DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud containers

•Descargar como PPTX, PDF•

2 recomendaciones•414 vistas

Rahul Kumar & Rupali Dash In the current era of blockchain technology, mining crypto currency is one of the biggest hit. The talk covers how the attackers use the insecure containers to mine crypto currency and earn million dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by many intrusion detection companies. While there have seen a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just less than 5 million. The talk will cover how the mining activities has been done using browsers as well as cloud containers. We will also discuss how the cloud provides like amazon, azure and go are detecting such kind of activities and how minor misconfigurations leads to million dollar currency mining. The talk will also cover how 3rd party security providers like symantec and z-scalar and other intrusion detection system has configured signatures to block such kind of attacks. As well as from a sec-ops prospective what configuration checks should be done to prevent against such kind of attacks as well as detection of attacks. It will also cover some case studies and attack scenarios of mining Monero and the huge financial losses because of this attacks.

Tecnología

Singapore | 28 Feb - 01 Mar 2019
Cryptojacking
RAHUL KUMAR & RUPALI DASH

Singapore | 28 Feb - 01 Mar 2019
Who are we?
Rahul Kumar
• Security Engineer, DSRE, Microsoft
India R&D
• Vulnerability Management &
Research
• Security Researcher @ DSLabs
Trend Micro
• Security solution developer
Rupali Dash
•Pentester at AXL.net
•Specialist in Web and Mobile app
security
•SecOps Consultant

Singapore | 28 Feb - 01 Mar 2019
Why Cryptojacking… why now?

Singapore | 28 Feb - 01 Mar 2019
What we will be talking…
• Intro to cryptojacking
• Types of cryptojacking
• The story time
• Cloud misconfigurations leading to
cryptojacking
• Detection/Evasion techniques
• Mitigation
• Security Solutions

Singapore | 28 Feb - 01 Mar 2019
Cryptomining
Vs
Cryptojacking
•

Singapore | 28 Feb - 01 Mar 2019
Types of cryptojacking
• Browser based mining
• Server based mining
• Containerized mining
• Microsecvice oriented mining

Singapore | 28 Feb - 01 Mar 2019
The Story time
The attack flow
• Infection
• Bootstrapping
• Mining
• Discovery
• Spreading the infection

Singapore | 28 Feb - 01 Mar 2019
Infection
• By Default docker enables unix socket .
• Docker used port 2375/2376 over TCP for remote access to docker services.
• The infection spreads across hosts using misconfigured or loosely configured docker
services that exposes its REST management APIs through open and unauthenticated TCP
ports .

Singapore | 28 Feb - 01 Mar 2019
Bootstrapping & mining

Singapore | 28 Feb - 01 Mar 2019
Discovery and spreading the infection

Singapore | 28 Feb - 01 Mar 2019
Last but not the least . . .

Singapore | 28 Feb - 01 Mar 2019
Cloud misconfigurations leading to cryptomining
• Open kubernetes console or Docker registries
(Docker Hub)
• Attackers can find open dockers registries and
registries with default creds
• They can build docker image with malicious
code
• And push that malicious image to registry

Singapore | 28 Feb - 01 Mar 2019
Cloud misconfigurations leading to cryptomining
• Use of Un-patched components
• The attacker can scan for unmatched
components/services .
• They can use exploits to gain privilege and inject
their mining code
• WebLogic RCE: CVE-2017-10271

Singapore | 28 Feb - 01 Mar 2019
Cloud misconfigurations leading to cryptomining
• Writable AWS S3 bucket

Singapore | 28 Feb - 01 Mar 2019
Cloud misconfigurations leading to cryptomining
• Use of malicious 3rd party libraries
• Attacker can inject malicious code to 3rd
party libraries
• Whoever uses this malicious library will
get infected
• Browsealoud JavaScript library

Singapore | 28 Feb - 01 Mar 2019
Detection Techniques
• Signature based (Unique identifier
string/Wallet address)
• Domain based detection, Blacklisting
domains/IP which are hosting
cryptomining scripts
• Anomalous CPU utilisation
• Analysis of DNS client traffic
• Monitoring IRC communication
• http://cryptoioc.ch/api

Singapore | 28 Feb - 01 Mar 2019
Evasion techniques used by morden crypto-malwares
• Use of proxy and URL Randomisation
• Use of legitimate code hosting services
like Github and PasteBin
• Use of obfuscation
• Throttling

Singapore | 28 Feb - 01 Mar 2019
Mitigation Techniques
• Keep containers patched and updated. Have a continuous patch cycle.
• Ensure that the container images are authenticated, signed and drawn from
a trusted registry. (Docker Trusted Registry)
• Employ encrypted communication protocols when exposing Docker’s
daemon to network. Enable TLS by specifying the tlsverify flag and pointing
Docker’s tlscacert flag to trusted CA certificate
• Properly configure how much resources a container is allowed to use.
• Don’t use the default configuration

Singapore | 28 Feb - 01 Mar 2019
Solution providers

Singapore | 28 Feb - 01 Mar 2019
Thank you

Singapore | 28 Feb - 01 Mar 2019
References:
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2018/06/27125925/KSN-
report_Ransomware-and-malicious-cryptominers_2016-2018_ENG.pdf
• https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-by-design-a-checklist-for-
safeguarding-virtual-machines-and-containers
• https://docs.docker.com/develop/dev-best-practices/
• https://docs.docker.com/engine/security/https/

Más contenido relacionado

La actualidad más candente

As presented on 22th of November 2018 in Prague. Modern applications leverage a variety of services, and often span across on premises, IaaS, PaaS and SaaS. Monitoring these environments is different from traditional systems. We have more and more data available from the platform with the likes of ARM Activity Logs, Azure Monitor, Log Analytics and Application Insights. With a massive amount of signal and noise being generated in all these systems, how do we get our arms around what is happening? Is my application impacted in an ongoing Azure outage? Are my integrations intact? Which services from Azure should I use to monitor my application end-to-end? Come and hear how to answer these questions. After the session, you’ll have deeper understanding of end-to-end monitoring techniques in Azure solutions and know which services to choose for which scenario.

UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...

Karl Ots

What are your APIs Worth?

Apigee | Google Cloud

Modern applications leverage a variety of services, and often span across on premises, IaaS, PaaS and SaaS. Monitoring these environments is different from traditional systems. We have more and more data available from the platform with the likes of ARM Activity Logs, Azure Monitor, Log Analytics and Application Insights. With a massive amount of signal and noise being generated in all these systems, how do we get our arms around what is happening? Is my application impacted in an ongoing Azure outage? Are my integrations intact? Which services from Azure should I use to monitor my application end-to-end? Come and hear how to answer these questions. After the session, you’ll have deeper understanding of end-to-end monitoring techniques in Azure solutions and know which services to choose for which scenario. As presented in Rotterdam at Azure Low Lands 2019.

Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...

Karl Ots

Sri monthly presentation 2016

Akash Rajguru

Building Resilient Microservices

IndicThreads

STIX CyBox Creator Application STIX is a language developed for specify, capture, characterize and communicate the Cyber Threat Information. More information can be found on: http://stixproject.github.io/about/ About application: STIX CyBox Creator application is developed using python as a back end programming language. Is a client based application which allows user (e.g. Cyber Security Analyst) to connect with IMAP server (e.g. gmail sever) using email account credentials and also enables to create a STIX CyBox document for selected email.

Sri monthly presentation 2015

Akash Rajguru

I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast

Apigee | Google Cloud

Presentation from the technology track at I Love APIs London 2016 featuring Sridhar Rajagopalan, Apigee. Organisations have been using layered threat protection techniques to protect their crown jewels from cyber criminals. Security protection approaches encompass identification, detection, protection and response to threats. However, these approaches typically address "Known Knowns" threats and are not adequate for protecting your backend and APIs from sophisticated "Known Unknowns" attack vectors. Hackers are exploiting weak mobile apps, stolen keys, and information scrappers (bots) that emulate human behavior to exfiltrate data from your backend. How can you mitigate security threats that are adaptive and blend with legitimate traffic? In this session, we'll present Apigee's innovative data driven security approach that detects intelligent Bots, transaction anomalies and help protect your APIs from cyberthreats, in real-time.

Data Driven Security

Apigee | Google Cloud

Bradford Stephens, Developer Evangelist, Ping Identity APIs are the glue of the web, and Enterprise APIs are driving innovation inside and out of the cloud. Now that information is being shared more freely, how can we secure those APIs? Data silos are falling across the enterprise and needs for interoperability are rising -- but how do you manage access in a de-siloed world? This talk will mix best practices and real-world examples for examining how to secure your APIs.

CIS13: APIs, Identity, and Securing the Enterprise

CloudIDSummit

Serverless integration - Logic Apps the most comprehensive integration service

BizTalk360

Will ServerLess kill containers and Operations

Stephane Woillez

API Design Workflows

Jakub Nesetril

Protecting your pricing strategy from bad bots employed by your competitors, requires a data-driven approach to identify and stop bad bots—automatically. In this webcast, we'll explore ways to stop bad bots from impacting your enterprise applications, including: - understanding the nature of bot attacks and typical use cases - techniques to detect and stop bad bots, while allowing good bots in - implementing technologies in your security stack to protect against bots

Protect your APIs from Cyber Threats

Apigee | Google Cloud

APIs provide both an extraordinary opportunity for both building engaging customer experiences and for strengthening your relationship with key business partners, but they also provide potential openings for savvy hackers to get unauthorized access to customer data and perhaps even to compromise your key business systems. This presentation covers: - API security fundamentals - how to proactively watch for trouble - protection and mitigation strategies to keep your customers and your business safe

APIs: The New Security Layer

Apigee | Google Cloud

apidays LIVE Paris - Principles for API security by Alan Glickenhouse

apidays

2 SPEAKERS IN A SINGLE SERVERLESS MEETUP: 1st) Bhavana Srinivas (https://twitter.com/bhavana1110), Solutions Engineer at Netlify.com; (2nd) Mark McQuade (https://www.linkedin.com/in/mark-mcquade/), Cloud Solution Architect at Onica.com 1. Bhavana showed us how to bring alive static sites with Functions. She dived deeper into building sites the JAMstack.org way and demoed how to hook up these sites with Serverless Hello Worlds to more useful 3rd party services. (recording at https://www.youtube.com/watch?v=l0oWGGctKZc) 2. Mark gave an AWS "This is My Architecture"-style talk, about stitching Serverless components to implement Audio Transcription and Sentiment Analysis Pipeline for a Call Centre client who was exploring the benefits of AI & Machine Learning (ML) in the Cloud. (recording at https://www.youtube.com/watch?v=l0oWGGctKZc&t=2310s) P.S. Special thanks to Myplanet (https://www.myplanet.com/) for providing the space, and Thundra (https://www.thundra.io/) for providing pizza and refreshments! P.P.S. If you'd like to speak at any of the upcoming Serverless Toronto User Group events, our Slack community (via http://slack.ServerlessToronto.org) and add your topic to the #want-to-present channel.

Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...

Daniel Zivkovic

Move Fast;Stay Safe:Developing & Deploying the Netflix API

Sangeeta Narayanan

APIs and the Connected Home - Connections 3scale2014

3scale

Sitaraman Lakshminarayanan Sr Security Architect at Pure Storage Authorization has two components – Policy Definition and Policy Enforcement. Traditionally both used to be centralized and we spent all the time Integrating products- Built or Bought with Centralized Access Management. This typically led to increased cycle time to change any access policy or change software/deployment to fit into one particular authorization model. When that doesn’t fit, we would end up with multiple authorization enforcements written in different languages with or without any adherence to any standards such as XACML or others. Imagine building few different or hundreds of products or services or micro services and you have to centrally manage all possible access policies. It’s definitely not a scalable solution in fast moving CI/CD world. Now imagine a way where every developers or products can externalize its authorization and we can modify authorization enforcement in a consistent manner? Imagine where developers can write their own implementation of how authorization should be enforced for their environment? Remember there is no one size fits all authorization policy. A policy that works for your environment does not work for my environment – for any number of reasons from Risk management to type of business applications. Open Policy Agent provides a consistent way to write authorization logic and expose it as REST API. Applications can easily integrate with OPA and can also write their own authroziation logics. Whether you are shipping products to customers or integrating a Product or Service into your environment, how awesome it would be to enforce your own authorization rules instead of changing your business process of who can gain access to what features. In this talk we will explore the benefits of Decentralized Authorization and how to use Open Policy Agent to achieve decentralized authorization. A closer look at few applications /integrations whether it is REST API /Micro Services, or Kubernetes to control various authorization policies as to who can deploy/what can you deploy. We will also look at how to build Integration tests to check our authorization policies.

DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...

DevSecCon

Backend-as-a-Service (BaaS) has become essential technology for mobile developers. By enabling drastically shorter mobile app implementation timelines, BaaS continues to be a developer's best bet to simplify and scale app development. In our deep-dive technical series, we look at Apigee Edge API BaaS, which enables web and mobile app developers to link their apps to a cloud datastore and provide features including user management, push notifications, geolocation services, and more. Listen to the podcast version here: http://bit.ly/1BRNKaw

Edge API BaaS Deep-Dive: Streamline app development

Apigee | Google Cloud

La actualidad más candente (20)

UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...

What are your APIs Worth?

Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...

Sri monthly presentation 2016

Building Resilient Microservices

Sri monthly presentation 2015

I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast

Data Driven Security

CIS13: APIs, Identity, and Securing the Enterprise

Serverless integration - Logic Apps the most comprehensive integration service

Will ServerLess kill containers and Operations

API Design Workflows

Protect your APIs from Cyber Threats

APIs: The New Security Layer

apidays LIVE Paris - Principles for API security by Alan Glickenhouse

Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...

Move Fast;Stay Safe:Developing & Deploying the Netflix API

APIs and the Connected Home - Connections 3scale2014

DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...

Edge API BaaS Deep-Dive: Streamline app development

Similar a DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud containers

Cloud Conputing Basics and some Related Research Topics

Tharindu Weerasinghe

Zerotrusting serverless applications protecting microservices using secure d...

Trupti Shiralkar, CISSP

A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity. Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services. Join to learn about: - The role of the security officer in helping IT and business meet objectives - How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs. - Best practices that work for an API centric enterprise Download podcast: http://bit.ly/1B6h3TR

Security as an Enabler for the Digital World - CISO Perspective

Apigee | Google Cloud

501 ch 4 securing your network

gocybersec

Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is, that barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise. Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage. But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization? Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

Priyanka Aash

Shifting security left simplifying security for k8s open shift environments

LibbySchulze

Microservices Architecture

Thang Nguyen

How to make the move towards hybrid cloud computing

David Strom

Microservices security CSA meetup ppt 10_21_2015_v2-2

Vishwas Manral

Protecting microservices using secure design patterns 1.0

Trupti Shiralkar, CISSP

Offensive cyber security engineer pragram course agenda

ShivamSharma909

Offensive cyber security engineer

ShivamSharma909

Offensive cyber security engineer updated

InfosecTrain

Cryptography

1326OmkarKamble

Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards. Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable. Topics covered include: • Properly protecting stored cardholder data - encryption, hashing, masking and truncation • Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security • How to identify and mitigate missing encryption

Protecting Sensitive Data (and be PCI Compliant too!)

Security Innovation

Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015

Sina Manavi

NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...

NUS-ISS

PAUL SCHWARZENBERGER Access keys in GitHub, open security group rules, misconfigured Identity and Access Management roles, private SSL certificate keys kept in code repositories and open S3 buckets. Just some of the security issues which led to a journey towards automated compliance solutions for cloud infrastructure and applications. Paul describes a framework for Continuous Cloud Compliance, and demonstrates some of the techniques and tools he has used while working on cloud migration projects and operational cloud applications for both public and private sector organisations.

DevSecCon London 2018: A Journey to Continuous Cloud Compliance

DevSecCon

Building a strong security strategy

Singtel

This slide was prepared for the purpose of a meetup of Azure Bootcamp in Bhubaneswar area, India. It describes microservices, its uses and the approach for implementing it. It differentiates a monolithic and a microservice architecture clearly. It describes what a web application is and how it can be designed and deployed as well. It describes the tools and terminologies that a microservice learner comes across and gives a proper explanation of it.

Microservices

Priyabrata Pati

Similar a DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud containers (20)

Cloud Conputing Basics and some Related Research Topics

Zerotrusting serverless applications protecting microservices using secure d...

Security as an Enabler for the Digital World - CISO Perspective

501 ch 4 securing your network

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

Shifting security left simplifying security for k8s open shift environments

Microservices Architecture

How to make the move towards hybrid cloud computing

Microservices security CSA meetup ppt 10_21_2015_v2-2

Protecting microservices using secure design patterns 1.0

Offensive cyber security engineer pragram course agenda

Offensive cyber security engineer

Offensive cyber security engineer updated

Cryptography

Protecting Sensitive Data (and be PCI Compliant too!)

Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015

NUS-ISS Learning Day 2018- Designing software to make the most of cloud platf...

DevSecCon London 2018: A Journey to Continuous Cloud Compliance

Building a strong security strategy

Microservices

Más de DevSecCon

Xavier Garceau-Aranda Senior Security Consultant at NCC Group With the steady rise of cloud adoption, a number of organizations find themselves splitting their resources between multiple cloud providers. While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges. The workshop will aim to familiarize attendees with Scout Suite (https://github.com/nccgroup/ScoutSuite), a key component of NCC Group’s cloud agnostic approach to security assurance. Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than pouring through dozens of pages on the web consoles, Scout Suite provides a clear view of the attack surface automatically. The following cloud providers are currently supported: - Amazon Web Services - Microsoft Azure - Google Cloud Platform - Oracle Cloud Infrastructure - Alibaba Cloud During the workshop, attendees will leverage Scout Suite to assess a number of cloud environments designed to simulate typical flaws. We will display how the tool can be leveraged to quickly identify and help with remediation of security misconfigurations.

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...

DevSecCon

Mitun Zavery Senior Engineer at Sonatype Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem. Analyze, and detail, the events leading to today’s “all-out” attack on the OSS industry Define what the future of open source looks like in today’s new normal Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?

DevSecCon

Jan Harrie Security Analyst at ERNW GmbH OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood. Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem. In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

Matt Carroll Infrastructure Security Engineer at Yelp "Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems! Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet. So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell... At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems. This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP! As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...

DevSecCon

Kristóf Tóth Software Engineer at Avatao The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries. As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint. What could possibly go wrong? We believe that education is the missing link. As appsec is still a curiosity topic on top universities, freshly graduated engineers simply have no clue. And how could they? The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec. As this trend continues, our responsibility to do something about this is on the rise. In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community. Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers. These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser. Users can attack webservices, write code to fix them or use a terminal to deploy websites by creating and pushing git tags. Nothing here is a mock-up: Every software component is real. In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it. During the session we will open source the framework with the hope of creating a better, secure future together.

DevSecCon Seattle 2019: Containerizing IT Security Knowledge

DevSecCon

DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...

DevSecCon

Matt Lavin Software Architect at LifeOmic It's possible to have rapid feature delivery and happy developers without sacrificing high security and compliance. At LifeOmic, we've built an automated change management system that allows production deployments without slow human approval. We maintain HIPAA and HITRUST compliance while still allowing continuous delivery. I'll show how to collect data from BitBucket, Jenkins, and security scan tools to ensure that the approved processes have been followed. You'll hear how fast production approval incentivizes developers to follow good practices, and become advocates for following the process instead of pushing against it. Automating process checks as a gate to deployments is a great framework for promoting the behavior you want in your organization. Don't give up on rapid feature delivery just because you work in a regulated industry.

DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...

DevSecCon

Julian Berton Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service. To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures: * Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process. * Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public. * "JIT” Education - Changing a companies security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

DevSecCon

Trinh Tran & Dennis Stötzel Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world. In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory. We will cover the following topics in our talk: * Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds, * Development, delivery and security as a requirement in an agile project, * The good, the bad and the ugly in technology, architecture and infrastructure.

DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...

DevSecCon

Sanoop Thomas & Samandeep Singh Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases. The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.

DevSecCon Singapore 2019: Workshop - Burp extension writing workshop

DevSecCon

Cameron Townshend Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system. As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps. Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it. Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%. Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle. Attendees of this session will walk away with: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

DevSecCon

Nadira Bajrei IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market. This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from internal and external site.

DevSecCon Singapore 2019: The journey of digital transformation through DevSe...

DevSecCon

Liz Rice The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess. Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers. During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes: Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark. Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)

DevSecCon Singapore 2019: Preventative Security for Kubernetes

DevSecCon

COLIN DOMONEY The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software. Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes. At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage, in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a ‘chain of custody’ within a pipeline due to a lack common interchange format between tools, or a standard manner to represent the steps within a pipeline build process. This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools. Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated. Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.

DevSecCon London 2018: Is your supply chain your achille's heel

DevSecCon

Paweł Krawczyk Most network services and daemons now offer TLS transport protection and their managing certificates and TLS configuration for server farms may use more resources than actual configuration of these services. What if you could get rid of all this complexity and replace it by single transport protection protocol, securing all of the traffic between your servers trasparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten in that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.

DevSecCon London 2018: Get rid of these TLS certificates

DevSecCon

PETKO D. PETKOV Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

DevSecCon London 2018: Open DevSecOps

DevSecCon

MIKE SHEMA Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills of working with others to build and maintain apps. And the solutions they strive for don’t always catch the importance of how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven’t built up equivalent resources, references, or models for the people we build apps with and who we build them for. This presentation dives into specific techniques and references for working with people and building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building skills that are important to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they also face the same challenges in solving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it’s made of people.

DevSecCon London 2018: Building effective DevSecOps teams through role-playin...

DevSecCon

KEVIN BACKHOUSE With the increasing awareness and adoption of DevSecOps, organisations are beginning to fully understand the crucial role that security plays, integrating it into every part of the development and deployment process, from start to finish. New processes such as vulnerability disclosures & bug bounty programs, red team exercises, pen-testing initiatives and static & dynamic code analysis are putting security front and center. These initiatives are proving to be an incredible source for discovering previously unknown vulnerabilities, and fixes are generally implemented and deployed pretty quickly. However, this response is often not quite enough. In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and sometimes across multiple projects. Sometimes there are a number of simultaneously active instances of these mistakes, and sometimes there’s only ever one active instance at a time, but it keeps reappearing. When these mistakes lead to security vulnerabilities, the consequences can be severe. With each vulnerability discovered or reported, if the root cause was a bug in the code, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement a process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a process for doing just this, and discuss how it can be integrated into your development and security operations. I’ll also be sharing real-world stories of what has happened when variant analysis was neglected, as well as stories of when it’s saved the day.

DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...

DevSecCon

NICK DRAGE The popularity of DevSecCon, and the enthusiasm for DevSecOps as a concept, shows that there is a desire for significant change within the IT industry – that merely improving our abilities, and our tooling, hasn’t provided the gains we expected and hoped for. This presentation will demonstrate the value of ideas from diverse areas, providing a range of examples where others have faced similar situations regarding conflict, training, adversaries, or complexity, and showing how we can use those ideas to improve our own processes and practice.

DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)

DevSecCon

YAN CUI AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out. The OWASP top 10 is as relevant to you as ever; DOS attacks are still a threat even if you can probably brute force your way through it as AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies? In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast changing world. Join us in this talk to learn more about the security threats that will affect your serverless application and some leading practices that help you combat these threats.

DevSecCon London 2018: Security in the serverless world

DevSecCon

Más de DevSecCon (20)