Uploaded bylokori
PDF, PPTX485 views

Hacker Games & DevSecOps

The document discusses the evolving landscape of developer responsibilities in relation to security, emphasizing the trend of integrating security into development practices (DevSecOps). It highlights the need for developers to be educated about various security threats and operational security measures and encourages hands-on hacking experiences to enhance their skills. The speaker also advocates for gamification of learning security, suggesting platforms like Hack The Box for practical and engaging training.

Embed presentation

Download as PDF, PPTX
27.3. 2018 TallinnSec Twitter: @Anakondantti Antti.virtanen@solita.fi DEVsec OPsec Hacker Games & DevSecOps
Emerging developer landscape • More threats, new threats. • More responsibility. New responsibilities. • Not possible to know everything. • What can we do? • Could it be fun?
My interest on this.. • I’ve done programming professionally for 20 years • I’ve had an interest on security side of things for a long time.. • I’m an Architect & Security consultant at Solita • Part of hacker team ROT • It would be awesome if things didn’t suck so badly.
Developer is an attack vector My presentation about this from Disobey 2018: https://www.youtube.com/watch?v=3rOSrNpjj9o&t=2s
Cloud! AWESOME! Agile!
https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/ 1 DEV -> 1M DEV -> 50M USERS.... “that's because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.”
More responsibilities Because Cloud = DevOps = L33t K-Rad Elite Agile
Who is in charge? • S3 bucket policies and other AWS policy stuff? • SSL certificates? • Production server ops and opsec? • Dynamic firewall configurations? • VPN connection configurations in the cloud? • ... • Surprisingly often, Developers are in charge • .. Or have ACCESS
No easy solutions.. There are some obvious ones..
DEVSEC & DevSecOps – build security in!
Raise awareness • Demonstrate attacks. • Hack your own software. • Show news of relevant attacks to other organizations • Explain emerging new threats. • Make developers worry about more than coding stuff. • Educate developers about opsec, firewalls, VPN tunneling etc.
Read books, not just blog posts.
Arrange education • It’s actually mandatory now in Finland* • OWASP Top 10 and other ”common knowledge” must be covered.
Automate some security testing
Redacted
Do you learn by listening and reading? Or by using automated tools?
DEVSEC & DevSecOps – break to build better!
Do or do not, there is no try. (If necessary, Try Harder) • Hack your own stuff • Go to Vulnhub? • Get OWASP Juice Shop (or something similar) ? • OSCP? • Hack The Box? YES!
OWASP Juice Shop, a good start
Hack The Box (fun, no profit)
In two weeks.. • I kind of got excited..
Did some “forensic analysis”
Wrote scripts.. (bypass PHP chroot jailing)
Found out PHP typing is Super AWESOME (JavaScript can’t beat this!)
Wrote more scripts... (Abused squid proxy to scan internal network)
Did some binary reverse-engineering
Learnt a great deal of other stuff. Like.. • TFTP • LXC and Docker security. • Squid proxy can be abused to smuggle SSH connections. • Many new ways PHP programs can be abused. • Stuff about kernel exploits. • Windows privilege escalation. • Perseverance. Script kiddies might quit easily, some attackers do not. • Routine. It gets easier with practice.
Why Hack The Box? • You (your developers) will learn a great deal of “real” hacker skills. • Not just noticing bugs. • It’s more fun than OSCP (I suppose) • Gamification makes it more addictive than Vulnhub. • There are no solutions for active challenges and machines! • It is a great platform. And getting better. • There is a good range of challenges from easy to very tough!
Bonus: How realistic is it?
There are things..
.. In the internet..
Hacker Games & DevSecOps

More Related Content

PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PPTX
Defining DevSecOps
byUchit Vyas ☁
 
PDF
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
The New Security Playbook: DevSecOps
byJames Wickett
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PDF
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
PDF
Secure Your Code Implement DevSecOps in Azure
bykloia
 
2019 DevSecOps Reference Architectures
bySonatype
 
Defining DevSecOps
byUchit Vyas ☁
 
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
The New Security Playbook: DevSecOps
byJames Wickett
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
Secure Your Code Implement DevSecOps in Azure
bykloia
 

What's hot

PDF
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PDF
DevSecOps The Evolution of DevOps
byMichael Man
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PDF
Devops Indonesia - DevSecOps - The Open Source Way
byYusuf Hadiwinata Sutandar
 
PDF
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
PDF
Adversary Driven Defense in the Real World
byJames Wickett
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
DevOps or DevSecOps
byMichelangelo van Dam
 
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
DevSecOps - The big picture
byStefan Streichsbier
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
DevSecOps reference architectures 2018
bySonatype
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
DevSecOps : an Introduction
byPrashanth B. P.
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Introduction to DevSecOps
bySetu Parimi
 
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
DevSecOps - The big picture
byDevSecOpsSg
 
DevSecOps The Evolution of DevOps
byMichael Man
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
Devops Indonesia - DevSecOps - The Open Source Way
byYusuf Hadiwinata Sutandar
 
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
Adversary Driven Defense in the Real World
byJames Wickett
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
DevOps or DevSecOps
byMichelangelo van Dam
 

Similar to Hacker Games & DevSecOps

PDF
DevSecOps | How hard it is?
byPhishX
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
DevSec - build security in and dance like a pro!
bylokori
 
PDF
Year Zero
byleifdreizler
 
PDF
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
PDF
Building security into the pipelines
byVandana Verma
 
PDF
DevOpsDay London Ben Hughes Security
bybeehooze
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
PDF
Work with Developers for Fun and Progress - AppSec California
byleifdreizler
 
PPTX
Allianz Global CISO october-2015-draft
byEoin Keary
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
Building a Modern Security Engineering Organization. Zane Lackey
byYandex
 
PDF
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
byCodemotion
 
PPTX
The Teams Behind DevSecOps
byUleska
 
PDF
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
PDF
Web Security... Level Up
byIzzet Mustafaiev
 
PPTX
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
PPTX
How To Start Your InfoSec Career
byAndrew McNicol
 
PDF
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 
DevSecOps | How hard it is?
byPhishX
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
DevSec - build security in and dance like a pro!
bylokori
 
Year Zero
byleifdreizler
 
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
Building security into the pipelines
byVandana Verma
 
DevOpsDay London Ben Hughes Security
bybeehooze
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
Work with Developers for Fun and Progress - AppSec California
byleifdreizler
 
Allianz Global CISO october-2015-draft
byEoin Keary
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
Building a Modern Security Engineering Organization. Zane Lackey
byYandex
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
byCodemotion
 
The Teams Behind DevSecOps
byUleska
 
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
Web Security... Level Up
byIzzet Mustafaiev
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
How To Start Your InfoSec Career
byAndrew McNicol
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 

More from lokori

PDF
Smart Locks - too clever by half
bylokori
 
PDF
Turvallinen ohjelmointi -vierailuluento, 2019
bylokori
 
PDF
Developer is an attack vector
bylokori
 
PDF
Webapp security-tut-2017
bylokori
 
PDF
TTY turvallinen ohjelmointi 2017
bylokori
 
PPTX
Tga2015 documentationpipeline
bylokori
 
PPT
Clojure oikeassa projektissa, IT-Päivät 2014
bylokori
 
PPTX
Turkuagile agile contractmodel_13052014
bylokori
 
PPTX
Agilelessons scanagile-final 2013
bylokori
 
Smart Locks - too clever by half
bylokori
 
Turvallinen ohjelmointi -vierailuluento, 2019
bylokori
 
Developer is an attack vector
bylokori
 
Webapp security-tut-2017
bylokori
 
TTY turvallinen ohjelmointi 2017
bylokori
 
Tga2015 documentationpipeline
bylokori
 
Clojure oikeassa projektissa, IT-Päivät 2014
bylokori
 
Turkuagile agile contractmodel_13052014
bylokori
 
Agilelessons scanagile-final 2013
bylokori
 

Recently uploaded

PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
PDF
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 

Hacker Games & DevSecOps

  • 1.
    27.3. 2018 TallinnSec Twitter:@Anakondantti Antti.virtanen@solita.fi DEVsec OPsec Hacker Games & DevSecOps
  • 2.
    Emerging developer landscape •More threats, new threats. • More responsibility. New responsibilities. • Not possible to know everything. • What can we do? • Could it be fun?
  • 3.
    My interest onthis.. • I’ve done programming professionally for 20 years • I’ve had an interest on security side of things for a long time.. • I’m an Architect & Security consultant at Solita • Part of hacker team ROT • It would be awesome if things didn’t suck so badly.
  • 4.
    Developer is anattack vector My presentation about this from Disobey 2018: https://www.youtube.com/watch?v=3rOSrNpjj9o&t=2s
  • 5.
  • 6.
    https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/ 1 DEV ->1M DEV -> 50M USERS.... “that's because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.”
  • 7.
    More responsibilities Because Cloud= DevOps = L33t K-Rad Elite Agile
  • 8.
    Who is incharge? • S3 bucket policies and other AWS policy stuff? • SSL certificates? • Production server ops and opsec? • Dynamic firewall configurations? • VPN connection configurations in the cloud? • ... • Surprisingly often, Developers are in charge • .. Or have ACCESS
  • 9.
    No easy solutions.. Thereare some obvious ones..
  • 10.
    DEVSEC & DevSecOps– build security in!
  • 11.
    Raise awareness • Demonstrateattacks. • Hack your own software. • Show news of relevant attacks to other organizations • Explain emerging new threats. • Make developers worry about more than coding stuff. • Educate developers about opsec, firewalls, VPN tunneling etc.
  • 12.
    Read books, notjust blog posts.
  • 13.
    Arrange education • It’sactually mandatory now in Finland* • OWASP Top 10 and other ”common knowledge” must be covered.
  • 14.
  • 15.
  • 16.
    Do you learnby listening and reading? Or by using automated tools?
  • 17.
    DEVSEC & DevSecOps– break to build better!
  • 18.
    Do or donot, there is no try. (If necessary, Try Harder) • Hack your own stuff • Go to Vulnhub? • Get OWASP Juice Shop (or something similar) ? • OSCP? • Hack The Box? YES!
  • 19.
    OWASP Juice Shop,a good start
  • 20.
    Hack The Box(fun, no profit)
  • 21.
    In two weeks.. •I kind of got excited..
  • 22.
  • 23.
  • 24.
    Found out PHPtyping is Super AWESOME (JavaScript can’t beat this!)
  • 25.
    Wrote more scripts... (Abusedsquid proxy to scan internal network)
  • 26.
    Did some binaryreverse-engineering
  • 27.
    Learnt a greatdeal of other stuff. Like.. • TFTP • LXC and Docker security. • Squid proxy can be abused to smuggle SSH connections. • Many new ways PHP programs can be abused. • Stuff about kernel exploits. • Windows privilege escalation. • Perseverance. Script kiddies might quit easily, some attackers do not. • Routine. It gets easier with practice.
  • 28.
    Why Hack TheBox? • You (your developers) will learn a great deal of “real” hacker skills. • Not just noticing bugs. • It’s more fun than OSCP (I suppose) • Gamification makes it more addictive than Vulnhub. • There are no solutions for active challenges and machines! • It is a great platform. And getting better. • There is a good range of challenges from easy to very tough!
  • 29.
  • 30.
  • 31.
    .. In theinternet..