Security Battle Wounds from a Cloud SRE
•0 likes•4,165 views
Report
Share
Download to read offline
Speaker: Jane Miceli Learn about a breach, what happens in the aftermath and why I can't tell my peers what happen. Learn the fallout and more importantly what application developers aren't thinking about.
Recommended
More Related Content
Recently uploaded
Recently uploaded(20)
Featured
Featured(20)
Security Battle Wounds from a Cloud SRE
- 1. Security Battle Wounds from a Cloud Site Reliability Engineer … And a few lessons By Jane Miceli @janemiceli #defcon27 @cloudvillage_dc jane@janemiceli.com
- 2. Agenda • Background information • Battles • Lessons learned • Questions? @janemiceli #devops27 #cloudvillage #cloud #security @cloudvillage_dc
- 3. What is DevOps anyways? @janemiceli #devops27 #cloudvillage #cloud #security
- 4. SRE vs DevOps @janemiceli #devops27 #cloudvillage #cloud #security
- 5. What technologies used? @janemiceli #devops27 #cloudvillage #cloud #security
- 6. Battles: The mindset of developers @janemiceli #devops27 #cloudvillage #cloud #security
- 7. Battles: The mindset of managers @janemiceli #devops27 #cloudvillage #cloud #security
- 8. Battles: The view of security @janemiceli #devops27 #cloudvillage #cloud #security
- 9. Battles: The view from security @janemiceli #devops27 #cloudvillage #cloud #security
- 10. Battles: My own secrets vault means faster, “I’m cool”, no software purchase. @janemiceli #devops27 #cloudvillage #cloud #security
- 11. Battles: The accumulation of insecure technical debt @janemiceli #devops27 #cloudvillage #cloud #security
- 12. Fubar @janemiceli #devops27 #cloudvillage #cloud #security
- 13. Advice for CyberSecurity • Developers/Engineers/coders need you • If it’s hard to understand, it won’t get fixed. • Don’t send reports of scans, help them investigate the and recommend mitigation. • Learn some coding, learn to show security coding/using libraries, do code reviews. • Turn around answers quickly – its an opportunity to influence. • Use simple and concise security policies that everyone can understand and obey. • Tell them no when appropriate, but give alternatives to enable. • Involve coders to join an investigation, so the impact is well understood. @janemiceli #devops27 #cloudvillage #cloud #security
- 14. Advise for Developers/Engineers/Programmers • Security is your friend, secure coding is not new. • Plain text, base 64 encoding, is not OK • Use good random generators. • You don’t need production access. • Take in-depth security training, Don’t take the easy way out. • Cleanup is important, as well as least privilege, reducing attack vector • If that doesn’t mean sense, take a week long security class • Don’t roll your own vaulting mechanism/ cryptography AND Git is not for secrets! • POCs turn into production really fast. • Vet all the libraries and even those plugins on approved apps. • Try not to get the security exception for being “business critical”. @janemiceli #devops27 #cloudvillage #cloud #security
- 15. Lessons Learned @janemiceli #devops27 #cloudvillage #cloud #security
- 16. Questions? Twitter: @janemiceli #defcon27 @cloudvillage_dc #cloud #security Web: www.janemiceli.com Email: jane@janemiceli.com