This document discusses potential security issues with container-based datacenter platforms like DC/OS and Mesos. It describes how an initial compromise of a vulnerable web application inside a container could allow an attacker to pivot and gain further access by exploiting features of Mesos DNS, the Mesos master and agents, Marathon and Chronos frameworks, and the Etcd configuration store. It recommends steps like disabling risky Mesos DNS features, enforcing authentication, and logically segmenting networks and configuration stores.
(ARC401) Cloud First: New Architecture for New Infrastructure - Amazon Web Services
What do companies with internal platforms have to change to succeed in the cloud? The five pillars at the heart of IT solutions in the cloud are automation, fault tolerance, horizontal scalability, security, and cost-effectiveness. This talk discusses tools that facilitate the development and automate the deployment of secure, highly available microservices. The tools were developed using AWS CloudFormation, AWS SDKs, AWS CLI, Amazon RDS, and various open-source software such as Docker. The talk provides concrete examples of how these tools can help developers and architects move from beginning/intermediate AWS practitioners to cloud deployment experts.
Join this workshop to understand the core concepts of “Cloud Computing” and how businesses around the world are running the infrastructure that supports their websites to lower costs, improve time-to-market, and enable rapid scalability matching resource to demands of users. Whether you are an enterprise looking for IT innovation, agility and resiliency or small and medium business who wants to accelerate growth without a big upfront investment in cash or time for technology, the AWS Cloud provides a complete set of services at zero upfront costs which are available with a few clicks and within minutes.
This session will feature best practices in the real world for deploying AWS cloud services. You will hear about cloud use cases, governance, security, cloud architecture, optimizing costs, and leveraging appropriate support offerings. The session will provide insight into experience from hundreds of government customers’ AWS adoption and highlight lessons learned along the way.
Unlocking Agility with the AWS Serverless Application Model (SAM) - AWS Summi... - Amazon Web Services
Unlocking Agility with the AWS Serverless Application Model (SAM)
In this session you will learn how to define serverless applications with the AWS Serverless Application Model (SAM), and how to use the AWS SAM Local CLI tool to develop and test locally, before deploying to AWS. We discuss how you can safely deploy changes to your Lambda functions and API Gateway APIs using automated canary deployments, and cover best practices to embed in your deployment workflow specific to serverless applications.
Gerardo Estaba, Solutions Architect, Amazon Web Services
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r... - Amazon Web Services
(Presented by Alert Logic) AWS provides multiple levels of security between the physical server and facilities up to the host operating system and virtualization layer. This session covers strategies for ensuring your applications, network, and data are secure in a highly-scalable environment.
In this session, you receive practical guidance for implementing scalable web application security in the AWS cloud, including:
- Common techniques and tools used to provide security for auto-scaling web applications including Chef/Puppet, AWS CloudFormation, and Elastic Load Balancing.
- Using auto-scaling groups and requirements for management APIs in automatically deploying web security infrastructure.
- Common scaling triggers and mechanisms by which web application security infrastructure must scale to operate in lockstep with elastic web server farms.
- Approach for deploying application security controls embedded directly into web applications, and considerations for PaaS cloud environments.
This session is designed for an advanced audience with strong understanding of IP networking, web application security fundamentals, and experience in managing security infrastructure in a public cloud environment; however, the information covered is also of interest to intermediate attendees that set technology strategy and formulate requirements for cloud security controls.
AWS Elastic Beanstalk under the Hood (DMG301) | AWS re:Invent 2013 - Amazon Web Services
AWS Elastic Beanstalk provides a number of simple, flexible interfaces for developing and deploying your applications. In this session, learn how ThoughtWorks leverage the Elastic Beanstalk API to continuously deliver their applications with smoke tests and blue-green deployments. Also learn how to deploy your apps with Git and eb, a powerful CLI that allows developers to create, configure, and manage Elastic Beanstalk applications and environments from the command line.
Secure Content Delivery Using Amazon CloudFront and AWS WAF - Amazon Web Services
Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things Amazon CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. You will also learn how you can use AWS Web Application Firewall (AWS WAF) with CloudFront to protect your site. Finally, we will share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting an A+ on SSL labs.
Scale Your Application while Improving Performance and Lowering Costs (SVC203... - Amazon Web Services
Scaling your application as you grow should not mean slow to load and expensive to run. Learn how you can use different AWS building blocks such as Amazon ElastiCache and Amazon CloudFront to “cache everything possible” and increase the performance of your application by caching your frequently-accessed content. This means caching at different layers of the stack: from HTML pages to long-running database queries and search results, from static media content to application objects. And how can caching more actually cost less? Attend this session to find out!
CSRA’s Migration to AWS GovCloud (US): An All-In Case Study | AWS Public Sect... - Amazon Web Services
As the pace of innovation accelerates in the private and public sector, government agencies and government contractors are leveraging the cloud to achieve their most critical business and mission objectives. Time to market and mission assurance are as critical as security and compliance. Learn firsthand how CSRA leveraged AWS GovCloud (US), AWS’s isolated region for sensitive and regulated workloads, to consolidate IT infrastructure, migrate to the cloud, and speed IT delivery to meet corporate business objectives, all while creating internal cloud expertise that it now leverages to better serve public sector customers.
Learn how to use AWS services to automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps. In this session, we will provide an overview of the various AWS development and deployment services and when best to use them. We will show how to build a fully automated infrastructure and software delivery pipeline with AWS CodePipeline, AWS CodeBuild, AWS CloudFormation and AWS CodeDeploy. At the end of the session, a GitHub repository of AWS CloudFormation templates will be provided so you can quickly deploy the same pipeline to your AWS account(s).
Stop Worrying about Prodweb001 and Start Loving i-98fb9856 (ARC201) | AWS re:... - Amazon Web Services
Traditionally, IT organizations have treated infrastructure components like family pets. We name them, we worry about them, and we let them wake us up at 4:00 am. Amazon CTO Werner Vogels has dubbed these behaviors as server hugging and antiquated in today's cloud infrastructures. In this breakout session, we will discuss methods and methodology to get away from server hugging and be concerned more with the overall status and life of our entire infrastructure. From making use of toss-away-able on-demand infrastructure, to monitoring services and not individual servers, to getting away from naming instances, this session helps you see your infrastructure for what it is, technology that you control.
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014 - Amazon Web Services
If your business runs entirely on AWS, your AWS account is one of your most critical assets. Just as you might run an intrusion detection system in your on-premises network, you should monitor activity in your AWS account to detect abnormal behavior. This session walks you through leveraging unique capabilities in AWS that you can use to detect and respond to changes in your environment.
Advanced AWS techniques from the trenches of the Enterprise – Sourced Group - Amazon Web Services
Every environment comes with its own set of unique challenges. Looking across our global client base, advanced techniques have emerged to solve common or sometimes very specific problems. Techniques such as a re-imagining of autonomous healing, advanced networking and proxying patterns, data exfiltration controls, and continuous delivery of networks will be covered. This fast-paced technical session will provide an in-the-trenches view of some of the solutions, discussion of considerations at scale, a demonstration, and actionable designs to take into your organisation. Join us while we present tips, strategies, and cutting-edge patterns from Sourced's battle-hardened consultants.
Speakers:
John Painter, Principal Consultant, Sourced Group
Brent Harrison, Consultant, Sourced Group
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools - Amazon Web Services
Today’s cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes that Amazon’s engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodeCommit, AWS CodePipeline, and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.
As your use of the AWS platform matures and evolves, you need to be continuously looking at ways to improve your security posture and take advantage of new security services and features. In this advanced technical session we will share architecture patterns for different workloads, IAM policy tips and tricks, and how to implement security automation and forensics. Be prepared for a technically deep session on AWS security.
Speaker: Ben Potter, AWS Cloud Security Consultant, Amazon Web Services
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014 - Amazon Web Services
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
Serverless Development To Production Pipeline - Chase Douglas
What does the development environment to production pipeline look like? In this presentation we look at all the tools and services needed to effectively build and deploy applications!
Defending your workloads with AWS WAF and Deep Security - Mark Nunnikhoven
What is a WAF (web application firewall) and how can it help defend your AWS workloads? In this webinar, you’ll learn how to get started with the new AWS WAF service and where it fits in your security strategy. You’ll see how AWS WAF works with Trend Micro’s Deep Security to provide a strong, layered defense for your web applications.
(GAM304) How Riot Games re:Invented Their AWS Model | AWS re:Invent 2014 - Amazon Web Services
Riot Games is a high-paced dynamic environment with many groups striving to release new content, features, and tools. Riot runs League of Legends, one of the biggest online multiplayer games, and uses AWS to host many complex sites that service millions of players everyday. In this session, Riot Games talks about the evolution of their management practice on AWS over the past two years, some lessons learned the hard way, and where they hope to be in the future. Key topics include:
SSO (Single-Sign On) integration with IAM roles
High-level AWS architecture (How to make it easy on your organization)
VPC design, centralization, and simplification
DevOps tooling and automation
How and why we use Auto Scaling
Open Source in Security-Critical Environments - Priyanka Aash
As growth and impact of open source in security-critical environments is on the rise, trends in open-source communities are making them more attentive to security issues and best practices. This session will cover best practices for using open-source code in business-critical environments. It will provide practical suggestions, with a focus on DevOps professionals and management.
Learning Objectives:
1: Understand the security impact of using 80–90% open-source code in modern apps.
2: Learn about best practices for helping make open-source code more secure.
3: Gain actionable info about open-source security applied to edge, network, cloud.
(Source: RSA Conference USA 2018)
Open source-in-security-critical-environments - DESMOND YUEN
Open Source is here to stay in security critical environments and every place software is used
Creating Applications these days is like making a sandwich
Corpsec: “What Happened to Corpses A and B?” - Priyanka Aash
Living BeyondCorp comes with its own challenges. This talk will dive into how Duo gets our hands around difficult problems regarding the security and management of cloud services and endpoints internally. This session will cover technical details of our security orchestration and automation approach, cloud service monitoring, and chatops-driven endpoint application whitelisting strategies.
(Source: RSA Conference USA 2018)
Aspirin as a Service: Using the Cloud to Cure Security Headaches - Priyanka Aash
Moving critical workloads into the cloud can be unnerving for security professionals. In reality, though, the cloud offers a whole new set of opportunities for the security team to do things even better than in their on-premises environment. Two seasoned cloud experts will explore the latest real-world, practical tools and techniques for becoming demonstrably more secure as you move to the cloud.
(Source: RSA USA 2016-San Francisco)
Whose Cloud is It Anyway - Data Security in the Cloud - SafeNet
Forget the geeky analysis of cloud security; risk is driven by people involved and the approach to adoption. In this RSA Conference 2015 presentation, David Etue, VP of Corporate Strategy, Gemalto, reviews the complex issues around data ownership and control in the cloud. When so many people have access to your data, how do you keep it safe? Unshare it!
Cloud-native .NET Microservices with Kubernetes - QAware GmbH
BASTA! 2017, Mainz: talk by Mario-Leander Reimer (@LeanderReimer, Chief Technologist at QAware).
Cloud giants such as Google, Twitter and Netflix have made the core building blocks of their infrastructure available as open source. The result of many years of cloud experience is now freely accessible, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost without limit. The individual building blocks grow together into a larger whole, the cloud-native stack. In this session we briefly introduce the most important concepts and current key technologies. We then implement a simple microservice with .NET Core and Steeltoe OSS and, step by step, get it running on a Kubernetes cluster together with selected building blocks for service discovery and configuration.
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol... - CA Technologies
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Solutions (Formerly Automic) and CA Privileged Access Manager
For more information on DevSecOps, please visit: http://ow.ly/u2pN50g63tN
Take It to the Cloud: The Evolution of Security Architecture - Priyanka Aash
As companies evolve their IT stack, traditional security approaches/architectures need to be reconsidered. This session will review some of the new risks introduced by SaaS/IaaS adoption and show how to mitigate these risks using new approaches to security architecture. Presenters will also review the transition of security architecture itself to the cloud.
(Source: RSA USA 2016-San Francisco)
Fed up with stop and go in your data center? Why not shift into overdrive and pull into the fast lane? Learn how AutoScout24, the largest online car marketplace Europe-wide, is building its Autobahn in the cloud.
AutoScout24 is reinventing itself by making a radical transition from monoliths to microservices, from .NET on Windows to Scala on Linux, from the data center to AWS, and from "built by devs and run by ops" to a DevOps mindset.
In today’s threat landscape, the attacker is an insider. Whether a state-sponsored actor or cybercriminal, attackers typically first compromise the endpoint with a client-side exploit and then pivot. In this session, we take a deep dive into how attackers pivot through organizations, identify the telltale signs of a pivot, and most importantly, identify steps for defending against it.
(Source: RSA USA 2016-San Francisco)
Data Driven DevOps: from Culture to GamificationBrian McCallion
Much is made about the Culture of DevOps. Yet how does an entire stadium of fans and players participate in a baseball game? If we know the Inning, the balls, the strikes, and Who's on First, if we know the rules of the game, and where the players are, then the game becomes a passion and our team improves. By surfacing the data and events of a Cloud DevOps solution we literally change the game.
Enabling security at speed and scale requires building security as code which is often provided by software defined networks. The cloud offers software defined networks and some challenges to enabling safe workloads.
Microservices: Decomposing Applications for Deployability and Scalability (ja...Chris Richardson
Today, there are several trends that are forcing application architectures to evolve. Users expect a rich, interactive and dynamic user experience on a wide variety of clients including mobile devices. Applications must be highly scalable, highly available and run on cloud environments. Organizations often want to frequently roll out updates, even multiple times a day. Consequently, it's no longer adequate to develop simple, monolithic web applications that serve up HTML to desktop browsers.In this talk we describe the limitations of a monolithic architecture. You will learn how to use the scale cube to decompose your application into a set of narrowly focused, independently deployable services. We will also discuss how an event-based approach addresses the key challenges of developing applications with this architecture.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
2. Intro
Presenter’s Company Logo – replace or delete on master slide
#RSAC
Mike Mellor, Director, Information Security @ Adobe
Bryce Kunz, Senior Threat Specialist @ Adobe
3. Containers - The Future is Now!
2016 Surveys:
15-16% of all organizations are already using containers in production
35% of organizations have done a proof-of-concept
The Future is Now!
Containers are in production now
Containers are continuing to grow in popularity
4. Containers appear more secure
The biggest drivers:
39% to increase developer efficiency and
36% to support microservices
Organizations want to avoid cloud platform lock-in
2016 Surveys:
Many (42%) organizations gain value in the “secure/isolated” capabilities that containers provide
5. But managing Containers feels complex
2016 Survey:
The more exposure an organization has to containers, the more complexities are exposed.
Respondents said they found containers “too complex to integrate into existing environments,” and that they require “too many skilled resources to manage.”
6. And are very challenging to manage at scale
2016 Survey:
The #1 challenge of containers, according to the 53% of respondents who are either using or evaluating containers, is “Container Management.”
7. Probable Security Nightmare
“Too Complex” + Challenging to Manage = Probable Security Nightmare
“Complexity is the Worst Enemy of Security” - Bruce Schneier
8. Container and Cluster Management Options
Technology | Design | Pros | Cons
Public Cloud Container Services | Container Centric | Easy, Scalable | Vendor Lock-in; Proprietary
Docker Swarm | Docker Centric | Native Clustering | Limited by API
Kubernetes | Clusters of Containerized Apps | Works w/ Docker; Mounts persistent volumes | Custom overlay requires more specialization
Mesos & DC/OS | Cluster Management | Works w/ Docker, Kubernetes, & Native Apps; Very Flexible | Additional layers add more complexities
9. Cluster Management
Many servers in… a Datacenter, AWS, Azure, etc., each running a Linux OS such as CoreOS
How do we effectively use all of these resources?
[Diagram: servers spread across Datacenter, Azure, AWS, GCE, etc.]
10. Mesos Master & Agents
Mesos Master
5050/TCP by default
Distributes Tasks
Mesos Agent
5051/TCP by default
Executes Tasks
[Diagram: CoreOS/Linux servers across Datacenter, Azure, AWS, GCE, etc.; one Master and several Agents]
11. Mesos is the Kernel of DC/OS
Mesos is the kernel of the distributed operating system known as DC/OS
[Diagram: Kernel layer (Master, Agents) on servers across Datacenter, Azure, AWS, GCE, etc.]
12. Frameworks
Frameworks provide the logic
Init Jobs — Marathon
Cron Jobs — Chronos, Metronome
[Diagram: Frameworks layer on top of the Kernel layer (Master, Agents)]
13. Supporting: Configuration Stores
Configuration Stores keep everyone on the same page
ZooKeeper
Etcd
[Diagram: Kernel (Master, Agents), Frameworks and Supporting layers]
14. Supporting: Discovery
Discovery enables the finding of other services within the cluster
Mesos DNS
[Diagram: Kernel (Master, Agents), Frameworks and Supporting layers]
15. DC/OS Design
Containers w/ Apps
Docker Containers
Web Apps
etc…
[Diagram: Kernel (Master, Agents), Frameworks, Supporting and Apps layers; four containers running apps across Datacenter, Azure, AWS, GCE, etc.]
16. Internet Accessible Containers
Containers w/ Apps
Public: Internet Accessible
Private: Internal
[Diagram: same cluster layers; some app containers are reachable from the Internet]
17. Scenario
Initial Access (RCE)
Via a vulnerable web application
Into a container
As limited user (e.g. www-data)
[Diagram: same cluster layers; RCE foothold in an Internet-accessible app container]
18. Scenario: RCE via web app within a container
e.g. JBoss, Tomcat, OSGi Console, Axis2, etc…
19. Recon via Mesos DNS
Query via pivot:
Mesos DNS
53/UDP & TCP — DNS service
[Diagram: same cluster layers; RCE foothold querying Mesos DNS]
20. .mesos TLD
The easy way to find services within the cluster
21. Recon via Mesos DNS
Query via pivot:
Mesos DNS
8123/TCP by default — DNS via REST API
Service Discovery — within the Cluster
[Diagram: same cluster layers; RCE foothold querying the Mesos DNS REST API]
22. Undocumented?
/v1/enumerate -> all mesos dns information
23. Enumerate Mesos DNS using REST API
/v1/enumerate -> all mesos dns information
24. Find IP & RHP TCP ports of all services
/v1/enumerate -> all mesos dns information
25. Secure: Disable Risky Mesos DNS Features
Disable the “AXFR” and “Enumerate” API calls
• Harder for attacker to discover all services
• Applications shouldn’t commonly be using these API calls
[Diagram: same cluster layers; RCE foothold]
26. Recon via Mesos Master
Query via pivot:
Mesos Master
5050/TCP by default
Distributes Tasks
[Diagram: same cluster layers; RCE foothold querying the Mesos Master]
27. Enumerate Mesos Master
Request via the REST API
28. Enumerate Mesos Master
Response: json w/ all Mesos Agents’ IP addresses within the cluster
29. Recon via Mesos Agent
Query via pivot:
Mesos Agent
5051/TCP by default
Executes Tasks
[Diagram: same cluster layers; RCE foothold querying a Mesos Agent]
30. Enumerate Mesos Agent
Request via the REST API
31. Enumerate Mesos Agent
Response: json w/ what containers are currently running on the server (i.e. basic0012)
32. Secure: Logical Internal Network Segmentation
Separates out the network into zones:
Apps w/ Data
Management
Commonly with Calico, Canal, or Flannel
[Diagram: same cluster layers, split into an Apps zone and a Management zone]
33. Secrets via Configuration Store
Etcd
RHP/TCP by default
— 2379/TCP client/server
— 2380/TCP peers
Configuration Store
— CoreOS Fleet Units
— Applications
ZooKeeper
2181/TCP by default
— Binary Protocol
[Diagram: same cluster layers; RCE foothold reaching the configuration stores]
34. Enumerate Etcd
Request via the REST API recursively
35. Enumerate Etcd
Response: json frequently containing secrets including credentials
36. Secure: Separate Configuration Stores
Separate out the configuration stores into zones:
Apps w/ Data
Management
Enforce separation via…
Authentication Credentials and
Logical Network Segmentation
[Diagram: same cluster layers; RCE foothold]
37. Frameworks
Marathon
Long Running Services — e.g. Containers
Ensures always running
Chronos
Cron for the Cluster
Batch Jobs
[Diagram: same cluster layers; RCE foothold]
38. RCE via Marathon Jobs
Request via the REST API
39. RCE via Marathon Jobs
Marathon
Long Running Services — e.g. Containers
Ensures always running
Chronos
Cron for the Cluster
Batch Jobs
[Diagram: same cluster layers; the original RCE foothold plus a second RCE via a Marathon job in another container]
40. RCE via Marathon Jobs
Response: json with the malicious job status
41. RCE via Chronos Jobs
Marathon
Long Running Services — e.g. Containers
Ensures always running
Chronos
Cron for the Cluster
Batch Jobs
[Diagram: same cluster layers; the original RCE foothold plus a second RCE via a Chronos job in another container]
42. Secure: Enforce Authentication
Applications must…
support and be configured to use authentication, as well as securely store and use credentials
be deployed securely and/or retrieve credentials securely
Alert on brute force attempts
[Diagram: same cluster layers; RCE foothold]
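Added example, not code from the slides: detection logic for the indicators described above, run over constructed access-log lines from the cluster's management APIs. It flags the Mesos DNS "Enumerate"/"AXFR" API calls from slide 25, application-zone hosts reaching orchestration ports despite the segmentation in slide 32, successful Marathon deployments, and the brute-force attempts slide 42 says to alert on. The zone CIDRs, the log format, Marathon's port 8080, the /v1/axfr path and the alert threshold are assumptions.

```python
"""Detector for the pivot indicators in the slides, run over constructed
access-log lines from cluster management APIs. Zone CIDRs, the log format,
the Marathon port and the alert threshold are assumptions for this example."""
import ipaddress
import re
from collections import Counter

# Assumed zone layout: application containers vs. the management network.
ZONES = {
    "apps": ipaddress.ip_network("10.1.0.0/16"),
    "management": ipaddress.ip_network("10.0.0.0/16"),
}
# Orchestration and config-store ports named in the slides, plus Marathon's
# default 8080 (assumption). Only the management zone should reach these.
MANAGEMENT_PORTS = {5050: "mesos-master", 5051: "mesos-agent", 2379: "etcd",
                    2181: "zookeeper", 8080: "marathon"}
MESOS_DNS_API_PORT = 8123  # single lookups may be legitimate; bulk dumps are not
RISKY_DNS_API = ("/v1/enumerate", "/v1/axfr")  # the /v1/axfr path is assumed
BRUTE_FORCE_THRESHOLD = 3  # 401 responses per (source, port) before alerting

# Constructed log format: <ts> <src> -> <dst>:<port> "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample: 10.1.4.7 is a compromised app container, 10.0.2.5 an
# operator host in the management zone, 10.1.9.2 a well-behaved app container.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.1.4.7 -> 10.0.1.10:8123 "GET /v1/enumerate" 200
2016-03-01T10:00:02Z 10.1.4.7 -> 10.0.1.11:5050 "GET /state" 200
2016-03-01T10:00:03Z 10.1.4.7 -> 10.0.1.12:2379 "GET /v2/keys/?recursive=true" 200
2016-03-01T10:00:10Z 10.1.4.7 -> 10.0.1.13:8080 "POST /v2/apps" 401
2016-03-01T10:00:11Z 10.1.4.7 -> 10.0.1.13:8080 "POST /v2/apps" 401
2016-03-01T10:00:12Z 10.1.4.7 -> 10.0.1.13:8080 "POST /v2/apps" 401
2016-03-01T10:00:20Z 10.1.4.7 -> 10.0.1.13:8080 "POST /v2/apps" 201
2016-03-01T10:01:00Z 10.0.2.5 -> 10.0.1.13:8080 "GET /v2/apps" 200
2016-03-01T10:01:05Z 10.1.9.2 -> 10.0.1.10:8123 "GET /v1/hosts/db.marathon.mesos" 200
2016-03-01T10:01:10Z 10.1.9.2 -> 10.0.1.10:8123 "GET /v1/axfr" 200
""".splitlines()


def zone_of(ip):
    """Name of the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["status"] = int(rec["port"]), int(rec["status"])
    return rec


def analyze(lines):
    """Return (kind, source_ip, detail) findings for the pivot indicators."""
    findings = []
    failed_auth = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        service = MANAGEMENT_PORTS.get(rec["port"])
        # 1. Bulk service-discovery dumps that applications should not need.
        if rec["port"] == MESOS_DNS_API_PORT and rec["path"].startswith(RISKY_DNS_API):
            findings.append(("risky-dns-api", rec["src"], rec["path"]))
        # 2. Segmentation violation: a non-management zone reaching orchestration.
        if service and zone_of(rec["src"]) != "management":
            findings.append(("cross-zone-management-access", rec["src"], service))
        # 3. Audit trail: every accepted Marathon app deployment, wherever it came from.
        if (service == "marathon" and rec["method"] == "POST"
                and rec["path"].startswith("/v2/apps") and rec["status"] < 400):
            findings.append(("app-deployment", rec["src"], rec["path"]))
        # 4. Repeated authentication failures against one service (brute force).
        if rec["status"] == 401:
            failed_auth[(rec["src"], rec["port"])] += 1
    for (src, port), n in failed_auth.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute-force", src, MANAGEMENT_PORTS.get(port, str(port))))
    return findings
```

`analyze(SAMPLE_LOG)` yields ten findings, all against 10.1.4.7 except the two risky DNS API calls; the plain /v1/hosts lookup from 10.1.9.2 and the operator's GET from the management zone produce none.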
43. Creds via MitM with ARP Spoofing
Another Container has the Creds for Marathon
[Diagram: same cluster layers; RCE foothold]
44. Creds via MitM with ARP Spoofing
Attacker uses ARP spoofing to redirect that container’s traffic to the compromised container
Attacker collects the credentials
[Diagram: same cluster layers; RCE foothold, ARP spoofing of a neighbouring container]
45. Creds via MitM with ARP Spoofing
Attacker can now create malicious Marathon jobs
Negating authentication security controls
[Diagram: same cluster layers; RCE foothold, ARP spoofing, second RCE via a Marathon job]
46. Secure: TLS for Internal Communications
Enable TLS w/ valid certificates for strong HTTPS communications
Anything using credentials needs TLS!
Validate Certificates
Fail closed on bad certificates
Alert on certificate errors
[Diagram: same cluster layers; RCE foothold, ARP spoofing]
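Added example, not code from the slides: a fail-closed HTTPS client policy for the orchestration APIs, following the recommendations above. It refuses clear-text URLs, requires full certificate and hostname validation, and turns certificate failures into alerts instead of a retry with verification disabled. The CA bundle path and the alert labels are assumptions.

```python
"""Fail-closed HTTPS client policy for orchestration APIs such as Marathon.
The CA bundle path and alert labels are assumptions; this is added example
code, not code from the slides."""
import ssl
import urllib.request
from urllib.parse import urlparse

CLUSTER_CA_BUNDLE = "/etc/ssl/certs/cluster-internal-ca.pem"  # assumed location
CERT_ALERT = "alert:certificate-error"  # page someone; never silently downgrade
TLS_ALERT = "alert:tls-error"
CONNECTION_ERROR = "error:connection"


def build_context(ca_file=None):
    """Strict TLS context: full chain verification, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_tls(url):
    """Refuse clear-text: anything that carries credentials must use https://."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"refusing clear-text or malformed URL: {url}")
    return url


def classify_failure(exc):
    """Map a failed connection to an alert class. A certificate error is an
    alert, not a reason to retry over HTTP or with verification turned off."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return CERT_ALERT
    if isinstance(exc, ssl.SSLError):
        return TLS_ALERT
    return CONNECTION_ERROR


def fetch_management_api(url, ctx=None, timeout=5):
    """GET a management endpoint over verified HTTPS only.
    Returns (body, None) on success or (None, alert_class) on failure."""
    req = urllib.request.Request(require_tls(url),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx or build_context(),
                                    timeout=timeout) as resp:
            return resp.read(), None
    except OSError as exc:  # urllib wraps TLS failures in URLError(reason=SSLError)
        reason = getattr(exc, "reason", None)
        return None, classify_failure(reason if isinstance(reason, BaseException) else exc)
```

Pass `build_context(CLUSTER_CA_BUNDLE)` when the internal CA is not in the system trust store; the context still fails closed on any certificate it cannot verify.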
47. Strategic Actions
Next week:
Assess which services you can enable Authentication & TLS on
— w/o breaking your existing applications within the cluster
Three months from now:
Implement Authentication & TLS on safe services and frameworks
— Focusing on services responsible for orchestration within the cluster
Deploy separate services where possible for Apps that do not support TLS & Auth
Six months from now:
Retrofit all Applications within the cluster to use TLS & Authentication
Enforce the use of TLS & Authentication internally everywhere (disable clear-text)
48. Big Picture
Container Adoption Is Maturing, especially in Enterprises
Enterprises are using containers in production.
49. Big Picture
Pivoting from a compromised service within the cluster
No container breakout / 0day / exploit needed :)
May enable an attacker to completely compromise the cluster
50. Big Picture
Looking Beyond the Border with a Defense in Depth strategy
Secures the Future & the cluster
52. Future Research
Testing MitM from compromised container
NCC Group’s report states this is possible for co-hosted containers
Test downgrade of HTTPS communications
Can we downgrade from HTTPS to HTTP and capture creds from another container?
Test Certs (e.g. can cert pinning be enabled?) to REST APIs
Can we MitM and impersonate the API service?
Test Authentication Brute force attacks
Fairly certain there are no lockouts; can we enable better authentication security?
— Write module to brute-force and guess creds
Test Logical Network Segmentation Tools
Calico, Canal, Flannel
— Note: these should work as advertised, but we should probably independently verify
53. References
https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
http://www.rightscale.com/blog/cloud-industry-insights/new-devops-trends-2016-state-cloud-survey