What this talk here: https://vimeo.com/129822165 DevOpsDays Austin Talk. Computers are hard, and security is even harder. Let's discuss things to do when you have a dedicated Infosec team, and tools you can use when you don't.

1. Why We Can’t Have Nice Things
A Tale of Woe, and Hope for the Future
Pete Cheslock
@petecheslock

2. @petecheslock

3. @petecheslock
WallofConfusion
Dev Ops
Sec

4. @petecheslock

5. @petecheslock
DevOps
Sec
@hijinksensue

6. @petecheslock

7. @petecheslock

8. Pete Cheslock
Not an InfoSec
Twitters: @petecheslock
theshipshow.com
threatstack.com

9. – President Josiah Bartlet
"The most costly
disruptions always
happen when
something we take
completely for
granted stops
working for a
minute."

10. @petecheslock

11. @petecheslock

12. @petecheslock

13. @petecheslock

14. @petecheslock

15. @petecheslock

16. @petecheslock

17. @petecheslock

18. @petecheslock

19. @petecheslock
It’s time that we recognize that all
these new tools which are helping to
enable our teams to work so well are
also introducing new attack vectors.

20. @petecheslock
risk = (threat) x (probability)
x (business impact)
http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html
- Jen Andre

21. @petecheslock
What data are you sending?
What happens if that system
is compromised?

22. @petecheslock
WE TAKE SECURITY
SERIOUSLY
http://blog.b3k.us/2012/01/24/some-rules.html
“These are not features: Security, Availability, Performance.”
- Benjamin Black

23. @petecheslock

24. @petecheslock

25. @petecheslock

26. @petecheslock
https://github.com/codahale/sneaker
https://vaultproject.io
https://github.com/square/keywhiz
https://github.com/LuminalOSS/credstash
https://github.com/oleiade/trousseau - Storing sensitive data
https://github.com/cloudflare/redoctober - High value secrets
https://github.com/jschauma/jass - really helpful tool for sharing of
secrets using SSH keys.

27. @petecheslock

28. @petecheslock

29. @petecheslock
Keep It Simple
Skip the ITIL IR Plan for now

31. @petecheslock

32. @petecheslock

33. @petecheslock

34. @petecheslock

35. @petecheslock
“FWIW, I have most of a sub-key implementation done, but that
still won’t solve your problem, as it will be years before that
implementation is widely deployed…”

36. @petecheslock
Compile your Source
Build a Package
Sign the Package
Test the Package
Deploy the Package
You can’t hate the curl bash and be OK deploying from Github

37. @petecheslock
aptly
deb-s3
freight/sync to s3
packagecloud.io

38. @petecheslock

39. @petecheslock

40. @petecheslock

41. @petecheslock
https://www.ssllabs.com/ssltest/

42. @petecheslock

43. @petecheslock
Safe Access to Production

44. @petecheslock
– Mark Burgess
“Every time someone logs onto a system
interactively, they compromise everyone's
knowledge of that system”

45. @petecheslock
Trust, but Verify.

46. @petecheslock
auditd + OSSEC
…and SELinux
http://stopdisablingselinux.com/

47. @petecheslock
Controlled Access Protection Profile
http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf
Labeled Security Protection Profile
http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
National Industrial Security Program Operating Manual (NISPOM)
http://www.fas.org/sgp/library/nispom.htm
Security Technical Implementation Guides
http://iase.disa.mil/stigs/Pages/index.aspx

49. @petecheslock

50. @petecheslock

51. @petecheslock
Start Small
Identify High Risks

52. @petecheslock
Security Culture is People

53. @petecheslock

54. @petecheslock