Why We Can’t Have Nice Things: A Tale of Woe, and Hope for the Future
Pete Cheslock
Wall of Confusion
Dev Ops Sec
DevOpsSec
@hijinksensue
Pete Cheslock
Not an InfoSec
Twitters: @petecheslock
theshipshow.com
threatstack.com
"The most costly disruptions always happen when something we take completely for granted stops working for a minute."
– President Josiah Bartlet
It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.
risk = (threat) x (probability) x (business impact)
http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html
- Jen Andre
What data are you sending?
What happens if that system is compromised?
WE TAKE SECURITY SERIOUSLY
http://blog.b3k.us/2012/01/24/some-rules.html
“These are not features: Security, Availability, Performance.” - Benjamin Black
Storing sensitive data:
https://github.com/codahale/sneaker
https://vaultproject.io
https://github.com/square/keywhiz
https://github.com/LuminalOSS/credstash
https://github.com/oleiade/trousseau
https://github.com/cloudflare/redoctober - High value secrets
https://github.com/jschauma/jass - really helpful tool for sharing of secrets using SSH keys.
Keep It Simple
Skip the ITIL IR Plan for now
“FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”
Compile your Source
Build a Package
Sign the Package
Test the Package
Deploy the Package
You can’t hate the curl bash and be OK deploying from Github
aptly
deb-s3
freight / sync to S3
packagecloud.io
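An added example, not from the talk or its slides, of the "sign, test, then deploy" discipline the pipeline above describes and the alternative to piping curl into bash: a POSIX shell script that refuses to install a downloaded artifact unless its SHA-256 matches a digest pinned alongside the deployment code. The function names, the demo file and the pinned digest are constructed for this example; a real pipeline would verify a detached signature on the package against the repository tooling's keyring, which this self-contained version stands in for with a pinned checksum.

```shell
#!/bin/sh
# Added example (not from the talk): install an artifact only after its
# SHA-256 matches a digest pinned in version control. The pinned digest is
# an assumption standing in for a signature check on the package; the
# artifact is never executed, only verified and copied.

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 on mismatch or missing file.
verify_artifact() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED_SHA256 DEST
# Copies FILE to DEST only after verification; a mismatch leaves DEST absent.
install_verified() {
    if verify_artifact "$1" "$2"; then
        cp "$1" "$3"
        return 0
    fi
    echo "refusing to install $1: digest mismatch" >&2
    return 1
}

# Constructed demo input: a one-line "install script" and its known digest.
DEMO_DIR=$(mktemp -d)
printf 'hello\n' > "$DEMO_DIR/install.sh"
# SHA-256 of the bytes "hello\n" (constructed, matches the file written above)
GOOD_SHA=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# A deliberately wrong digest, to show the refusal path
BAD_SHA=0000000000000000000000000000000000000000000000000000000000000000

# Matching digest: the artifact is copied into place.
demo_good() { install_verified "$DEMO_DIR/install.sh" "$GOOD_SHA" "$DEMO_DIR/deployed.sh"; }
# Mismatching digest: nothing is written and the function returns non-zero.
demo_bad()  { install_verified "$DEMO_DIR/install.sh" "$BAD_SHA"  "$DEMO_DIR/tampered.sh"; }
```

The point of keeping the digest in the repository rather than next to the download is that an attacker who can replace the artifact on the mirror cannot also replace the value the deploy step compares against.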
https://www.ssllabs.com/ssltest/
Safe Access to Production
“Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system”
– Mark Burgess
Trust, but Verify.
auditd + OSSEC
…and SELinux
http://stopdisablingselinux.com/
Controlled Access Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf
Labeled Security Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
National Industrial Security Program Operating Manual (NISPOM): http://www.fas.org/sgp/library/nispom.htm
Security Technical Implementation Guides: http://iase.disa.mil/stigs/Pages/index.aspx
Start Small
Identify High Risks
Security Culture is People