If security is hard, you are doing it wrong
Fabio Alessandro Locati
AMSTERDAM 11-12 MAY 2016
Big corporations
Real Case - Situation
● A subsidiary IT system is breached (5-10 June 2014)
● The parent company commissions a security audit on the breached system (4 July)
● The audit report comes back (13 August):
  – It identifies an SQL injection bug in the application as the only cause of the attack
  – It suggests a few software updates
● The parent company imposes the updates on all subsidiaries (15 August)
Real Case - Corrective actions
● Update OpenSSL to 1.0.1g+ due to CVE-2014-0160 (Heartbleed)
● Update PHP to 5.5.12+ due to CVE-2014-0185 (privilege escalation)
● Update the kernel to 3.13.6+ due to CVE-2014-2523 and CVE-2014-0100 (DoS)
● We had OpenSSL 1.0.1e-16.15.el6; the bug was fixed in 1.0.1e-16.7.el6
● We had PHP 5.3.3-37.el6; the bug was only present in 5.5+
● We had kernel 2.6.32-497.el6; the bug was fixed in 2.6.32-279.el6
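The point of this slide is that the installed distro packages already carried the fixes as backports, which a comparison against the upstream fix version alone misses. As an added example (not from the talk), the Python below compares RPM-style VERSION-RELEASE labels with rpmvercmp-like segment rules and applies them to the versions on this slide; the 5.5.0 lower bound for the PHP range is an assumption derived from the slide's "only present in 5.5+".

```python
import re
from typing import List, Tuple, Union

# Splits a version string into digit runs and letter runs; '.', '-', '_' act as separators.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _segments(text: str) -> List[Tuple[int, Union[int, str]]]:
    """Tokenise like rpmvercmp: numeric runs compare as integers and rank above
    alphabetic runs; alphabetic runs compare lexically. Epochs and the '~'
    pre-release marker are left out of this simplified version."""
    return [(1, int(tok)) if tok.isdigit() else (0, tok) for tok in _SEGMENT.findall(text)]


def vercmp(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b using the segment rules above.
    A longer run of otherwise equal segments counts as newer (1.0.1e > 1.0.1)."""
    sa, sb = _segments(a), _segments(b)
    return (sa > sb) - (sa < sb)


def _split_label(label: str) -> Tuple[str, str]:
    """'1.0.1e-16.15.el6' -> ('1.0.1e', '16.15.el6'); a bare upstream version has release ''."""
    version, _, release = label.partition("-")
    return version, release


def labelcmp(installed: str, other: str) -> int:
    """Compare VERSION-RELEASE labels: the version decides, the release only breaks ties."""
    iv, ir = _split_label(installed)
    ov, orel = _split_label(other)
    return vercmp(iv, ov) or vercmp(ir, orel)


def has_backported_fix(installed: str, fixed_in: str) -> bool:
    """True when the installed package is at or above the label that carries the fix."""
    return labelcmp(installed, fixed_in) >= 0


def is_affected(installed: str, first_affected: str, fixed_in: str) -> bool:
    """True when installed falls inside [first_affected, fixed_in), the usual advisory range."""
    return labelcmp(installed, first_affected) >= 0 and labelcmp(installed, fixed_in) < 0


if __name__ == "__main__":
    # Against the upstream fix version the RHEL 6 package looks vulnerable ...
    print(has_backported_fix("1.0.1e-16.15.el6", "1.0.1g"))           # False
    # ... but the distro backport is what matters: fixed in 1.0.1e-16.7.el6
    print(has_backported_fix("1.0.1e-16.15.el6", "1.0.1e-16.7.el6"))  # True
    print(has_backported_fix("2.6.32-497.el6", "3.13.6"))             # False
    print(has_backported_fix("2.6.32-497.el6", "2.6.32-279.el6"))     # True
    # PHP 5.3.3 is below the affected 5.5 series altogether (5.5.0 bound is assumed)
    print(is_affected("5.3.3-37.el6", "5.5.0", "5.5.12"))             # False
```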
Real Case - Considerations
● Pointless to close the stable door after the horse has bolted
● Security is a word, but its meaning is a whole world
  – Ask yourself what you are trying to achieve
  – Ask yourself the value of what you are protecting (for you and for others)
  – No money can buy a secure system
● There is no silver bullet in security
Built in vs Bolt on
Real Case - Situation
● SaaS company
● 50+ AWS EC2 “classic” instances
● A partner asks for PCI-DSS compliance within 3 months
Real Case - “Solution”
● Lock down all servers
● Creation of procedures for updates of the SaaS platform, including:
  – Regression tests
  – Security tests
● PCI-DSS certification
Real Case - Problems
● Not able to perform ordinary maintenance
● No automated tests were ready when they reached PCI-DSS compliance
● Average problem-solving time went from 30' to 8 hours (1600%)
● Average time between releases went from 2 days to 4.5 weeks (1575%)
Real Case - Considerations
● Always think about security before you start your next project
● Do not “drop in” security into existing software or infrastructure
● Do not rush to add security
● Use a configuration management system
● Design infrastructures that are safe(r) from the ground up
Trust but check
Real Case - Situation
@app.route("/login", methods=["GET", "POST"])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.get(form.email.data)
        if user:
            # the submitted password is verified against the stored bcrypt hash
            if bcrypt.check_password_hash(user.password, form.password.data):
                user.authenticated = True
    return render_template("login.html", form=form)
Real Case - Problem
if form.validate_on_submit():
user = User.query.get(form.email.data)
if user:
- if bcrypt.check_password_hash(user.password, form.password.data):
+ # if bcrypt.check_password_hash(user.password, form.password.data):
user.authenticated = True
return render_template("login.html", form=form)
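Review bot: with the `-`/`+` pair turning the `bcrypt.check_password_hash` line into a comment, `user.authenticated = True` now runs for every submitted form whose e-mail matches an existing user, so the password is never verified; the `if user:` guard alone is not an authentication check. This must not be merged as-is: restore the check, and add a pipeline test that posts a wrong password for a known user and asserts the session stays unauthenticated, so a change like this fails the build instead of reaching production.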
Real Case - Considerations
● Use a version control system
● Implement a code-review system
● Implement an auto-deployment pipeline
● Put lots of tests in the pipeline
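To show what "lots of tests in the pipeline" means for the login code on the previous slides, here is an added example (not the author's code) of a regression suite that passes on the original login path and fails on the commit that commented out the password check. Flask, SQLAlchemy and bcrypt are replaced by standard-library stand-ins (PBKDF2 and an in-memory user table) so it runs offline; the user record is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional

# Assumption: the real application used bcrypt as on the slide; PBKDF2-HMAC-SHA256
# from the standard library stands in for it here so the example runs offline.
_ITERATIONS = 100_000
_SALT_LEN = 16


def generate_password_hash(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2(password); stands in for bcrypt.generate_password_hash."""
    salt = salt or os.urandom(_SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def check_password_hash(stored: bytes, password: str) -> bool:
    """Constant-time verification; stands in for bcrypt.check_password_hash."""
    salt, digest = stored[:_SALT_LEN], stored[_SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(digest, candidate)


@dataclass
class User:
    email: str
    password: bytes
    authenticated: bool = False


# Constructed user table standing in for User.query.get(email)
_USERS: Dict[str, User] = {
    "alice@example.com": User("alice@example.com", generate_password_hash("correct horse")),
}


def _query_get(email: str) -> Optional[User]:
    user = _USERS.get(email)
    return replace(user) if user else None  # fresh copy: no state leaks between test cases


LoginFn = Callable[[str, str], bool]


def login_ok(email: str, password: str) -> bool:
    """The slide's login path before the offending commit."""
    user = _query_get(email)
    if user:
        if check_password_hash(user.password, password):
            user.authenticated = True
    return user is not None and user.authenticated


def login_broken(email: str, password: str) -> bool:
    """The same path after the commit on the 'Problem' slide: the check is commented out."""
    user = _query_get(email)
    if user:
        # if check_password_hash(user.password, password):
        user.authenticated = True
    return user is not None and user.authenticated


def login_regression_suite(login: LoginFn) -> Dict[str, bool]:
    """Pipeline checks for any login() implementation; every value must be True to ship."""
    return {
        "right_password_logs_in": login("alice@example.com", "correct horse") is True,
        "wrong_password_rejected": login("alice@example.com", "wrong") is False,
        "empty_password_rejected": login("alice@example.com", "") is False,
        "unknown_user_rejected": login("nobody@example.com", "correct horse") is False,
    }


def pipeline_gate(login: LoginFn) -> bool:
    """What the auto-deployment step requires before a commit reaches production."""
    return all(login_regression_suite(login).values())


if __name__ == "__main__":
    for name, fn in (("before commit", login_ok), ("after commit", login_broken)):
        verdict = "PASS" if pipeline_gate(fn) else "FAIL"
        print(f"{name}: {verdict}", login_regression_suite(fn))
```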
Containers
Real Case - Situation
● January 2015: company X deploys Docker in production
● February 2016: all applications use Docker (total: 327 different images)
● 1 March 2016:
  – OpenSSL releases 1.0.1s, containing:
    ● 1 high-severity security fix
    ● 5 low-severity security fixes
  – OpenSSL also discloses that 1.0.1r (released on 28 January 2016) contained:
    ● 1 high-severity security fix
    ● 1 moderate-severity security fix
Real Case - Situation
● Operating systems across the 327 images:
  – 62 RHEL 7
  – 53 CentOS 6
  – 47 CentOS 7
  – 44 RHEL 6
  – 24 Ubuntu 15.10
  – 21 Ubuntu 14.04
  – 19 Debian 8
  – 14 Fedora 22
  – 11 BusyBox 1.23
  – 11 Ubuntu 15.04
  – 9 BusyBox 1.24
  – 8 Fedora 23
  – 4 Debian 7
Real Case - Considerations
● Limit the number of images you base your systems on
● Only take future-proof images from trusted sources
● Keep track of what you deployed
● Don't forget the underlying infrastructure
● Containers do not contain (Dan Walsh)
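As an added example (not from the talk) of "keep track of what you deployed" and "limit the number of images", the Python below parses the FROM lines of a fleet's Dockerfiles, resolves multi-stage aliases, and reports which application images sit on which base and which bases fall outside an approved set, so that an OpenSSL release like the one above maps to a concrete rebuild list. The Dockerfiles and the approved set are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# FROM [--platform=<p>] <image> [AS <stage>]  (Docker accepts the keywords in any case)
_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def base_images(dockerfile: str) -> List[str]:
    """External images a Dockerfile pulls; references to earlier build stages are resolved away."""
    stages: List[str] = []
    pulled: List[str] = []
    for line in dockerfile.splitlines():
        m = _FROM.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        # "FROM builder" or "FROM 0" names an earlier stage, so nothing new is pulled
        is_stage_ref = image.isdigit() or image.lower() in (s.lower() for s in stages)
        if not is_stage_ref:
            pulled.append(image)
        stages.append(stage or f"stage-{len(stages)}")
    return pulled


def inventory(dockerfiles: Dict[str, str],
              approved: Set[str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """by_base: base image -> application images built on it (what to rebuild when that
    base ships a fix); unapproved: application image -> bases outside the approved set."""
    by_base: Dict[str, List[str]] = {}
    unapproved: Dict[str, List[str]] = {}
    for name, text in dockerfiles.items():
        for base in base_images(text):
            by_base.setdefault(base, []).append(name)
            if base not in approved:
                unapproved.setdefault(name, []).append(base)
    return by_base, unapproved


def rebuild_list(by_base: Dict[str, List[str]], base: str) -> List[str]:
    """Images that must be rebuilt and redeployed when `base` ships a fix (e.g. a new OpenSSL)."""
    return sorted(by_base.get(base, []))


# Constructed fleet: four application images, one of them multi-stage, one using --platform
FLEET: Dict[str, str] = {
    "api": "FROM centos:6\nRUN yum -y install openssl\nCOPY . /srv/api\n",
    "web": "FROM golang:1.6 AS builder\nRUN go build -o /app .\n"
           "FROM busybox:1.23\nCOPY --from=builder /app /app\n",
    "worker": "from ubuntu:15.10\nrun apt-get update && apt-get install -y openssl\n",
    "batch": "FROM --platform=linux/amd64 centos:7 AS base\nFROM base\nRUN yum -y update openssl\n",
}
APPROVED: Set[str] = {"centos:7", "ubuntu:14.04", "debian:8"}  # constructed allow-list

if __name__ == "__main__":
    by_base, unapproved = inventory(FLEET, APPROVED)
    for base, names in sorted(by_base.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(names):3d}  {base}")  # the per-base count table, as on the slide above
    print("outside the approved set:", unapproved)
    print("rebuild when centos:6 ships a fix:", rebuild_list(by_base, "centos:6"))
```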
People
Real Case - Considerations
● People are unreliable
● Asking more means obtaining less
● People will always* try to take shortcuts
● People are cheap
● People are curious
Final considerations
● Security is a mindset
● Security is a word, but its meaning is a whole world (CIA model)
● Pointless to close the stable door after the horse has bolted
● Think about security before you start your next project
● Keep your environments clean
● Don't forget the underlying infrastructure
● People are often the weakest link of the chain
Thanks!
Fabio Alessandro Locati
Mail: me@fale.io
GPG key: 0xB2DC9C1B
All pictures belong to their respective authors
AMSTERDAM 9-12 MAY 2016
If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amsterdam 2016