Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
Source: RSA Conference
1. DevSecOps on the Offense: Automating Amazon Web Services Account Takeover
Session ID: IDY-W10
Javier Godinez, Founding Member, DevSecOps.org, @isomorphix
Ian Allison, Founding Member, DevSecOps.org, @iallison

2. Disclaimer
- This is not an Amazon Web Services (AWS) issue
- This is a DevOps education issue
- It is the user's responsibility to understand the technology being used
- With power user privileges come great responsibilities

3. How our Grandfathers Ran a Stack
Photo: Glen Beck (background) and Betty Snyder (foreground) program ENIAC in BRL building 328. (U.S. Army photo)

4. How our Mothers Ran a Stack
Photo: Lawrence Livermore National Laboratory [Attribution], via Wikimedia Commons

5. How We Run a Stack
aws ec2 run-instances ami-12345678 -t m3.large -k $my-key-pair -g $my-security-group
Icons: © 2007 Nuno Pinheiro & David Vignoni & David Miller & Johann Ollivier Lapeyre & Kenneth Wimer & Riccardo Iaconelli / KDE, via Wikimedia Commons

6. The Cloud is Ripe for the Picking
Attack Surface + Misunderstanding of Technology == Low Hanging Fruit

7. Acceleration into the Cloud
Chart: Information Security Job Postings vs. DevOps Job Postings

8. Understanding the Technology You Use
- How fast can I move while still staying safe?
- Always develop in a separate account (blast radius containment)
- Read the docs for everything, make conscious decisions, and document those decisions
- Attackers will try to leverage everything against you
- Bleeding edge does not mean stable and secure. However, it can be with enough testing

9. Instance
- Virtual host
- Virtual environment on the Xen hypervisor
- Feels very much like a host running on bare metal
Diagram: Hypervisor / Instance / Operating System

10. Metadata Service
- Internal HTTP service that provides instances with information about their environment
- Available from the host at http://169.254.169.254/
- Provides temporary credentials to hosts with instance profiles
Diagram: Hypervisor / Instance OS, Metadata / Instance OS

11. Instance Profile
- AWS construct that maps a role to an instance
- An instance may or may not have a profile associated with it

12. AWS Identity and Access Management Overview
Users, Groups, Roles, Policies (Effect, Actions, Resources, Condition)

13. The Good
- Policy is specifically created for the application
- Least privilege
- Made to be as granular as possible

14. The Bad
ec2:*
iam:*
anything:*

15. The Ugly
All Access: great for development, really bad for security

16. What Does Ugly Really Look Like?
The best way to determine whether you truly have an ugly duck is by exploiting the most dangerous vulnerabilities.

17. How do we catch up?
Through automation with a dash of Ruby

18. AWS Create IAM User (CIAMU) Module
Allows for the creation of a user with admin privileges to the AWS account.
Needs access to AWS access keys or an instance role with:
- iam:CreateUser
- iam:CreateGroup
- iam:PutGroupPolicy
- iam:AddUserToGroup
- iam:CreateAccessKey
If you have instances/instance roles with this combination of IAM privileges, it's very dangerous.

19. AWS Launch Instances Module
Launches an EC2 instance with a public IP.
Required privileges:
- ec2:RunInstances
- ec2:ImportKeyPair
- ec2:CreateSecurityGroup
- ec2:AuthorizeSecurityGroupIngress
- ec2:Describe*
Can launch an instance with an instance profile; can launch a cluster of instances; can automate tasks via bootstrap.
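Slides 13 to 19 make the point that wildcard grants such as iam:* or * are what turn an instance role into the privilege set the CIAMU and Launch Instances modules need. The audit below is an added example, not code from the talk or from DevSecOps.org: it checks an IAM policy document offline against those two requirement lists, handling wildcards, NotAction and Deny precedence; the sample policies and the choice of ec2:DescribeInstances to stand in for the slide's ec2:Describe* are the author's assumptions.

```python
import fnmatch
import json

# Privilege sets the talk's two offensive modules need, taken from slides 18
# and 19. "ec2:Describe*" on the slide is represented by one concrete action.
MODULE_REQUIREMENTS = {
    "CIAMU": ["iam:CreateUser", "iam:CreateGroup", "iam:PutGroupPolicy",
              "iam:AddUserToGroup", "iam:CreateAccessKey"],
    "LaunchInstances": ["ec2:RunInstances", "ec2:ImportKeyPair",
                        "ec2:CreateSecurityGroup",
                        "ec2:AuthorizeSecurityGroupIngress",
                        "ec2:DescribeInstances"],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, candidate_actions):
    """Return the subset of candidate_actions the policy grants.

    An action counts as granted when some Allow statement matches it (through
    Action, or through a NotAction that does not cover it) and no Deny
    statement matches it. Resource and Condition are deliberately ignored, so
    a statement scoped to one resource still counts: this audit over-reports
    rather than misses.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for act in candidate_actions:
            if actions and any(_action_matches(p, act) for p in actions):
                bucket.add(act)
            elif not_actions and not any(_action_matches(p, act)
                                         for p in not_actions):
                bucket.add(act)
    return sorted(allowed - denied)


def missing_for_modules(policy):
    """Map each module to the required actions the policy does NOT grant.

    An empty list means the policy alone is enough to run that module.
    """
    return {module: sorted(set(required) - set(granted_actions(policy, required)))
            for module, required in MODULE_REQUIREMENTS.items()}


# Constructed sample policies mirroring the talk's Good / Bad / Ugly slides.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-app-bucket/*"}]
}""")
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
UGLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# An explicit Deny always wins over Allow, so denying one link of the chain
# (here iam:CreateAccessKey) stops CIAMU even when iam:* is allowed.
GUARDED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]}

if __name__ == "__main__":
    for name in ("GOOD_POLICY", "BAD_POLICY", "UGLY_POLICY", "GUARDED_POLICY"):
        print(name, missing_for_modules(globals()[name]))
```

Feed it the inline policies of your instance roles (for example the output of iam:GetRolePolicy) to find roles that already hold a complete module chain.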
20. AWS IAM Account Lockout Module
- Requires an IAM admin role (created by the CIAMU module)
- Enumerates all users and access keys
- Accepts a user to keep
- Locks out all other accounts
- Allows security teams to protect potentially compromised accounts

21. Demonstration Network Diagram

22. Demonstration

23. Upcoming Modules and Ongoing Projects
- AWS IAM privilege enumeration module
- AWS Lambda module
- AWS S3 bucket and access enumeration module
- Cumulus Cloud Attack Toolkit: AWS, Google Cloud Platform
- DevSecOps.org Community: https://github.com/devsecops/lambhack

24. Helping you get from ugly to…

25. How to Apply This Knowledge
- Read the AWS IAM Best Practices documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Monitor IAM actions using AWS CloudTrail
- Get creative with AWS services: Config + CloudWatch Events + Lambda
- Audit your AWS account IAM policies and roles
- Red team your applications and instances
- Think to yourself: "How would an attacker use this against me?"
- Use repeatable secure patterns: https://github.com/devsecops
- Help build awareness through community: http://www.devsecops.org
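Slide 25's advice to monitor IAM actions with CloudTrail is most useful when the monitor knows what the CIAMU chain of slide 18 looks like in the log. The detector below is an added example, not code from the talk: it correlates constructed CloudTrail records and flags an EC2 instance-profile session (assumed-role ARN whose session name is an instance id) that issues all five CIAMU calls within a short window, while leaving IAM users and operator role sessions alone. The role names, account id and record shape are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
import json

# The IAM calls the talk's CIAMU module chains together (slide 18).
CIAMU_SEQUENCE = {"CreateUser", "CreateGroup", "PutGroupPolicy",
                  "AddUserToGroup", "CreateAccessKey"}


def _parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2017-02-15T18:04:09Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_instance_role_session(identity):
    """True when the caller used EC2 instance-profile credentials.

    For instance profiles the STS session name is the instance id, so the
    assumed-role ARN ends in "/i-<hex>"; a human assuming the same role gets
    whatever session name they chose.
    """
    if identity.get("type") != "AssumedRole":
        return False
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return issuer.get("type") == "Role" and session_name.startswith("i-")


def detect_ciamu_chains(records, window_seconds=600):
    """Return one finding per instance-role principal that issued every call
    in CIAMU_SEQUENCE within window_seconds. IAM users and non-instance role
    sessions are skipped: they are the expected source of IAM admin work.
    """
    by_principal = defaultdict(list)
    for rec in records:
        ident = rec.get("userIdentity", {})
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in CIAMU_SEQUENCE
                or not is_instance_role_session(ident)):
            continue
        by_principal[ident["arn"]].append(
            (_parse_time(rec["eventTime"]), rec["eventName"],
             rec.get("requestParameters") or {}))

    findings = []
    for arn, calls in by_principal.items():
        calls.sort(key=lambda c: c[0])
        for i, (start, _, _) in enumerate(calls):
            in_window = [c for c in calls[i:]
                         if (c[0] - start).total_seconds() <= window_seconds]
            if CIAMU_SEQUENCE <= {c[1] for c in in_window}:
                users = {c[2].get("userName") for c in in_window
                         if c[1] == "CreateUser"} - {None}
                findings.append({"principal": arn,
                                 "first_seen": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 "created_users": sorted(users)})
                break  # one finding per principal is enough
    return findings


def _record(ts, name, arn, params=None):
    """Minimal CloudTrail record shape; constructed for this example."""
    return {"eventTime": ts, "eventSource": "iam.amazonaws.com",
            "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": arn,
                             "sessionContext": {"sessionIssuer": {"type": "Role"}}},
            "requestParameters": params or {}}


# Constructed sample: a web-tier instance role runs the full chain in seconds,
# while an operator's role session creates a user legitimately.
INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def4567890"
OPERATOR_ARN = "arn:aws:sts::123456789012:assumed-role/IamAdmin/alice"
SAMPLE_RECORDS = [
    _record("2017-02-15T18:04:09Z", "CreateUser", INSTANCE_ARN, {"userName": "backup-svc"}),
    _record("2017-02-15T18:04:10Z", "CreateGroup", INSTANCE_ARN, {"groupName": "backup-admins"}),
    _record("2017-02-15T18:04:11Z", "PutGroupPolicy", INSTANCE_ARN, {"groupName": "backup-admins"}),
    _record("2017-02-15T18:04:12Z", "AddUserToGroup", INSTANCE_ARN, {"userName": "backup-svc"}),
    _record("2017-02-15T18:04:13Z", "CreateAccessKey", INSTANCE_ARN, {"userName": "backup-svc"}),
    _record("2017-02-15T09:00:00Z", "CreateUser", OPERATOR_ARN, {"userName": "new-hire"}),
    _record("2017-02-15T09:00:05Z", "CreateAccessKey", OPERATOR_ARN, {"userName": "new-hire"}),
]

if __name__ == "__main__":
    print(json.dumps(detect_ciamu_chains(SAMPLE_RECORDS), indent=2))
```

The created_users field in a finding gives the lockout step of slide 20 its input: the freshly created user is the one to disable, the remaining principals are the ones to review.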
26. Appendix: Demo Slides

27. Load Metasploit
28. Use sshexec to gain a foothold
29. Instantiate a shell
30. Retrieve temporary credentials
31. Enumerate the network
32. Enumerate the Metadata service
33. Enumerate the Metadata service (continued)
34. Escalate privileges on account A
35. Login
36. Explore account
37. Discover networks
38. Explore the network
39. Discover services
40. Set up a tunnel and scan for vulns
41. Exploit Jenkins
42. Retrieve temporary credentials
43. Launch a new instance with Admin privs
44. Launch a new instance with Admin privs (continued)
45. Launch a new instance with Admin privs (continued)
46. Establish a session with new host
47. Establish a session with new host (continued)
48. Establish a session with new host (continued)
49. Escalate privileges on account B
50. Open the console