Where fans buy & sell tickets™

Security in the Deployment Stack
SF Bay Area Large Scale Production Engineering
October 17th, 2013
Jo Rhett
Senior Operations Architect
Disclaimer:
No StubHub! solutions are being discussed in this presentation, because:
1.  I’m drawing from 20+ years of experience.
2.  I’m an FNG at StubHub! and I haven’t learned all the great things we do yet.
3.  We’ve got even more entertaining ways to break things.
Common Security Paradigms:
1)  Analyze every decision for security benefits.
2)  Hard exterior, “soft and gooey interior”
3)  Strict (or not) host level security
4)  Strict (or not) application level security
These Paradigms are incomplete:
1)  Only small sites can be understood completely.
2)  Applications require differing levels of network access, which creates “gooey spots” in the supposedly crunchy exterior.
3)  Doesn’t account for insecure by design:
- Wikipedia, Craigslist
4)  Doesn’t account for center-less design:
- BitTorrent
5)  Insecure by ignorance: “You could do that?”
Insecure by Protecting One Layer:
Hardened network prevents external logins:
§  Application hacked to create outbound console (reverse shell)
§  Application hacked to change data without login (SQL injection, remote file inclusion)
– versus –
Hardened application enforces security paradigm:
§  Network attacks disable service (slowloris, slowpost)
§  Network attack bypasses authentication (session hijacking, replay attacks, authorization sniffer)
Insecure by Ignorance:
Easy to laugh about, much harder to solve.
1)  Network security is aimed at protecting protocols.
2)  Most things are done on the same protocol today.
3)  Decisions made in different teams create an interwoven mesh of security expectations.
- Network only allows HTTPS access
- Web API allows DB access via HTTPS
Insecure by Design:
1)  Each web service provides one or more “features”
2)  Security has to identify every approach vector, and the intersections between each feature.
3)  An attacker only has to find one feature that provides data or a hook which makes it possible to meet the expectations of a different feature.
4)  Complete security review requires N^N-1 analysis.
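As an added illustration of the intersection problem on this slide and the HTTPS-only / DB-API mesh on the previous one (this code is not from the presentation; the inventory, component names and the `authorizes` flag are constructed):

```python
"""Walk a service inventory for unguarded access chains.

Each component declares what it can reach and whether it authorizes its
callers (checks who they are and what they may do) rather than merely
accepting whoever got a connection. Each team's rule can look fine on its
own; this finds the intersections where they combine into a path from the
outside to sensitive data with no authorization on the way.
Constructed inventory; component names and the flags are hypothetical.
"""
from collections import deque
from typing import Dict, List

Inventory = Dict[str, dict]

INVENTORY: Inventory = {
    # the network rule: only HTTPS, terminated at the gateway
    "internet": {"reaches": {"gateway"}, "authorizes": False},
    # the gateway forwards to anything behind it
    "gateway":  {"reaches": {"web_api", "db_api"}, "authorizes": False},
    # the web tier logs users in before acting for them
    "web_api":  {"reaches": {"db_api"}, "authorizes": True},
    # the DB API uses "if can access": anyone who connects is served
    "db_api":   {"reaches": {"db"}, "authorizes": False},
    "db":       {"reaches": set(), "authorizes": False, "sensitive": True},
}


def unguarded_paths(inv: Inventory, source: str) -> List[List[str]]:
    """Every path from `source` to a sensitive component along which no
    intermediate hop authorizes its caller. These are the intersections a
    review should look at first."""
    found: List[List[str]] = []
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(inv[path[-1]]["reaches"]):
            if nxt in path:                    # ignore cycles
                continue
            if inv[nxt].get("sensitive"):
                found.append(path + [nxt])     # reached data with no check
            elif not inv[nxt].get("authorizes"):
                queue.append(path + [nxt])     # still unguarded, keep walking
            # a hop that authorizes ends the unguarded chain
    return found


def with_authorization(inv: Inventory, name: str) -> Inventory:
    """Copy of the inventory with `name` changed to authorize its callers."""
    fixed = {k: dict(v) for k, v in inv.items()}
    fixed[name]["authorizes"] = True
    return fixed


def review_lines(inv: Inventory, source: str = "internet") -> List[str]:
    """Human-readable findings, one per unguarded chain."""
    return [" -> ".join(p) for p in unguarded_paths(inv, source)]


if __name__ == "__main__":
    print(review_lines(INVENTORY))                                # one chain
    print(review_lines(with_authorization(INVENTORY, "db_api")))  # none
```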
Insecure by Politics:
1)  Draconian security controls frustrate teams and produce “outside” or “bypass” implementations.
2)  Failure to understand the value of cracking your application. If the attacker can make/save money, they will be very persistent.
Access versus Authorization:
“If we all have root, anyone can fix a problem...”
1)  Most security instruments deal with authentication, not authorization.
2)  Static files, DB Lookups, LDAP, Java Keystore…
3)  Many implementations use “if can access” as the authorization scheme.
4)  Projects require more access to enable Mobile and batch processing clients.
“If Can Access” Authorization:
Real e-mail:
Hey guys, this is #####. So I built out our application stack in the office and took it home on my laptop. Turns out, I can test the entire thing from home if you’ll give me direct database access…
This was possible because every dependency was a Tomcat application available on an exposed role.
But wait… It gets better!
Follow-up e-mail:
Never mind, I realized I can point at our production gateway for the DB API calls and it works fine…
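An added example, not from the presentation, of the “if can access” scheme from the previous slide beside an explicit authorization check for the scenario in the e-mail; principals, roles and operations are constructed:

```python
"""'If can access' authorization beside an explicit authorization check.

The weak handler treats reachability as permission: behind a gateway every
request arrives from the gateway's internal address, so a developer laptop
pointed at the production gateway looks exactly like the web tier. The
hardened handler authenticates the caller, maps it to a role, and checks
the requested operation against that role, denying by default and leaving
an audit record of every decision. Network controls stay as a separate
layer; they are simply no longer the authorization decision.
Constructed example; principals, roles and operations are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    operation: str                    # e.g. "orders.read" or "orders.write"
    source_net: str                   # network the connection came from
    principal: Optional[str] = None   # authenticated identity, None if anonymous


# Policy data (constructed). Roles own permissions; principals own a role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "web_api":   {"orders.read", "orders.write"},
    "batch":     {"orders.read"},
    "developer": set(),               # no production data access at all
}
PRINCIPAL_ROLES: Dict[str, str] = {
    "svc:web-api": "web_api",
    "svc:batch":   "batch",
    "user:jo":     "developer",
}

AUDIT: List[str] = []                 # decision log; ship this to your SIEM


def authorize_if_can_access(req: Request) -> bool:
    """Weak: 'if you reached me, you are allowed'. Trusts the network only."""
    return req.source_net == "internal"


def authorize(req: Request) -> Tuple[bool, str]:
    """Hardened: identity -> role -> permission, default deny, audited."""
    if req.principal is None:
        decision = (False, "unauthenticated caller")
    else:
        role = PRINCIPAL_ROLES.get(req.principal)
        if role is None:
            decision = (False, f"unknown principal {req.principal}")
        elif req.operation in ROLE_PERMISSIONS.get(role, set()):
            decision = (True, f"{req.principal} as {role}")
        else:
            decision = (False, f"{role} may not {req.operation}")
    AUDIT.append(f"{'ALLOW' if decision[0] else 'DENY'} {req.operation} "
                 f"from {req.source_net} principal={req.principal}: {decision[1]}")
    return decision


def compare(req: Request) -> Tuple[bool, bool]:
    """Return (weak decision, hardened decision) for one request."""
    return authorize_if_can_access(req), authorize(req)[0]


if __name__ == "__main__":
    # The e-mail scenario: a laptop calling the DB API through the
    # production gateway arrives with the gateway's internal address.
    laptop = Request("orders.read", "internal", principal=None)
    web = Request("orders.write", "internal", principal="svc:web-api")
    print(compare(laptop), compare(web))
```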
You can’t lock them out:
1)  Application service providers often must expose APIs to customers
2)  Mobile customers don’t use “trusted networks”
3)  The consumer provides valuable content
- Wikipedia
- Craigslist
- StubHub! to some extent
What the Business Wants: Security
1)  Lots of eyeballs
2)  Careful analysis
3)  Stability is paramount

== Slow
What the Business Wants: Agility
1)  Lean teams
2)  Respond to market quickly
3)  “Let’s break things!”

== Fast
Every person in this room stands between these points every day:
1)  Keep it up no matter what.
2)  Move faster! Let’s break things!
Feels real comfortable, doesn’t it?
Security in the Deployment Stack
We’ve discussed the problem.
Now it is time to talk about solutions.
If every component must be secure, how can you do it better and faster?
1)  You make it smaller.
2)  You make it simpler.
3)  You do it more often.
Smaller Security Evaluation
1)  Security lead from each team evaluates proposal
2)  Evaluate each intersection -- the small points
3)  Build shared knowledge
This collaboration allows each person to focus on the components they know best.
Simpler Design Theory
1)  Make each component as small as possible
2)  Use components that can be reused -- avoids “what the heck is this again?”
3)  Fewer moving parts with common dependencies
Test More Often
1)  Test for new potentials identified in review
2)  Test previous release concerns, every time
3)  Test production too
4)  Automated testing required: humans get bored
Deployment -- devOps
1)  Application security needs and deployment needs are not the same
2)  Automated is better: manual deployments lead to inconsistent deployment (human mind: didn’t I do that already?)
3)  Operations Developer writes code/policy to deploy application stack
a.  Kickstart / Cobbler / Foreman / Razor
b.  Cfengine / Puppet / Chef
c.  Mcollective / Capistrano
d.  …custom built
4)  Commit the deployment code with the release branch
Security in the Deployment Stack
Keystores
Common Security Keystores
1.  Static files
2.  Database lookups
3.  LDAP
4.  Java Keystores
5.  SSL Certificates
All of these can be installed during your application installation, or outside of it (system build or side load)
Security in the Deployment Stack
Install during System Image
Install security keystores during system build
Advantages:
1.  only needs to be tested as a unit
Disadvantages:
1.  no updates to an existing role without rebuild
Security in the Deployment Stack
Install with System Packages
Install security keystores with system packages
Advantages
1.  only needs to be tested as a unit
2.  simple redeploy with system packages
Disadvantages:
1.  requires package rebuild for simple changes
2.  limited scripting language for install/uninstall
Security in the Deployment Stack
Install with Config Management
Implement security keystore as policy implemented by
configuration management.
Advantages:
1.  Configuration change can be pushed
2.  Incremental upgrades are possible
3.  Complex upgrade procedure can be
implemented
4.  Failover, failback process can be
employed
Disadvantages:
1.  must test the deployment as well as the unit
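An added example of the disadvantage named on this slide, testing the deployment rather than only the unit, for keystores pushed by configuration management; this is not code from the presentation, and the policy table, paths and digests are constructed:

```python
"""Post-deployment check for keystores installed by configuration management.

Pushing a keystore as policy means the deployment has to be tested, not
only the unit: the files the policy describes must be on the host, carry
the content the release branch pinned, and not be readable by other
accounts. Constructed example; the policy table, paths and digests are
hypothetical, and the fixture builds a throwaway host layout under a
temporary directory rather than touching a real system.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# policy name -> {"path": absolute path on the host, "sha256": pinned digest}
KeystorePolicy = Dict[str, Dict[str, str]]


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def verify_keystores(root: str, policy: KeystorePolicy) -> List[str]:
    """One finding per violated expectation; an empty list means the
    deployed state matches the policy. `root` is "/" on a real host."""
    findings: List[str] = []
    for name, spec in policy.items():
        path = os.path.join(root, spec["path"].lstrip("/"))
        if not os.path.exists(path):
            findings.append(f"{name}: missing {spec['path']}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:04o} readable beyond owner")
        if sha256_of(path) != spec["sha256"]:
            findings.append(f"{name}: content drift from pinned digest")
    return findings


def build_fixture(stale_cert: bool = False, loose_mode: bool = False,
                  skip_jks: bool = False) -> Tuple[str, KeystorePolicy]:
    """Lay out a fake host under a temp dir plus the policy it should match.
    The flags reproduce the failure modes a deployment test must catch."""
    root = tempfile.mkdtemp()
    cert = b"-----CONSTRUCTED CERT, release 42-----\n"
    jks = b"CONSTRUCTED-JKS-BYTES"
    policy = {
        "app-tls": {"path": "/etc/app/tls/server.pem",
                    "sha256": hashlib.sha256(cert).hexdigest()},
        "app-jks": {"path": "/etc/app/keystore.jks",
                    "sha256": hashlib.sha256(jks).hexdigest()},
    }
    os.makedirs(os.path.join(root, "etc/app/tls"))
    cert_path = os.path.join(root, "etc/app/tls/server.pem")
    with open(cert_path, "wb") as fh:   # stale: previous release's cert left behind
        fh.write(b"-----CONSTRUCTED CERT, release 41-----\n" if stale_cert else cert)
    os.chmod(cert_path, 0o644 if loose_mode else 0o600)
    if not skip_jks:                     # skipped: policy never applied to this role
        jks_path = os.path.join(root, "etc/app/keystore.jks")
        with open(jks_path, "wb") as fh:
            fh.write(jks)
        os.chmod(jks_path, 0o600)
    return root, policy


if __name__ == "__main__":
    for flags in ({}, {"stale_cert": True}, {"loose_mode": True}, {"skip_jks": True}):
        root, policy = build_fixture(**flags)
        print(flags, verify_keystores(root, policy))
```

Run against a real host with `root="/"` and the policy exported from the release branch; a non-empty result is a failed deployment, not a failed unit.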
SUMMARY
1)  Security models don’t match modern expectations.
2)  Security failures are not usually in Apps or APIs, but in the intersection of access between several of them.
3)  Evaluate smaller, build simpler, test more often.
4)  Develop deployment code/policy as carefully as you do the application. Commit it with the release branch of the application.
5)  Automate your tests. Automate your deployment. Automate failure analysis.
Where fans buy & sell tickets™

We are hiring!
Operations Architects
Tools & Automation
devOps
Site Operations
Network Operations
