DevSecCon London 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank

•

2 gostaram•411 visualizações

ERNESTO BETHENCOURT At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions.

Tecnologia

LONDON 18-19 OCT 2018
Enabling shift-left for 12k banking
developers from scratch and
without breaking the bank
ERNESTO BETHENCOURT

LONDON 18-19 OCT 2018
Ernesto Bethencourt
Product Owner for Chimera

LONDON 18-19 OCT 2018
Source: https://www.bbva.com/en/corporate-information/the-transformation-of-bbva/

LONDON 18-19 OCT 2018
Key Elements For This
Transformation
• Internal talent
• End-to-end automation
• DevOps “philosophy”
• API and obsession to reuse
• Global communities

Ether is BBVA’s global banking platform, which allows developers to easily build, deploy and
operate banking services of any kind by leveraging cloud
Global Cloud Services
Automation
Open Source &
Vendor decoupling
Developer centric
Hybrid cloud
Reliability /Operability

LONDON 18-19 OCT 2018
What are we doing?
• SECaaS, part of the New Platform
• BBVA Labs Advance Security
• ACS (for Legacy Platform)
• Cultural Change (Tribes/Clans)

LONDON 18-19 OCT 2018
Security As A Service (SECaaS)
BBVA’s SECaaS is one of the main Cloud
components composing Ether.
SECaaS builds on the concept that Security
can be provided on demand to the user
SECaaS provides a security embedded by
default.

LONDON 18-19 OCT 2018
SECaaS Objectives 4 SDLC
• Early Security Feedback for Developers
(Shifting Left)
• Security Feedback also must be “aaS”
• Automate Security Checks & Enforcement

TOOLS! TOOLS EVERYWHERE! DEVELOP A PRODUCT

LONDON 18-19 OCT 2018
Since 2016!
Slides: https://www.rsaconference.com/writable/presentations/file_upload/asd-f01-security-as-a-service-in-a-financial-institution-reality-or-chimera.pdf

SELF-SERVICE 4 DEV TEAMS SERVICES 4 SECURITY TEAMS

LONDON 18-19 OCT 2018
In-take Triage Test Deliver
DevSecOps “Foundations”
Static Black-box “Manual”
DevSecOps
Analytics
Blue Team
Services
Security
Provision
DevSecOps
Threat Model
Auto-Enrollment
Continuous
Monitoring
Governance
Added Value
Services
Continuous Feedback
& Optimization
Our long term “Services” proposal

LONDON 18-19 OCT 2018
SECURITY TOOLS
CI Pipelines (i.e: Ether Pipelines)
CHIMERA
Security Code Review Docker Images Review Secrets Review
Current Status
BANDIT GECRETS
In-take Analytics

LONDON 18-19 OCT 2018
4 Devs Teams
CI Pipelines (i.e: Ether Pipelines)
Docker Images
Review
CHIMERA
Orchestrations +
Added Value

LONDON 18-19 OCT 2018
Developers can access and use this
information on their pipelines and in
Ether’s Console

LONDON 18-19 OCT 2018
4 Sec Teams
CI Pipelines (i.e: Ether Pipelines)
Docker Images
Review
CHIMERA
“Security Seal”Orchestrations
AUTOMATIC!

LONDON 18-19 OCT 2018
BBVA Labs - Advanced Security Labs
• “Working how to adapt security processes from the risk analysis to the
security operation in the Cloud and DevOps worlds, researching and
developing concept tests that can be converted into open source tools”
• Example Public Research:
• https://www.bbva.com/en/vulnerability-management-in-dependencies-in-ci-cd-
environments-with-open-source-tools/

LONDON 18-19 OCT 2018
Example of our Public Work
https://github.com/BBVA/gitsechttps://github.com/BBVA/deeptracy https://patton-server.readthedocs.io/en/latest/

LONDON 18-19 OCT 2018
Deep Tracy + Patton

LONDON 18-19 OCT 2018
ACS – (Continuous Security Analysis)
• Blue Team’s Service
• BBVA’s Worldwide Service
• Free for all BBVA’s projects
• Manual, APIs and Jenkins library options for
integrations
• Compliance compatible for some projects
• Manual results processing by blue team member

LONDON 18-19 OCT 2018
Current Process
Secure
SDLC
Source
Repository
Build
Management
Code
Analysis
Result
Triage
Publish
Results
Developer
Feedback

LONDON 18-19 OCT 2018
Culture
Tribes and Clans

LONDON 18-19 OCT 2018
Next Steps (2019)
• Chimera Triage and DAST MVPs
• Chimera – ACS Integrations
• BBVA Labs Tools in Chimera
• DevSecOps Ninja and TechU Tracks
• Security Champions Pilot Programs

LONDON 18-19 OCT 2018
[https://www.bbvanexttechnologies.com/]

Mais conteúdo relacionado

Mais procurados

The Case for Disaggregation of Compute in the Data Center

Juniper Networks

apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society December 8, 9 & 10, 2020 Data Gateways: building “Data-as-a-Service” for the Hybrid Cloud Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...

apidays

Machine Learning at E*Trade

Elasticsearch

Trace your micro-services oriented application with Zipkin and OpenTracing

Corley S.r.l.

Microservice: starting point

inovia

This slide deck shows why middleware and streaming analytics is relevant for any blockchain project. It discusses how to leverage stream processing and how to integrate with blockchain events. The focus was on integration of TIBCO StreamBase and Ethereum Blockchain. But the same can be done easily for any Hyperledger Blockchain like IBM's Fabric, IROHA or Intel's Sawtooth Lake, or others like R3 Corda or Ripple. For smart contract deployment, I use Browser Solidity and MetaMask. But the sasme can be achieved with TIBCO StreamBase (or BusinessWorks, too). The live demo can be watched on Youtube. The outlook includes some upcoming topics like - Live Visualization for Real Time Monitoring and Proactive Actions - Cross-Integration with Ethereum and Hyperledger Blockchains -Data Discovery for Historical Analysis to Find Insights and Patterns - Machine Learning to Build of Analytic Models - Application Integration with other Applications (Legacy, Cloud Services, …) - Native Hardware Integration with Internet of Things Devices Some use cases / real world examples: - Banking: Data Discovery for compliance issues, fraud or other anomalies - Stock / Energy Trading: Subcribe to events (e.g. price went over a threshold) – event correlation and proactive live UI - Manufacturing / Internet of Things: Supply chain management with various partner companies (maybe even various blockchains) - Many other use cases... Thanks to my colleague Steven Warwick for implementing the StreamBase connectors and demo!

Blockchain + Streaming Analytics with Ethereum and TIBCO StreamBase

Kai Wähner

APIdays Paris 2018 - Hack your legacy, from mutualism to Open Source! Chris W...

apidays

Monitoring Pull vs Push, InfluxDB and Prometheus

Gianluca Arbezzano

Presentation from Open Source Leadership Summit 2019. This talk will highlight some best practices that your Open Source Program Office (OSPO) can use to manage security vulnerabilities for open source projects using GitHub’s security alerts at scale. We’ll discuss the mechanics and governance around the process we’ve set up at Verizon Media to notify internal employees about CVEs on their projects.

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Ashley Wolf

APIdays Paris 2018 - Accelerate Innovation & Aircraft Production by using API...

apidays

APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong

apidays

Matt Lavin Software Architect at LifeOmic It's possible to have rapid feature delivery and happy developers without sacrificing high security and compliance. At LifeOmic, we've built an automated change management system that allows production deployments without slow human approval. We maintain HIPAA and HITRUST compliance while still allowing continuous delivery. I'll show how to collect data from BitBucket, Jenkins, and security scan tools to ensure that the approved processes have been followed. You'll hear how fast production approval incentivizes developers to follow good practices, and become advocates for following the process instead of pushing against it. Automating process checks as a gate to deployments is a great framework for promoting the behavior you want in your organization. Don't give up on rapid feature delivery just because you work in a regulated industry.

DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...

DevSecCon

apidays LIVE Paris - Principles for API security by Alan Glickenhouse

apidays

apidays LIVE Helsinki & North - 20 minutes to build a serverless COVID-19 RES...

apidays

Gain multi-cloud versatility with software load balancing designed for cloud-...

Ashnikbiz

Discover in this webcast how AI-based solutions mitigate fraud, reduce losses, and help businesses remain competitive. In this webcast you will learn: - The main digital tools to mitigate fraud. - Rule-based tools can be augmented by Machine Learning. How does this work? What are the advantages? - Insights on how to implement ML-driven fraud monitoring solution. - The challenges when working with AI-Based Fraud Management solutions. Discover the Webcast: https://bit.ly/359lsu9

AI-Driven Fraud Detection

Codit

DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...

DevSecCon

apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...

apidays

Quite often the architecture in JavaScript reduces itself to the choice of a framework according to the frontend world’s recent trends. What if we told you that the choice of technology is just the step №7 on your way to developing project design? Every day many projects feel the draught or even fall to pieces because of the incorrectly chosen architecture. We’ll share some stories that can help you look at the architecture and its meaning for the modern apps from the right perspective, as well as avoid mistakes that can simply ruin your project.

Aliaksei Bahachuk - JavaScript and Solution Architecture

Aliaksei Bahachuk

IoT backend architecture

Tomasz Tarczyński

Mais procurados (20)

The Case for Disaggregation of Compute in the Data Center

apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...

Machine Learning at E*Trade

Trace your micro-services oriented application with Zipkin and OpenTracing

Microservice: starting point

Blockchain + Streaming Analytics with Ethereum and TIBCO StreamBase

APIdays Paris 2018 - Hack your legacy, from mutualism to Open Source! Chris W...

Monitoring Pull vs Push, InfluxDB and Prometheus

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

APIdays Paris 2018 - Accelerate Innovation & Aircraft Production by using API...

APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong

DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...

apidays LIVE Paris - Principles for API security by Alan Glickenhouse

apidays LIVE Helsinki & North - 20 minutes to build a serverless COVID-19 RES...

Gain multi-cloud versatility with software load balancing designed for cloud-...

AI-Driven Fraud Detection

DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...

apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...

Aliaksei Bahachuk - JavaScript and Solution Architecture

IoT backend architecture

Semelhante a DevSecCon London 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank

FIWARE Overview (University Cairo 20Aug2017)

FIWARE

This is comprehensive presentation of is FIWARE. It describes: a) FIWARE-based applications in various sectors such as SmartCities, SmartIndustry and SmartAgriFood, b) the FIWARE technologies, c) the tools through which to access, study, download and experiment the FIWARE Technologies, d) the FIWARE Ecosytem, and e) the FIWARE Foundation. This presentation was given in the context of the first CAMPIE summer school organised by the University of Cairo.

20170820 FIWARE at CAMPIE

stefano de panfilis

At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions. Link: https://www.sonatype.com/uk/2019-devsecops-leadership-forum-london

Enabling shift-left for 12k banking developers from scratch and without break...

Ernesto Bethencourt

APIs are the products of the 21st century. As we build out API systems, we find that we are constantly learning from product journeys. We propose a new kind of supply chain - the Integrated Supply Chain for APIs (ISCA) - which is needed by any organization looking to create and monetize API products, either directly or indirectly. Through these slides, it is outlined our vision of the ISCA, identify five key patterns for success, and give a blueprint for creating a digital business based on API products.

[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs

WSO2

apidays New York 2022 - Beyond API Regulations for Finance, Insurance, and Healthcare July 27 & 28, 2022 From API Catalogs to API Marketplaces into the Metaverse Belén Roca, Head of APIs at Siemens Mahran Meißner, Executive MBA, Senior IT Key Expert at Siemens ------------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

apidays New York 2022 - From API Catalogs to API Marketplaces into the Metave...

apidays

APIs are the products of the 21st century. As we build out API systems, we find that we are constantly learning from product journeys. We propose a new kind of supply chain - the Integrated Supply Chain for APIs (ISCA) - which is needed by any organization looking to create and monetize API products, either directly or indirectly. In this session, Asanka will outline our vision of the ISCA, identify five key patterns for success, and give a blueprint for creating a digital business based on API products.

Building an Integrated Supply Chain for APIs

Asanka Abeysinghe

apidays LIVE Hong Kong 2021 - Building an Integrated Supply Chain for APIs b...

apidays

Evolution of Container Security - What's Next?

Fernando Montenegro

Tech Job Conference: Software Engineer @Criteo

Gilles Legoux

Володимир Шиманський “Роль спільноти і OpenSource в IoT бізнесі” {R0boCamp}

Lviv Startup Club

Programma 16.30 Ontvangst 17.00 Robbrecht van Amerongen - Head of IoT, Conclusion Connect • Welkom en opvallendste zaken van het congres • Stand van zaken PaaS/SaaS, Digital Twin, Context IoT, Big Data en Machine Learning • IoT en Security • IoT-projecten: stand van zaken, opvallende voorbeelden en best practices • Waar staan de vendors/ platformleveranciers 18.00 Diner 18.45 Gertjan van het Hof - IoT Solutions Architect, Conclusion Connect • Platformen: Microsoft Azure IoT Reference Architecture en Google Cloud IoT • CrateDB • EdgeX Foundry en NetFoundry • Intel Video processing • Beacons • Security Maturity Model • Industrial Internet Consortium (IIC) 19:45 Pauze 20:00 Henk Jan van Wijk - IoT Solution Engineer, Conclusion Connect • Microsoft Azure Sphere (connected devices) • Low Power Connectivity (Thingstream) • Digital Twin • Anomaly detection at Intel (predict robots failure) 21.00 Afsluiting en borrel

IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...

Conclusion Connect enabling industry 4.0 with IoT

A digital twin is a digital replica of a living or non-living physical entity. This session discusses the benefits and IoT architectures of a Digital Twin in Industrial IoT (IIoT) and its relation to Apache Kafka, IoT frameworks and Machine Learning. Kafka is often used as central event streaming platform to build a scalable and reliable digital twin for real time streaming sensor data. A live demo shows a scalable digital twin infrastructure for condition monitoring and predictive maintenance in real time for a connected car infrastructure leveraging Kafka, MQTT and TensorFlow. Key Take-Aways: • Learn about use cases and characteristics of a digital twin in various industries • Understand how to build a digital twin for every single (of tens of thousands) IoT device or machine • See different IoT architectures with Kafka and other IoT technologies and products, including edge, hybrid and global deployments • Understand the relation to Machine Learning and bring added value to your IoT infrastructure by enabling use cases like predictive maintenance • Understand how the Apache Kafka enables scalable and flexible end-to-end integration processing from IIoT data to various backend applications • Watch a live demo of an end-to-end integration, real time processing and analytics of thousands of IoT devices More details: https://www.kai-waehner.de/blog/2019/11/28/apache-kafka-industrial-iot-iiot-build-an-open-scalable-reliable-digital-twin/ https://www.kai-waehner.de/blog/2020/03/25/architectures-digital-twin-digital-thread-apache-kafka-iot-platforms-machine-learning/ ‎ https://youtu.be/Q3eKPEVwNVY

IoT Architectures for a Digital Twin with Apache Kafka, IoT Platforms and Mac...

Kai Wähner

[HACKATHON CISCO PARIS] Slideshow du workshop Smart City

BeMyApp

ITCamp 2019 - Mihai Tataran - Governing your Cloud Resources

ITCamp

Cisco Connect Toronto 2018 DevNet Overview

Cisco Canada

Enabling Edge Analytics of IoT Data: The Case of LoRaWAN

Hong-Linh Truong

INTERFACE, by apidays - APIs: the next 10 years June 8, 9 & 10 2022 The challenges of exposing and connecting microservices Denis Jannot, Director of Field Engineering at Solo.io ------------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

INTERFACE, by apidays - Challenges of exposing and connecting microservices

apidays

Microservicios net arquitectura para aplicaciones net contenerizadas - net ...

Germán Küber

Introduction to Kubernetes

Alexander Al Basosi

The 3 pillars of agile integration: Container, Connector and API

Judy Breedlove

Semelhante a DevSecCon London 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank (20)

FIWARE Overview (University Cairo 20Aug2017)

20170820 FIWARE at CAMPIE

Enabling shift-left for 12k banking developers from scratch and without break...

[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs

apidays New York 2022 - From API Catalogs to API Marketplaces into the Metave...

Building an Integrated Supply Chain for APIs

apidays LIVE Hong Kong 2021 - Building an Integrated Supply Chain for APIs b...

Evolution of Container Security - What's Next?

Tech Job Conference: Software Engineer @Criteo

Володимир Шиманський “Роль спільноти і OpenSource в IoT бізнесі” {R0boCamp}

IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...

IoT Architectures for a Digital Twin with Apache Kafka, IoT Platforms and Mac...

[HACKATHON CISCO PARIS] Slideshow du workshop Smart City

ITCamp 2019 - Mihai Tataran - Governing your Cloud Resources

Cisco Connect Toronto 2018 DevNet Overview

Enabling Edge Analytics of IoT Data: The Case of LoRaWAN

INTERFACE, by apidays - Challenges of exposing and connecting microservices

Microservicios net arquitectura para aplicaciones net contenerizadas - net ...

Introduction to Kubernetes

The 3 pillars of agile integration: Container, Connector and API

Mais de DevSecCon

Xavier Garceau-Aranda Senior Security Consultant at NCC Group With the steady rise of cloud adoption, a number of organizations find themselves splitting their resources between multiple cloud providers. While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges. The workshop will aim to familiarize attendees with Scout Suite (https://github.com/nccgroup/ScoutSuite), a key component of NCC Group’s cloud agnostic approach to security assurance. Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than pouring through dozens of pages on the web consoles, Scout Suite provides a clear view of the attack surface automatically. The following cloud providers are currently supported: - Amazon Web Services - Microsoft Azure - Google Cloud Platform - Oracle Cloud Infrastructure - Alibaba Cloud During the workshop, attendees will leverage Scout Suite to assess a number of cloud environments designed to simulate typical flaws. We will display how the tool can be leveraged to quickly identify and help with remediation of security misconfigurations.

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...

DevSecCon

Mitun Zavery Senior Engineer at Sonatype Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem. Analyze, and detail, the events leading to today’s “all-out” attack on the OSS industry Define what the future of open source looks like in today’s new normal Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?

DevSecCon

Jan Harrie Security Analyst at ERNW GmbH OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood. Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem. In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

Matt Carroll Infrastructure Security Engineer at Yelp "Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems! Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet. So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell... At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems. This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP! As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...

DevSecCon

Kristóf Tóth Software Engineer at Avatao The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries. As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint. What could possibly go wrong? We believe that education is the missing link. As appsec is still a curiosity topic on top universities, freshly graduated engineers simply have no clue. And how could they? The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec. As this trend continues, our responsibility to do something about this is on the rise. In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community. Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers. These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser. Users can attack webservices, write code to fix them or use a terminal to deploy websites by creating and pushing git tags. Nothing here is a mock-up: Every software component is real. In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it. During the session we will open source the framework with the hope of creating a better, secure future together.

DevSecCon Seattle 2019: Containerizing IT Security Knowledge

DevSecCon

Sitaraman Lakshminarayanan Sr Security Architect at Pure Storage Authorization has two components – Policy Definition and Policy Enforcement. Traditionally both used to be centralized and we spent all the time Integrating products- Built or Bought with Centralized Access Management. This typically led to increased cycle time to change any access policy or change software/deployment to fit into one particular authorization model. When that doesn’t fit, we would end up with multiple authorization enforcements written in different languages with or without any adherence to any standards such as XACML or others. Imagine building few different or hundreds of products or services or micro services and you have to centrally manage all possible access policies. It’s definitely not a scalable solution in fast moving CI/CD world. Now imagine a way where every developers or products can externalize its authorization and we can modify authorization enforcement in a consistent manner? Imagine where developers can write their own implementation of how authorization should be enforced for their environment? Remember there is no one size fits all authorization policy. A policy that works for your environment does not work for my environment – for any number of reasons from Risk management to type of business applications. Open Policy Agent provides a consistent way to write authorization logic and expose it as REST API. Applications can easily integrate with OPA and can also write their own authroziation logics. Whether you are shipping products to customers or integrating a Product or Service into your environment, how awesome it would be to enforce your own authorization rules instead of changing your business process of who can gain access to what features. In this talk we will explore the benefits of Decentralized Authorization and how to use Open Policy Agent to achieve decentralized authorization. A closer look at few applications /integrations whether it is REST API /Micro Services, or Kubernetes to control various authorization policies as to who can deploy/what can you deploy. We will also look at how to build Integration tests to check our authorization policies.

DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...

DevSecCon

Julian Berton Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service. To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures: * Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process. * Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public. * "JIT” Education - Changing a companies security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

DevSecCon

Rahul Kumar & Rupali Dash In the current era of blockchain technology, mining crypto currency is one of the biggest hit. The talk covers how the attackers use the insecure containers to mine crypto currency and earn million dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by many intrusion detection companies. While there have seen a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just less than 5 million. The talk will cover how the mining activities has been done using browsers as well as cloud containers. We will also discuss how the cloud provides like amazon, azure and go are detecting such kind of activities and how minor misconfigurations leads to million dollar currency mining. The talk will also cover how 3rd party security providers like symantec and z-scalar and other intrusion detection system has configured signatures to block such kind of attacks. As well as from a sec-ops prospective what configuration checks should be done to prevent against such kind of attacks as well as detection of attacks. It will also cover some case studies and attack scenarios of mining Monero and the huge financial losses because of this attacks.

DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...

DevSecCon

Trinh Tran & Dennis Stötzel Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world. In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory. We will cover the following topics in our talk: * Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds, * Development, delivery and security as a requirement in an agile project, * The good, the bad and the ugly in technology, architecture and infrastructure.

DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...

DevSecCon

Sanoop Thomas & Samandeep Singh Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases. The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.

DevSecCon Singapore 2019: Workshop - Burp extension writing workshop

DevSecCon

Cameron Townshend Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system. As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps. Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it. Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%. Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle. Attendees of this session will walk away with: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

DevSecCon

Tilak T Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.

DevSecCon Singapore 2019: Web Services aren’t as secure as we think

DevSecCon

Sharath Kumar Ramadas Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components. On the other hand GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly negating the need for REST APIs from being developed. Combined with Serverless tech/Reactive Front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including but not limited to Injection Attacks, Nested Resource Exhaustion attacks, Authorization Flaws among others. This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications. The author will release an intentionally vulnerable Serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.

DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...

DevSecCon

Nadira Bajrei IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market. This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from internal and external site.

DevSecCon Singapore 2019: The journey of digital transformation through DevSe...

DevSecCon

Liz Rice The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess. Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers. During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes: Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark. Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)

DevSecCon Singapore 2019: Preventative Security for Kubernetes

DevSecCon

Paweł Krawczyk Most network services and daemons now offer TLS transport protection and their managing certificates and TLS configuration for server farms may use more resources than actual configuration of these services. What if you could get rid of all this complexity and replace it by single transport protection protocol, securing all of the traffic between your servers trasparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten in that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.

DevSecCon London 2018: Get rid of these TLS certificates

DevSecCon

PETKO D. PETKOV Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

DevSecCon London 2018: Open DevSecOps

DevSecCon

MIKE SHEMA Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills of working with others to build and maintain apps. And the solutions they strive for don’t always catch the importance of how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven’t built up equivalent resources, references, or models for the people we build apps with and who we build them for. This presentation dives into specific techniques and references for working with people and building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building skills that are important to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they also face the same challenges in solving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it’s made of people.

DevSecCon London 2018: Building effective DevSecOps teams through role-playin...

DevSecCon

KEVIN BACKHOUSE With the increasing awareness and adoption of DevSecOps, organisations are beginning to fully understand the crucial role that security plays, integrating it into every part of the development and deployment process, from start to finish. New processes such as vulnerability disclosures & bug bounty programs, red team exercises, pen-testing initiatives and static & dynamic code analysis are putting security front and center. These initiatives are proving to be an incredible source for discovering previously unknown vulnerabilities, and fixes are generally implemented and deployed pretty quickly. However, this response is often not quite enough. In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and sometimes across multiple projects. Sometimes there are a number of simultaneously active instances of these mistakes, and sometimes there’s only ever one active instance at a time, but it keeps reappearing. When these mistakes lead to security vulnerabilities, the consequences can be severe. With each vulnerability discovered or reported, if the root cause was a bug in the code, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement a process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a process for doing just this, and discuss how it can be integrated into your development and security operations. I’ll also be sharing real-world stories of what has happened when variant analysis was neglected, as well as stories of when it’s saved the day.

DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...

DevSecCon

NICK DRAGE The popularity of DevSecCon, and the enthusiasm for DevSecOps as a concept, shows that there is a desire for significant change within the IT industry – that merely improving our abilities, and our tooling, hasn’t provided the gains we expected and hoped for. This presentation will demonstrate the value of ideas from diverse areas, providing a range of examples where others have faced similar situations regarding conflict, training, adversaries, or complexity, and showing how we can use those ideas to improve our own processes and practice.

DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)

DevSecCon

Mais de DevSecCon (20)