
Security Battle Wounds from a Cloud SRE

Speaker: Jane Miceli
Learn about a breach, what happens in the aftermath and why I can't tell my peers what happened. Learn about the fallout and, more importantly, what application developers aren't thinking about.


  1. Security Battle Wounds from a Cloud Site Reliability Engineer … And a few lessons. By Jane Miceli @janemiceli #defcon27 @cloudvillage_dc jane@janemiceli.com
  2. Agenda • Background information • Battles • Lessons learned • Questions? @janemiceli #devops27 #cloudvillage #cloud #security @cloudvillage_dc
  3. What is DevOps anyway? @janemiceli #devops27 #cloudvillage #cloud #security
  4. SRE vs DevOps @janemiceli #devops27 #cloudvillage #cloud #security
  5. What technologies are used? @janemiceli #devops27 #cloudvillage #cloud #security
  6. Battles: The mindset of developers @janemiceli #devops27 #cloudvillage #cloud #security
  7. Battles: The mindset of managers @janemiceli #devops27 #cloudvillage #cloud #security
  8. Battles: The view of security @janemiceli #devops27 #cloudvillage #cloud #security
  9. Battles: The view from security @janemiceli #devops27 #cloudvillage #cloud #security
  10. Battles: My own secrets vault means faster, “I’m cool”, no software purchase. @janemiceli #devops27 #cloudvillage #cloud #security
  11. Battles: The accumulation of insecure technical debt @janemiceli #devops27 #cloudvillage #cloud #security
  12. Fubar @janemiceli #devops27 #cloudvillage #cloud #security
  13. Advice for CyberSecurity
      • Developers/Engineers/coders need you.
      • If it’s hard to understand, it won’t get fixed.
      • Don’t send reports of scans; help them investigate the findings and recommend mitigation.
      • Learn some coding, learn to show secure coding and use of libraries, do code reviews.
      • Turn around answers quickly – it’s an opportunity to influence.
      • Use simple and concise security policies that everyone can understand and obey.
      • Tell them no when appropriate, but give alternatives to enable.
      • Involve coders in an investigation, so the impact is well understood.
      @janemiceli #devops27 #cloudvillage #cloud #security
  14. Advice for Developers/Engineers/Programmers
      • Security is your friend; secure coding is not new.
      • Plain text, or base64 encoding, is not OK.
      • Use good random generators.
      • You don’t need production access.
      • Take in-depth security training. Don’t take the easy way out.
      • Cleanup is important, as well as least privilege, reducing the attack surface.
      • If that doesn’t make sense, take a week-long security class.
      • Don’t roll your own vaulting mechanism or cryptography, AND Git is not for secrets!
      • POCs turn into production really fast.
      • Vet all the libraries, and even the plugins on approved apps.
      • Try not to get the security exception for being “business critical”.
      @janemiceli #devops27 #cloudvillage #cloud #security
  15. Lessons Learned @janemiceli #devops27 #cloudvillage #cloud #security
  16. Questions? Twitter: @janemiceli #defcon27 @cloudvillage_dc #cloud #security Web: www.janemiceli.com Email: jane@janemiceli.com
