SlideShare a Scribd company logo

Building a (Really) Secure Cloud Product

Guy K. Kloss
Guy K. Kloss

Guest lecture to Master of Information Security and Digital Forensics students at Auckland University of Technology (AUT) on the development of the MEGAchat Cloud application.

Internet
1 of 36
Download to read offline
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Building a (Really) Secure Cloud Product Guest Lecture for Master of Information Security and Digital Forensics Guy Kloss gk@mega.co.nz Lead Software Developer Mega Limited 30 March 2015 Guy Kloss | Building a (Really) Secure Cloud Product 1/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 2/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 3/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The Product: MEGAchat A Cloud-based internet chat system Voice, Video and Text chat capable Offers multiple device capability for each participant (transparent synchronisation, consistent view of chat) To work in browser as well as native/mobile app Guy Kloss | Building a (Really) Secure Cloud Product 4/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The Product: MEGAchat Why “Really” Secure? Everybody says they’re secure . . . “Security Theatre” . . . We’re doing it (we say) . . . . . . and like to be confirmed or disproven in it. → Bug bounty! (for chat so far one paid out) Guy Kloss | Building a (Really) Secure Cloud Product 5/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Security Theatre Guy Kloss | Building a (Really) Secure Cloud Product 6/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Security Theatre http://geekandpoke.typepad.com/geekandpoke/2009/12/security-theatre.html Guy Kloss | Building a (Really) Secure Cloud Product 7/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Early Adopters Guy Kloss | Building a (Really) Secure Cloud Product 8/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 9/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation For the Chat System Desired properties: Confidentiality Identity authenticity Message authenticity Forward secrecy Session freshness Plausible deniability Room participants consistency Chat transcript consistency Reducie foot print of “leaking” meta-data Guy Kloss | Building a (Really) Secure Cloud Product 10/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Meta-Data? c by Michael J. Swart http://michaeljswart.com/2011/06/meta-aggregate/ Guy Kloss | Building a (Really) Secure Cloud Product 11/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Meta-Data? Guy Kloss | Building a (Really) Secure Cloud Product 12/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Sparseness of Meta-Data Don’t store what you don’t need Then nobody can come and ask you to “comply” If you must, do it so you can’t be compromised (e. g. passwords, salted and hashed, so not even you know them in plain) → Proper mechanisms for authentication and password management/storage On Mega Most meta-data only known to customer (encrypted) Company only knows what’s needed to manage the platform and interactions Guy Kloss | Building a (Really) Secure Cloud Product 13/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Crypto? It’s really difficult to get this right! Avoid writing it, if you can! Use off-the-shelf frameworks/helpers/packages → If you’re writing AES in your code, you’re probably doing it wrong If you can’t help it and have to build it yourself Make the conceptual system not suck! Make the implementation not suck! Guy Kloss | Building a (Really) Secure Cloud Product 14/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Crypto? The maths is good, it’s the implementation that sucks: “No matter how strong the crypto was, he attackers walked around it,” – “Crypto Won’t Save You Either”, Peter Gutmann, 2014 http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf Guy Kloss | Building a (Really) Secure Cloud Product 15/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 16/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Choice of System Components Robust base OS → Security, maintenance, reliability Many features are not necessarily important Evaluate/select server (software) carefully For required features Go get rid of not required features → Security, maintenance, reliability Is Cloud scalability a relevant factor? → Distribution, clustering, replication, . . . Guy Kloss | Building a (Really) Secure Cloud Product 17/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Choice of System Components (continued) Prefer open source solutions Auditable Many eyes Mostly more secure If well maintained, usually very quick fixes (e. g. on security) Guy Kloss | Building a (Really) Secure Cloud Product 18/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup Shut down unneeded services Configure systems securely Turn off what’s not needed Don’t log everything (production in debug mode?) Get the SSL/TLS configuration right! https://mozilla.github.io/server-side-tls/ ssl-config-generator/ Need bad examples? https://httpswatch.nz/ https://httpswatch.com/ Use additional protection schems CSP – Content Security Policy HSTS – HTTP Strict Transport Security CORS – Cross Origin Resource Sharing Guy Kloss | Building a (Really) Secure Cloud Product 19/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup SSL Labs Server Test SSL Labs is your friend https://www.ssllabs.com Guy Kloss | Building a (Really) Secure Cloud Product 20/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup Keep system upgraded (esp. security fixes quickly), short reaction times Best one service per (virtual) host (don’t slam them onto one host) Use logfiles with logrotation on a system level wisely Allows for forensic analysis later Without it, you’ve shut yourself out from most root cause analysis Stay on top of security things This can be hard work! Guy Kloss | Building a (Really) Secure Cloud Product 21/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation (Automatic) Monitoring Load (CPU, network I/O, memory, . . . ) Availability & functionality Check for “odd behaviour” Guy Kloss | Building a (Really) Secure Cloud Product 22/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 23/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation System/Infrastructure Level Always use HTTPS/SSL/TLS as a minimum Too bad the whole CA system and SSL is a bit broken And some of the ciphers/cipher suites “advertised” for use are also broken On the client side, always verify the full certificate chain Many tools/implementations are lazy by default (in Java, Python, C/C++, . . . ) Prefer to use certificate pinning E. g. a mobile app for a known service Recent Superfish scandal with Lenovo and others Guy Kloss | Building a (Really) Secure Cloud Product 24/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Application Layer User to server Commonly username/password Alternative: Certificates, other authentication mechanisms Too many concepts for secure authentication, beyond the scope of this talk User to user Difficult if one can’t trust the platform/server On Mega Verification of user’s public (signing) key via fingerprint comparison (out of band) Authenticating further crypto keys via signature by authenticated key pair Guy Kloss | Building a (Really) Secure Cloud Product 25/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Avoid Security Warnings “MRI Shows Our Brain Shuts Down When We See Security Warnings on Computers” http://ema-tech.blogspot.co.nz/2015/03/mri-shows-our-brain-shuts-down-when-we.html Guy Kloss | Building a (Really) Secure Cloud Product 26/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Trust from the “Community” Open source it! Really! Make the money with your service, not the code. Why & What? For peer review/audits At least the core of the security-related stuff Really important for crypto! Wouldn’t it be more secure if it was proprietary/closed? Guy Kloss | Building a (Really) Secure Cloud Product 27/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 28/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The “Big Problem” (TM) Use secured protocols Nothing available to solve our problem We had to “roll our own” . . . Guy Kloss | Building a (Really) Secure Cloud Product 29/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Key Design Features of Chat Protocol Group chat capable (multiple “devices” of identities) Outsiders can’t eavesdrop (decrypt) New members only participate after “join” Excluded members cannot decrypt any more Guy Kloss | Building a (Really) Secure Cloud Product 30/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Anticipate what could go wrong! Guy Kloss | Building a (Really) Secure Cloud Product 31/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Desired Security Properties Confidentiality → Needs to be encrypted Forward secrecy → Using (group) Diffie-Hellman with ephemeral key pairs Identity authenticity → Sign some confirmation with identity key Message authenticity → Sign messages with member’s session signing key Session freshness → Use of nonces (to avoid replay attacks) Guy Kloss | Building a (Really) Secure Cloud Product 32/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Desired Security Properties Plausible deniability → Ephemeral signing keys for every individual session (private key published at the end) Room participants consistency → Key agreement requires participation of every member Chat transcript consistency → Agreed and cryptographically enforced partial ordering Reducing the foot print of “leaking” meta-data → Exponential message size padding Guy Kloss | Building a (Really) Secure Cloud Product 33/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 34/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Do it right! Follow best practices . . . Follow OWASP, that’s much more comprehensive than this talk on this subject Open Web Application Security Project http://owasp.org Guy Kloss | Building a (Really) Secure Cloud Product 35/36
The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Questions? Be Safe! Guy Kloss gk@mega.co.nz Guy Kloss | Building a (Really) Secure Cloud Product 36/36

Recommended

How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
HackerOne
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
abend_cve_9999_0001
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
James Wickett
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
James Wickett
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
EricBrown328
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Black Duck by Synopsys
 

Recommended

How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
HackerOne
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
abend_cve_9999_0001
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
James Wickett
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
James Wickett
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
EricBrown328
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Black Duck by Synopsys
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
IntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitchIntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitch
JasonRomero21
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-NapocaFrom Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
jerryhargrove
 
DevSecOps at Agile 2019
DevSecOps at Agile 2019 DevSecOps at Agile 2019
DevSecOps at Agile 2019
Elizabeth Ayer
 
Fences and Gates: Designing Ops for DevOps
Fences and Gates: Designing Ops for DevOpsFences and Gates: Designing Ops for DevOps
Fences and Gates: Designing Ops for DevOps
Dan Illson
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS Lane
James Wickett
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
How to be your Security Team's Best Friend
How to be your Security Team's Best FriendHow to be your Security Team's Best Friend
How to be your Security Team's Best Friend
EmilyGladstoneCole
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Black Duck by Synopsys
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
A DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and PeopleA DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and People
James Wickett
 
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
OWASP Bay Area Meetup - DevSecOps the Kubernetes WayOWASP Bay Area Meetup - DevSecOps the Kubernetes Way
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
Jimmy Mesta
 
Api gitlab: configurazione dei progetti as a service
Api gitlab: configurazione dei progetti as a serviceApi gitlab: configurazione dei progetti as a service
Api gitlab: configurazione dei progetti as a service
Emerasoft, solutions to collaborate
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Weaveworks
 

More Related Content

What's hot

Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-NapocaFrom Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
jerryhargrove
 
DevSecOps at Agile 2019
DevSecOps at Agile 2019 DevSecOps at Agile 2019
DevSecOps at Agile 2019
Elizabeth Ayer
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS Lane
James Wickett
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
A DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and PeopleA DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and People
James Wickett
 

What's hot (20)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
IntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitchIntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitch
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-NapocaFrom Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
 
DevSecOps at Agile 2019
DevSecOps at Agile 2019 DevSecOps at Agile 2019
DevSecOps at Agile 2019
 
Fences and Gates: Designing Ops for DevOps
Fences and Gates: Designing Ops for DevOpsFences and Gates: Designing Ops for DevOps
Fences and Gates: Designing Ops for DevOps
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS Lane
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
How to be your Security Team's Best Friend
How to be your Security Team's Best FriendHow to be your Security Team's Best Friend
How to be your Security Team's Best Friend
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
A DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and PeopleA DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and People
 
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
OWASP Bay Area Meetup - DevSecOps the Kubernetes WayOWASP Bay Area Meetup - DevSecOps the Kubernetes Way
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
 

Similar to Building a (Really) Secure Cloud Product

Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Weaveworks
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Weaveworks
 
Alexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of AppliancesAlexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of Appliances
Positive Hack Days
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Weaveworks
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the EnterpriseSecurity and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
Amazon Web Services
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Weaveworks
 
Highway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup DublinHighway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup Dublin
Christian Deger
 
Exploring the GitHub Service Universe
Exploring the GitHub Service UniverseExploring the GitHub Service Universe
Exploring the GitHub Service Universe
Björn Kimminich
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
Kai Wähner
 

Similar to Building a (Really) Secure Cloud Product (20)

Api gitlab: configurazione dei progetti as a service
Api gitlab: configurazione dei progetti as a serviceApi gitlab: configurazione dei progetti as a service
Api gitlab: configurazione dei progetti as a service
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
Alexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of AppliancesAlexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of Appliances
 
Alexander Antukh
Alexander AntukhAlexander Antukh
Alexander Antukh
 
Monitoring large scale Docker production environments
Monitoring large scale Docker production environmentsMonitoring large scale Docker production environments
Monitoring large scale Docker production environments
 
11 0029-01 selling development tools in the cloud
11 0029-01 selling development tools in the cloud11 0029-01 selling development tools in the cloud
11 0029-01 selling development tools in the cloud
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
 
Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the EnterpriseSecurity and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...
 
Secure Application Development InfoShare 2022
Secure Application Development InfoShare 2022Secure Application Development InfoShare 2022
Secure Application Development InfoShare 2022
 
Highway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup DublinHighway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup Dublin
 
Exploring the GitHub Service Universe
Exploring the GitHub Service UniverseExploring the GitHub Service Universe
Exploring the GitHub Service Universe
 
Mulesoft Meetup Roma - Monitoring Framework & DevOps.pptx
Mulesoft Meetup Roma - Monitoring Framework & DevOps.pptxMulesoft Meetup Roma - Monitoring Framework & DevOps.pptx
Mulesoft Meetup Roma - Monitoring Framework & DevOps.pptx
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 

More from Guy K. Kloss

Kauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity SystemKauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity System
Guy K. Kloss
 

More from Guy K. Kloss (16)

Kauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity SystemKauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity System
 
Qrious about Insights -- Big Data in the Real World
Qrious about Insights -- Big Data in the Real WorldQrious about Insights -- Big Data in the Real World
Qrious about Insights -- Big Data in the Real World
 
WTF is Blockchain???
WTF is Blockchain???WTF is Blockchain???
WTF is Blockchain???
 
Representational State Transfer (REST) and HATEOAS
Representational State Transfer (REST) and HATEOASRepresentational State Transfer (REST) and HATEOAS
Representational State Transfer (REST) and HATEOAS
 
Introduction to LaTeX (For Word users)
Introduction to LaTeX (For Word users) Introduction to LaTeX (For Word users)
Introduction to LaTeX (For Word users)
 
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
 
Operations Research and Optimization in Python using PuLP
Operations Research and Optimization in Python using PuLPOperations Research and Optimization in Python using PuLP
Operations Research and Optimization in Python using PuLP
 
Python Data Plotting and Visualisation Extravaganza
Python Data Plotting and Visualisation ExtravaganzaPython Data Plotting and Visualisation Extravaganza
Python Data Plotting and Visualisation Extravaganza
 
Lecture "Open Source and Open Content"
Lecture "Open Source and Open Content"Lecture "Open Source and Open Content"
Lecture "Open Source and Open Content"
 
Version Control with Subversion
Version Control with SubversionVersion Control with Subversion
Version Control with Subversion
 
Beating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
Beating the (sh** out of the) GIL - Multithreading vs. MultiprocessingBeating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
Beating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 
Gaining Colour Stability in Live Image Capturing
Gaining Colour Stability in Live Image CapturingGaining Colour Stability in Live Image Capturing
Gaining Colour Stability in Live Image Capturing
 
LaTeX Introduction for Word Users
LaTeX Introduction for Word UsersLaTeX Introduction for Word Users
LaTeX Introduction for Word Users
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 

Recently uploaded

Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
soniya singh
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
gwenoracqe6
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Delhi Call girls
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
soniya singh
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
SUHANI PANDEY
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
ruhi
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 

Recently uploaded (20)

Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 

Building a (Really) Secure Cloud Product

  • 1. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Building a (Really) Secure Cloud Product Guest Lecture for Master of Information Security and Digital Forensics Guy Kloss gk@mega.co.nz Lead Software Developer Mega Limited 30 March 2015 Guy Kloss | Building a (Really) Secure Cloud Product 1/36
  • 2. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 2/36
  • 3. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 3/36
  • 4. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The Product: MEGAchat A Cloud-based internet chat system Voice, Video and Text chat capable Offers multiple device capability for each participant (transparent synchronisation, consistent view of chat) To work in browser as well as native/mobile app Guy Kloss | Building a (Really) Secure Cloud Product 4/36
  • 5. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The Product: MEGAchat Why “Really” Secure? Everybody says they’re secure . . . “Security Theatre” . . . We’re doing it (we say) . . . . . . and like to be confirmed or disproven in it. → Bug bounty! (for chat so far one paid out) Guy Kloss | Building a (Really) Secure Cloud Product 5/36
  • 6. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Security Theatre Guy Kloss | Building a (Really) Secure Cloud Product 6/36
  • 7. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Security Theatre http://geekandpoke.typepad.com/geekandpoke/2009/12/security-theatre.html Guy Kloss | Building a (Really) Secure Cloud Product 7/36
  • 8. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Early Adopters Guy Kloss | Building a (Really) Secure Cloud Product 8/36
  • 9. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 9/36
  • 10. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation For the Chat System Desired properties: Confidentiality Identity authenticity Message authenticity Forward secrecy Session freshness Plausible deniability Room participants consistency Chat transcript consistency Reducie foot print of “leaking” meta-data Guy Kloss | Building a (Really) Secure Cloud Product 10/36
  • 11. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Meta-Data? c by Michael J. Swart http://michaeljswart.com/2011/06/meta-aggregate/ Guy Kloss | Building a (Really) Secure Cloud Product 11/36
  • 12. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Meta-Data? Guy Kloss | Building a (Really) Secure Cloud Product 12/36
  • 13. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Sparseness of Meta-Data Don’t store what you don’t need Then nobody can come and ask you to “comply” If you must, do it so you can’t be compromised (e. g. passwords, salted and hashed, so not even you know them in plain) → Proper mechanisms for authentication and password management/storage On Mega Most meta-data only known to customer (encrypted) Company only knows what’s needed to manage the platform and interactions Guy Kloss | Building a (Really) Secure Cloud Product 13/36
  • 14. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Crypto? It’s really difficult to get this right! Avoid writing it, if you can! Use off-the-shelf frameworks/helpers/packages → If you’re writing AES in your code, you’re probably doing it wrong If you can’t help it and have to build it yourself Make the conceptual system not suck! Make the implementation not suck! Guy Kloss | Building a (Really) Secure Cloud Product 14/36
  • 15. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Crypto? The maths is good, it’s the implementation that sucks: “No matter how strong the crypto was, he attackers walked around it,” – “Crypto Won’t Save You Either”, Peter Gutmann, 2014 http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf Guy Kloss | Building a (Really) Secure Cloud Product 15/36
  • 16. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 16/36
  • 17. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Choice of System Components Robust base OS → Security, maintenance, reliability Many features are not necessarily important Evaluate/select server (software) carefully For required features Go get rid of not required features → Security, maintenance, reliability Is Cloud scalability a relevant factor? → Distribution, clustering, replication, . . . Guy Kloss | Building a (Really) Secure Cloud Product 17/36
  • 18. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Choice of System Components (continued) Prefer open source solutions Auditable Many eyes Mostly more secure If well maintained, usually very quick fixes (e. g. on security) Guy Kloss | Building a (Really) Secure Cloud Product 18/36
  • 19. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup Shut down unneeded services Configure systems securely Turn off what’s not needed Don’t log everything (production in debug mode?) Get the SSL/TLS configuration right! https://mozilla.github.io/server-side-tls/ ssl-config-generator/ Need bad examples? https://httpswatch.nz/ https://httpswatch.com/ Use additional protection schems CSP – Content Security Policy HSTS – HTTP Strict Transport Security CORS – Cross Origin Resource Sharing Guy Kloss | Building a (Really) Secure Cloud Product 19/36
  • 20. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup SSL Labs Server Test SSL Labs is your friend https://www.ssllabs.com Guy Kloss | Building a (Really) Secure Cloud Product 20/36
  • 21. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Secure System Setup Keep system upgraded (esp. security fixes quickly), short reaction times Best one service per (virtual) host (don’t slam them onto one host) Use logfiles with logrotation on a system level wisely Allows for forensic analysis later Without it, you’ve shut yourself out from most root cause analysis Stay on top of security things This can be hard work! Guy Kloss | Building a (Really) Secure Cloud Product 21/36
  • 22. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation (Automatic) Monitoring Load (CPU, network I/O, memory, . . . ) Availability & functionality Check for “odd behaviour” Guy Kloss | Building a (Really) Secure Cloud Product 22/36
  • 23. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 23/36
  • 24. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation System/Infrastructure Level Always use HTTPS/SSL/TLS as a minimum Too bad the whole CA system and SSL is a bit broken And some of the ciphers/cipher suites “advertised” for use are also broken On the client side, always verify the full certificate chain Many tools/implementations are lazy by default (in Java, Python, C/C++, . . . ) Prefer to use certificate pinning E. g. a mobile app for a known service Recent Superfish scandal with Lenovo and others Guy Kloss | Building a (Really) Secure Cloud Product 24/36
  • 25. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Application Layer User to server Commonly username/password Alternative: Certificates, other authentication mechanisms Too many concepts for secure authentication, beyond the scope of this talk User to user Difficult if one can’t trust the platform/server On Mega Verification of user’s public (signing) key via fingerprint comparison (out of band) Authenticating further crypto keys via signature by authenticated key pair Guy Kloss | Building a (Really) Secure Cloud Product 25/36
  • 26. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Avoid Security Warnings “MRI Shows Our Brain Shuts Down When We See Security Warnings on Computers” http://ema-tech.blogspot.co.nz/2015/03/mri-shows-our-brain-shuts-down-when-we.html Guy Kloss | Building a (Really) Secure Cloud Product 26/36
  • 27. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Trust from the “Community” Open source it! Really! Make the money with your service, not the code. Why & What? For peer review/audits At least the core of the security-related stuff Really important for crypto! Wouldn’t it be more secure if it was proprietary/closed? Guy Kloss | Building a (Really) Secure Cloud Product 27/36
  • 28. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 28/36
  • 29. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation The “Big Problem” (TM) Use secured protocols Nothing available to solve our problem We had to “roll our own” . . . Guy Kloss | Building a (Really) Secure Cloud Product 29/36
  • 30. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Key Design Features of Chat Protocol Group chat capable (multiple “devices” of identities) Outsiders can’t eavesdrop (decrypt) New members only participate after “join” Excluded members cannot decrypt any more Guy Kloss | Building a (Really) Secure Cloud Product 30/36
  • 31. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Anticipate what could go wrong! Guy Kloss | Building a (Really) Secure Cloud Product 31/36
  • 32. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Desired Security Properties Confidentiality → Needs to be encrypted Forward secrecy → Using (group) Diffie-Hellman with ephemeral key pairs Identity authenticity → Sign some confirmation with identity key Message authenticity → Sign messages with member’s session signing key Session freshness → Use of nonces (to avoid replay attacks) Guy Kloss | Building a (Really) Secure Cloud Product 32/36
  • 33. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Desired Security Properties Plausible deniability → Ephemeral signing keys for every individual session (private key published at the end) Room participants consistency → Key agreement requires participation of every member Chat transcript consistency → Agreed and cryptographically enforced partial ordering Reducing the foot print of “leaking” meta-data → Exponential message size padding Guy Kloss | Building a (Really) Secure Cloud Product 33/36
  • 34. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Outline 1 The Product: MEGAchat 2 What is Security? 3 Infrastructure 4 Trust/Authentication 5 Protocols 6 Client/Server Implementation Guy Kloss | Building a (Really) Secure Cloud Product 34/36
  • 35. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Do it right! Follow best practices . . . Follow OWASP, that’s much more comprehensive than this talk on this subject Open Web Application Security Project http://owasp.org Guy Kloss | Building a (Really) Secure Cloud Product 35/36
  • 36. The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation Questions? Be Safe! Guy Kloss gk@mega.co.nz Guy Kloss | Building a (Really) Secure Cloud Product 36/36