16. Penetration Test in the Traditional Way
⊡ When a new service goes online, penetration testing is performed by...
□ The information security department
□ A third-party penetration testing service
⊡ But … agile development teams focus on producing code, not on enhancing security
21. Penetration Test for Humans
⊡ Written tests and oral briefings cannot be avoided,
⊡ but a hands-on exercise leaves things well imprinted on the human brain.
⊡ After all, practice makes perfect
22. Penetration Test for Humans
⊡ No strong knowledge or skill is needed
⊡ All you need to do is …
□ Leverage people's greed or fear
□ Get the organization members' contact info
□ Have an automatic mail/SMS sending mechanism
□ Host a fake website to collect the responses (e.g. CredSniper, SET)
26. Rotate Credentials
⊡ Database credentials only get rotated when…
□ Database migration
□ External auditing
⊡ Rotation only truly happens if the rotation mechanism was implemented from the start
27. HashiCorp Vault
⊡ Secures, stores, and tightly controls access to tokens, passwords, certificates, API keys
⊡ Handles leasing, key revocation, key rolling, and auditing
29. Authorization
⊡ Vault stores credentials like a key/value database, e.g.
□ /secret/stag/database/admin
□ /secret/prod/database/admin
⊡ Hence a predefined policy grants the appropriate permission, e.g.
path "secret/stag/database/admin" {
  capabilities = ["read"]
}
30. Dynamic Credentials
⊡ Vault supports many secret backends
□ AWS, Azure, GCP, databases, etc.
⊡ Take a database for example: you can generate dynamic database credentials
$ vault read database/creds/my-role
Key Value
--- -----
lease_duration 1h
password 8cab931c-d62e-a73d-60d3-5ee85139cd66
username v-root-e2978cd0-
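The two Vault ideas on slides 29 and 30, path-based policies and leased dynamic credentials, as an added illustration that is not HashiCorp Vault's own code. The policy table, the `database/creds/my-role` role and the one-hour TTL are assumptions for this example; real Vault has more matching rules (the `+` wildcard, deny precedence, policy merging) than the simplified longest-match shown here.

```python
"""Constructed model of Vault-style path policies and dynamic credential leases.
Added example; not HashiCorp Vault's code. Policy matching is simplified."""
from __future__ import annotations
import secrets
from dataclasses import dataclass

# Policies as Vault would load them from HCL: path -> capabilities.
# A trailing "*" is a glob, as in Vault; everything else is an exact match.
POLICIES: dict[str, dict[str, list[str]]] = {
    "stag-db-reader": {"secret/stag/database/admin": ["read"]},
    "prod-db-admin": {"secret/prod/*": ["create", "read", "update", "delete", "list"]},
    "app-dynamic-db": {"database/creds/my-role": ["read"]},   # assumed role name
}


def capabilities(policy_names: list[str], path: str) -> set[str]:
    """Longest matching rule wins (simplified Vault behaviour); 'deny' overrides all."""
    best_len, caps = -1, set()
    for name in policy_names:
        for rule, rule_caps in POLICIES[name].items():
            exact = rule == path
            glob = rule.endswith("*") and path.startswith(rule[:-1])
            if not (exact or glob):
                continue
            if len(rule) > best_len:
                best_len, caps = len(rule), set(rule_caps)
            elif len(rule) == best_len:
                caps |= set(rule_caps)
    return set() if "deny" in caps else caps


def allowed(policy_names: list[str], path: str, capability: str) -> bool:
    return capability in capabilities(policy_names, path)


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    expires_at: float  # unix time


class DatabaseSecretBackend:
    """Issues a unique credential per request; each one dies with its lease."""

    def __init__(self, role: str, ttl_seconds: int = 3600):
        self.role, self.ttl = role, ttl_seconds
        self.active: dict[str, Lease] = {}

    def issue(self, now: float) -> Lease:
        lease = Lease(
            lease_id=f"database/creds/{self.role}/{secrets.token_hex(8)}",
            username=f"v-{self.role}-{secrets.token_hex(4)}",  # shape like v-root-e2978cd0...
            password=secrets.token_urlsafe(24),
            expires_at=now + self.ttl,
        )
        self.active[lease.lease_id] = lease
        return lease

    def is_valid(self, username: str, now: float) -> bool:
        return any(l.username == username and l.expires_at > now for l in self.active.values())

    def revoke_expired(self, now: float) -> list[str]:
        """Drop every lease whose TTL has passed; returns the revoked lease ids."""
        expired = [lid for lid, l in self.active.items() if l.expires_at <= now]
        for lid in expired:
            del self.active[lid]
        return expired


def read_creds(policy_names: list[str], backend: DatabaseSecretBackend, now: float) -> Lease:
    """What `vault read database/creds/<role>` does: ACL check first, then issue."""
    path = f"database/creds/{backend.role}"
    if not allowed(policy_names, path, "read"):
        raise PermissionError(f"policies {policy_names} lack read on {path}")
    return backend.issue(now)
```

The point the slides make falls out of the model: a token holding only `stag-db-reader` cannot read the prod path, and a credential handed out by `read_creds` stops working once its lease is revoked, so a leaked one has a bounded lifetime instead of living until the next migration or audit.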
32. “Network Misconfigurations Are a Major Source of Reliability and Security Issues”
In a report summarizing the findings of 124 penetration tests, security firm Rapid7 found that more than two-thirds of sites were vulnerable because of a misconfiguration.
33. “Why Can So Many Important Internal Servers Be Accessed Publicly?!”
34. Keep Servers Private
Private Network
- Kubernetes
- Database
- NAT Gateway
- ...
Public Network
- Load Balancer
- Linux Gateway
- ...
- Non-employees: access the product service only through the load balancer
- Employees: access servers through VPN/bastion
- Don't forget to enable the WAF
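An automated check for the private/public split on slide 34, added here as an example and not taken from the deck. The rule list is constructed for the illustration, and its shape (one allow-rule with a name, TCP port and source CIDR, which is what most cloud security groups reduce to) and the use of RFC 1918 ranges as "internal" are assumptions.

```python
"""Added example: flag firewall rules that expose private-tier services
(database, Kubernetes API, SSH) to sources outside the private network.
Rule format and the sample rules are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass

# Services that belong on the private network and must only be reached
# through VPN or a bastion host.
PRIVATE_TIER_PORTS = {5432: "postgresql", 3306: "mysql", 6443: "kubernetes-api", 22: "ssh"}

# Assumption: "internal" means wholly inside an RFC 1918 block (IPv4 only here).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    source: str  # CIDR allowed to reach this port


def is_internal_source(cidr: str) -> bool:
    """True only if the whole source range lies inside an RFC 1918 block,
    so 0.0.0.0/0 is never internal and neither is a public /24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == private.version and net.subnet_of(private)
               for private in RFC1918)


def audit(rules: list[Rule]) -> list[str]:
    """One finding per rule that exposes a private-tier service to a non-internal source."""
    findings = []
    for rule in rules:
        service = PRIVATE_TIER_PORTS.get(rule.port)
        if service and not is_internal_source(rule.source):
            findings.append(
                f"{rule.name}: {service} (tcp/{rule.port}) reachable from {rule.source}; "
                "move it behind the VPN/bastion"
            )
    return findings


# Constructed sample: a load balancer open to the world is expected; a database
# or Kubernetes API open to the world is the misconfiguration the slides warn about.
SAMPLE_RULES = [
    Rule("lb-https", 443, "0.0.0.0/0"),
    Rule("db-from-app-subnet", 5432, "10.0.1.0/24"),
    Rule("db-from-anywhere", 5432, "0.0.0.0/0"),
    Rule("k8s-api-from-office", 6443, "203.0.113.0/24"),
    Rule("ssh-from-vpn", 22, "10.8.0.0/16"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

A check like this belongs in the IaC pipeline the next slides describe, run against the rendered rule set before it is applied, so the "why is this internal server public" question is answered at review time rather than by a penetration test.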
35. “In Fact, Not Only Network-Related Configuration: Every Program Misconfiguration Causes Issues”
36. Infrastructure as Code
⊡ There are many benefits to adopting IaC
□ Saves time and avoids human error
□ Code review and knowledge transfer become easy
□ Testing (kitchen, terratest, etc.)
37. Infrastructure as Code
⊡ There are many tools that can achieve IaC
⊡ Servers:
□ Ansible, Chef, Puppet, SaltStack, etc.
⊡ Cloud providers:
□ Terraform, AWS CloudFormation, Azure Resource Manager, GCP Deployment Manager, etc.
39. 9 Key Points
⊡ Authentication (later)
⊡ Authorization (later)
⊡ Secret Management (HashiCorp Vault)
⊡ Don't Share Accounts
⊡ Least Privilege Policy
⊡ Log Everything
⊡ Manage and Record Privileged Activity (later)
⊡ Alert and Notify of Suspicious Activity (later)
⊡ Centralize and Unify Identity
40. Authentication for Humans
⊡ Adopt a password manager to avoid credential stuffing attacks
⊡ Must enable 2FA: what-you-know, what-you-have and what-you-are (2 out of the 3 types)
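The two factors slide 40 names, what-you-know and what-you-have, carried through in code as an added example (not code from the deck): a salted PBKDF2 password hash for the first factor and an RFC 6238 TOTP code for the second. The TOTP secret below is the RFC 6238 reference-vector secret, chosen so the codes can be checked against the RFC's published values; the iteration count and the one-step drift window are assumptions.

```python
"""Added example: password (what-you-know) plus TOTP (what-you-have) verification.
Uses only the standard library; the secret is the RFC 6238 test vector, for
demonstration only and never for a real account."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Uses a constant-time compare so the check does not leak which digits matched."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected, code)
    return ok


def enroll(password: str, totp_secret: bytes, iterations: int = 200_000) -> dict:
    """Store a random salt and a PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations),
        "totp_secret": totp_secret,
    }


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one failed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"]),
        record["pw_hash"],
    )
    otp_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 reference secret, demonstration only
```

Credential stuffing reuses a password leaked elsewhere; with the second factor in place, a correct password alone still returns False from `authenticate`, which is why the slide insists on both a password manager (unique passwords) and 2FA.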
41. “A: I Need Sudo Permission for Production Deployment Tomorrow”
42. Manage and Record Privileged Activity
⊡ The traditional way may be…
□ File a ticket
□ Wait for the ticket to be assigned
□ Information collection
□ Approval by someone
□ Wait for an operator to change the permission
□ Confirm you really got the permission
□ Start the task
□ The operator removes the permission
47. “Get All Security Information and Auditing Functions Ready, Whether From a Cloud Provider or a Third-Party Solution”
48. Alert and Notify of Suspicious Activity
⊡ Only with enough data can security checks and monitoring happen
⊡ Set up a basic rule set to monitor abnormal behavior
⊡ Use AI to train the rule set
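A basic rule set of the kind slide 48 calls for, run over authentication log lines, as an added example that is not part of the deck. The sshd-style log lines are constructed for the illustration, and the three rules, their thresholds (5 failures in 60 seconds, 3 failures before a success) and the VPN range (10.8.0.0/16) are assumptions; the "log everything" point of slide 39 is what makes the second and third rules possible at all, since they need the successful logins, not just the failures.

```python
"""Added example: three detection rules over constructed sshd log lines.
Lines, thresholds and the VPN range are assumptions for this illustration."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures then a success from one public
# address, followed by normal logins over the VPN.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50011 ssh2
Jan 10 09:00:03 bastion sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 50012 ssh2
Jan 10 09:00:05 bastion sshd[2205]: Failed password for deploy from 198.51.100.7 port 50013 ssh2
Jan 10 09:00:07 bastion sshd[2207]: Failed password for deploy from 198.51.100.7 port 50014 ssh2
Jan 10 09:00:09 bastion sshd[2209]: Failed password for deploy from 198.51.100.7 port 50015 ssh2
Jan 10 09:00:12 bastion sshd[2211]: Accepted password for deploy from 198.51.100.7 port 50016 ssh2
Jan 10 09:05:00 bastion sshd[2301]: Accepted publickey for alice from 10.8.0.23 port 51000 ssh2
Jan 10 09:30:00 bastion sshd[2401]: Failed password for bob from 10.8.0.41 port 52000 ssh2
Jan 10 09:30:20 bastion sshd[2402]: Accepted publickey for bob from 10.8.0.41 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5                   # assumption
WINDOW = timedelta(seconds=60)       # assumption
VPN_NETS = [ipaddress.ip_network("10.8.0.0/16")]  # assumed VPN address pool


def parse(line: str):
    """Turn one sshd line into an event dict, or None for lines the rules ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog lines carry no year
        "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"],
    }


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, source_ip, detail) alerts in the order they fire."""
    alerts = []
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps within WINDOW
    brute_force_reported = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in brute_force_reported:
                alerts.append(("brute_force", ev["ip"],
                               f"{len(q)} failed logins within {WINDOW.seconds}s"))
                brute_force_reported.add(ev["ip"])
            continue
        # A successful login: the two rules below need the Accepted lines logged too.
        if len(q) >= 3:
            alerts.append(("success_after_failures", ev["ip"],
                           f"{ev['user']} logged in after {len(q)} failures"))
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in VPN_NETS):
            alerts.append(("login_outside_vpn", ev["ip"],
                           f"{ev['user']} via {ev['method']} from a non-VPN address"))
        q.clear()
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {ip}: {detail}")
```

The sample run produces three alerts for the same public address, and none for the VPN users even though one of them mistyped a password once; that difference is what a tuned rule set buys over raw log volume.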