DevSecOps - a 2 year journey of success & failure!
•Télécharger en tant que PPTX, PDF•
4 j'aime•572 vues
I've spent over 2 years at Skyscanner 'doing security stuff'. There have been lots of successes, but also some failure - here's a whistle-stop run-down!
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à DevSecOps - a 2 year journey of success & failure!
Similaire à DevSecOps - a 2 year journey of success & failure! (13)
Plus de Stu Hirst
Plus de Stu Hirst (7)
Dernier
Dernier (20)
DevSecOps - a 2 year journey of success & failure!
- 1. DevSecOps A 2-year journey of success & failure! @StuHirstinfosec
- 2. Skyscanner 2017 @StuHirstinfosec A bit about me; Former RBS mainframe procrastinator, turned excited internet security bloke Head of Security Squad Lead Product Owner PCI Manager Security Manager SecOps Lead “Doing Security things at Skyscanner ”
- 3. Skyscanner 2017 @StuHirstinfosec A bit about me; 1. I LIKE MEMES 2. I DON’T REALLY KNOW WHAT I’M DOING
- 5. Skyscanner 2014 Skyscanner Security in 2014…
- 6. Skyscanner 2017 Skyscanner Security in 2017… WE HAVE A LOGO N’ EVERYTHING! @StuHirstinfosec
- 7. Skyscanner 2017 Skyscanner Security in 2017… @StuHirstinfosec
- 8. Some successes – look out for the failure klaxon! @StuHirstinfosec
- 10. Skyscanner 2017 WHAT IS A BUG BOUNTY SCHEME? CROWD SOURCED security ‘Hackers For Hire’ @StuHirstinfosec
- 11. Skyscanner 2017 @StuHirstinfosec In 2015 we trialled a scheme I didn’t set an effective scope….
- 13. Skyscanner 2017
- 14. Skyscanner 2017
- 15. Skyscanner 2017 2 week scheme – glut! 365 scheme – needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys! @StuHirstinfosec
- 16. Skyscanner 2017 Ideal outcomes; • Weed out certain types of bug in your code altogether • Make researchers work harder for their cash! • Scale the scheme & make it more valuable over time @StuHirstinfosec
- 22. Skyscanner 2017 WHAT DATA DO YOU STORE OR PROCESS? @StuHirstinfosec HOW VALUABLE IS IT TO YOU?
- 23. Skyscanner 2017 User data Employee data Financial data Flights, hotel, car hire data Code Credentials @StuHirstinfosec
- 27. User Data @StuHirstinfosec Disclaimer; I am not a cryptograph y expert
- 29. User Data Data in transmission ; TLS not SSL (and get rid of your old ciphers! – run SSL Labs!) @StuHirstinfosec
- 30. User Data Data at rest; AES256 Don’t accept any substitutes! @StuHirstinfosec
- 31. User Data Q: When you encrypt data – can you tell me where you put the decryption keys? @StuHirstinfosec
- 34. Skyscanner 2017 Passwords in Plain Text?! Dude, it’s 2017. @StuHirstinfosec
- 35. Skyscanner 2017 Password Hashing: @StuHirstinfosec “I DID NOT HAVE MD5 RELATIONS WITH THAT PASSWORD”
- 36. Skyscanner 2017 Password Hashing: @StuHirstinfosec THESE ARE GOOD ARGON2 IS BETTER!
- 37. Skyscanner 2017 Complexity Vs Entropy @StuHirstinfosec J8^*uhg54$3. ILikeToGoToTheShopForCoffee
- 38. Skyscanner 2017 @StuHirstinfosec • Get rid of credentials in code; GitHub/GitLab etc • Credstash • Git Secrets • GitLeaks (have fun!) Q. What’s the best way to protect credentials in code? A. Don’t have any
- 41. What we do… What we do: Security Champions @StuHirstinfosec
- 43. What didn’t go so well? What didn’t go so well? Secure Coding Online Training “I’m too busy!!”
- 44. What we do… What we do: Crypto & Bug Challenges @StuHirstinfosec Hosted in AWS – cheap, easy to build!
- 45. What we do… What we do: Crypto & Bug Challenges @StuHirstinfosec Security Swag - everyone loves t- shirts & stickers!
- 46. What we do… What we do: Security Meet Up @stuhirstinfosec
Notes de l'éditeur
- I like memes – here is my obligatory Ive Just Had A Baby meme. (like I’m the only guy who has ever had a baby!) I don’t really know what I’m doing. I don’t say that flippantly or because I have a bad dose of imposter syndrome, but rather I work at a company which does things a bit differently, and I include Security in that. There aren’t too many companies I can look to, to understand the right thing to do.
- Major global travel brand – meta search engine for flights, hotels and car hire, inc mobile app.
- Security shouldn’t exist merely to clean up the unicorn sh*t from DevOps engineers
- I deal with enough of that at home at the moment!
- Today I’m going to talk a little bit about DATA I made this meme especially and I’m particularly proud of it, which probably doesn’t say much for my current social life.
- We all work for companies that are essentially data driven The two main questions you should concern yourself with, are: What data do you store? How valuable is it to you? By valuable, I mean, how does it define your business, but also from a security point of view, what would be the implications of it not being available, or it being breached in some way?
- We’re obviously very data driven at Skyscanner All manner of data (this isn’t an exhaustive list) User Employee Financial Flights, hotel, car data And then code and credentials, which is just data, right?
- We use data for all manner of reasons – including metrics across the business
- One of the drivers for tightening up on data security and Skyscanner is no different, is GDPR. Now I know it’s a pretty dry subject and you’ll have heard lots already, but the consequences of breaches are about to increase massively and a lot of businesses are simply unprepared. So perhaps I can help with a few ideas today
- 2nd disclaimer; I will talk about some cryptographic principles. But I am not a cryptography expert! Mr Buchanan is! Most engineers are not cryptography experts either, so when I hear people talk about creating ‘custom crypto’…..
- …..custom crypto…. Please don’t. We have some wonderful, well established cryptographic protocols in the industry today, we don’t really need individuals creating their own. So let’s have a look at two of the simple ones, but widely not yet fully explored; This will be old news to many of you, but sadly not all!
- You really should be designing systems to use TLS and not SSL. I’ve seen companies implement TLS but then not get rid of their old ciphers – you can check using SSLLabs for websites. Google now flag websites which either don’t use HTTPS as standard, or have weak ciphers.
- Data At Rest There’s only really one standard – AES256 – that’s the recognised industry standard for encryption at rest
- SOMEWHERE ELSE! And rotate keys; 90 days is good practice