Why We Can't Have Nice Things, A Tale of Woe and a Hope For the Future
Watch this talk here: https://vimeo.com/129822165

DevOpsDays Austin Talk.
Computers are hard, and security is even harder. Let's discuss things to do when you have a dedicated Infosec team, and tools you can use when you don't.


Slide transcript (image-only slides omitted; slide numbers are the deck's own):

Slide 1: Why We Can’t Have Nice Things: A Tale of Woe, and Hope for the Future. Pete Cheslock, @petecheslock

Slide 3: Wall of Confusion: Dev, Ops, Sec

Slide 5: DevOps, Sec – @hijinksensue

Slide 8: Pete Cheslock. Not an InfoSec. Twitters: @petecheslock. theshipshow.com, threatstack.com

Slide 9: "The most costly disruptions always happen when something we take completely for granted stops working for a minute." – President Josiah Bartlet

Slide 19: It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.

Slide 20: risk = (threat) x (probability) x (business impact) – Jen Andre, http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html

Slide 21: What data are you sending? What happens if that system is compromised?

Slide 22: WE TAKE SECURITY SERIOUSLY. “These are not features: Security, Availability, Performance.” – Benjamin Black, http://blog.b3k.us/2012/01/24/some-rules.html

Slide 26:
- https://github.com/codahale/sneaker
- https://vaultproject.io
- https://github.com/square/keywhiz
- https://github.com/LuminalOSS/credstash
- https://github.com/oleiade/trousseau – storing sensitive data
- https://github.com/cloudflare/redoctober – high value secrets
- https://github.com/jschauma/jass – really helpful tool for sharing of secrets using SSH keys

Slide 29: Keep It Simple. Skip the ITIL IR Plan for now.

Slide 34: “FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”

Slide 35: Compile your Source. Build a Package. Sign the Package. Test the Package. Deploy the Package. You can’t hate the curl bash and be OK deploying from Github.

Slide 36: aptly; deb-s3; freight/sync to s3; packagecloud.io

Slide 40: https://www.ssllabs.com/ssltest/

Slide 42: Safe Access to Production

Slide 43: “Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system” – Mark Burgess

Slide 44: Trust, but Verify.

Slide 45: auditd + OSSEC …and SELinux (http://stopdisablingselinux.com/)

Slide 46:
- Controlled Access Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf
- Labeled Security Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
- National Industrial Security Program Operating Manual (NISPOM): http://www.fas.org/sgp/library/nispom.htm
- Security Technical Implementation Guides: http://iase.disa.mil/stigs/Pages/index.aspx

Slide 49: Start Small. Identify High Risks.

Slide 50: Security Culture is People.