success!
Security Monkey – I spoke too soon
• Now everything should be running, right?
Security Monkey – Mysterious directories
• NGINX can’t find the UI pages to load.
• Much searching, much raging.
• Transpires that the NGINX location path was incorrect.
• Files had been copied as
/usr/local/src/security_monkey/security_monkey/static…
There it is
Security Monkey – Damn those SSL certs
• Generate self-signed SSL certs.
• Getting an error from Chrome, success!
• STILL GETTING A 404.
• Remove SSL from the config, for now.
• I appreciate the irony as a security professional.
Security Monkey – Hello web UI!
• …aaaaand:
Security Monkey – Dude, where’s my login server?
• Pretty sure I’m supposed to have a login screen?
• That red error doesn’t look great.
• The Googles reveals that file permissions are a common cause of this
issue.
• Also need to restart the supervisor service.
Security Monkey – Success!
Security Monkey – Production issues
• Issue lists aren’t very detailed.
• Dashboard scores for the high score view are not updated, but show fine
on the summary page.
• Daily summary emails don’t get sent out.
Security Monkey - Scoreboard
• Instructions – 8/10
• Accuracy of instructions – 7/10
• Ease of configuration – 5/10
• Ragequit score – 8/10
Repokid - Qué?
• Repokid uses Access Advisor provided by Aardvark to remove
permissions granting access to unused services from the inline policies
of IAM roles in an AWS account.
• “When used together, Aardvark and Repokid help us get closer to
the principle of least privilege without sacrificing speed or introducing
heavy process.” - Netflix
Repokid - Wow, these instructions are pretty light.
• Even by Netflix standards, these
are pretty light…
• Pull repo from Git.
• Create database.
• Create IAM roles.
Repokid – The downsides of using a lab
• Run out of elastic IPs.
• Reassign one, but now my terminal is angry with me.
*sigh*
Repokid – More Python woes…
• Instance says virtual env isn’t there (apparently).
• Instance also says there is no Git.
• Fair enough.
• Pull Git package.
• Try to pull repo from Github.
• There’s already a repokid directory?! Me
Repokid – Only one thing to do
TERMINATE
Repokid – Git and SSH key troubles
• Wash, rinse, repeat the previous slides.
• Accessing Git repo…
Repokid – Let’s try that again
• Generate fresh SSH keys.
• Add to my agent.
• Upload to Github.
Repokid – Never mentioned I needed a database
• Apparently I need a DynamoDB.
• Use a small local one for dev purposes.
• Pull Java packages, etc. to run it.
• This seems to be working fine.
Repokid – Readmes with footnotes
• The footnotes for Repokid are important.
• Describe what roles need to be set up for the instance to work.
• Might have been useful further up the document…
Repokid - Fine tuning JSON
• Fine tune the JSON config file.
• Point at Aardvark, DynamoDB and IAM role.
• Aaaaand…
Repokid – Production issues
• role.policies only checks inline policies. Attached policies are ignored.
• Generates heaps of alerts/errors in Lightsail.
• The advice for the moment is… just put up and shut up.
• (unless you’re going to write your own code to fix)
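The inline-only limitation on this slide can be measured before relying on a repo pass. The following is an added example, not code from the talk or from Repokid: it takes data shaped like IAM's `get_account_authorization_details` response plus a per-role set of unused services, and reports which unused services stay granted through attached managed policies. The account ID, role names, policy names and unused-service data are constructed, and policy documents are assumed to be already decoded to dicts.

```python
# Added example: measures what an inline-only pass over IAM roles leaves behind.
# Input is shaped like boto3's iam.get_account_authorization_details() response
# (policy documents already decoded to dicts). No AWS call is made.
import json

# Constructed sample data: account ID, role names and policy names are made up.
TEAM_SHARED_ARN = "arn:aws:iam::111122223333:policy/team-shared"
REPORTING_ARN = "arn:aws:iam::111122223333:policy/reporting-admin"
READONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # absent from "Policies" below


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _allow(actions):
    return {"Effect": "Allow", "Action": actions, "Resource": "*"}


SAMPLE_AUTH_DETAILS = {
    "RoleDetailList": [
        {"RoleName": "app-web",
         "RolePolicyList": [{"PolicyName": "inline-app", "PolicyDocument": _doc(
             _allow(["s3:GetObject", "sqs:SendMessage", "dynamodb:Query"]))}],
         "AttachedManagedPolicies": [
             {"PolicyName": "team-shared", "PolicyArn": TEAM_SHARED_ARN}]},
        {"RoleName": "batch-report",
         "RolePolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "reporting-admin", "PolicyArn": REPORTING_ARN},
             {"PolicyName": "ReadOnlyAccess", "PolicyArn": READONLY_ARN}]},
    ],
    "Policies": [
        {"Arn": TEAM_SHARED_ARN, "PolicyVersionList": [
            {"VersionId": "v1", "IsDefaultVersion": False,
             "Document": _doc(_allow("ec2:Describe*"))},
            {"VersionId": "v2", "IsDefaultVersion": True,
             "Document": _doc(_allow(["sqs:*", "ec2:Describe*"]))}]},
        {"Arn": REPORTING_ARN, "PolicyVersionList": [
            {"VersionId": "v1", "IsDefaultVersion": True,
             "Document": _doc(_allow("*"))}]},
    ],
}

# Constructed stand-in for Access Advisor data: services each role has not used.
UNUSED_SERVICES = {"app-web": {"sqs", "ec2"}, "batch-report": {"ses"}}


def _as_list(value):
    # IAM allows a single statement/action or a list of them.
    return value if isinstance(value, list) else [value]


def allowed_services(policy_document):
    """Service prefixes granted by Allow statements; '*' means every service.

    Deny statements are ignored, so the result errs on the side of over-reporting.
    """
    services = set()
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            services.add("*")  # Allow + NotAction grants nearly everything
            continue
        for action in _as_list(stmt.get("Action", [])):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def default_documents(auth_details):
    """Map managed policy ARN -> document of its default (active) version."""
    docs = {}
    for policy in auth_details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                docs[policy["Arn"]] = version["Document"]
    return docs


def repo_coverage(auth_details, unused_by_role):
    """Per role: unused services an inline-only pass can remove vs. ones it cannot."""
    managed = default_documents(auth_details)
    report = {}
    for role in auth_details.get("RoleDetailList", []):
        unused = set(unused_by_role.get(role["RoleName"], ()))
        inline, attached, unresolved = set(), set(), []
        for policy in role.get("RolePolicyList", []):
            inline |= allowed_services(policy["PolicyDocument"])
        for ref in role.get("AttachedManagedPolicies", []):
            doc = managed.get(ref["PolicyArn"])
            if doc is None:
                unresolved.append(ref["PolicyArn"])  # document not in the export
            else:
                attached |= allowed_services(doc)

        def hit(granted):
            return set(unused) if "*" in granted else unused & granted

        report[role["RoleName"]] = {
            "removable_from_inline": sorted(hit(inline)),
            "still_granted_by_attached": sorted(hit(attached)),
            "unresolved_attached": unresolved,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(repo_coverage(SAMPLE_AUTH_DETAILS, UNUSED_SERVICES), indent=2))
```

In the sample, `sqs` appears in both lists for `app-web`: removing it from the inline policy changes nothing, because the attached policy still grants it.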
Repokid - Scoreboard
• Instructions – 2/10
• Accuracy of instructions – 2/10
• Ease of configuration – 7/10
• Ragequit score – 7/10
And I’m finished!
Lessons learned
• Read what instructions you have carefully…
• … but don’t be entirely beholden to them.
• Get your base packages and dependencies in order with your code.
• Have your supporting tools (terminal, Github, etc.) all in order.
• Don’t be afraid to try to run things slightly differently if it works better for
your environment.
• It’s not failing to ask for help if you’re really stuck.
What’s next?
• Diffy!
• Diffy is a triage tool to help digital forensics
and incident response (DFIR) teams quickly identify
compromised hosts on which to focus their response.
• Diffy finds outliers among a group of very
similar hosts and highlights those for a
human investigator, who can then examine
those hosts more closely.
• So far… so little instruction.
Documents and links
• Netflix Open Source Software Center - https://netflix.github.io/
• Netflix tech blog - https://medium.com/netflix-techblog
• Netflix Git repository - https://github.com/Netflix
• Lyft’s implementation of BLESS - https://www.youtube.com/watch?v=PMlT1raRMA0
• Versent’s saml2aws repository - https://github.com/Versent/saml2aws
• Versent’s unicreds repository - https://github.com/Versent/unicreds
• Sethkor’s BLESS repository – https://github.com/sethkor/blesskor
• Risky Business #486 Repokid episode - https://risky.biz/RB486/
• Netflix Security’s YouTube Channel - https://www.youtube.com/channel/UCCic-LGj5o892PhU_xrWq-g
Thanks for not ragequitting
on my talk and going to
happy hour.
Questions?
@_sarahyo

 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Último

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Último (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sarah Young

  • 1. BOSTON 10-11 SEPT 2018 My ragequit journey: configuring Netflix tools SARAH YOUNG
  • 3. whoami • Sarah Young, Security Architect at Versent. • I’m from Melbourne in Australia. • I help customers move their stuff into the cloud securely. • Worked in tech for the past 9ish years. • I’ve worked in Europe, New Zealand and Australia. • I overuse memes and GIFs. • Wannabe crazy bird lady.
  • 4. If anyone knows Justin Trudeau, please let me know.
  • 5. I am not a Christian author
  • 6. Firstly… • This talk is not an attack on Netflix. • I love Netflix as both an end user of their service and a consumer of their SecOps tools. • Alas, I am also not on commission from Netflix. • The aim of this talk is to demonstrate how everyone struggles with tools from time-to-time. • I want to try to reduce “FOFU”, “fear of F!%*ing up”.
  • 7. Intro to Netflix tools • I don’t have to introduce Netflix… I hope?! • Netflix have been releasing Open Source tools since 2014. • They release numerous types of tools: • Big data • Content encoding • Insight, reliability and performance monitoring • … and much more • I’m going to focus on some of their security tools.
  • 8. Just one more note… • I’m aware that there are talks at other conferences and meetups where companies and individuals talk about successful implementations of these tools. • This is not one of those talks. • I will link to some of the happier Hollywood stories at the end of talk.
  • 9. Tools I’m going to look at • BLESS (Bastion's Lambda Ephemeral SSH Service) • Security Monkey • Repokid
  • 10. The beginning of the journey… • I was equipped with: • Git Readmes. • My work’s sandbox AWS account. • Google. • Slightly rusty Linux skills. • Unlimited cans of fizzy drinks from the fridge. • My patience.
  • 11. Don’t test the demo gods
  • 12. BLESS – Qué? • BLESS stands for Bastion's Lambda Ephemeral SSH Service. • It’s an Internal Certificate Authority. • Inside a Lambda function. • Issues short-lived certificates for EC2 access. • Certificates have 120 seconds validity by default.
  • 13. BLESS – awscli is not my friend • Create an AWS role, easy. • Maybe my Python version is too new for awscli? • Let’s uninstall Python3.
  • 14. BLESS – saml2aws
  • 15. Firstly… • Cue lengthy Slack discussion about how Brew/Python/awscli suck. • Let’s just reinstall awscli.
  • 16. BLESS – Virtual-env is additionally not my friend • False start, let’s go now. • Have to force install virtual-env. • I’m using Docker. • All goes well here.
  • 17. BLESS – Certificates, KMS and Lambda are dope • Generate certs just fine. • Make keys in KMS just fine. • Make Lambda function just fine. • Things are going too well… surely?! Accurate depiction of me at this point
  • 18. BLESS – OSX, you make my life hard • BLESS should be finished. • Now to test it. • I don’t have Boto3… • … except I do. • Dammit Python dependencies!
  • 19. BLESS – Dammit Python Credit: XKCD
  • 20. BLESS – Dammit again Python
  • 21. Sidenote
  • 22. BLESS – What’s the first rule of security…? • I don’t have creds (apparently). • Turns out this is a bug in saml2aws. • I should have updated to 2.7.0 before I started. I deserve Trump shame for this fail.
  • 23. BLESS – don’t do this
  • 24. BLESS – do this
  • 25. BLESS – Real-life issues • Very little guidance on how to scale BLESS. • “Deploy an Amazon Linux AMI” isn’t super helpful. • Re-scaling the application takes downtime. • Debugging BLESS sucks. • When pen testing BLESS, we had to expose Unicreds. • Defeats the object of pen testing somewhat.
  • 26. BLESS – When devs don’t do what they’re told • Got BLESS running through Jenkins. • Devs still used our manually deployed bastion. • “Make it easy to do the right thing and hard to do the wrong thing”. • Resources who maintained BLESS rolled off projects. • Nuances introduced by devs could cause problems.
  • 27. BLESS - scoreboard • Instructions – 6/10 • Accuracy of instructions – 8/10 • Ease of configuration – 5/10 • Ragequit score – 7/10
  • 28. Security Monkey – Qué? • Security Monkey is a tool that monitors/alerts/reports one or more AWS accounts for anomalies. • Part of a larger suite of tools from Netflix known as the Simian Army.
  • 29. Security Monkey – Deployment structure
  • 30. Security Monkey - Hurrah, instructions! • Hey, this one looks like it has a decent walkthrough on Github. • Let’s give it a go.
  • 31. Security Monkey - Ah, maybe not yay after all. • Oh wait… it’s kind of out of date… M1 instances don’t exist any more. Decide to wing it and pick an M5. This is not free tier.
  • 32. Security Monkey - When your lab messes things up • Pro tip: never use a lab your colleague has only half configured. • Instance was not accessible from external bastion host. • Bastion host wouldn’t forward SSH keys to the Security Monkey instance. • Cue numerous error messages and troubleshooting of security groups and NACLs.
  • 33. Security Monkey – Let’s build this • Now for the interesting stuff. • Let’s install this thing. • Pull all the files from Git… • Oops, in my enthusiasm I ran the commands for GCP and Openstack.
  • 34. Security Monkey - Why doesn’t my instance recognise loopback? • All going well until sudo keeps failing. • My instance does not know its own loopback. • Bad Ubuntu! • Change to /etc/hosts fixed this.
  • 35. Security Monkey - Python isn’t working • When a guide posts something like this, you should probably pay attention to it: • Because when you don’t, you get this:
  • 36. Security Monkey - Je ne parle pas anglais. • Running in the virtual environment shell now, my bad. • Run the commands to compile the web interface. • Isn’t this installed by default?! • This makes no sense. • Rage level getting critical at this point. • Accurate representation of my face.
  • 37. Security Monkey - Who doesn’t love a 404? • No idea why, but I had to re-generate the en_US locales. • Then, success!
  • 38. Security Monkey – I spoke too soon • Now everything should be running, right?
  • 39. Security Monkey – Mysterious directories • NGINX can’t find the UI pages to load. • Much searching, much raging. • Transpires that the NGINX location path was incorrect. • Files had been copied as /usr/local/src/security_monkey/security_monkey/static… There it is
  • 40. Security Monkey – Damn those SSL certs • Generate self-signed SSL certs. • Getting an error from Chrome, success! • STILL GETTING A 404. • Remove SSL from the config, for now. • I appreciate the irony as a security professional.
  • 41. Security Monkey – Hello web UI! • …aaaaand:
  • 42. Security Monkey – Dude, where’s my login server? • Pretty sure I’m supposed to have a login screen? • That red error doesn’t look great. • The Googles reveals that file permissions are a common cause of this issue. • Also need to restart the supervisor service.
  • 43. Security Monkey – Success!
  • 44. Security Monkey – Production issues • Issue lists aren’t very detailed. • Dashboard scores for the high score view are not updated, but show fine on the summary page. • Daily summary emails don’t get sent out.
  • 45. Security Monkey - Scoreboard • Instructions – 8/10 • Accuracy of instructions – 7/10 • Ease of configuration – 5/10 • Ragequit score – 8/10
  • 46. Repokid - Qué? • Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account. • “When used together, Aardvark and Repokid help us get closer to the principle of least privilege without sacrificing speed or introducing heavy process.” - Netflix
  • 47. Repokid - Wow, these instructions are pretty light. • Even by Netflix standards, these are pretty light… • Pull repo from Git. • Create database. • Create IAM roles.
  • 48. Repokid – The downsides of using a lab • Run out of elastic IPs. • Reassign one, but now my terminal is angry with me. *sigh*
  • 49. Repokid – More Python woes… • Instance says virtual env isn’t there (apparently). • Instance also says there is no Git. • Fair enough. • Pull Git package. • Try to pull repo from Github. • There’s already a repokid directory?! Me
  • 50. Repokid – Only one thing to do TERMINATE
  • 51. Repokid – Git and SSH key troubles • Wash, rinse, repeat the previous slides. • Accessing Git repo…
  • 52. Repokid – Let’s try that again • Generate fresh SSH keys. • Add to my agent. • Upload to Github.
  • 53. Repokid – Never mentioned I needed a database • Apparently I need a Dynamo DB. • Use a small local one for dev purposes. • Pull Java packages, etc. to run it. • This seems to be working fine.
  • 54. Repokid – Readmes with footnotes • The footnotes for Repokid are important. • Describe what roles need to be set up for the instance to work. • Might have been useful further up the document…
  • 55. Repokid - Fine tuning JSON • Fine tune the JSON config file. • Point at Aardvark, Dynamo DB and IAM role. • Aaaaand…
  • 56. Repokid – Production issues • role.policies only checks inline policies. Attached policies are ignored. • Generates heaps of alerts/errors in Lightsail. • The advice for the moment is… just put up and shut up. • (unless you’re going to write your own code to fix)
  • 57. Repokid - Scoreboard • Instructions – 2/10 • Accuracy of instructions – 2/10 • Ease of configuration – 7/10 • Ragequit score – 7/10
  • 58. And I’m finished!
  • 59. Lessons learned • Read what instructions you have carefully… • … but don’t be entirely beholden to them. • Get your base packages and dependencies in order with your code. • Have your supporting tools (terminal, Github, etc.) all in order. • Don’t be afraid to try to run things slightly differently if it works better for your environment. • It’s not failing to ask for help if you’re really stuck.
  • 60. What’s next? • Diffy! • Diffy is a triage tool to help digital forensics and quickly identify compromised hosts on which to focus their response. • Diffy finds outliers among a group of very similar hosts and highlights those for a human investigator, who can then examine those hosts more closely. • So far… so little instruction.
  • 61. Documents and links • Netflix Open Source Software Center - https://netflix.github.io/ • Netflix tech blog - https://medium.com/netflix-techblog • Netflix Git repository - https://github.com/Netflix • Lyft’s implementation of BLESS - https://www.youtube.com/watch?v=PMlT1raRMA0 • Versent’s saml2aws repository - https://github.com/Versent/saml2aws • Versent’s unicreds repository - https://github.com/Versent/unicreds • Sethkor’s BLESS repository - https://github.com/sethkor/blesskor • Risky Business #486 Repokid episode - https://risky.biz/RB486/ • Netflix Security’s YouTube Channel - https://www.youtube.com/channel/UCCic-LGj5o892PhU_xrWq-g
  • 62. Thanks for not ragequitting on my talk and going to happy hour. Questions? @_sarahyo
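
The Repokid production issue on slide 56 (only inline policies are checked, attached policies are ignored) can be seen in a small model. This is an added example, not Repokid's code and not from the talk: the role, policy names, the used-service set and all function names are constructed assumptions, and the trimming logic is a simplified stand-in for an inline-only pass.

```python
import copy

# Constructed sample data (not from the talk): one role with an inline policy,
# one attached managed policy, and the services Access Advisor reports as used.
ROLE = {
    "RoleName": "example-app-role",  # hypothetical name
    "InlinePolicies": {
        "app-inline": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Resource": "*",
                 "Action": ["s3:GetObject", "s3:PutObject",
                            "sqs:SendMessage", "ec2:DescribeInstances"]},
                {"Effect": "Allow", "Resource": "*", "Action": "dynamodb:*"},
            ],
        }
    },
    "AttachedPolicies": {
        "ExampleManagedPolicy": {  # hypothetical name
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Resource": "*",
                          "Action": ["dynamodb:Scan", "kms:Decrypt", "s3:ListBucket"]},
        }
    },
}
USED_SERVICES = {"s3", "sqs"}  # constructed Access Advisor result


def _statements(doc):
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    st = doc["Statement"]
    return [st] if isinstance(st, dict) else list(st)


def _actions(statement):
    """IAM allows Action to be a string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def _service(action):
    """'s3:GetObject' -> 's3'; a bare '*' cannot be attributed to one service."""
    return action.split(":", 1)[0].lower() if ":" in action else "*"


def allowed_services(policies):
    """Service prefixes granted by Allow statements across a dict of policy documents."""
    found = set()
    for doc in policies.values():
        for st in _statements(doc):
            if st.get("Effect") == "Allow":
                found.update(_service(a) for a in _actions(st))
    return found


def trim_inline(policies, used):
    """Copy of the inline policies with Allow actions for unused services removed.

    Bare '*' actions are kept, because they cannot be tied to one service.
    Statements left with no actions, and policies left with no statements, are dropped.
    """
    trimmed = {}
    for name, doc in policies.items():
        kept = []
        for st in _statements(doc):
            st = copy.deepcopy(st)
            if st.get("Effect") == "Allow" and "Action" in st:
                st["Action"] = [a for a in _actions(st)
                                if _service(a) in used or _service(a) == "*"]
                if not st["Action"]:
                    continue
            kept.append(st)
        if kept:
            trimmed[name] = {**doc, "Statement": kept}
    return trimmed


def audit_role(role, used):
    """Run the inline-only pass, then report what the attached policies still grant."""
    before = allowed_services(role["InlinePolicies"])
    trimmed = trim_inline(role["InlinePolicies"], used)
    after = allowed_services(trimmed)
    attached = allowed_services(role["AttachedPolicies"])
    return {
        "removed_from_inline": sorted(before - after),
        "unused_but_still_attached": sorted(attached - used - {"*"}),
        "trimmed_inline": trimmed,
    }


if __name__ == "__main__":
    report = audit_role(ROLE, USED_SERVICES)
    print("removed from inline:      ", report["removed_from_inline"])
    print("unused, still via attached:", report["unused_but_still_attached"])
```

In this sample, `dynamodb` is stripped from the inline policy yet the role can still reach it through the attached policy, which is the gap a reviewer has to close separately.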