SlideShare a Scribd company logo

LF_APIStrat17_Don't Build a Death Star

LF_APIStrat
LF_APIStrat

"Have you been tasked to build the most powerful weapon in the universe? No? How about an enterprise website which both consumes external and provides its own APIs? Whatever your task is, secure architecture is key. And while putting an exhaust port on the reactor core seems like a good idea, trust me when I say it'll blow up in your face later. Web development is no different. What seems like a simple decision at the outset, or an overlooked detail may turn out to cause severe issues later on. During this session we’ll take a look at how to architect for success and security when building a website which connects to external systems and while providing access to data. By building security in from the beginning you can help prevent a young Jedi shooting a proton torpedo through a hole the size of a wamp rat and destroying your hard work. We’ll cover: • Overview of common API authentication and security methods • Using capabilities instead of roles to define security • How to store and access keys and tokens in your website • Providing an API to access your website data • Common mistakes developers make when creating APIs A session for developers of all skills and abilities, this will be an interactive time filled with lessons learned and examples from the real world, including some recent examples of how a single exposed API can prove catastrophic. Just promise that afterwards you’ll use what you learn for the good of the galaxy and that you won't go build a planet sized weapon of mass destruction."

Technology
1 of 34
Download to read offline
Don’t Build a Death Star Chris Teitzel, Lockr
Who Is This Guy? • Chris Teitzel – Founder / CEO • Lockr / Cellar Door Media – Drupal for 8 years – F100, e-commerce, Startups – 3rd Generation Tech Nerd @technerdteitzel
You have ambitions to build a product or service that will conquer the galaxy
Initial launch was a great success!
However there are a few bad actors...
… who are plotting to take the whole thing offline.
And with one small hole in your defenses...
… they are able to take down everything you built.
Don’t Build a Death Star A Post-Mortem Look at the Empire’s Failings
Perimeter Defenses “The battle station is heavily shielded and carries a firepower greater than half the star fleet. It's defenses are designed around a direct large-scale assault. A small one-man fighter should be able to penetrate the outer defense.”
Perimeter Defenses • WAF (Web Application Firewall) – SaaS - Cloudflare, Sucuri, Fastly – IaaS - AWS, Azure – PaaS - Mulesoft, 3Scale
Perimeter Defenses • Create specific rules for your application – ex. “Don’t allow any x-wings in meridian trench” • Protects against generalized threats and even zero-days
Authentication “There's a planet-wide defensive shield with a single main entry gate. This shuttle should be equipped with an access code that allows us through.”
Authentication • Authentication before application – Do initial authentication at the web server – ex. Lockr uses x.509 certificates to not only secure the request but authenticate as well Apache with SAML Application Software
Authentication • Keys and Tokens – Don’t just let anyone through the front door – Show it to a user once and only once – If using user-generated passwords - hash or stretch! • API Consumers - Protect your API keys! – Treat as if it’s an encryption key (it just might be)
Authentication https://xkcd.com/538/
Capabilities vs. Authentication “You don't need to see his identification.”
Ambient Authority Set a course for Alderaan. Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons How it can fail: Set a course for Coruscant. Imposter Tarkin Setting course, Governor. Helm/Weapons
Mandatory Access Control Set a course for Alderaan. Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons May target Rebel Set a course for Coruscant. Imposter Tarkin Setting course, Governor. Helm/Weapons May target Rebel Attempted hack:
Capability Based Security Set a course for ef28bc28 (signed token for Alderaan). Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons Attempted hack: Code validation Set a course for, um, 3a2eb45a (invalid token). Imposter Tarkin Sorry, that code isn’t working in my helm system, Governor. Helm/Weapons Code validation
Keep your secrets… Secret “It is a period of civil war. Rebel spaceships, striking from a hidden base, have won their first victory against the evil Galactic Empire. During the battle, Rebel spies managed to steal secret plans to the Empire's ultimate weapon, the DEATH STAR, an armored space station with enough power to destroy an entire planet”
Secrets Storage “It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station.”
Why Do We Do This?
Or This?
Separate Your Secrets • Store outside your codebase / databases • Inject as environment variables at creation of service with automation tools • Use software such as Lockr, Vault, AWS KMS, Azure Key Vault etc.
Prevent a Breach from Spreading “Uh, we had a slight weapons malfunction, but uh... everything's perfectly all right now. We're fine. We're all fine here now, thank you. How are you?”
Systems Isolation Web-Facing Systems Intranet Systems Load Balancer Application Server Database Server Cache Server Active Directory Exchange File Shares HR Records
Shared Secrets DatabaseApp Password or Key Compromise Point #1 Compromise Point #2
Public Key Infrastructure Admin Firewall MariaDBCDN nginxHTTPS Client Certificate Server Certificate PHP-FPM + Drupal MySQL Solr HTTPS File System NFS or Sim ilar Client Certificate Server Certificate Client Certificate Server Certificate Server Certificate Client Certificate SSH Jump or VPNTunnel Server Key SSH Key User HTTPS Server Certificate
Plan for Chaos “It’s a trap!”
Act Like Everyone Is Out To Get You • Security by design • Build redundancy • Defense-in-Depth • Never trust your users • Only handle data you absolutely have to • Encrypt all the things!
When The Sh*t Hits the Fan • Have a plan in place • Breath, Backup, Fix • Build Again – Post Mortem – Document your mistakes – Don’t blame… learn
Thank You And May The Force Be With You

Recommended

Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To UsLacework
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
 

Recommended

Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To UsLacework
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationCloudVillage
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackLacework
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWSTeri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...NebulaInc
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudCloudVillage
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)Amazon Web Services
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...Karl Ots
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...Karl Ots
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud eraCloudVillage
 
Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013Ariel Tseitlin
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore apponix123
 

More Related Content

What's hot

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationCloudVillage
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackLacework
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWSTeri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...NebulaInc
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudCloudVillage
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)Amazon Web Services
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...Karl Ots
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...Karl Ots
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud eraCloudVillage
 

What's hot (20)

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWS
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing Kubernetes
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
 

Similar to LF_APIStrat17_Don't Build a Death Star

Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013Ariel Tseitlin
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore apponix123
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...Databricks
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Chris Hernandez
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response SimulationsAmazon Web Services
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
MassTLC Cloud Summit Keynote
MassTLC Cloud Summit KeynoteMassTLC Cloud Summit Keynote
MassTLC Cloud Summit KeynoteAriel Tseitlin
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
 
Machine Learning inference at the Edge
Machine Learning inference at the EdgeMachine Learning inference at the Edge
Machine Learning inference at the EdgeJulien SIMON
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Resiliency through failure @ QConNY 2013
Resiliency through failure @ QConNY 2013Resiliency through failure @ QConNY 2013
Resiliency through failure @ QConNY 2013Ariel Tseitlin
 

Similar to LF_APIStrat17_Don't Build a Death Star (20)

Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013Resiliency through Failure @ OSCON 2013
Resiliency through Failure @ OSCON 2013
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...
HIPAA Compliant Deployment of Apache Spark on AWS for Healthcare Nitin Panjwa...
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Getting Started with AWS IoT
Getting Started with AWS IoTGetting Started with AWS IoT
Getting Started with AWS IoT
 
Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
MassTLC Cloud Summit Keynote
MassTLC Cloud Summit KeynoteMassTLC Cloud Summit Keynote
MassTLC Cloud Summit Keynote
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
Mini-Training: Netflix Simian Army
Mini-Training: Netflix Simian ArmyMini-Training: Netflix Simian Army
Mini-Training: Netflix Simian Army
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
Machine Learning inference at the Edge
Machine Learning inference at the EdgeMachine Learning inference at the Edge
Machine Learning inference at the Edge
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Resiliency through failure @ QConNY 2013
Resiliency through failure @ QConNY 2013Resiliency through failure @ QConNY 2013
Resiliency through failure @ QConNY 2013
 

More from LF_APIStrat

LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat
 
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat
 
LF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat
 
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat
 
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat
 
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat
 
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat
 
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat
 
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat
 
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat
 
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat
 
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat
 
LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat
 
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat
 
LF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat
 
LF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat
 
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat
 
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat
 
LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat
 
LF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat
 

More from LF_APIStrat (20)

LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
 
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
 
LF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API Testing
 
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
 
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
 
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
 
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
 
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
 
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
 
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
 
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
 
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
 
LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions
 
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
 
LF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision Trees
 
LF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In Order
 
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
 
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
 
LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World
 
LF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIs
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

LF_APIStrat17_Don't Build a Death Star

  • 1.
  • 2. Don’t Build a Death Star Chris Teitzel, Lockr
  • 3. Who Is This Guy? • Chris Teitzel – Founder / CEO • Lockr / Cellar Door Media – Drupal for 8 years – F100, e-commerce, Startups – 3rd Generation Tech Nerd @technerdteitzel
  • 4. You have ambitions to build a product or service that will conquer the galaxy
  • 5. Initial launch was a great success!
  • 6. However there are a few bad actors...
  • 7. … who are plotting to take the whole thing offline.
  • 8. And with one small hole in your defenses...
  • 9. … they are able to take down everything you built.
  • 10. Don’t Build a Death Star A Post-Mortem Look at the Empire’s Failings
  • 11. Perimeter Defenses “The battle station is heavily shielded and carries a firepower greater than half the star fleet. It's defenses are designed around a direct large-scale assault. A small one-man fighter should be able to penetrate the outer defense.”
  • 12. Perimeter Defenses • WAF (Web Application Firewall) – SaaS - Cloudflare, Sucuri, Fastly – IaaS - AWS, Azure – PaaS - Mulesoft, 3Scale
  • 13. Perimeter Defenses • Create specific rules for your application – ex. “Don’t allow any x-wings in meridian trench” • Protects against generalized threats and even zero-days
  • 14. Authentication “There's a planet-wide defensive shield with a single main entry gate. This shuttle should be equipped with an access code that allows us through.”
  • 15. Authentication • Authentication before application – Do initial authentication at the web server – ex. Lockr uses x.509 certificates to not only secure the request but authenticate as well Apache with SAML Application Software
  • 16. Authentication • Keys and Tokens – Don’t just let anyone through the front door – Show it to a user once and only once – If using user-generated passwords - hash or stretch! • API Consumers - Protect your API keys! – Treat as if it’s an encryption key (it just might be)
  • 18. Capabilities vs. Authentication “You don't need to see his identification.”
  • 19. Ambient Authority Set a course for Alderaan. Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons How it can fail: Set a course for Coruscant. Imposter Tarkin Setting course, Governor. Helm/Weapons
  • 20. Mandatory Access Control Set a course for Alderaan. Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons May target Rebel Set a course for Coruscant. Imposter Tarkin Setting course, Governor. Helm/Weapons May target Rebel Attempted hack:
  • 21. Capability Based Security Set a course for ef28bc28 (signed token for Alderaan). Governor Tarkin How it’s supposed to work: Setting course, Governor. Helm/Weapons Attempted hack: Code validation Set a course for, um, 3a2eb45a (invalid token). Imposter Tarkin Sorry, that code isn’t working in my helm system, Governor. Helm/Weapons Code validation
  • 22. Keep your secrets… Secret “It is a period of civil war. Rebel spaceships, striking from a hidden base, have won their first victory against the evil Galactic Empire. During the battle, Rebel spies managed to steal secret plans to the Empire's ultimate weapon, the DEATH STAR, an armored space station with enough power to destroy an entire planet”
  • 23. Secrets Storage “It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station.”
  • 24. Why Do We Do This?
  • 26. Separate Your Secrets • Store outside your codebase / databases • Inject as environment variables at creation of service with automation tools • Use software such as Lockr, Vault, AWS KMS, Azure Key Vault etc.
  • 27. Prevent a Breach from Spreading “Uh, we had a slight weapons malfunction, but uh... everything's perfectly all right now. We're fine. We're all fine here now, thank you. How are you?”
  • 28. Systems Isolation Web-Facing Systems Intranet Systems Load Balancer Application Server Database Server Cache Server Active Directory Exchange File Shares HR Records
  • 29. Shared Secrets DatabaseApp Password or Key Compromise Point #1 Compromise Point #2
  • 30. Public Key Infrastructure Admin Firewall MariaDBCDN nginxHTTPS Client Certificate Server Certificate PHP-FPM + Drupal MySQL Solr HTTPS File System NFS or Sim ilar Client Certificate Server Certificate Client Certificate Server Certificate Server Certificate Client Certificate SSH Jump or VPNTunnel Server Key SSH Key User HTTPS Server Certificate
  • 32. Act Like Everyone Is Out To Get You • Security by design • Build redundancy • Defense-in-Depth • Never trust your users • Only handle data you absolutely have to • Encrypt all the things!
  • 33. When The Sh*t Hits the Fan • Have a plan in place • Breath, Backup, Fix • Build Again – Post Mortem – Document your mistakes – Don’t blame… learn
  • 34. Thank You And May The Force Be With You