Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Battle Wounds from a Cloud SRE

1,098 views

Published on

Speaker: Jane Miceli
Learn about a breach, what happens in the aftermath and why I can't tell my peers what happen. Learn the fallout and more importantly what application developers aren't thinking about.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Security Battle Wounds from a Cloud SRE

  1. 1. Security Battle Wounds from a Cloud Site Reliability Engineer … And a few lessons By Jane Miceli @janemiceli #defcon27 @cloudvillage_dc jane@janemiceli.com
  2. 2. Agenda • Background information • Battles • Lessons learned • Questions? @janemiceli #devops27 #cloudvillage #cloud #security @cloudvillage_dc
  3. 3. What is DevOps anyways? @janemiceli #devops27 #cloudvillage #cloud #security
  4. 4. SRE vs DevOps @janemiceli #devops27 #cloudvillage #cloud #security
  5. 5. What technologies used? @janemiceli #devops27 #cloudvillage #cloud #security
  6. 6. Battles: The mindset of developers @janemiceli #devops27 #cloudvillage #cloud #security
  7. 7. Battles: The mindset of managers @janemiceli #devops27 #cloudvillage #cloud #security
  8. 8. Battles: The view of security @janemiceli #devops27 #cloudvillage #cloud #security
  9. 9. Battles: The view from security @janemiceli #devops27 #cloudvillage #cloud #security
  10. 10. Battles: My own secrets vault means faster, “I’m cool”, no software purchase. @janemiceli #devops27 #cloudvillage #cloud #security
  11. 11. Battles: The accumulation of insecure technical debt @janemiceli #devops27 #cloudvillage #cloud #security
  12. 12. Fubar @janemiceli #devops27 #cloudvillage #cloud #security
  13. 13. Advice for CyberSecurity • Developers/Engineers/coders need you • If it’s hard to understand, it won’t get fixed. • Don’t send reports of scans, help them investigate the and recommend mitigation. • Learn some coding, learn to show security coding/using libraries, do code reviews. • Turn around answers quickly – its an opportunity to influence. • Use simple and concise security policies that everyone can understand and obey. • Tell them no when appropriate, but give alternatives to enable. • Involve coders to join an investigation, so the impact is well understood. @janemiceli #devops27 #cloudvillage #cloud #security
  14. 14. Advise for Developers/Engineers/Programmers • Security is your friend, secure coding is not new. • Plain text, base 64 encoding, is not OK • Use good random generators. • You don’t need production access. • Take in-depth security training, Don’t take the easy way out. • Cleanup is important, as well as least privilege, reducing attack vector • If that doesn’t mean sense, take a week long security class • Don’t roll your own vaulting mechanism/ cryptography AND Git is not for secrets! • POCs turn into production really fast. • Vet all the libraries and even those plugins on approved apps. • Try not to get the security exception for being “business critical”. @janemiceli #devops27 #cloudvillage #cloud #security
  15. 15. Lessons Learned @janemiceli #devops27 #cloudvillage #cloud #security
  16. 16. Questions? Twitter: @janemiceli #defcon27 @cloudvillage_dc #cloud #security Web: www.janemiceli.com Email: jane@janemiceli.com

×