tom@cloudzero.com @tmclaughbos
Iterative Security:
Secrets Management When You’re Not Ready For Vault
Who is this guy up here?
His headshot is lasers and a cat

I’m Tom!
• Community Engineer at CloudZero
• Previously infrastructure engineer with a focus on automation.
Background & Biases
Where I’m coming from

Background & Biases: I like startups

Background & Biases: Engineering is just a title

Does this look like you?

There is a lot of work to be done each day

For many of us, this ends up as reality…

We have all this technology!
So why do these problems still exist?

How we present security

Security Paralysis
I don’t know what to do
Security things you in ops might end up responsible for
• Access controls
  • How much is too much access?
• Password policies
  • How often should I force password rotation?
  • Wait, NIST has changed their recommendation? Don’t force rotation?
• Patching
  • Do I patch immediately on every vendor release or test first?
• and more…

I am not a “security person”
Iterative Security
Starting and progressively improving your security stance

Why is security hard for us?

OMG SECURITY!!!

Things we get excited about with security
• 0-Days!!!
• Hash collisions
• What the CIA/NSA/DoD has
• Logos

Things we don’t get excited about with security
• Patching!
• Not leaving MongoDB exposed to the internet with weak credentials
• Not leaving Elasticsearch exposed to the internet with weak credentials

Learning from our mistakes

Many of us focus on the wrong things
http://www.littlebobbycomic.com/projects/week-115/

How we present security
What we should be teaching
• What are you trying to do?
• Where do you start?
• How do you progress?

There’s a lot of info at the extremes

But this is where many of us are

We know not to…
Put passwords, API keys, tokens, etc. in code.

But it still happens…

Where do you go from here?

Developing a threat model!

Be Realistic

USB sticks are a bigger threat than the man in the ceiling

A breach probably won’t end business
What are we trying to protect?
• Intellectual property
• Customer data (data about who our customers are)
• Customer’s data (data from our customers)
• etc.

What does our architecture look like?

Decompose the system
• Perimeters
• Data pipeline
Identify threats
• Exposed network ports (network)
• Unpatched EC2 instances (host)
• Weak secrets management (application)
• User submitted data (application)
• etc.

Document Threats
• Weak password management
  • At two points in our infrastructure we’re not managing passwords
  • Both points involve highly valuable assets
  • Breach would be bad
    • Reputation loss -> customer loss
    • Data could be leveraged against our customers

Rate Threats
Risk = Probability * Damage Potential
Rate Threats
• D: Damage potential
• R: Reproducibility
• E: Exploitability
• A: Affected users
• D: Discoverability
https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

Rate Threats
• D: Disaster if this is found (high)
• R: Easy to reproduce (high)
• E: Easy to exploit; requires existing access (medium)
• A: Affects all users (high)
• D: Not easy to find; users are hops away from issue (medium)
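The rating exercise above, carried through in code so the same DREAD scoring can be applied to every threat on the "Identify threats" list and the results ranked. This is an added example, not from the deck; the 1-3 numeric mapping of the deck's high/medium/low ratings, the way Probability is approximated for the deck's Risk = Probability * Damage Potential formula, and the ratings for the three threats other than weak secrets management are assumptions.

```python
"""Score and rank threats with DREAD, as the deck does for weak secrets management.

Added example; the 1-3 numeric mapping of the deck's high/medium/low ratings and the
ratings for the other three threats are assumptions, not from the slides.
"""
from dataclasses import dataclass

# Assumed numeric scale for the qualitative ratings used on the slides.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    damage: str            # D: Damage potential
    reproducibility: str   # R: Reproducibility
    exploitability: str    # E: Exploitability
    affected_users: str    # A: Affected users
    discoverability: str   # D: Discoverability

    def dread_score(self) -> float:
        """Mean of the five DREAD factors on the 1-3 scale (3.0 = worst)."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        return sum(LEVEL[f] for f in factors) / len(factors)

    def risk(self) -> float:
        """Risk = Probability * Damage Potential, the formula from the deck.

        Probability is approximated (assumption) as the mean of the three
        factors that describe how likely someone is to find the weakness and
        make use of it: reproducibility, exploitability and discoverability.
        """
        probability = (LEVEL[self.reproducibility] + LEVEL[self.exploitability]
                       + LEVEL[self.discoverability]) / 3
        return probability * LEVEL[self.damage]


# The deck's own ratings for the threat it documents.
WEAK_SECRETS = Threat("Weak secrets management", damage="high",
                      reproducibility="high", exploitability="medium",
                      affected_users="high", discoverability="medium")

# Constructed ratings for the other threats the deck lists; adjust for your system.
IDENTIFIED_THREATS = [
    Threat("Exposed network ports", "high", "high", "high", "high", "high"),
    Threat("Unpatched EC2 instances", "high", "medium", "medium", "high", "medium"),
    WEAK_SECRETS,
    Threat("User submitted data", "medium", "high", "medium", "medium", "medium"),
]


def rank_threats(threats: list[Threat]) -> list[tuple[str, float]]:
    """Highest DREAD score first; ties broken by name so the order is stable."""
    return sorted(((t.name, t.dread_score()) for t in threats),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_threats(IDENTIFIED_THREATS):
        print(f"{score:.2f}  {name}")
```

With the deck's ratings the weak secrets threat scores 2.6 out of 3 on DREAD and 7.0 on the Risk formula; the ranking is what tells you which item to put the "few days to a few weeks" into first.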
Putting a response into action
Let’s manage those secrets

Constraints
Time, Complexity, Risk

Constraints: Time

Constraints: Complexity

Constraints: Risk of failure
“It’s all code… We monitor it using Nagios.”

Constraints
• Time: Few days to a few weeks
  • The faster we get this done the more likely we will finish.
• Complexity: We’re going to go with what we know.
  • Fewer surprises.
  • Less to learn and get wrong.
• Risk: Taking only as much risk as we’re ready for.
  • We’re moving fast!
  • Let’s limit the failure blast radius.

Approaches to get you started
Finally we secure some secrets
git-crypt
• Encrypts secrets directly in your repository
• Find secrets, rotate, and store them
https://github.com/AGWA/git-crypt

git-crypt
• Pros
  • You’ve done the exercise of auditing your code base
• Cons
  • Symmetric encryption
  • Everyone needs the master password
• TODO
  • Prevent key proliferation
  • Move to new secrets management when ready
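The "find secrets, rotate, and store them" step is the part every approach in this deck shares, and it is the one most people do by eye. Below is an added example of the audit pass, not code from git-crypt or from the deck: it scans source text for an AWS access key ID (AWS's public key format), a private-key PEM header, and quoted credential assignments, and uses Shannon entropy to drop placeholders such as `changeme`. The pattern names, the 3.5-bit threshold and the sample source are all constructed.

```python
"""Find hardcoded secrets in a code base before rotating them and moving them into
git-crypt (or any other store). Added example, not part of git-crypt or the deck.
"""
import math
import re
from collections import Counter
from pathlib import Path

# Credential shapes worth flagging. The AWS access key ID prefix/length is AWS's
# public format; the other two are generic and rely on the entropy filter below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders like 'changeme' score low, real keys high."""
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per (line, pattern) hit as {'line', 'kind', 'value'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Low-entropy quoted values are almost always placeholders or docs.
            if kind == "credential_assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


def scan_tree(root: str,
              suffixes=(".py", ".rb", ".yml", ".yaml", ".json", ".tf")) -> dict:
    """Walk a checkout and map each file that has findings to its findings list."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name.startswith(".env")):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample input standing in for a source file.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]       # fine: read at runtime, not hardcoded
password = "changeme"                          # placeholder, dropped by the entropy filter
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"     # AWS's documented example key ID
api_key = "qZ7#mK2pL9vX4wR8"                   # constructed high-entropy value
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['value']}")
```

Run `scan_tree(".")` at the root of a checkout to get a per-file list; everything it reports is a candidate for rotation first and encryption second, since a value that has already been committed should be treated as exposed even after it is moved behind git-crypt. Expect false positives and tune the patterns and threshold to your code base rather than trusting a clean run.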
Configuration Management: Puppet
• Hiera-eyaml: Encrypt values in your Hiera hierarchy
  • Can use public key encryption
  • Multiple backends
https://github.com/voxpupuli/hiera-eyaml

Configuration Management: Puppet
• Pros
  • You’ve centralized your secrets in one repo.
  • Public key encryption support
• Cons
  • May require manual intervention when rolling Puppetmasters.
  • May need to clean up your Puppet code if you haven’t already moved to Hiera.
• TODO
  • Figure out master rekey strategy

Configuration Management: Ansible
• Ansible Vault: Encrypts entire var files in playbook
http://docs.ansible.com/ansible/playbooks_vault.html

Configuration Management: Ansible
• Pros
  • You’ve done the exercise of auditing your code base
• Cons
  • Symmetric encryption
  • Everyone needs the shared password
  • Key proliferation
• TODO
  • Preventing the proliferation of the Vault key
  • Rekeying and rolling secrets.
S3 Buckets
• Sneaker
  • Encrypt, store, and retrieve secrets from S3.
https://github.com/codahale/sneaker

S3 Buckets
• Pros
  • Secrets no longer live in repos
  • Reduced secret proliferation
  • Secrets encrypted in S3.
• Cons
  • How are you managing S3 buckets?
• TODO
  • Manage your S3 buckets with CloudFormation, Terraform, etc.
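Once the bucket is in CloudFormation, the "how are you managing S3 buckets?" question becomes something you can check in a pipeline. The following is an added example, not part of sneaker or the deck: it audits each `AWS::S3::Bucket` in a template dict for the three settings a secrets bucket should have (SSE-KMS default encryption, a complete public access block, versioning). The property names are the real `AWS::S3::Bucket` ones; the two templates and the KMS alias placeholder are constructed.

```python
"""Audit the CloudFormation definition of a bucket that is about to hold encrypted
secrets (e.g. sneaker's bucket). Added example, not part of sneaker or the deck; the
property names are the real AWS::S3::Bucket ones, the two templates are constructed.
"""
import json

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def audit_secrets_bucket(resource: dict) -> list[str]:
    """Return findings for one AWS::S3::Bucket resource; an empty list means it passes."""
    findings = []
    props = resource.get("Properties", {})

    # 1. Default encryption must be SSE-KMS: objects are encrypted at rest with a
    #    key whose use is logged and can be revoked, on top of sneaker's own layer.
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algorithms = {rule.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for rule in rules}
    if "aws:kms" not in algorithms:
        findings.append("default encryption is not SSE-KMS")

    # 2. All four public-access-block flags must be on, so a later bucket policy
    #    or ACL mistake is blocked instead of exposing the secrets.
    block = props.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if block.get(flag) is not True]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    # 3. Versioning keeps the previous ciphertext if a secret is overwritten or
    #    deleted during a rotation that goes wrong.
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    return findings


def audit_template(template: dict) -> dict:
    """Map every AWS::S3::Bucket logical ID in a template to its findings."""
    return {name: audit_secrets_bucket(res)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::S3::Bucket"}


# Constructed template: how a bucket usually starts out (created by hand, no settings).
WEAK_TEMPLATE = {
    "Resources": {
        "SecretsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
    }
}

# Constructed template: the same bucket with the settings the audit expects.
# "alias/PLACEHOLDER-secrets-key" stands in for your own KMS key alias.
HARDENED_TEMPLATE = {
    "Resources": {
        "SecretsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": "alias/PLACEHOLDER-secrets-key"}}]},
                "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
    }
}

if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, json.dumps(audit_template(template), indent=2))
```

Feed it `json.load()` of a template (or the output of `cfn-flip` for a YAML one) and fail the build on any non-empty findings list; the same three checks translate directly to Terraform's `aws_s3_bucket_server_side_encryption_configuration`, `aws_s3_bucket_public_access_block` and `aws_s3_bucket_versioning` resources.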
What should we have gotten out of all this?

Less this…

…More this!

YOU CAN DO THIS!

Thank You!
http://strayc.at/feedback

Threat Modeling: startup edition
https://twitter.com/CommitStrip/status/876830310780071936

Threat Modeling: startup edition response
https://twitter.com/ErrataRob/status/876963608076439556
We know what not to do.
We (think) we know where we want to be.
But we don’t know how to get there.

Iterative Security: Secrets when you're not ready for Vault

Editor's Notes

  1. Iterative Security: Secrets Management When You’re Not Ready For Vault (or Conjur). I want to emphasize the Iterative Security part. I changed the focus of this presentation from what’s on the agenda; as I wrote this, I realized secrets management wasn’t the actual interesting part. This is partially based on past experiences in my career.
  2. No new amazing tech in this presentation The technology isn’t the problem!!! We have good tech for managing secrets! Vault and Conjur exist. they’re really cool. they work well
  3. I HAVE OTHER WORK THAT’S MORE IMPORTANT What’s more important? How about keeping the site up? Been there. Secrets management systems can be complicated systems to understand and operate They take time to understand
  4. <SLIDE> laugh… But your friend next to you might be dealing with this A lot of us are or have been in situations we’re not proud of. We just don’t like to talk about this or admit it to others. I have been here previously in my career. Database passwords 3rd party service tokens. etc.
  5. This is how we present security to many people There is no in between There’s a lot of assumed knowledge from 1 to 2.
  6. We don’t have a clue what to do. We don’t know how to get from point A to point B, and given the choice of 8 other priorities we choose what we feel we can accomplish. We’re rewarded for what we accomplish. Security isn’t always one of our KPIs.
  7. <SLIDE>
  8. With all those questions <SLIDE> * We’ve put this in your hands and now it’s up to you to figure this out.
  9. <SLIDE>
  10. <SLIDE>
  11. <SLIDE> This is a HUGE part of my role at Threat Stack as our Engineering Advocate. Just listen, find common problems, address them. Secrets management that wasn’t as complicated and could be solved quick happened to be a topic. Posted this to reddit, good response.
  12. going to discuss “iterative security” Just want to get folks started securing their environment How do we get people taking care of the basics and gradually improving? Wide open security groups? What about S3 buckets? we can start with lower hanging fruit and work up
  13. <SLIDE>
  14. OMG security! Let’s get all excited! SHINY OBJECTS!
  15. What do people get excited about when talking security?
  16. 0-days Nobody expects them! I couldn’t find a good 0-day vulnerability logo But nobody expects the Spanish Inquisition… Really, you just wake up and roll into work and, “WTH is this?”
  17. Hash collisions (and other assorted cryptographic weaknesses) SHAttered: two different files that produce identical SHA1s Maybe someone will poison the Linux kernel repo
  18. The government can hack things It considers The Cyber to be a battlefield and is doing what other states are doing.
  19. * things with logos that everyone is talking about on Twitter/Slack/IRC
  20. * What don’t we get excited about?
  21. <SLIDE>
  22. <SLIDE> Same damn thing a week or two later.
  23. <SLIDE> MySQL was next after ES I did my part to warn the PostgreSQL community * This all took place in about 3 months
  24. Some of us in here legitimately need to focus on 0-days, the logo of the month. Many of us do not, because we have not even done the basics: we’re worried about APTs (advanced persistent threats) over our open databases.
  25. Back to the owl
  26. * What are you trying to look like? We talking headshot? side view frontal? Where do you start? How do you progress?
  27. You can find something that works on your machine You can find something that works at Big McLarge Co that has an Ops team many times bigger than yours.
  28. * Most of us are in the middle * There isn’t a lot out there on the left but just to the right of having gotten started solving our issues.
  29. <SLIDE>
  30. We’re going to apply the idea of iterating on security to Secrets Management
  31. <SLIDE>
  32. <SLIDE>
  33. * Let’s solve this like a real problem at work.
  34. * We’ll look at secrets management and impose some constraints on our decisions. In particular: time (How long will this work take?), complexity (How hard is this to do? How well can I understand it?), and failure risk (What happens if the system fails?). * These are normal business constraints we all face.
  35. Going to take months. You should do the perfect thing! I have other things that need to get done! For most of us, security isn’t the only thing on our plate. I have new systems to deploy, systems to tune, systems to fix, tools to build… We’re judged at work by that and not security.
  36. Vault looks simple! How will you handle the master encryption key shards? Where are they stored? Who has access? What storage backends meet your needs? How will you auth? * THANK YOU!
  37. * “It’s all code… We monitor it using Nagios.”
  38. Let’s apply this! Secrets management if you’re not doing Vault (or Conjur)…
  39. <slide> Build, satisfy needs, and throw away later You were at the worst point possible, you’ve at least taken a step…
  40. <slide> reddit thread with author
  41. Just like git-crypt <slide>
  42. So, we’ll focus on less of this…. Sweet car! I’m sure it’s fast But It’s also on fire.
  43. We can manage this. Roll in tomorrow and start putting out that garbage fire.
  44. <slide> None of the solutions I talked about are Earth shattering. *One of you, go make things better tomorrow. Make changes to prod on Friday and leave.