Issuing temporary credentials for MySQL using HashiCorp Vault
2. Sounds familiar?
“Hey, Jane Doe from that department you’ve never heard of wants to do some analysis and she ‘needs’ direct access to our production database. Can you set that up in the next 30 minutes please, I know you have nothing better to do anyway.
Cheers,
not-your-manager.”
4. What if...
● They could self-service?
● They could request read-only credentials by authenticating against {LDAP, GitHub, AWS IAM, etc}
● Their credentials would automatically expire in 24 hours
6. Demo Architecture
● AWS
○ 3 AZs, 1 region
● HashiCorp Consul
● HashiCorp Vault
○ Secrets backend: consul
○ Auth backend -> github
● MySQL
○ (any flavor/version > 5.0)
7. Vault
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
● Vault is Open Source
● Enterprise support available
● The data stored with Vault is encrypted using 256-bit AES in GCM mode with a randomly generated nonce.
The key features of Vault are:
● Secure Secret Storage
● Dynamic Secrets
● Data Encryption
● Leasing and Renewal
● Revocation
8. Workflow (vault/mysql admin)
● Setup Consul cluster
● Setup MySQL
● Setup Vault and point it at the Consul cluster
● vault init
● Unseal the vault
● Setup GitHub auth
● Configure database secret backend
● Create one or more roles
Terraform (Infra as Code)
Manual (One time operations)
9. Consul
● “A fancy Key/value store”
● Backend for our Vault cluster
○ Officially supported by Hashicorp
root@ip-10-1-103-8:~# consul members
Node Address Status Type Build Protocol DC Segment
ip-10-1-103-104 10.1.103.104:8301 alive server 0.9.3 2 dc1 <all>
ip-10-1-104-233 10.1.104.233:8301 alive server 0.9.3 2 dc1 <all>
ip-10-1-105-147 10.1.105.147:8301 alive server 0.9.3 2 dc1 <all>
ip-10-1-103-8 10.1.103.8:8301 alive client 0.9.3 2 dc1 <default>
10. Vault init
● Initialises the vault
● Seals the vault
● Hands out unseal keys
○ By default 5, need 3 minimum to unseal (Shamir's Secret Sharing)
○ Don’t lose them, you lose everything
○ Use gpg init for easier distribution (https://www.vaultproject.io/docs/concepts/pgp-gpg-keybase.html)
● Hands out root auth token
root@ip-10-1-103-8:~# vault init
Unseal Key 1: p5Luba1DNJcFSvThese2rj/fJ4iJQMA8bUBG5fuvIsS
Unseal Key 2: 3+M+ajrPVCS96fKeysxUOEfM4JxsT40sosMVHfq1bqA
Unseal Key 3: aW1qaxI2H7u57YAreG26Fuchao0XEaWq/f79dljE3iLA
Unseal Key 4: tNSeeA6WWkAMK5Notjs/gEqf+8KbqQ32ypcfh3oecsfu
Unseal Key 5: nkbtNRGOUxiXPiRealtNBTai9bzVaMmkkbCVRzbaoFn8
Initial Root Token: d57d945b-yoaa-f476-5660-3f6645692555
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.
11. Sealing/Unsealing the vault
● A vault starts sealed
● If there’s ever any reason to, a single vault seal command will seal the vault
● Unsealing needs a quorum of 3 out of 5 keys by default
● Sealing requires authentication first
root@ip-10-1-103-8:~# vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1
Unseal Nonce: d1747cd1-a850-bf79-9175-7ac1aaffdddd
root@ip-10-1-103-8:~# vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 2
Unseal Nonce: d1747cd1-a850-bf79-9175-7ac1aaffdddd
root@ip-10-1-103-8:~# vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
root@ip-10-1-103-8:~# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: 0.8.2
Cluster Name: vault-cluster-d2bd39fc
Cluster ID: d6957662-bc13-826e-5a10-1effde41a718
High-Availability Enabled: true
Mode: standby
Leader Cluster Address: https://10.1.104.220:8201
root@ip-10-1-103-8:~# vault seal
Error sealing: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/sys/seal
Code: 500. Errors:
* 1 error occurred:
* missing client token
root@ip-10-1-103-8:~# vault auth
Token (will be hidden):
Successfully authenticated! You are now logged in.
token: d57d945b-b0aa-f476-5660-3f6645692555
token_duration: 0
token_policies: [root]
root@ip-10-1-103-8:~# vault seal
Vault is now sealed.
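Slides 10 and 11 rest on Shamir's Secret Sharing: vault init hands out 5 key shares and any 3 of them rebuild the master key. The following is an added toy implementation, not Vault's code (Vault's own shamir package also does its arithmetic in GF(2^8)); it splits a constructed 32-byte "master key" into 5 shares and lets you check that any 3 shares reconstruct it while 2 do not.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    # Multiply in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    # Multiplicative inverse as a^254 (a^255 == 1 for every non-zero a)
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret: bytes, shares: int = 5, threshold: int = 3):
    # Returns `shares` (x, bytes) pairs; any `threshold` of them recover `secret`.
    xs = list(range(1, shares + 1))  # x=0 is never handed out: p(0) IS the secret byte
    out = [(x, bytearray()) for x in xs]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]  # degree threshold-1
        for i, x in enumerate(xs):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = gf_mul(y, x) ^ c
            out[i][1].append(y)
    return [(x, bytes(b)) for x, b in out]

def combine(shares) -> bytes:
    # Lagrange interpolation at x=0, byte by byte; too few shares yield unrelated bytes
    xs = [x for x, _ in shares]
    result = bytearray()
    for k in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num = den = 1
            for j, xj in enumerate(xs):
                if i != j:
                    num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)   # (xi - xj)
            acc ^= gf_mul(yi[k], gf_mul(num, gf_inv(den)))
        result.append(acc)
    return bytes(result)
```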
12. Policies
● Policies provide a declarative way to grant or forbid access to certain paths and operations
cat <<EOF | vault policy-write core-policy /dev/stdin
path "sys/*" {
  policy = "deny"
}
path "database/creds/readonly" {
  policy = "read"
  capabilities = ["list", "sudo"]
}
path "database/creds/demodb_admin" {
  policy = "read"
  capabilities = ["list", "sudo"]
}
path "database/roles/*" {
  policy = "read"
  capabilities = ["read", "list"]
}
EOF
13. Enable GitHub auth
● One of many auth mechanisms
○ AWS, Gcloud, LDAP, Radius, Okta and more available
● Doesn’t use OAuth but personal access tokens
○ Beware! Losing a personal token is a security risk
● Access your Personal Access Tokens at https://github.com/settings/tokens.
○ Generate a new Token that has the scope read:org.
root@ip-10-1-103-8:~# vault auth-enable github
Successfully enabled 'github' at 'github'!
root@ip-10-1-103-8:~# vault auth -methods
Path     Type    Accessor              Default TTL  Max TTL  Replication Behavior  Description
github/  github  auth_github_db842730  system       system   replicated
token/   token   auth_token_84532020   system       system   replicated            token based credentials
root@ip-10-1-103-8:~# vault write auth/github/config organization=olindata
Success! Data written to: auth/github/config
root@ip-10-1-103-8:~# vault write auth/github/map/teams/core value=core-policy
Success! Data written to: auth/github/map/teams/core
root@ip-10-1-103-8:~# vault auth -method=github token=10a8acd3f4ec0b2399146abb0ba6b70211bb6990
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not need to "vault auth" again with the token.
token: 58b52458-4e25-6642-f1f1-a24eda37913d
token_duration: 2764799
token_policies: [core-policy default]
15. Enable MySQL secrets backend
● Secrets backends are mounts in the tree
● The database backend is generic for a number of database engines
○ Postgres, mongo, oracle, MS SQL server
● The creation_statements argument for the role is flexible and can contain whatever SQL statement you want
● Also see revocation_statements, max_open_connections and others
root@ip-10-1-103-194:~# vault mount database
Successfully mounted 'database' at 'database'!
root@ip-10-1-103-8:~# vault write database/config/mysql
> plugin_name=mysql-database-plugin
> connection_url="user:mypwd@tcp(perconalive.olindata.local:3306)/"
> allowed_roles="readonly"
The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will
return the connection details as is, including passwords, if any.
root@ip-10-1-103-8:~# vault write database/roles/readonly
> db_name=mysql
> creation_statements="CREATE USER '{{name}}'@'%'
> IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
> default_ttl="1h"
> max_ttl="24h"
Success! Data written to: database/roles/readonly
17. Workflow (Getting creds)
1. User auths against Vault
2. User asks vault for creds
3. Vault creates records in consul and issues a grant statement to MySQL
4. Vault returns username+password back to user
… user does their thing
5. After X amount of time, vault removes grant from MySQL
18. GitHub Auth & Get mysql creds
● Authentication on command line is not really useful in prod
○ Use HTTP API instead
root@ip-10-1-103-8:~# vault auth -method=github token=a8acd3f4ec0b2399146abb0ba6b70211bb699010
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not need to "vault auth" again with the token.
token: 76ee8b56-61e5-cbcd-2710-7f7d08668568
token_duration: 2764799
token_policies: [core-policy default]
root@ip-10-1-103-8:~# vault read database/creds/readonly
Key Value
--- -----
lease_id database/creds/readonly/1b889400-092d-e634-6444-d1217dc93690
lease_duration 1h0m0s
lease_renewable true
password A1a-77r41spp13x57vy5
username v-github-wal-readonly-23q9t9vxx2
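Slide 18 says the CLI is not what you use in production and points at the HTTP API instead. Here is an added Python client for that same flow (not code from the slides or from HashiCorp): GitHub login at auth/github/login, the dynamic credential read at database/creds/readonly, and early revocation via sys/leases/revoke. The Vault address, the injectable transport hook and the placeholder token values are assumptions made for the example.

```python
# Added example (not from the slides): slide 18's flow over Vault's HTTP API, offline-testable via an injectable transport.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

@dataclass
class DbCreds:
    username: str
    password: str
    lease_id: str
    lease_duration: int  # seconds; slide 18's 1h0m0s is 3600
    renewable: bool

_parse = lambda raw: json.loads(raw) if raw else None  # empty body (204) -> None

def urllib_http(method, url, headers, body):
    # Default transport -> (status, parsed JSON); 4xx/5xx are returned, not raised
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())

def github_login(vault_addr, github_token, http=urllib_http):
    # POST auth/github/login with the personal access token -> Vault client token
    status, body = http("POST", f"{vault_addr}/v1/auth/github/login",
                        {"Content-Type": "application/json"}, {"token": github_token})
    if status != 200 or not body or "auth" not in body:
        raise RuntimeError(f"github login failed: HTTP {status}")
    return body["auth"]["client_token"]

def read_db_creds(vault_addr, client_token, role="readonly", http=urllib_http):
    # GET database/creds/<role>: Vault runs the role's creation_statements on MySQL
    status, body = http("GET", f"{vault_addr}/v1/database/creds/{role}",
                        {"X-Vault-Token": client_token}, None)
    if status == 403:
        raise PermissionError(f"token's policies do not allow read on database/creds/{role}")
    if status != 200 or not body:
        raise RuntimeError(f"creds read failed: HTTP {status}")
    return DbCreds(body["data"]["username"], body["data"]["password"],
                   body["lease_id"], int(body["lease_duration"]), bool(body["renewable"]))

def revoke_lease(vault_addr, client_token, lease_id, http=urllib_http):
    # PUT sys/leases/revoke: drop the MySQL user now instead of waiting for the TTL
    status, _ = http("PUT", f"{vault_addr}/v1/sys/leases/revoke",
                     {"X-Vault-Token": client_token}, {"lease_id": lease_id})
    return status in (200, 204)
```

Run it against a real server by calling github_login and read_db_creds with the default transport and VAULT_ADDR; the client token is kept in memory only and is never printed.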
20. What’s next?
● Audit backend
● Vault in HA mode
● Check other integrations
○ AWS, LDAP, Kerberos, SSH, etc.
21. More reading...
Vault on AWS
https://gist.github.com/chris-moreton/f523650c1863f0181e22e2020d0f2268
Consul Cluster ASG on AWS
https://github.com/dwmkerr/terraform-consul-cluster
Vault with MySQL
https://www.percona.com/blog/2016/11/14/using-vault-mysql/