Uploaded byCloudVillage
4,878 views

Security Battle Wounds from a Cloud SRE

Speaker: Jane Miceli Learn about a breach, what happens in the aftermath and why I can't tell my peers what happen. Learn the fallout and more importantly what application developers aren't thinking about.

Embed presentation

Download to read offline
Security Battle Wounds from a Cloud Site Reliability Engineer … And a few lessons By Jane Miceli @janemiceli #defcon27 @cloudvillage_dc jane@janemiceli.com
Agenda • Background information • Battles • Lessons learned • Questions? @janemiceli #devops27 #cloudvillage #cloud #security @cloudvillage_dc
What is DevOps anyways? @janemiceli #devops27 #cloudvillage #cloud #security
SRE vs DevOps @janemiceli #devops27 #cloudvillage #cloud #security
What technologies used? @janemiceli #devops27 #cloudvillage #cloud #security
Battles: The mindset of developers @janemiceli #devops27 #cloudvillage #cloud #security
Battles: The mindset of managers @janemiceli #devops27 #cloudvillage #cloud #security
Battles: The view of security @janemiceli #devops27 #cloudvillage #cloud #security
Battles: The view from security @janemiceli #devops27 #cloudvillage #cloud #security
Battles: My own secrets vault means faster, “I’m cool”, no software purchase. @janemiceli #devops27 #cloudvillage #cloud #security
Battles: The accumulation of insecure technical debt @janemiceli #devops27 #cloudvillage #cloud #security
Fubar @janemiceli #devops27 #cloudvillage #cloud #security
Advice for CyberSecurity • Developers/Engineers/coders need you • If it’s hard to understand, it won’t get fixed. • Don’t send reports of scans, help them investigate the and recommend mitigation. • Learn some coding, learn to show security coding/using libraries, do code reviews. • Turn around answers quickly – its an opportunity to influence. • Use simple and concise security policies that everyone can understand and obey. • Tell them no when appropriate, but give alternatives to enable. • Involve coders to join an investigation, so the impact is well understood. @janemiceli #devops27 #cloudvillage #cloud #security
Advise for Developers/Engineers/Programmers • Security is your friend, secure coding is not new. • Plain text, base 64 encoding, is not OK • Use good random generators. • You don’t need production access. • Take in-depth security training, Don’t take the easy way out. • Cleanup is important, as well as least privilege, reducing attack vector • If that doesn’t mean sense, take a week long security class • Don’t roll your own vaulting mechanism/ cryptography AND Git is not for secrets! • POCs turn into production really fast. • Vet all the libraries and even those plugins on approved apps. • Try not to get the security exception for being “business critical”. @janemiceli #devops27 #cloudvillage #cloud #security
Lessons Learned @janemiceli #devops27 #cloudvillage #cloud #security
Questions? Twitter: @janemiceli #defcon27 @cloudvillage_dc #cloud #security Web: www.janemiceli.com Email: jane@janemiceli.com

More Related Content

PDF
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
byCloudVillage
 
PDF
Phishing in the cloud era
byCloudVillage
 
PDF
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
PDF
Build to Hack, Hack to Build
byCloudVillage
 
PDF
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
PDF
Battle in the Clouds - Attacker vs Defender on AWS
byCloudVillage
 
PPTX
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
byCloudVillage
 
PPTX
Scaling Security in the Cloud With Open Source
byCloudVillage
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
byCloudVillage
 
Phishing in the cloud era
byCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
Build to Hack, Hack to Build
byCloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
byCloudVillage
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
byCloudVillage
 
Scaling Security in the Cloud With Open Source
byCloudVillage
 

Recently uploaded

PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
How to Evaluate a High Performance Database
byScyllaDB
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 

Featured

PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Skeleton Culture Code
bySkeleton Technologies
 
Getting into the tech field. what next
byTessa Mero
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 

Security Battle Wounds from a Cloud SRE

  • 1.
    Security Battle Woundsfrom a Cloud Site Reliability Engineer … And a few lessons By Jane Miceli @janemiceli #defcon27 @cloudvillage_dc jane@janemiceli.com
  • 2.
    Agenda • Background information •Battles • Lessons learned • Questions? @janemiceli #devops27 #cloudvillage #cloud #security @cloudvillage_dc
  • 3.
    What is DevOpsanyways? @janemiceli #devops27 #cloudvillage #cloud #security
  • 4.
    SRE vs DevOps @janemiceli#devops27 #cloudvillage #cloud #security
  • 5.
    What technologies used? @janemiceli#devops27 #cloudvillage #cloud #security
  • 6.
    Battles: The mindsetof developers @janemiceli #devops27 #cloudvillage #cloud #security
  • 7.
    Battles: The mindsetof managers @janemiceli #devops27 #cloudvillage #cloud #security
  • 8.
    Battles: The viewof security @janemiceli #devops27 #cloudvillage #cloud #security
  • 9.
    Battles: The viewfrom security @janemiceli #devops27 #cloudvillage #cloud #security
  • 10.
    Battles: My ownsecrets vault means faster, “I’m cool”, no software purchase. @janemiceli #devops27 #cloudvillage #cloud #security
  • 11.
    Battles: The accumulationof insecure technical debt @janemiceli #devops27 #cloudvillage #cloud #security
  • 12.
  • 13.
    Advice for CyberSecurity •Developers/Engineers/coders need you • If it’s hard to understand, it won’t get fixed. • Don’t send reports of scans, help them investigate the and recommend mitigation. • Learn some coding, learn to show security coding/using libraries, do code reviews. • Turn around answers quickly – its an opportunity to influence. • Use simple and concise security policies that everyone can understand and obey. • Tell them no when appropriate, but give alternatives to enable. • Involve coders to join an investigation, so the impact is well understood. @janemiceli #devops27 #cloudvillage #cloud #security
  • 14.
    Advise for Developers/Engineers/Programmers • Securityis your friend, secure coding is not new. • Plain text, base 64 encoding, is not OK • Use good random generators. • You don’t need production access. • Take in-depth security training, Don’t take the easy way out. • Cleanup is important, as well as least privilege, reducing attack vector • If that doesn’t mean sense, take a week long security class • Don’t roll your own vaulting mechanism/ cryptography AND Git is not for secrets! • POCs turn into production really fast. • Vet all the libraries and even those plugins on approved apps. • Try not to get the security exception for being “business critical”. @janemiceli #devops27 #cloudvillage #cloud #security
  • 15.
    Lessons Learned @janemiceli #devops27#cloudvillage #cloud #security
  • 16.
    Questions? Twitter: @janemiceli #defcon27@cloudvillage_dc #cloud #security Web: www.janemiceli.com Email: jane@janemiceli.com