Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

"Infrastructure Security Practice" by Wasis Adi Putranto (OLX Indonesia)


Published on

Wasis Adi Putranto is a Practice Lead for DevOps at OLX Indonesia, the world’s leading classifieds platform, with a presence in more than 40 countries around the globe.

This slide was shared on Tech in Asia DevTalk : “Kick-ass Recipe Security for Your Product" in collaboration with PHP Indonesia Community on 22 March 2017.

Get updates about our dev events delivered straight to your inbox by signing up here: ! Be the first to know when new information is available!

Published in: Technology
  • Be the first to comment

"Infrastructure Security Practice" by Wasis Adi Putranto (OLX Indonesia)

  1. 1. Infrastructure Security Practice Wasis Adi Putranto March 2017
  2. 2. ~$ whoami • Network/System Engineer • Openstack Engineer • DevOps Engineer • Practice Lead
  3. 3. Security source:
  4. 4. Infrastructure source:
  5. 5. Infrastructure Security • Secure upper & lower layer • Every layer has their own strategy & tools • Be selective in what you accept from others • Be open in what you send to others
  6. 6. Lower Layer Strategy • Network Separation Public: LB, Proxy Private: Web, DB, Cache • Bastion Host Main & the only one enterance Guard it well
  7. 7. Lower Layer Strategy • OpenSSH SSH key is a MUST, no password 2048-bit key pair will be better Permit login root no Treat like your personal belonging
  8. 8. Lower Layer Strategy • IPTables & IPSet, Security Group, Network ACL Ingress: Open needed port and from specific network only if necessary. Be careful with UDP. Egress: ALLOW ALL
  9. 9. Overview
  10. 10. Upper Layer Strategy • Non-root user No login, no shell • Application PHP disable_functions Upload limit & validation Put behind reverse proxy
  11. 11. Upper Layer Strategy • OpenSSL SSL termination with nginx TLS only, disable gzip in v1.0 Pick chiper suite carefully • 3rd party Firewall, NG-Firewall, WAF CDN
  12. 12. Using Docker • Service Isolation Better isolation than chroot/jail Can't easily get host-level access • Immunable Infrastructure Always have fresh and stable infra
  13. 13. Thank you • •