Why We Can't Have Nice Things, A Tale of Woe and a Hope For the Future

Watch this talk here: https://vimeo.com/129822165

DevOpsDays Austin Talk.
Computers are hard, and security is even harder. Let's discuss things to do when you have a dedicated Infosec team, and tools you can use when you don't.


  1. Why We Can’t Have Nice Things: A Tale of Woe, and Hope for the Future. Pete Cheslock, @petecheslock
  3. Wall of Confusion: Dev / Ops / Sec
  5. DevOps / Sec (@hijinksensue)
  8. Pete Cheslock. Not an InfoSec. Twitters: @petecheslock, theshipshow.com, threatstack.com
  9. "The most costly disruptions always happen when something we take completely for granted stops working for a minute." – President Josiah Bartlet
  19. It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.
  20. risk = (threat) x (probability) x (business impact). - Jen Andre, http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html
  21. What data are you sending? What happens if that system is compromised?
  22. WE TAKE SECURITY SERIOUSLY. “These are not features: Security, Availability, Performance.” - Benjamin Black, http://blog.b3k.us/2012/01/24/some-rules.html
  26. Secrets management tools:
      https://github.com/codahale/sneaker
      https://vaultproject.io
      https://github.com/square/keywhiz
      https://github.com/LuminalOSS/credstash
      https://github.com/oleiade/trousseau - Storing sensitive data
      https://github.com/cloudflare/redoctober - High value secrets
      https://github.com/jschauma/jass - really helpful tool for sharing of secrets using SSH keys.
  29. Keep It Simple. Skip the ITIL IR Plan for now.
  34. “FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”
  35. Compile your Source. Build a Package. Sign the Package. Test the Package. Deploy the Package. You can’t hate the curl bash and be OK deploying from Github.
  36. Package repository tooling: aptly, deb-s3, freight/sync to s3, packagecloud.io
  40. https://www.ssllabs.com/ssltest/
  42. Safe Access to Production
  43. “Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system” – Mark Burgess
  44. Trust, but Verify.
  45. auditd + OSSEC …and SELinux. http://stopdisablingselinux.com/
  46. Reference documents:
      Controlled Access Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf
      Labeled Security Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
      National Industrial Security Program Operating Manual (NISPOM): http://www.fas.org/sgp/library/nispom.htm
      Security Technical Implementation Guides: http://iase.disa.mil/stigs/Pages/index.aspx
  49. Start Small. Identify High Risks.
  50. Security Culture is People.