Why We Can't Have Nice Things, A Tale of Woe and a Hope For the Future

Watch this talk here: https://vimeo.com/129822165

DevOpsDays Austin Talk.
Computers are hard, and security is even harder. Let's discuss things to do when you have a dedicated Infosec team, and tools you can use when you don't.

  1. Why We Can’t Have Nice Things: A Tale of Woe, and Hope for the Future. Pete Cheslock, @petecheslock
  2. (image slide)
  3. Wall of Confusion: Dev / Ops / Sec
  4. (image slide)
  5. DevOps / Sec (@hijinksensue)
  6. (image slide)
  7. (image slide)
  8. Pete Cheslock. Not an InfoSec. Twitters: @petecheslock. theshipshow.com, threatstack.com
  9. "The most costly disruptions always happen when something we take completely for granted stops working for a minute." – President Josiah Bartlet
  10. (image slide)
  11. (image slide)
  12. (image slide)
  13. (image slide)
  14. (image slide)
  15. (image slide)
  16. (image slide)
  17. (image slide)
  18. (image slide)
  19. It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.
  20. risk = (threat) x (probability) x (business impact). http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html - Jen Andre
  21. What data are you sending? What happens if that system is compromised?
  22. WE TAKE SECURITY SERIOUSLY. “These are not features: Security, Availability, Performance.” - Benjamin Black, http://blog.b3k.us/2012/01/24/some-rules.html
  23. (image slide)
  24. (image slide)
  25. (image slide)
  26. Secrets management tools:
     - https://github.com/codahale/sneaker
     - https://vaultproject.io
     - https://github.com/square/keywhiz
     - https://github.com/LuminalOSS/credstash
     - https://github.com/oleiade/trousseau - Storing sensitive data
     - https://github.com/cloudflare/redoctober - High value secrets
     - https://github.com/jschauma/jass - really helpful tool for sharing of secrets using SSH keys.
  27. (image slide)
  28. (image slide)
  29. Keep It Simple. Skip the ITIL IR Plan for now.
  30. (image slide)
  31. (image slide)
  32. (image slide)
  33. (image slide)
  34. “FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”
  35. Compile your Source, Build a Package, Sign the Package, Test the Package, Deploy the Package. You can’t hate the curl bash and be OK deploying from Github.
  36. Package repository tooling: aptly, deb-s3, freight/sync to s3, packagecloud.io
  37. (image slide)
  38. (image slide)
  39. (image slide)
  40. https://www.ssllabs.com/ssltest/
  41. (image slide)
  42. Safe Access to Production
  43. “Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system” – Mark Burgess
  44. Trust, but Verify.
  45. auditd + OSSEC …and SELinux. http://stopdisablingselinux.com/
  46. Reference profiles and guides:
     - Controlled Access Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf
     - Labeled Security Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
     - National Industrial Security Program Operating Manual (NISPOM): http://www.fas.org/sgp/library/nispom.htm
     - Security Technical Implementation Guides: http://iase.disa.mil/stigs/Pages/index.aspx
  47. (image slide)
  48. (image slide)
  49. Start Small. Identify High Risks.
  50. Security Culture is People
  51. (image slide)
  52. (image slide)
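Slides 42 to 45 argue for watching interactive access to production with auditd rather than trusting it. As an added example (not code from the talk), this parses auditd USER_LOGIN records and raises the two findings a reviewer would want: repeated failed logins from one address and any successful direct root login. The log lines are constructed samples in auditd's record format; the threshold and finding wording are assumptions.

```python
import re
from collections import Counter

# Constructed sample auditd records (not from the talk). Field layout follows
# auditd's "type=... msg=audit(ts:serial): k=v ... msg='op=... res=...'" format.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1431097542.213:1187): pid=2123 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1431097601.004:1191): pid=2140 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1431097603.118:1192): pid=2141 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1431097605.330:1193): pid=2142 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1431097650.777:1201): pid=2160 uid=0 auid=0 ses=13 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1431097650.780:1202): pid=2160 uid=0 auid=0 ses=13 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
"""

# key=value pairs; values may be single-quoted (nested msg), double-quoted, or bare
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Flatten one auditd record into a dict, merging the nested msg='...' fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "msg" and value.startswith("'"):
            for inner_key, inner_value in FIELD_RE.findall(value[1:-1]):
                fields[inner_key] = inner_value.strip('"')
        elif key == "msg":
            fields["audit_stamp"] = value.rstrip(":")  # the audit(ts:serial) token
        else:
            fields[key] = value.strip('"')
    return fields


def analyze_logins(log_text, fail_threshold=3):
    """Return (successful logins, findings). A finding is a string a human can act on."""
    successes, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "USER_LOGIN":
            continue  # CRED_ACQ and friends are PAM noise for this purpose
        if rec.get("res") == "success":
            # id= is the login uid here; uid=0 is just sshd's own uid, so ignore it
            successes.append((rec.get("addr"), rec.get("id"), rec.get("auid")))
        else:
            failures[(rec.get("addr"), rec.get("acct"))] += 1
    findings = [f"{n} failed logins for {acct} from {addr}"
                for (addr, acct), n in failures.items() if n >= fail_threshold]
    findings += [f"direct root login from {addr}"
                 for addr, login_uid, auid in successes if login_uid == "0" or auid == "0"]
    return successes, findings
```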