THE JOY OF PROACTIVE SECURITY
SCOTT BEHRENS && ANDY HOERNECKE
EHLO
• Scott Behrens
• Application Security Engineer at Netflix
• Likes automation
• Torn between breaking and making
• Loves research and open source
HELO
• Andy Hoernecke
• Application Security Engineer at Netflix
• App Sec
• Data Visualization
What We Will Cover
• Challenges of a modern infrastructure
• Proactive security as a solution
• Examination of mature security program
• How to get started
• Conclusion
Terminology Primer
• Define technology terms:
• Application
• Instance
• Autoscaling groups (ASGs) / Load balancers (ELBs)
• AMI
• SecurityGroups
• Regions / Availability Zones (AZs)
Netflix Primer
• 100's of Developers
• Over 1,000 applications
• Hundreds of production pushes a day
• Over 50k instances
• No Security Gates!
Continuous Deployment
• Can be fully automated
• Immutable Platform
• Looks like:
• git -> Create deb (Jenkins) -> AMI Snapshot -> Deploy
Potential Pitfalls
• Multiple concurrent code-bases (A/B testing, regional functionality, etc.)
• New applications brought online/old applications retired constantly
• Insecure third party dependencies
More Pitfalls
• How do we identify and catalog assets (IP? DNS name? Application? ELB? ...)?
• How do we profile and provide baseline security to new applications?
• How do we monitor security policy changes and configurations in AWS?
• How do we monitor the web for credential dumps, hacktivism, and sensitive data exposure?
The List Goes On...
• Many of these problems are not unique to Netflix or the cloud
• Some are unique or can be solved in different ways
• We have coined our approach to these and other problems as...
Proactive Security
• Dictionary.com
• Proactive: "serving to prepare for, intervene in, or control an expected occurrence or situation, especially a negative or difficult one; anticipatory"
Proactive Security
• Security controls should be:
• Integrated, automated, scalable, adaptive, actionable, and intelligent
• Time is limited
• End goal: less babysitting, more time for harder problems
Proactive Security
• Find problems early and address them
• Know your weaknesses and work to improve them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
Find problems early and address them
• Identify issues early
• Old hat: static asset lists, a fileshare with old pentest reports
Find - New Way
• Define what an asset is:
• Application
• ELB
• FQDN
• IP
Find - New Way
• Have an intelligent way to collect/track assets and vulns
Monterey
• Provides a way to automatically define and scan assets
• Soon to be open sourced
• Asset groups keyed by application name:
• Contain any ELBs or FQDNs
• Do not contain instances
Monterey
• Monterey queries AWS for new assets and changes
• Monterey runs "Monklets" for things like vulnerability scanning
• Store vulns centrally in S3
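The asset-group model described on these slides (group by application, keep ELBs and FQDNs, drop instances, poll AWS for changes), as an added example that is not Monterey's code. The ELB and Route 53 records are a constructed stand-in for what boto's describe_load_balancers and list_resource_record_sets return, and the "app-stack" load balancer naming convention is an assumption:

```python
"""Asset discovery and change detection in the style of Monterey.

Added example, not Monterey's own code. SAMPLE_ELBS and SAMPLE_DNS are a
constructed stand-in for what boto's describe_load_balancers and Route 53
list_resource_record_sets return, trimmed to the fields an inventory needs.
The "<app>-<stack>" load balancer naming convention is an assumption.
"""
import json
from dataclasses import dataclass, field

SAMPLE_ELBS = [  # constructed
    {"LoadBalancerName": "billing-prod", "Scheme": "internet-facing",
     "DNSName": "billing-prod-123.us-east-1.elb.amazonaws.com",
     "Instances": [{"InstanceId": "i-0a1"}, {"InstanceId": "i-0a2"}]},
    {"LoadBalancerName": "billing-canary", "Scheme": "internal",
     "DNSName": "billing-canary-456.us-east-1.elb.amazonaws.com",
     "Instances": [{"InstanceId": "i-0b1"}]},
    {"LoadBalancerName": "recs-prod", "Scheme": "internet-facing",
     "DNSName": "recs-prod-789.us-east-1.elb.amazonaws.com", "Instances": []},
]
SAMPLE_DNS = [  # constructed CNAMEs fronting the ELBs
    {"Name": "billing.example.com.", "Type": "CNAME",
     "Value": "billing-prod-123.us-east-1.elb.amazonaws.com"},
    {"Name": "recs.example.com.", "Type": "CNAME",
     "Value": "recs-prod-789.us-east-1.elb.amazonaws.com"},
]


@dataclass
class AssetGroup:
    app: str
    elbs: set = field(default_factory=set)
    fqdns: set = field(default_factory=set)
    internet_facing: bool = False


def app_name(elb_name):
    # Assumed convention: the application is the first dash-separated token.
    return elb_name.split("-", 1)[0]


def build_inventory(elbs, dns_records):
    """Group ELBs, and every FQDN that resolves to them, by application.
    Instances are deliberately left out: they churn with every deploy;
    the ELB and DNS names are what an attacker actually reaches."""
    groups, by_elb_dns = {}, {}
    for elb in elbs:
        app = app_name(elb["LoadBalancerName"])
        g = groups.setdefault(app, AssetGroup(app))
        g.elbs.add(elb["LoadBalancerName"])
        g.fqdns.add(elb["DNSName"])
        g.internet_facing = g.internet_facing or elb["Scheme"] == "internet-facing"
        by_elb_dns[elb["DNSName"]] = g
    for rec in dns_records:
        if rec["Type"] == "CNAME" and rec["Value"] in by_elb_dns:
            by_elb_dns[rec["Value"]].fqdns.add(rec["Name"].rstrip("."))
    return groups


def diff_inventory(old, new):
    """Events worth acting on between two polls: applications appearing or
    disappearing, reachable names changing, and an app going internet-facing."""
    events = []
    for app in sorted(set(old) | set(new)):
        if app not in old:
            events.append(("new_app", app, sorted(new[app].fqdns)))
        elif app not in new:
            events.append(("retired_app", app, sorted(old[app].fqdns)))
        else:
            added = sorted(new[app].fqdns - old[app].fqdns)
            removed = sorted(old[app].fqdns - new[app].fqdns)
            if added or removed:
                events.append(("fqdn_change", app, {"added": added, "removed": removed}))
            if new[app].internet_facing and not old[app].internet_facing:
                events.append(("now_internet_facing", app, sorted(new[app].elbs)))
    return events


def serialize(groups):
    """The document you would hand to the scanners (Monterey kept it in S3)."""
    return json.dumps({app: {"elbs": sorted(g.elbs), "fqdns": sorted(g.fqdns),
                             "internet_facing": g.internet_facing}
                       for app, g in sorted(groups.items())}, indent=2)


if __name__ == "__main__":
    earlier = build_inventory(SAMPLE_ELBS[:2], SAMPLE_DNS[:1])   # previous poll
    now = build_inventory(SAMPLE_ELBS, SAMPLE_DNS)
    print(serialize(now))
    for event in diff_inventory(earlier, now):
        print(event)
```

The diff is the part that matters operationally: a new application or a newly internet-facing ELB is what should trigger a baseline scan, and a retired one is what stops you paging people about a host that no longer exists.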
Monterey Demo
Monitor for anomalies and be prepared to respond
• Monitor, detect, and respond to security issues
• Old hat:
• Reactionary
• New hat:
• Less reactionary, i.e. more proactive
• Automatic
• Intelligent
Simian Army
• aka The Monkeys!
• Open source
• Proactively wreck your environment to simulate outages
• Take down apps, instances, ELBs, even entire regions
• Ensures developers write resilient code
"Dirty Laundry" Project
• Look for assets unintentionally exposed
• Leverages Monterey for assets
• Uses Scumblr for actioning findings
• Uses Sketchy for collecting status codes, generating screenshots, and text scrapes
• Both Sketchy and Scumblr are open source
Scumblr
• Intelligent automation platform, aka our Swiss Army knife
• Monitor things by using plugins
• Credential Dumps
• Hacktivism
• Brand Reputation
• Full Disclosure
• Leverages Sketchy for screenshots and text scrapes
• Custom Workflows
Dirty Laundry Demo
Speedbump
• Mechanism to detect attacks and enforce security policies automatically
• You define what you want to monitor/filter
• Security policies can be time delays, blocking, routing, etc.
• A WAF, proxy and firewall on steroids because it has application intelligence (business logic)
• Ensnare
Security Monkey
• Open Source
• Monitor events/changes within AWS
• Changes to IAM users
• Security groups
• Policy changes
• Notify when things change
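The "notify when things change" loop for security groups, as an added example that is not Security Monkey's code. Two constructed snapshots shaped like describe_security_groups output are diffed rule by rule, and each added rule is scored so that a world-reachable admin port is the one that pages someone; the port list and severity rules are assumptions. The same snapshot-and-diff pattern applies to the IAM users and policies the slide mentions:

```python
"""Change detection over AWS security group snapshots, in the spirit of
Security Monkey. Added example, not Security Monkey's own code. BEFORE and
AFTER are constructed snapshots shaped like describe_security_groups output,
trimmed to ingress rules; ADMIN_PORTS and the severity rules are assumptions.
"""
from ipaddress import ip_network

# Assumed policy: these must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

BEFORE = [  # constructed
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
AFTER = [  # constructed: someone opened 80 on the web tier and ssh on the db tier
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def flatten(sg):
    """One (protocol, from, to, cidr) tuple per rule so set arithmetic works.
    A rule with several CIDRs becomes several tuples, which is what you want:
    adding one more CIDR to an existing rule is still a new exposure."""
    rules = set()
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            rules.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), rng["CidrIp"]))
    return rules


def diff_security_groups(old, new):
    old_by = {sg["GroupId"]: flatten(sg) for sg in old}
    new_by = {sg["GroupId"]: flatten(sg) for sg in new}
    changes = {}
    for gid in set(old_by) | set(new_by):
        added = new_by.get(gid, set()) - old_by.get(gid, set())
        removed = old_by.get(gid, set()) - new_by.get(gid, set())
        if added or removed:
            changes[gid] = {"added": added, "removed": removed}
    return changes


def covers_admin_port(proto, from_port, to_port):
    if proto == "-1":            # "all traffic" rule; AWS omits the ports
        return True
    if from_port is None or to_port is None:
        return False
    return any(from_port <= p <= to_port for p in ADMIN_PORTS)


def severity(rule):
    """Anything world-reachable on an admin port is the one you page on."""
    proto, from_port, to_port, cidr = rule
    world = ip_network(cidr, strict=False).prefixlen == 0   # 0.0.0.0/0 or ::/0
    if world and covers_admin_port(proto, from_port, to_port):
        return "critical"
    return "notice" if world else "info"


def alerts(old, new):
    """Every added rule scored, removals logged, ordered so the worst is first."""
    order = {"critical": 0, "notice": 1, "info": 2}
    out = []
    for gid, change in diff_security_groups(old, new).items():
        out += [(severity(r), gid, "added", r) for r in change["added"]]
        out += [("info", gid, "removed", r) for r in change["removed"]]
    return sorted(out, key=lambda a: (order[a[0]], a[1], str(a[3])))


if __name__ == "__main__":
    for sev, gid, what, rule in alerts(BEFORE, AFTER):
        print(f"{sev:8} {gid:8} {what:8} {rule}")
```

Flattening to one tuple per CIDR is deliberate: a change that appends 0.0.0.0/0 to a rule that already allowed a corporate range shows up as an added rule rather than as an edit you would have to inspect by hand.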
Have you noticed a trend?
• A more proactive approach
• Identify something interesting automatically
• Notify automatically
• Provide workflows for more complex remediations
Know your weaknesses and work to improve them
• None of us have unlimited time or resources; we all have weaknesses
• Work to automatically identify blind spots
• Leverage tools and information where useful
• Old hat:
• Spreadsheet containing a static list of apps and manually created risk rankings
• Not scalable when we are talking hundreds or thousands of apps
Penguin Shortbread
• Catalog assets
• Measure attributes
• Calculate risk
• Will be open sourced if we can make it more generic (TBD)
Penguin Shortbread Demo
Case Study: Monklet Your Way To Infinity
• Shellshock
• Vulnerable vs exploitable?
• Some commercial scanners only hit the root of the web page
• What about other scripts?
Case Study: Monklet Your Way To Infinity
• Monterey Monklet!
• Spiders a provided asset (using gevent)
• Checks each page for exploitability of Shellshock
• Stores results in S3 centrally
• Deploy N instances of the Monklet to cover hundreds of apps
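The crawl-then-probe Monklet described in this case study, as an added example that is not Netflix's code. The probe is the widely published non-destructive Shellshock check (a bash function definition followed by an echo of a marker), which answers "exploitable?" rather than "vulnerable version?" because the marker only appears if the trailing command actually ran. The HTTP transport is injected, so a constructed in-memory site with one CGI that behaves like unpatched bash stands in for a real host; the real Monklet used gevent and wrote to S3, here a thread pool and a returned dict:

```python
"""A Monterey-style "Monklet": crawl one asset and test every page found
for Shellshock. Added example, not Netflix's Monklet. The transport is
injected (fetch(url, headers) -> (status, body)) so the constructed
in-memory site below stands in for a real host; the real thing would use
requests under gevent against the asset's FQDN and write results to S3.
"""
from concurrent.futures import ThreadPoolExecutor
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

MARKER = "monklet-shellshock-probe"
# The widely published non-destructive probe: a function definition, then a
# trailing command. Patched bash stops at "}"; unpatched bash runs the rest,
# so the marker lands in the response body. That is exploitability, not just
# a banner match, which is the distinction the case study draws.
PROBE = "() { :; }; echo Content-Type: text/plain; echo; echo " + MARKER


class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.links.append(value)


def normalize(url):
    p = urlparse(url)
    return p._replace(path=p.path or "/", fragment="").geturl()


def crawl(start_url, fetch, max_pages=200):
    """Breadth-first, same-host only. CGI scripts are rarely linked from /,
    which is why scanners that only hit the root miss them."""
    start = normalize(start_url)
    host = urlparse(start).netloc
    seen, queue = set(), [start]
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url, {})
        if status != 200:
            continue
        parser = LinkParser()
        parser.feed(body)
        for link in parser.links:
            absolute = normalize(urljoin(url, link))
            if urlparse(absolute).netloc == host and absolute not in seen:
                queue.append(absolute)
    return sorted(seen)


def check_shellshock(url, fetch):
    """CGI exports these request headers as environment variables, which is
    how the string reaches bash."""
    headers = {"User-Agent": PROBE, "Referer": PROBE, "Cookie": PROBE}
    _, body = fetch(url, headers)
    return MARKER in body


def scan_asset(start_url, fetch, workers=8):
    urls = crawl(start_url, fetch)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda u: (u, check_shellshock(u, fetch)), urls))
    return {"asset": start_url, "checked": len(urls),
            "vulnerable": sorted(u for u, hit in hits if hit)}


# Constructed stand-in site: path -> HTML. One CGI behaves like unpatched bash.
FAKE_SITE = {
    "/": '<a href="/about">about</a> <form action="/cgi-bin/status.cgi"></form> '
         '<a href="http://other.example/x">off-host</a>',
    "/about": '<a href="/#top">home</a> <a href="/cgi-bin/hello.cgi">hello</a>',
    "/cgi-bin/status.cgi": "ok",
    "/cgi-bin/hello.cgi": "hello",
}
UNPATCHED = {"/cgi-bin/status.cgi"}


def fake_fetch(url, headers):
    path = urlparse(url).path or "/"
    if path not in FAKE_SITE:
        return 404, ""
    body = FAKE_SITE[path]
    ua = headers.get("User-Agent", "")
    if path in UNPATCHED and ua.startswith("() {"):
        # Simulate the bug: run the commands after the function body (echo only).
        trailing = ua.split("};", 1)[1]
        echoed = [cmd.strip()[4:].strip() for cmd in trailing.split(";")
                  if cmd.strip().startswith("echo")]
        body = "\n".join(echoed) + "\n" + body
    return 200, body


if __name__ == "__main__":
    print(scan_asset("http://asset.example", fake_fetch))
```

Against a real host, keep the probe to an echo: it proves code execution without touching the box, and the marker string is what the result store keys on. The crawl is bounded by max_pages so a Monklet pointed at a large asset terminates.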
Collect meaningful data and use it to improve
• Collect data from intelligent systems
• Actually use it to:
• Drive initiatives
• Find what is/isn't working
Example
Simplify: make security the easy path
• If it's easy, developers will do it
• Make security an enabler and not a burden
• Encourage developers to come to you
• Also: v0.1 doesn't need to be perfect
Immutable Base AMI
• Make your platform consistent
• For non-cloud users: system image/template
• Conformity Monkey for AWS users (open source)
Danger! Danger!
• Applications often use legacy/outdated dependencies
• Make it clear to developers they are using dangerous stuff
• Netflix leverages an API based on OWASP Dependency Check
• API will eventually be open sourced
• Provides information into our dependency tool
• Work in progress...
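What "make it clear to developers" can look like on top of OWASP Dependency-Check output, as an added example that is not Netflix's API. The report is constructed (made-up CVE ids and library names) and follows the shape of Dependency-Check's JSON output, dependencies[].vulnerabilities[] with cvssv3/cvssv2 scores; the red/yellow thresholds are assumptions. Note that it informs rather than gates, matching the "no security gates" model on the earlier slide:

```python
"""Turn an OWASP Dependency-Check report into the per-application "danger"
summary a developer sees. Added example, not Netflix's API. SAMPLE_REPORT is
constructed, with made-up CVE ids and library names, and follows the shape
of Dependency-Check's JSON output (dependencies[].vulnerabilities[] with
cvssv3/cvssv2 scores); the thresholds are assumptions.
"""
import json

SAMPLE_REPORT = json.dumps({  # constructed
    "dependencies": [
        {"fileName": "legacy-web-1.0.jar", "vulnerabilities": [
            {"name": "CVE-2000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-2000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
        {"fileName": "utils-2.4.jar", "vulnerabilities": []},
        {"fileName": "json-parser-2.5.jar", "vulnerabilities": [
            {"name": "CVE-2000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
    ]})

# Used only when a finding carries a severity word but no numeric score.
SEVERITY_FALLBACK = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 5.0, "LOW": 2.0}


def score(vuln):
    """Prefer CVSS v3, fall back to v2, then to the severity label."""
    if vuln.get("cvssv3", {}).get("baseScore") is not None:
        return float(vuln["cvssv3"]["baseScore"])
    if vuln.get("cvssv2", {}).get("score") is not None:
        return float(vuln["cvssv2"]["score"])
    return SEVERITY_FALLBACK.get(str(vuln.get("severity", "")).upper(), 0.0)


def summarize(report_json, red_at=7.0, yellow_at=4.0):
    """Per-dependency worst finding, plus a red/yellow/green status for the app."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        worst = max(vulns, key=score)
        findings.append({"dependency": dep["fileName"], "count": len(vulns),
                         "worst_id": worst["name"], "worst_score": score(worst)})
    findings.sort(key=lambda f: (-f["worst_score"], f["dependency"]))
    top = findings[0]["worst_score"] if findings else 0.0
    status = "red" if top >= red_at else "yellow" if top >= yellow_at else "green"
    return {"status": status, "findings": findings}


def render(app, summary):
    """What the deploy tool shows. It informs; it does not gate the deploy."""
    lines = [f"[{summary['status'].upper()}] {app}: "
             f"{len(summary['findings'])} dependencies with known vulnerabilities"]
    for f in summary["findings"]:
        lines.append(f"  {f['dependency']}: {f['count']} finding(s), "
                     f"worst {f['worst_id']} (CVSS {f['worst_score']:.1f})")
    if summary["status"] == "red":
        lines.append("  Deploy is not blocked, but this is what turns your dashboard red.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("example-app", summarize(SAMPLE_REPORT)))
```

Sorting by worst score rather than by count keeps one critical finding above a pile of lows, which is the ordering a developer with ten minutes needs.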
FindSecBugs
• Allow users to opt in to static analysis
• FindSecBugs is lightweight and pretty useful (for Java)
• They can still deploy regardless, but no one likes seeing red
Reevaluate your approach
• Environment is always changing; what works today may be ineffective tomorrow
• Developers are agile, which means we must be too
• Be willing to start simple, knowing the initial solution is temporary (don't over-engineer!)
• Use the data you've collected to determine when an approach is no longer sufficient
Share what you learn with others
• We (security professionals) are all working to solve similar problems
• Sharing tools and information makes all of our lives easier
• Allows improvement through the collective consciousness of the industry
• Prevents duplicate effort
http://netflix.github.io/
(More to come!)
Proactive Security: Level 1
• Create a list of assets
• Rank by sensitivity
• Automate
Proactive Security: Level 2
• Strategize security based on asset risk. Ex:
1. Sensitive assets: examine thoroughly
2. Frequently used components: secure by default
3. Everything else: find a good baseline level of due diligence
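The catalog-measure-rank loop from the Penguin Shortbread slide and the Level 1 and Level 2 steps above, carried through in code as an added example that is not Netflix's model. The asset attributes, weights, thresholds and the four assets are all assumptions; what the block shows is how a measured score turns into the three Level 2 buckets:

```python
"""Risk ranking over an asset catalog, in the spirit of Penguin Shortbread
and the Level 1 and Level 2 steps above (list assets, rank by sensitivity,
then decide where human attention goes). Added example, not Netflix's
model: the attributes, weights, thresholds and assets are all assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    app: str
    internet_facing: bool
    handles_pii: bool
    handles_payments: bool
    auth_boundary: bool       # logs users in or issues sessions
    dependents: int           # other applications that call it
    known_vulns: int          # open findings from the scanners
    days_since_review: int    # last manual security review


# Assumed weights; the point of collecting data is to revisit these.
WEIGHTS = {"internet_facing": 3, "handles_pii": 3, "handles_payments": 4, "auth_boundary": 3}


def risk_score(a):
    score = sum(w for attr, w in WEIGHTS.items() if getattr(a, attr))
    score += min(a.dependents, 10) // 2   # blast radius, capped so a library does not dominate
    score += min(a.known_vulns, 5)        # open findings add until they saturate
    if a.days_since_review > 365:
        score += 2                        # nobody has looked at it in a year
    return score


def tier(a, examine_at=10, widely_used=5):
    """Level 2: sensitive gets people, shared gets secure defaults, the rest gets baseline."""
    if risk_score(a) >= examine_at:
        return "examine"            # threat model, manual review, pentest
    if a.dependents >= widely_used:
        return "secure-by-default"  # harden the shared component or template once
    return "baseline"               # automated scanning and dependency checks


def rank(assets):
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(((risk_score(a), tier(a), a.app) for a in assets), key=lambda r: (-r[0], r[2]))


ASSETS = [  # constructed
    Asset("billing", True, True, True, False, 2, 1, 400),
    Asset("login", True, True, False, True, 12, 0, 30),
    Asset("common-http-client", False, False, False, False, 40, 2, 100),
    Asset("internal-dashboard", False, False, False, False, 0, 0, 700),
]

if __name__ == "__main__":
    for score, bucket, app in rank(ASSETS):
        print(f"{score:3} {bucket:18} {app}")
```

The capped dependents term is the interesting design choice: a shared HTTP client with forty callers is not "sensitive" in the Level 2 sense, so it lands in secure-by-default rather than crowding the examine bucket, while still outranking an internal dashboard nobody has reviewed.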
Proactive Security: Level 3
• Identify weak links
• Architectural: poor network segmentation
• Cultural: developers don't understand XSS
• Specific: "Application X" relies on an outdated version of Struts
• Determine how to measure the weaknesses and put in place a plan to address or manage them
Proactive Security: Level 4
• Monitor, alert, and gather more intel
• Detect anomalies in security-relevant functionality: login successes/failures, password resets, authorization failures...
• Dashboards are fun, but intelligent alerting is better
• See "Effective Approaches to Web Application Security" by Zane Lackey
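The Level 4 detection just described and the Speedbump enforcement from the earlier slide (time delays, blocking, routing, driven by application-level logic rather than WAF signatures) are two halves of one loop, so this single added example covers both; it is not Netflix's code. The event format, thresholds and actions are assumptions and the event stream is constructed. Per-source sliding-window counters over login failures, distinct users tried (password spraying) and authorization failures select an action on every request, and alerting is deduplicated so a human sees one line per escalation instead of one per request:

```python
"""Detection over security-relevant events and the automatic policy it
drives, in the spirit of Speedbump (enforce: delay, block, route) and the
Level 4 monitoring above (login failures, password resets, authorization
failures). Added example, not Netflix's code; the event format, thresholds
and actions are assumptions and EVENTS is constructed.
"""
from collections import defaultdict, deque

EVENTS = [  # constructed: (unix_ts, source_ip, user, event)
    (1000, "203.0.113.7", "alice", "login_failure"),
    (1001, "203.0.113.7", "bob", "login_failure"),
    (1002, "203.0.113.7", "carol", "login_failure"),
    (1003, "203.0.113.7", "dave", "login_failure"),
    (1004, "203.0.113.7", "erin", "login_failure"),   # one password, many users
    (1005, "203.0.113.7", "frank", "login_failure"),
    (1010, "198.51.100.4", "alice", "login_failure"),  # a typo, then success
    (1011, "198.51.100.4", "alice", "login_success"),
    (1020, "192.0.2.9", "mallory", "authorization_failure"),
    (1021, "192.0.2.9", "mallory", "authorization_failure"),
    (1022, "192.0.2.9", "mallory", "authorization_failure"),
    (1023, "192.0.2.9", "mallory", "authorization_failure"),
    (1250, "203.0.113.7", "grace", "login_failure"),   # still inside the window
]


class Speedbump:
    """Per-source sliding-window counters and the policy they select."""

    def __init__(self, window=300, delay_at=3, block_at=6, spray_users=5, authz_at=4):
        self.window = window
        self.delay_at, self.block_at = delay_at, block_at
        self.spray_users, self.authz_at = spray_users, authz_at
        self.history = defaultdict(deque)   # ip -> (ts, user, event), oldest first

    def _observe(self, ts, ip, user, event):
        h = self.history[ip]
        h.append((ts, user, event))
        while h and h[0][0] < ts - self.window:
            h.popleft()
        return h

    def decide(self, ts, ip, user, event):
        """Returns (action, argument). Evaluated on every request, so the
        business logic (what counts as abuse) lives here, not in a WAF rule."""
        h = self._observe(ts, ip, user, event)
        failed_users = [u for _, u, e in h if e == "login_failure"]
        authz_fails = sum(1 for _, _, e in h if e == "authorization_failure")
        if authz_fails >= self.authz_at:
            return ("route", "honeypot")      # probing authorization: send them somewhere instrumented
        if len(failed_users) >= self.block_at or len(set(failed_users)) >= self.spray_users:
            return ("block", None)            # brute force or password spraying
        if len(failed_users) >= self.delay_at:
            return ("delay", min(2 ** (len(failed_users) - self.delay_at), 30))  # seconds
        return ("allow", None)


def run(events, bump=None):
    bump = bump or Speedbump()
    return [(ts, ip) + bump.decide(ts, ip, user, event) for ts, ip, user, event in events]


def alerts(decisions):
    """One alert per source per escalation; the dashboard gets every decision,
    a human gets only the first block or route."""
    seen, out = set(), []
    for ts, ip, action, _ in decisions:
        if action in ("block", "route") and (ip, action) not in seen:
            seen.add((ip, action))
            out.append((ts, ip, action))
    return out


if __name__ == "__main__":
    decisions = run(EVENTS)
    for d in decisions:
        print(d)
    print("alerts:", alerts(decisions))
```

Two details carry the "application intelligence" point: the spray check counts distinct users per source, which a per-account lockout never sees, and the delay grows exponentially so a single mistyped password costs nothing while a tool hammering the endpoint slows to a crawl before it is blocked.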
Proactive Security: All Levels
• Continually drive improvements into your tools and processes
• Be flexible and ready to adapt
• Share what you've learned and done!
Works Cited
• http://www.netbraintech.com/products/feature-guide/images/asset-report-step-5-2.png
• http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_web_01.pdf
• http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
Tools
• Netflix OSS: https://netflix.github.io/
• OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
• Ensnare: https://github.com/ahoernecke/ensnare
• FindSecBugs: https://github.com/h3xstream/find-sec-bugs
Thanks!
• Contact Us:
• sbehrens@netflix.com
• ahoernecke@netflix.com
• OSS: http://netflix.github.io/
• Want to be part of the team? We're hiring!
• Questions?

 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...nilamkumrai
 

Último (20)

Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
 

The Joy of Proactive Security

Proactive Security
• Find problems early and address them
• Know your weaknesses and work to improve them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
Find problems early and address them
• Identify issues early
• Old hat:
• Static asset lists, fileshare with old pentest reports
Find - New Way
• Define what an asset is:
• Application
• ELB
• FQDN
• IP
Find - New Way
• Have an intelligent way to collect/track assets and vulns
• Monterey
Monterey
• Provides a way to automatically define and scan assets
• Soon to be open sourced
• Asset groups as application name:
• Contain any ELBs or FQDNs
• Do not contain instances
Monterey
• Monterey queries AWS for new assets and changes
• Monterey runs "Monklets" for things like vulnerability scanning
• Stores vulns centrally in S3
Monitor for anomalies and be prepared to respond
• Monitor, detect, and respond to security issues
• Old hat:
• Reactionary
• New hat:
• Less reactionary, aka more proactive
• Automatic
• Intelligent
Simian Army
• aka The Monkeys!
• Open source
• Proactively wreck your environment to simulate outages
• Take down apps, instances, ELBs, even entire regions
• Ensures developers write resilient code
"Dirty Laundry" Project
• Look for assets unintentionally exposed
• Leverages Monterey for assets
• Uses Scumblr for actioning findings
• Uses Sketchy for collecting status codes, generating screenshots, and text scrapes
• Both Sketchy and Scumblr are open source
Scumblr
• Intelligent automation platform, aka our Swiss army knife
• Monitor things by using plugins
• Credential dumps
• Hacktivism
• Brand reputation
• Full disclosure
• Leverages Sketchy for screenshots and text scrapes
• Custom workflows
Speedbump
• Mechanism to detect attacks and enforce security policies automatically
• You define what you want to monitor/filter
• Security policies can be time delays, blocking, routing, etc.
• A WAF, proxy and firewall on steroids because it has application intelligence (business logic)
• Ensnare
Security Monkey
• Open source
• Monitor events/changes within AWS
• Changes to IAM users
• Security groups
• Policy changes
• Notify when things change
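The Security Monkey pattern on the slide (snapshot AWS configuration, diff it against the last snapshot, notify on what changed) reduced to its core, as an added example that is not Security Monkey's own code. The group names, rule tuples and the list of sensitive ports are constructed for illustration; a real deployment would fill the snapshots from the EC2 API instead.

```python
"""Diff two security-group snapshots and flag risky ingress changes.

Added example, not Security Monkey's code. Snapshots are constructed inline:
a mapping of group id -> set of ingress rules (proto, from_port, to_port, cidr).
"""
from ipaddress import ip_network

# Constructed sample snapshots ("before" and "after" a deployment).
OLD_SNAPSHOT = {
    "sg-web": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/8")},
    "sg-db": {("tcp", 3306, 3306, "10.0.1.0/24")},
}
NEW_SNAPSHOT = {
    "sg-web": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0")},
    "sg-db": {("tcp", 3306, 3306, "10.0.1.0/24")},
    "sg-new": {("tcp", 8080, 8080, "0.0.0.0/0")},
}

# Assumed list of ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def diff_security_groups(old, new):
    """Return a sorted list of (group, action, rule) for every added or removed
    rule, including the rules of groups that appeared or disappeared entirely."""
    changes = []
    for sg in sorted(set(old) | set(new)):
        before, after = old.get(sg, set()), new.get(sg, set())
        changes += [(sg, "added", r) for r in sorted(after - before)]
        changes += [(sg, "removed", r) for r in sorted(before - after)]
    return changes


def is_risky(rule):
    """A rule is risky when it opens a sensitive port (or all traffic) to the world."""
    proto, from_port, to_port, cidr = rule
    world_open = ip_network(cidr).prefixlen == 0
    covers_sensitive = proto == "-1" or any(
        from_port <= p <= to_port for p in SENSITIVE_PORTS)
    return world_open and covers_sensitive


def triage(changes):
    """Split changes into (alerts, notices): alerts are additions that are risky,
    everything else is still reported so the change history stays complete."""
    alerts = [c for c in changes if c[1] == "added" and is_risky(c[2])]
    notices = [c for c in changes if c not in alerts]
    return alerts, notices


if __name__ == "__main__":
    alerts, notices = triage(diff_security_groups(OLD_SNAPSHOT, NEW_SNAPSHOT))
    for sg, action, rule in alerts:
        print(f"ALERT  {sg}: {action} {rule}")
    for sg, action, rule in notices:
        print(f"notice {sg}: {action} {rule}")
```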
Have you noticed a trend?
• A more proactive approach
• Identify something interesting automatically
• Notify automatically
• Provide workflows for more complex remediations
Know your weaknesses and work to improve them
• None of us have unlimited time or resources; we all have weaknesses
• Work to automatically identify blind spots
• Leverage tools and information where useful
• Old hat:
• Spreadsheet containing a static list of apps and manually created risk rankings
• Not scalable when we are talking 100's or 1000's of apps
Penguin Shortbread
• Catalog assets
• Measure attributes
• Calculate risk
• Will be open sourced if we can make it more generic (TBD)
Case Study: Monklet Your Way To Infinity
• Shellshock
• Vulnerable vs exploitable?
• Some commercial scanners only hit the root of the webpage
• What about other scripts?
Case Study: Monklet Your Way To Infinity
• Monterey Monklet!
• Spiders a provided asset (gevented)
• Checks each page for exploitability of Shellshock
• Stores results in S3 centrally
• Deploy N instances of the Monklet to cover 100's of apps
Collect meaningful data and use it to improve
• Collect data from intelligent systems
• Actually use it to:
• Drive initiatives
• Find what is/isn't working
Simplify: make security the easy path
• If it's easy, developers will do it
• Make security an enabler and not a burden
• Encourage developers to come to you
• Also: v0.1 doesn't need to be perfect
Immutable Base AMI
• Make your platform consistent
• For non-cloud users: system image/template
• Conformity Monkey for AWS users (open source)
Danger! Danger!
• Applications often use legacy/outdated dependencies
• Make it clear to developers they are using dangerous stuff
• Netflix leverages an API based on OWASP Dependency Checker
• API will eventually be open sourced
• Provides information into our Dependency tool
• Work in progress...
FindSecBugs
• Allow users to opt in to static analysis
• FindSecBugs is lightweight and pretty useful (for Java)
• They can still deploy regardless, but no one likes seeing red
Reevaluate your approach
• Environment is always changing; what works today may be ineffective tomorrow
• Developers are agile, which means we must be too
• Be willing to start simple, knowing the initial solution is temporary (don't over-engineer!)
• Use the data you've collected to determine when an approach is no longer sufficient
Share what you learn with others
• We (security professionals) are all working to solve similar problems
• Sharing tools and information makes all of our lives easier
• Allows improvement through the collective consciousness of the industry
• Prevents duplicate effort
Proactive Security: Level 1
• Create a list of assets
• Rank by sensitivity
• Automate
Proactive Security: Level 2
• Strategize security based on asset risk. Ex:
• 1. Sensitive assets: examine thoroughly
• 2. Frequently used components: secure by default
• 3. Everything else: find a good baseline level of due diligence
Proactive Security: Level 3
• Identify weak links
• Architectural: poor network segmentation
• Cultural: developers don't understand XSS
• Specific: "Application X" relies on an outdated version of Struts
• Determine how to measure the weaknesses and put in place a plan to address or manage them
Proactive Security: Level 4
• Monitor, alert, and gather more intel
• Detect anomalies in security-relevant functionality: login successes/failures, password resets, authorization failures...
• Dashboards are fun, but intelligent alerting is better
• "Effective Approaches to Web Application Security" by Zane Lackey
</gr_insert_placeholder>
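The Level 4 point, turned into code as an added example (not from the talk): instead of a dashboard line for login failures and password resets, build an hourly baseline from past events and alert only when the current hour deviates from it. The log line format, the event names, the hosts and all counts are constructed for this example.

```python
"""Alert on anomalous counts of security-relevant events (login failures,
password resets, authorization failures). Added example; log format and
numbers are constructed, not from any real system."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed line format: "<ISO timestamp> <event> user=<id> src=<ip>"
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (\S+) user=(\S+) src=(\S+)$")
WATCHED = {"login_failure", "password_reset", "authz_failure"}
THRESHOLD_SIGMA = 3.0  # alert when count > mean + 3 stdev of the baseline
MIN_COUNT = 5          # tiny absolute counts are noise, never alert on them


def _lines(hour, event, n, src="198.51.100.7"):
    """Build n constructed log lines for one hour and one event type."""
    return [f"{hour}:{i:02d}:00 {event} user=u{i} src={src}" for i in range(n)]


# Constructed baseline: four quiet hours, then a current hour with a spike.
BASELINE = (_lines("2015-03-01T10", "login_failure", 2)
            + _lines("2015-03-01T11", "login_failure", 3)
            + _lines("2015-03-01T12", "login_failure", 2)
            + _lines("2015-03-01T13", "login_failure", 3)
            + sum((_lines(f"2015-03-01T{h}", "password_reset", 1)
                   for h in (10, 11, 12, 13)), []))
CURRENT = (_lines("2015-03-02T10", "login_failure", 6, src="203.0.113.9")
           + _lines("2015-03-02T10", "password_reset", 2)
           + ["not a log line at all"])  # unparseable input must be skipped


def hourly_counts(lines):
    """Count watched events per (hour, event); lines that don't parse are dropped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(2) in WATCHED:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def detect_anomalies(baseline_lines, current_lines):
    """Return [(hour, event, count, mean, stdev)] for anomalous current buckets.
    Baseline hours with zero events of a type count as zeros, so a rare
    event does not get an inflated mean."""
    base, cur = hourly_counts(baseline_lines), hourly_counts(current_lines)
    hours = {hour for hour, _ in base}
    alerts = []
    for event in sorted(WATCHED):
        history = [base[(h, event)] for h in hours]
        if not history or not any(history):
            continue  # no baseline for this event type yet
        mu, sigma = mean(history), pstdev(history)
        for (hour, ev), n in sorted(cur.items()):
            if ev == event and n >= MIN_COUNT and n > mu + THRESHOLD_SIGMA * sigma:
                alerts.append((hour, event, n, mu, sigma))
    return alerts


if __name__ == "__main__":
    for hour, event, n, mu, sigma in detect_anomalies(BASELINE, CURRENT):
        print(f"ALERT {hour} {event}: {n} events (baseline {mu:.1f} +/- {sigma:.1f})")
```

The password_reset bucket doubles in the current hour but stays below MIN_COUNT, so it is reported as nothing; that absolute floor is what keeps low-volume events from paging anyone.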
Proactive Security: All Levels
• Continually drive improvements into your tools and processes
• Be flexible and ready to adapt
• Share what you've learned and done!
Works Cited
• http://www.netbraintech.com/products/feature-guide/images/asset-report-step-5-2.png
• http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_web_01.pdf
• http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
Tools
• Netflix OSS: https://netflix.github.io/
• OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
• Ensnare: https://github.com/ahoernecke/ensnare
• FindSecBugs: https://github.com/h3xstream/find-sec-bugs
Thanks!
• Contact Us:
• sbehrens@netflix.com
• ahoernecke@netflix.com
• OSS: http://netflix.github.io/
• Want to be part of the team? We're hiring!
• Questions?