This document provides an overview of monitoring Azure and AWS cloud environments. It discusses why monitoring is important for threat detection, hunting and response. It outlines what aspects should be monitored, including operating systems, applications, network traffic, and cloud service logs. Specific AWS and Azure monitoring options are described, such as CloudTrail, VPC Flow Logs, and Azure Audit Logs. Integrating cloud logs with SIEMs and threat intelligence feeds is also covered. Endpoint monitoring tools are suggested to record process, file, registry and network activity on virtual machines.
SecDevOps discussion from the 2017 'All Things Open' conference. It discusses the security champion idea as well as how to prepare for the common vulnerabilities. A 'Security Champion' is a developer on an existing team who represents the voice of security IN ADDITION TO any existing security safeguards, in order to raise the bar for secure applications and dialogue.
Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture.
Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS - Alert Logic
Clarke Rodgers (CISO, SCOR Velogica)'s presentation on SCOR's journey to SOC2/TYPE2 via AWS at the NYC Alert Logic Cloud Security Summit on June 14th, 2016.
Serverless Security: What's Left To Protect - Guy Podjarny
Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot.
This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe.
Required audience experience
Basic knowledge of how FaaS and Serverless works
Objective of the talk
As many companies explore the world of serverless, it’s important they understand the aspects of security this new world helps them with, and the ones they need to care more about. This talk will provide a framework to understand how to prioritise and approach security for Serverless apps.
SecDevOps 2.0 - Managing Your Robot Army - conjur_inc
Configuration management builds systems to run the code, Orchestration spins up and manages entire systems, and SDN creates the network architecture. All of these things are programmable, the entire system can be operated by a developer from a terminal. Teams of 5 or 6 people can build and operate really big systems.
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands-on experience with DevSecOps. We'll teach you how to think like a Security Ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them.
Integrate Security into DevOps - SecDevOps - Ulf Mattsson
1. Security Controls Must Be Programmable and Automated Wherever Possible
2. Implement a Simple Risk and Threat Model for All Applications
3. Scan Custom Code, Applications and APIs
4. Scan for OSS Issues in Development
5. Treat Scripts/Recipes/Templates/Layers as Sensitive Code
6. Measure System Integrity and Ensure Correct Configuration at Load
7. Use Whitelisting on Production Systems, Including Container-Based Implementations
8. Assume Compromise; Monitor Everything; Architect for Rapid Detection and Response
9. Lock Down Production Infrastructure and Services
10. Tokenization and Payment Processing
IglooConf 2019 Secure your Azure applications like a pro - Karl Ots
In this session, Karl will introduce Secure DevOps Kit for Azure (AzSK), a hidden gem in the Microsoft Security offering. Come and learn how you can use AzSK to improve the security of your Azure applications, regardless of how you currently use Azure.
As presented in IglooConf 2019
DevSecCon Tel Aviv 2018 - Serverless Security - Avi Shulman
Serverless architectures enable organizations to build and deploy software and services without having to maintain or provision any physical or virtual servers. Applications built using serverless architectures are suitable for a wide range of services, and can scale elastically as cloud workloads grow. From a software development perspective, organisations adopting serverless can focus on core product functionality, and completely disregard the underlying operating system, application server or software runtime environment. In essence, when you develop applications using serverless, you relieve yourself from the daunting task of having to constantly apply security patches for the underlying operating system and application servers – these tasks are now the responsibility of the serverless architecture provider.
However, the comfort and elegance of serverless architectures is not without its drawbacks: serverless architectures introduce a new set of security concerns that must be taken into consideration when securing such applications. In this talk, we will present an overview of serverless architectures, the challenge of securing serverless applications, and an overview of the top 10 most common security concerns that developers, DevSecOps and architects should consider when designing and developing such applications. We will also demonstrate a unique CI/CD tool for hardening serverless projects at deployment time.
Whether you’re just beginning to explore cloud computing or adopting it at enterprise-scale, it is important to build security into your architecture. But gone are the days of manual security audits that slow down agile development. Your modern continuous integration and continuous delivery architecture demands continuous security that doesn’t hinder DevOps. In this session, we’ll share tips to help your organization embrace DevSecOps. Presented by RedLock.
Today's cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share how our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
So you built a cool mobile app/game, but how can you get the most out of the app? In this session we will explain various tools offered by AWS to optimize your application. We will show you how to monitor the usage of your application and ways to quickly modify it to adapt to actual user usage and feedback, while reaching a wider audience that is willing to spend more money on your app.
AWS vs. Azure key parameters for decision making - Aspire Systems
•How new cloud services from Azure & AWS are influencing services?
•Closer look at the pros and cons of AWS and Azure
•What can go wrong and how to prepare for it?
•Get the secret blueprint of industry best practices on cloud migration.
•Industry best practices and key things to keep in mind while selecting AWS or Azure
Matt Williams, Datadog
Just as we got the hang of monitoring our server-based applications, they take away the server. How do you monitor something that doesn't exist? What metrics matter most in a serverless world? In this session, we will look at how applications are different in an AWS Lambda-based world and how to monitor them. Join us as we work our way through the stack and demonstrate how to capture the health and performance of your services.
The focus of this session is not tool specific. Attendees will learn production tested lessons and leave with frameworks they can implement with their serverless workloads regardless of the platforms and tools they use.
The presentation gives a good overview of why and how to track and monitor your cloud infrastructure. It lists the different types of cloud monitoring, from the underlying infrastructure all the way up the application stack, and names the relevant tools that can support monitoring of cloud-hosted applications.
In this session, you'll learn about security on AWS and why logging in the cloud is different than on-premises. We'll explore AWS CloudTrail, the logging service built into AWS. We'll discuss Amazon CloudWatch, a monitoring service for AWS cloud resources and the applications you run on AWS. We'll also talk about Amazon Inspector, the recently announced application security assessment service from AWS. We'll examine the AWS Config service and how you can use it to improve security and resource management on AWS. Finally, we will look at how the Splunk App for AWS ties all of these services together into deep insight and useful visualizations.
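The monitoring overview at the top of this page and the CloudTrail session above both come down to the same mechanical step: pull the `Records[]` array out of a CloudTrail delivery and run a handful of rules over each record. The block below is an added example of that step, not the Splunk App for AWS or any AWS-provided logic. The three rules (root console login without MFA, writes to the trail itself, a bucket ACL granting to the public groups) and the severities are assumptions; the sample records are constructed, trimmed to the fields the rules read, and use documentation IP ranges and a fake account id.

```python
"""Added example: a small CloudTrail detection pass.

Not the Splunk App for AWS or AWS-provided logic; rules, severities and the
sample records below are assumptions chosen to show the mechanics.
"""
import json

# Constructed sample log in the CloudTrail delivery shape: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {   # root console login with no MFA from an unknown address
        "eventTime": "2019-11-14T09:12:01Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # somebody switches the trail off a few minutes later
        "eventTime": "2019-11-14T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
    },
    {   # a bucket ACL is opened to everyone
        "eventTime": "2019-11-14T09:20:10Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"bucketName": "corp-backups", "AccessControlPolicy": {
            "AccessControlList": {"Grant": [
                {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}}},
    },
    {   # benign read-only call that no rule should match
        "eventTime": "2019-11-14T09:21:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"},
    },
]})

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
TRAIL_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def root_login_without_mfa(r):
    """Root credentials used interactively without MFA; should never happen."""
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("userIdentity", {}).get("type") == "Root"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_tampering(r):
    """Any write to the trail itself: attackers blind the log before acting."""
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPER_CALLS)


def bucket_acl_made_public(r):
    """PutBucketAcl that grants to the AllUsers/AuthenticatedUsers groups."""
    if r.get("eventName") != "PutBucketAcl":
        return False
    grants = (r.get("requestParameters", {}).get("AccessControlPolicy", {})
              .get("AccessControlList", {}).get("Grant", []))
    if isinstance(grants, dict):   # a single grant is serialised as an object, not a list
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


# rule name -> (predicate, severity); dict order is the output order
RULES = {
    "RootConsoleLoginWithoutMFA": (root_login_without_mfa, "critical"),
    "CloudTrailTampering": (trail_tampering, "high"),
    "BucketAclPublic": (bucket_acl_made_public, "high"),
}


def detect(log_text):
    """Run every rule over every record; return a list of finding dicts."""
    findings = []
    for r in json.loads(log_text).get("Records", []):
        for name, (pred, severity) in RULES.items():
            if pred(r):
                findings.append({
                    "rule": name, "severity": severity,
                    "time": r.get("eventTime"), "event": r.get("eventName"),
                    "actor": r.get("userIdentity", {}).get("arn"),
                    "source_ip": r.get("sourceIPAddress"),
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:8} {f['rule']:28} {f['actor']} from {f['source_ip']}")
```

Two caveats a practitioner would add: a `StopLogging` rule is only useful if the trail writes to a bucket the attacker cannot also purge, so pair it with S3 object lock or cross-account delivery; and CloudTrail's log file validation (the digest files) is what lets you prove the records you are matching were not edited after delivery.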
This session will start with an overview of the AWS security & compliance programs that enable financial services institutions to create secure workloads as they move to the cloud. We will dive into Financial Services Institutions (FSI) specific security considerations and regional regulations that may need to be considered.
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40... - Amazon Web Services
By turning the data center into an API, AWS has enabled Sumo Logic to build a very large scale IT operational analytics platform as a service at unprecedented scale and velocity. Based around Amazon EC2 and Amazon S3, the Sumo Logic system is ingesting many terabytes of unstructured log data a day while at the same time delivering real-time dashboards and supporting hundreds of thousands of queries against the collected data. When co-founder and CTO Christian Beedgen started Sumo Logic, it was obvious that the service would have to scale quickly and elastically, and AWS has been providing the perfect infrastructure for this endeavor from the start.
In this talk, Christian dives into the core Sumo Logic architecture and explains which AWS services are making Sumo Logic possible. Based around an in-house developed automation and continuous deployment system, Sumo Logic is leveraging Amazon S3 in particular for large-scale data management and Amazon DynamoDB for cluster configuration management. By relying on automation, Sumo Logic is also able to perform sophisticated staging of new code for rapid deployment. Using the log-based instrumentation of the Sumo Logic codebase, Christian will dive into the performance characteristics achieved by the system today and share war stories about lessons learned along the way.
Different monitoring options for cloud native integration solutions - BizTalk360
The Microsoft Azure Platform offers you various serverless services like Logic Apps, Service Bus, Functions, and Event Hubs. As you deploy them in a production environment, you will need to monitor them. In this session, we will explore different options that are available for monitoring Azure Serverless components.
This Integration Monday session is sponsored by Serverless360. Attendees of this session will be provided with a free Gold plan coupon to try Serverless360 for 60 days!
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ... - Amazon Web Services
by Daniele Stroppa, Technical Account Manager, AWS
As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session will focus on Amazon S3 best practices and using AWS Config rules and AWS CloudTrail Data Events to help better protect data residing within S3. The session will include a demonstration of how AWS Config and CloudTrail, in combination with other AWS services, can help with S3 governance and compliance requirements.
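The session describes using AWS Config rules to keep S3 buckets within policy. The block below is an added example of the decision half of a custom Config rule for `AWS::S3::Bucket`; it is not AWS's managed-rule code or anything from the session. It consumes the configuration item that Config hands a custom-rule Lambda and returns one evaluation. The invocation event is constructed, the layout assumed for `supplementaryConfiguration` (a Public Access Block object, the ACL as a JSON string with `grantList`, the policy under `BucketPolicy.policyText`) should be checked against a recorded item in your own account, and the `put_evaluations` call is left as a comment so the file runs offline.

```python
"""Added example: decision logic of a custom AWS Config rule for S3 buckets.
Not AWS's managed-rule code. The event is constructed and the
supplementaryConfiguration layout is an assumption to verify against a real
recorded item; put_evaluations is commented out so this runs offline."""
import json

PUBLIC_GROUPS = {"AllUsers", "AuthenticatedUsers"}
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def _principal_is_wildcard(p):
    """Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if p == "*":
        return True
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return "*" in (aws if isinstance(aws, list) else [aws])


def _grantee_is_public(g):
    """Config writes group grantees as a bare string; some item versions use {"uri": ...} (assumption)."""
    uri = g if isinstance(g, str) else (g or {}).get("uri", "")
    return uri.rsplit("/", 1)[-1] in PUBLIC_GROUPS


def evaluate_bucket(item, params=None):
    """Problems for one AWS::S3::Bucket item; an empty list means COMPLIANT.
    Every check runs so the annotation names everything that is wrong."""
    supp = item.get("supplementaryConfiguration", {})
    problems = []
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        problems.append("PublicAccessBlock not fully enabled: " + ",".join(missing))
    acl = supp.get("AccessControlList") or "{}"
    acl = json.loads(acl) if isinstance(acl, str) else acl   # stored as a JSON string inside the item
    for grant in acl.get("grantList", []):
        if _grantee_is_public(grant.get("grantee")):
            problems.append(f"ACL grants {grant.get('permission')} to a public group")
    policy_text = (supp.get("BucketPolicy") or {}).get("policyText")
    stmts = json.loads(policy_text).get("Statement", []) if policy_text else []
    for st in ([stmts] if isinstance(stmts, dict) else stmts):   # a lone statement may be an object
        if st.get("Effect") == "Allow" and _principal_is_wildcard(st.get("Principal")) and not st.get("Condition"):
            problems.append("bucket policy allows Principal * without a Condition")
    if (params or {}).get("requireEncryption", "false").lower() == "true" and not supp.get("ServerSideEncryptionConfiguration"):
        problems.append("default encryption not configured")
    return problems


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config invokes a custom rule with."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if item.get("resourceType") != "AWS::S3::Bucket":
        compliance, note = "NOT_APPLICABLE", "not an S3 bucket"
    else:
        problems = evaluate_bucket(item, params)
        compliance = "NON_COMPLIANT" if problems else "COMPLIANT"
        note = ("; ".join(problems) or "all checks passed")[:256]   # Annotation is capped at 256 chars
    evaluation = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    # Real Lambda: boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation: half-enabled Public Access Block, public-read ACL, wildcard policy, no encryption.
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "ruleParameters": json.dumps({"requireEncryption": "true"}),
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification", "configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "corp-backups",
        "configurationItemCaptureTime": "2019-11-14T09:21:00.000Z", "configuration": {"name": "corp-backups"},
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {"blockPublicAcls": False, "ignorePublicAcls": False,
                                               "blockPublicPolicy": True, "restrictPublicBuckets": True},
            "AccessControlList": json.dumps({"grantList": [{"grantee": {"id": "0123abcd"}, "permission": "FullControl"},
                                                           {"grantee": "AllUsers", "permission": "Read"}]}),
            "BucketPolicy": {"policyText": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-backups/*"}]})},
        }}}),
}


def compliant_item():
    """Constructed item: PAB fully on, owner-only ACL, no policy, default encryption set."""
    return {"resourceType": "AWS::S3::Bucket", "resourceId": "corp-logs", "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
        "AccessControlList": json.dumps({"grantList": [{"grantee": {"id": "0123abcd"}, "permission": "FullControl"}]}),
        "ServerSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}}
```

The wildcard-principal check deliberately skips statements that carry a `Condition`, because a `Principal: "*"` scoped by `aws:SourceVpce` or `aws:SourceArn` is a common and legitimate pattern; review those by hand rather than flagging every one. The S3 data events the session mentions are the complementary control: Config tells you a bucket became public, CloudTrail data events tell you who then read what.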
AWS Summit 2014 Perth - Breakout 3
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
Presenter: James Bromberger, Solutions Architect, Amazon Web Services
(ISM206) Modern IT Governance Through Transparency and Automation - Amazon Web Services
As information technology increasingly becomes strategic to more enterprises and government agencies, and as the threat landscape evolves and becomes more challenging, governance, risk management, and compliance (GRC) increasingly become C-suite issues. In this session, we examine how the AWS cloud platform, through APIs and automation, enables advances and the implementation of best practices in governance and compliance. Learn how AWS can help senior leadership confidently answer key governance questions, such as: What do I have? How is it performing? Who controls it? Is it secure and compliant? Are we using the right processes and protections when we make changes? What is it costing me?
In this session, you will learn best practices in identifying, assessing, selecting and migrating your first workload to AWS. The next logical step is a large-scale "All in" migration approach to enable enterprises to become truly DevOps and Cloud First organizations. We will present the building blocks and programs for such large migrations with the AWS Migration Assessment Readiness and Migration Acceleration Program.
Speaker: Ekta Parashar
Enterprise Solution Architect, Amazon India
AWS Security Enabling Fintech Pace Security AWS Summit SG 2017 - Amazon Web Services
This session will review how AWS allows FinTechs across APAC to innovate at pace while maintaining the high level of security expected by the financial services community. We will review security domains including Infrastructure Security, Data Protection, Logging & Monitoring, Identity & Access Management and Intrusion Detection.
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S... - DevSecCon
Xavier Garceau-Aranda
Senior Security Consultant at NCC Group
With the steady rise of cloud adoption, a number of organizations find themselves splitting their resources between multiple cloud providers. While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges.
The workshop will aim to familiarize attendees with Scout Suite (https://github.com/nccgroup/ScoutSuite), a key component of NCC Group’s cloud agnostic approach to security assurance.
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than poring through dozens of pages on the web consoles, Scout Suite provides a clear view of the attack surface automatically.
The following cloud providers are currently supported:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- Oracle Cloud Infrastructure
- Alibaba Cloud
During the workshop, attendees will leverage Scout Suite to assess a number of cloud environments designed to simulate typical flaws. We will display how the tool can be leveraged to quickly identify and help with remediation of security misconfigurations.
DevSecCon London 2019: Are Open Source Developers Security's New Front Line? - DevSecCon
Mitun Zavery
Senior Engineer at Sonatype
Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem.
- Analyze, and detail, the events leading to today's "all-out" attack on the OSS industry
- Define what the future of open source looks like in today's new normal
- Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ... - DevSecCon
Jan Harrie
Security Analyst at ERNW GmbH
OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood.
Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem.
In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.
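The abstract names the usual suspects: privileged containers, workloads that land on masters, missing RBAC and loose service accounts. The block below is an added example of a static manifest audit for the pod-level ones; it is not ERNW's or Red Hat's code, the checks are a practitioner's baseline rather than an authoritative list, the finding codes are mine, and both manifests are constructed. It takes the parsed JSON of a Pod (or a Deployment's pod template) and returns what a reviewer would flag.

```python
"""Added example: static audit of a Pod manifest for the misconfigurations
the talk lists. Not ERNW's or Red Hat's code: the checks are a practitioner's
baseline, the finding codes are mine and the manifests are constructed. Feed
it the parsed output of `oc get pod -o json` or a template's pod spec."""

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/root", "/var/run/docker.sock", "/var/lib/kubelet", "/var/lib/docker")
MASTER_TAINT_KEYS = {"node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"}


def _sensitive_host_path(path):
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod):
    """Return 'CODE: detail' findings for one Pod (or a workload's pod template)."""
    spec = pod.get("spec", {})
    findings = []

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"HOST_NAMESPACE: spec.{flag}=true")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"PRIVILEGED: container={name}")
        if sc.get("allowPrivilegeEscalation", True):       # default is true unless explicitly false
            findings.append(f"PRIV_ESCALATION_ALLOWED: container={name}")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):   # container level wins
            findings.append(f"MAY_RUN_AS_ROOT: container={name}")
        bad_caps = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if bad_caps:
            findings.append(f"DANGEROUS_CAPS: container={name} caps={sorted(bad_caps)}")

    for v in spec.get("volumes", []):
        path = (v.get("hostPath") or {}).get("path")
        if path and _sensitive_host_path(path):
            findings.append(f"SENSITIVE_HOSTPATH: volume={v.get('name')} path={path}")

    for t in spec.get("tolerations", []):
        # tolerating the master taint (or everything, via a keyless Exists) lets the
        # scheduler place this workload on control-plane nodes
        if t.get("key") in MASTER_TAINT_KEYS or (t.get("key") is None and t.get("operator") == "Exists"):
            findings.append(f"TOLERATES_MASTER: {t}")

    if spec.get("serviceAccountName", "default") == "default" and spec.get("automountServiceAccountToken", True):
        findings.append("DEFAULT_SA_TOKEN_MOUNTED: default service account token mounted into every container")
    return findings


# Constructed CI build-agent pod with the classic mistakes in one place.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "build-agent", "namespace": "ci"},
    "spec": {
        "hostPID": True,
        "tolerations": [{"key": "node-role.kubernetes.io/master", "operator": "Exists", "effect": "NoSchedule"}],
        "containers": [
            {"name": "agent", "image": "ci/agent:1.4",
             "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
             "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]},
            {"name": "sidecar", "image": "ci/log-shipper:2.0",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed hardened version of the same workload.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "build-agent", "namespace": "ci"},
    "spec": {
        "serviceAccountName": "build-agent", "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "agent", "image": "ci/agent:1.4",
                        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    },
}
```

On OpenShift the admission-time version of this is the Security Context Constraint (SCC): a manifest that passes this audit should also be one that the `restricted` SCC admits, and anything that needs `privileged` or `hostaccess` deserves a named SCC bound to a dedicated service account, not a loosened default. RBAC and service-account bindings are cluster-level objects and need a separate pass.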
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation... - DevSecCon
Matt Carroll
Infrastructure Security Engineer at Yelp
"Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems!
Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet.
So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell...
At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernel's firehose-like audit subsystems.
This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP!
As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.
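The abstract splits the work into an in-kernel filter on destination address and port and a userland step that attaches the calling process tree. The block below is an added example of that userland half; it is not Yelp's pidtree-bcc code. It assumes the kernel side (a BCC kprobe on `tcp_v4_connect`, as the talk implies) delivers `(pid, dst, dport)` events, and both the events and the process table here are constructed so the file runs without root or a BPF-capable kernel; on Linux, `read_proc_table()` builds the real table from `/proc`. It also filters every RFC 1918 range, which is the "accidental load test" the talk mentions.

```python
"""Added example: userland half of a pidtree-style enrichment.
Not Yelp's pidtree-bcc. The kernel probe is assumed to emit (pid, dst, dport)
events; events and the process table below are constructed."""
import ipaddress
import os

# RFC 1918 plus loopback and link-local: connections inside these are the
# "load test" the talk warns about, so they are dropped before enrichment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internet_bound(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def read_proc_table():
    """pid -> (ppid, comm) from /proc/<pid>/stat (Linux only; not used by the test)."""
    table = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as fh:
                raw = fh.read()
        except OSError:          # process exited between listdir and open
            continue
        # comm is parenthesised and may itself contain spaces or ')', so split on the last ')'
        head, _, tail = raw.rpartition(")")
        comm = head.split("(", 1)[1]
        ppid = int(tail.split()[1])   # fields after ')': state ppid pgrp ...
        table[int(entry)] = (ppid, comm)
    return table


def process_tree(pid, table, max_depth=32):
    """Ancestry from pid upwards, init last. Stops on unknown pids or cycles."""
    chain, seen = [], set()
    while pid in table and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ppid, comm = table[pid]
        chain.append({"pid": pid, "comm": comm})
        pid = ppid
    return chain


def enrich(event, table):
    """Drop internal-bound connections; attach the process tree to the rest."""
    if not is_internet_bound(event["dst"]):
        return None
    tree = process_tree(event["pid"], table)
    return {**event, "tree": tree, "ancestry": " <- ".join(p["comm"] for p in tree)}


def run(events, table):
    """What would be shipped to the SIEM for a batch of probe events."""
    return [e for e in (enrich(ev, table) for ev in events) if e]


# Constructed process table: a Jenkins agent (java) spawned a shell that ran curl.
SAMPLE_TABLE = {
    1: (0, "systemd"),
    2210: (1, "java"),
    4301: (2210, "sh"),
    4312: (4301, "curl"),
    5000: (1, "sshd"),
}

# Constructed probe events: one internet-bound, two inside RFC 1918 space.
SAMPLE_EVENTS = [
    {"pid": 4312, "dst": "203.0.113.5", "dport": 443},
    {"pid": 5000, "dst": "10.20.0.5", "dport": 22},
    {"pid": 4312, "dst": "172.31.255.9", "dport": 6379},   # 172.31/16 is still inside 172.16/12
]

if __name__ == "__main__":
    for e in run(SAMPLE_EVENTS, SAMPLE_TABLE):
        print(f"{e['dst']}:{e['dport']} pid={e['pid']} {e['ancestry']}")
```

The ancestry string is the field to index in the SIEM: "curl <- sh <- java <- systemd" answers the question the abstract poses (was this the build agent, or a reverse shell?) without anyone logging on to the host. The snapshot approach has a race the eBPF side does not: a short-lived process can exit before `/proc` is read, which is why the real tool reads ancestry at connect time rather than afterwards.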
DevSecCon Seattle 2019: Containerizing IT Security Knowledge - DevSecCon
Kristóf Tóth
Software Engineer at Avatao
The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries.
As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint.
What could possibly go wrong?
We believe that education is the missing link.
As appsec is still a curiosity topic at top universities, freshly graduated engineers simply have no clue. And how could they?
The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec.
As this trend continues, our responsibility to do something about this is on the rise.
In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community.
Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers.
These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser.
Users can attack webservices, write code to fix them or use a terminal to deploy websites by creating and pushing git tags.
Nothing here is a mock-up: Every software component is real.
In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it.
During the session we will open source the framework with the hope of creating a better, secure future together.
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain... - DevSecCon
Sitaraman Lakshminarayanan
Sr Security Architect at Pure Storage
Authorization has two components: policy definition and policy enforcement. Traditionally both were centralized, and we spent all our time integrating products, built or bought, with centralized access management. This typically led to increased cycle time to change any access policy, or to changing the software or deployment to fit one particular authorization model. When that doesn't fit, we end up with multiple authorization enforcements written in different languages, with or without adherence to any standard such as XACML.
Imagine building a few different, or hundreds of, products, services or microservices and having to centrally manage all possible access policies. It is definitely not a scalable solution in the fast-moving CI/CD world.
Now imagine a way for every developer or product to externalize its authorization, so that we can modify authorization enforcement in a consistent manner. Imagine developers writing their own implementation of how authorization should be enforced for their environment. Remember there is no one-size-fits-all authorization policy. A policy that works for your environment does not work for my environment, for any number of reasons from risk management to the type of business applications.
Open Policy Agent provides a consistent way to write authorization logic and expose it as a REST API. Applications can easily integrate with OPA and can also write their own authorization logic. Whether you are shipping products to customers or integrating a product or service into your environment, how awesome would it be to enforce your own authorization rules instead of changing your business process of who can gain access to what features.
In this talk we will explore the benefits of decentralized authorization and how to use Open Policy Agent to achieve it, with a closer look at a few applications and integrations, whether REST APIs and microservices or Kubernetes, to control authorization policies such as who can deploy and what can be deployed. We will also look at how to build integration tests to check our authorization policies.
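The integration the abstract describes is a service asking OPA's Data API for a decision over an `input` document. The block below is an added example of that call from the service side, written to fail closed; it is not OPA's client library or Pure Storage's code. The package name `httpapi.authz`, the input shape (`user`, `method`, `path`) and the Rego shown in the docstring are assumptions, and the fake transport exists only so the policy can be exercised offline in the way the abstract's integration tests would.

```python
"""Added example: calling OPA's Data API from a service and failing closed.
Not OPA's client library. Package, input shape and the fake transport are
assumptions. The Rego the OPA side would hold, for reference:

    package httpapi.authz
    default allow = false
    # employees may read their own salary record
    allow {
        input.method == "GET"
        input.path == ["finance", "salary", input.user]
    }
    # a user's manager may read it too (data.managers is pushed to OPA)
    allow {
        input.method == "GET"
        input.path = ["finance", "salary", employee]
        data.managers[employee] == input.user
    }
"""
import json
import urllib.request


def http_transport(url, body, timeout):
    """POST JSON to OPA and return the raw response bytes (real network call)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


class OpaClient:
    def __init__(self, base_url="http://localhost:8181", rule="httpapi/authz/allow",
                 timeout=0.5, transport=http_transport):
        self.url = f"{base_url}/v1/data/{rule}"
        self.timeout = timeout
        self.transport = transport

    def allowed(self, user, method, path):
        """True only if OPA positively answers true; anything else is a deny."""
        input_doc = {"user": user, "method": method, "path": path.strip("/").split("/")}
        body = json.dumps({"input": input_doc}).encode()
        try:
            reply = json.loads(self.transport(self.url, body, self.timeout))
        except (OSError, ValueError):   # connection refused, timeout, non-JSON body
            return False
        # OPA answers {} with no "result" key when the document is undefined
        # (e.g. a typo in the package path); treating that as deny is what
        # keeps the enforcement point fail-closed.
        return isinstance(reply, dict) and reply.get("result") is True


# Constructed stand-in for a running OPA with the policy above loaded and
# data.managers = {"bob": "alice"}. It answers in OPA's exact wire format.
MANAGERS = {"bob": "alice"}


def fake_opa_transport(url, body, timeout):
    if not url.endswith("/v1/data/httpapi/authz/allow"):
        return b"{}"                      # undefined document: no "result" key
    inp = json.loads(body)["input"]
    salary_path = len(inp["path"]) == 3 and inp["path"][:2] == ["finance", "salary"]
    own = inp["method"] == "GET" and salary_path and inp["path"][2] == inp["user"]
    mgr = inp["method"] == "GET" and salary_path and MANAGERS.get(inp["path"][2]) == inp["user"]
    return json.dumps({"result": bool(own or mgr)}).encode()


def broken_transport(url, body, timeout):
    raise OSError("connection refused")


if __name__ == "__main__":
    client = OpaClient(transport=fake_opa_transport)
    for user, path in (("bob", "/finance/salary/bob"), ("alice", "/finance/salary/bob"), ("bob", "/finance/salary/alice")):
        print(user, "GET", path, "->", "allow" if client.allowed(user, "GET", path) else "deny")
```

The short timeout and the `is True` comparison are the two decisions worth copying: a sidecar OPA that is down should degrade to "deny", not "allow", and a rule that is undefined for an input is not the same as a rule that evaluated to false.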
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT... - DevSecCon
Matt Lavin
Software Architect at LifeOmic
It's possible to have rapid feature delivery and happy developers without sacrificing high security and compliance. At LifeOmic, we've built an automated change management system that allows production deployments without slow human approval. We maintain HIPAA and HITRUST compliance while still allowing continuous delivery. I'll show how to collect data from BitBucket, Jenkins, and security scan tools to ensure that the approved processes have been followed.
You'll hear how fast production approval incentivizes developers to follow good practices, and become advocates for following the process instead of pushing against it. Automating process checks as a gate to deployments is a great framework for promoting the behavior you want in your organization. Don't give up on rapid feature delivery just because you work in a regulated industry.
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A... - DevSecCon
Julian Berton
Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service.
To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures:
* Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process.
* Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public.
* "JIT" Education - Changing a company's security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
Rahul Kumar & Rupali Dash
In the current era of blockchain technology, mining cryptocurrency is one of the biggest hits. The talk covers how attackers use insecure containers to mine cryptocurrency and earn million-dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by many intrusion detection companies. While there has been a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just less than 5 million.
The talk will cover how mining activities have been carried out using browsers as well as cloud containers. We will also discuss how cloud providers like amazon, azure and go are detecting such activities and how minor misconfigurations lead to million-dollar currency mining. The talk will also cover how 3rd-party security providers like symantec and z-scalar and other intrusion detection systems have configured signatures to block such attacks, as well as, from a sec-ops perspective, what configuration checks should be done to prevent such attacks and to detect them. It will also cover some case studies and attack scenarios of mining Monero and the huge financial losses because of these attacks.
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
Trinh Tran & Dennis Stötzel
Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world.
In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory.
We will cover the following topics in our talk:
* Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds,
* Development, delivery and security as a requirement in an agile project,
* The good, the bad and the ugly in technology, architecture and infrastructure.
Sanoop Thomas & Samandeep Singh
Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases.
The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
Cameron Townshend
Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system.
As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.
Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it.
Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.
Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle.
Attendees of this session will walk away with:
Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suit
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
Tilak T
Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
Sharath Kumar Ramadas
Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components.
On the other hand GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly negating the need for REST APIs from being developed. Combined with Serverless tech/Reactive Front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including but not limited to Injection Attacks, Nested Resource Exhaustion attacks, Authorization Flaws among others.
This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications. The author will release an intentionally vulnerable Serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
Nadira Bajrei
IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk
We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market.
This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from the internal and external side.
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
Liz Rice
The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requirements requires time and expertise that most organizations don't possess.
Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.
During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes:
Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark.
Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
COLIN DOMONEY
The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software.
Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes.
At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage; in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a 'chain of custody' within a pipeline due to a lack of a common interchange format between tools, or a standard manner to represent the steps within a pipeline build process.
This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools.
Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated.
Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
Paweł Krawczyk
Most network services and daemons now offer TLS transport protection, and managing certificates and TLS configuration for server farms may use more resources than the actual configuration of these services. What if you could get rid of all this complexity and replace it by a single transport protection protocol, securing all of the traffic between your servers transparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten for that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
2. Agenda
• Who am I
• Why monitor anything
• What to monitor
• How to monitor Azure
• How to monitor AWS
• Integrating with SIEMs and MSSPs
3. Who am I
[insert something funny and slightly self-deprecating here]
Alfredo Reino / @areino
alfredo@aebura.co.uk
Security Architect
4. Why monitor anything
• Threat detection (reactive)
• Threat hunting (proactive)
• Incident response and forensics
• Data mining, anomaly detection
• Reporting and dashboards
• Regulatory and policy requirements
• Troubleshooting and root cause analysis
5. What to monitor
• (Easy answer) Everything and anything!
• But
  • is it possible to log?
  • is it cost effective to do it?
  • do you have the storage?
  • can you make sense of it?
  • do you have the tools/skillset/capability/time to use it?
• Priorities!
7. Generic kill chain
• Recon
  • Passive recon
  • Active recon
• Delivery
  • Internet-facing services
  • Inbound email
  • Web browsing
  • Removable media
  • Insider / Third-party access
• Exploitation
  • Internet-facing servers
  • User endpoint
• Installation
  • Lateral movement
  • Elevation of privilege
  • Persistence
• Command and Control
• Actions on target
  • Access to internal system and data
  • Exfiltration
  • Attack third-party
8. IaaS/PaaS kill chain
• Recon
  • Passive recon
  • Active recon
• Delivery
  • Internet-facing services
  • Inbound email
  • Web browsing
  • Removable media
  • Insider / Third-party access
• Exploitation
  • Internet-facing servers
  • User endpoint
• Installation
  • Lateral movement
  • Elevation of privilege
  • Persistence
• Command and Control
• Actions on target
  • Access to internal system and data
  • Exfiltration
  • Attack third-party
9. What to monitor – Shared responsibility
Azure Shared responsibility model
https://aka.ms/sharedresponsibility
AWS Shared responsibility model
https://aws.amazon.com/compliance/shared-responsibility-model/
10. What to monitor (IaaS/PaaS)
• Operating System logs from IaaS virtual machines
• Application/service logs (webserver, database, etc.)
• Performance metrics (CPU, memory, data in/out, filesystem, …)
• Network traffic (at interface or across boundaries)
• Other cloud security solutions (WAF, AV, FIM, etc.)
• IaaS/PaaS service fabric logs
• Audit/management logs (cloud resource access and management)
• Blob Storage/S3
11. AWS Options
• CloudTrail
  • Records AWS API calls (usage of Management Console, SDKs, command line tools, and higher-level AWS services such as AWS CloudFormation).
  • The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
  • Logs to S3 bucket (possibility of aggregating multiple region or multiple account CloudTrail logs in one S3 bucket)
• CloudWatch
  • Collects and tracks metrics, collects and monitors log files, sets alarms.
  • Monitor EC2 instances, WAF, DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by applications and services, and any log files applications generate.
• S3 Server Access Logging
  • Track requests for access to S3 bucket.
  • Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any.
• VPC Flow Logs
  • Log traffic flow in Virtual Private Cloud (VPC), subnets or Elastic Network Interfaces (ENI).
  • Captures accepted and rejected traffic.
  • Logs to CloudWatch.
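The CloudTrail and VPC Flow Log fields listed on this slide are easiest to reason about with a parser in hand. The following is an added example, not code from the slides or from AWS: it parses a constructed CloudTrail export and constructed default-format VPC Flow Log lines (the account id, ENI id and IP addresses are made up), flattens the caller identity, time, source IP and request/response fields the slide names, and counts REJECTed flows per source address as a simple port-scan signal. The 14-field flow-log layout used here is the documented version-2 default format; NODATA/SKIPDATA records carry no flow and are dropped.

```python
"""Parse constructed AWS CloudTrail records and VPC Flow Log lines and
summarise the security-relevant fields (caller identity, time, source IP,
request parameters) plus accepted vs rejected flows."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample CloudTrail export (not a real account, user or IP).
CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:15:02Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"},
     "responseElements": {"user": {"userName": "svc-backup"}}},
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:16:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"},
     "requestParameters": None, "responseElements": None},
]})

# Constructed VPC Flow Log lines in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.5 51234 22 6 10 840 1493633760 1493633820 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.44 10.0.1.5 40001 3389 6 3 180 1493633760 1493633820 REJECT OK
2 111122223333 eni-0a1b2c3d 192.0.2.44 10.0.1.5 40002 445 6 3 180 1493633760 1493633820 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1493633760 1493633820 - NODATA
"""

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def caller_label(identity):
    """Reduce a CloudTrail userIdentity block to one printable principal."""
    if identity.get("userName"):
        return f'{identity["type"]}:{identity["userName"]}'
    return f'{identity.get("type", "?")}:{identity.get("arn", "?")}'


def summarise_cloudtrail(raw_json):
    """Return one flat dict per record with the fields the slide names."""
    rows = []
    for rec in json.loads(raw_json)["Records"]:
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "time": when.replace(tzinfo=timezone.utc),
            "caller": caller_label(rec["userIdentity"]),
            "source_ip": rec["sourceIPAddress"],
            "event": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
            "request": rec.get("requestParameters") or {},
            "response": rec.get("responseElements") or {},
        })
    return rows


def parse_flow_logs(text):
    """Parse default-format flow log lines; drop records with no flow data."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue  # not a v2 default-format record
        row = dict(zip(FLOW_FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # NODATA / SKIPDATA: nothing was captured in this window
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def rejected_by_source(flows):
    """Count REJECTed flows per source address: a cheap scan-detection signal."""
    return dict(Counter(f["srcaddr"] for f in flows if f["action"] == "REJECT"))


if __name__ == "__main__":
    for row in summarise_cloudtrail(CLOUDTRAIL_JSON):
        print(row["time"].isoformat(), row["caller"], row["source_ip"], row["event"], row["request"])
    print(rejected_by_source(parse_flow_logs(FLOW_LOG_LINES)))
```

In practice the CloudTrail records would be read from the S3 bucket the slide mentions (gzip-compressed JSON objects with the same `Records` array) and the flow records from the CloudWatch log group; the parsing and the per-source rejection count stay the same.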
15. Log Management solutions for Azure
• SumoLogic
  • logs from Azure Audit Logs, AD access, etc.
• Splunk add-on for Microsoft Cloud
  • logs from Storage Tables, Storage Blobs, Azure Service Management APIs and Office 365 Management API.
• ELK (ElasticSearch+LogStash+Kibana)
  • logs from applications, OS, Storage Blobs, Service Management APIs, etc.
• Azure Log Analytics
  • Part of OMS (Operations Management Suite).
  • Collect logs from agents (Win/Linux), storage, performance, IIS logs, syslog, etc.
16. Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • HP ArcSight SmartConnector
    • Need to allow inbound SSL to ESM
17. Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • IBM QRadar
    • Native support for AWS CloudTrail using S3 REST API
    • Need to import the SSL cert first
18. Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • Splunk
    • Requires "Splunk for AWS" app and "Splunk Add-on for Amazon Web Services".
    • Requires appropriate permissions created on IAM.
    • Collects events from Simple Queue Service (SQS) that subscribes to Simple Notification Service (SNS) events from AWS Config.
19. Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • ELK Stack (logz.io)
20. Azure SIEM Integrator
• Integrate with on-premises SIEM (or MSSP)
• Logs supported
  • VM logs
  • Azure Audit Logs
  • Azure Security Center alerts
21. Azure SIEM Integrator
• How to deploy
  • Install Azlog Integrator on Windows server (on-premises)
    • https://www.microsoft.com/en-us/download/details.aspx?id=53324
    • Needs access to Azure Storage
  • Install SIEM log collection agent on same server
    • Splunk Universal Forwarder
    • HP ArcSight Windows Event Collector
    • IBM QRadar WinCollect
    • …
  • Configure SIEM agents for collection
    • https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/
• Scalability
  • On an 8-proc machine – 1 instance of Azlog can process about 277 EPS
  • On a 4-proc machine – 1 instance of Azlog can process about 17 EPS
  • Multiple instances of the SIEM Integrator can be run if event volume is high
25. Threat intel feeds
• Good feeds of IOCs can be invaluable
• Integrate threat intel feeds in SIEM/Log Management solutions
  • tagging of events
  • quick searches for malicious activity
• For increased value, maintain your OWN threat intel feed and repository
26. Endpoint activity monitoring
• Endpoint process activity monitoring tool
  • such as Carbon Black
• Deploy to IaaS instances
• Agent-based blackbox-type recording for
  • process activity (creation, termination, child processes)
  • filesystem and registry activity
  • inbound and outbound network connections
• Integration with threat intel feeds
• Can integrate (using API) with log retention solutions
  • "if log event X then find process tree at the time for endpoint Y"
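As an added example (not the slides' own tooling, and not tied to Carbon Black or to any particular SIEM API), this Python script wires together the two ideas from the threat intel and endpoint monitoring slides: it tags normalised events against an IOC feed, offers the "quick search for malicious activity" as a filter on those tags, and, for each tagged event, reconstructs the process tree on the named endpoint around the event time from agent-style telemetry. The IOC values, events, hostnames and process records are all constructed for the example.

```python
"""Threat-intel tagging of SIEM events plus the endpoint pivot from the slide:
for a tagged event, pull the process tree on that endpoint around the event
time. All data below is constructed for the example."""
from datetime import datetime, timedelta, timezone

# Constructed IOC feed: indicator -> tag (source feed and meaning).
IOC_FEED = {
    "192.0.2.44": "feed-A:scanner",
    "evil.example": "feed-A:c2-domain",
}

# Constructed, already-normalised SIEM events.
EVENTS = [
    {"ts": "2017-05-01T10:20:00Z", "endpoint": "web-01", "src_ip": "192.0.2.44",
     "msg": "inbound tcp/445 rejected"},
    {"ts": "2017-05-01T10:21:30Z", "endpoint": "web-01", "dst_host": "evil.example",
     "msg": "outbound dns query"},
    {"ts": "2017-05-01T10:22:00Z", "endpoint": "db-01", "src_ip": "10.0.1.5",
     "msg": "ssh login"},
]

# Constructed endpoint process telemetry (creation time, pid, parent pid,
# image): the kind of record an agent-based endpoint recorder keeps.
PROCESS_RECORDS = [
    {"ts": "2017-05-01T09:00:00Z", "endpoint": "web-01", "pid": 1, "ppid": 0, "image": "init"},
    {"ts": "2017-05-01T09:00:05Z", "endpoint": "web-01", "pid": 800, "ppid": 1, "image": "nginx"},
    {"ts": "2017-05-01T10:21:25Z", "endpoint": "web-01", "pid": 4242, "ppid": 800, "image": "sh"},
    {"ts": "2017-05-01T10:21:28Z", "endpoint": "web-01", "pid": 4243, "ppid": 4242, "image": "curl"},
    {"ts": "2017-05-01T10:21:29Z", "endpoint": "db-01", "pid": 300, "ppid": 1, "image": "sshd"},
]

# Event fields that can carry an indicator worth matching against the feed.
INDICATOR_FIELDS = ("src_ip", "dst_ip", "dst_host")


def parse_ts(s):
    """ISO-8601 'Z' timestamp -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tag_events(events, iocs):
    """Return copies of the events with a sorted 'tags' list of IOC matches."""
    tagged = []
    for ev in events:
        tags = sorted({iocs[ev[f]] for f in INDICATOR_FIELDS if ev.get(f) in iocs})
        tagged.append({**ev, "tags": tags})
    return tagged


def search_tagged(events, iocs, tag_prefix=""):
    """Quick search for malicious activity: events carrying a matching tag."""
    return [ev for ev in tag_events(events, iocs)
            if any(t.startswith(tag_prefix) for t in ev["tags"])]


def process_tree_at(records, endpoint, at_time, window=timedelta(minutes=5)):
    """Lineage (root first) of every process created on `endpoint` within
    +/- window of at_time, rebuilt from pid/ppid links in the telemetry."""
    by_pid = {r["pid"]: r for r in records if r["endpoint"] == endpoint}
    chains = []
    for rec in by_pid.values():
        if abs(parse_ts(rec["ts"]) - at_time) > window:
            continue
        chain, cur, seen = [], rec, set()
        # `seen` guards against loops caused by pid reuse in long captures
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(cur["image"])
            cur = by_pid.get(cur["ppid"])
        chains.append(" > ".join(reversed(chain)))
    return chains


def pivot(events, records, iocs):
    """'If log event X then find process tree at the time for endpoint Y'."""
    return [(ev["endpoint"], ev["tags"],
             process_tree_at(records, ev["endpoint"], parse_ts(ev["ts"])))
            for ev in search_tagged(events, iocs)]


if __name__ == "__main__":
    for endpoint, tags, chains in pivot(EVENTS, PROCESS_RECORDS, IOC_FEED):
        print(endpoint, tags, chains)
```

The pivot deliberately keys on the endpoint name plus a time window rather than on a process id, because the SIEM event usually knows the host and the time but not which process was responsible; the endpoint recorder is what supplies the parent/child links.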