Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Hitchhikers Guide to Secrets Management in th...

Abhay Bhargav
April 30, 2020
Programming
0
300

A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle

Secrets are ubiquitous. From API Keys to encryption keys, the number of secrets an average app requires for its ops, especially in the cloud, is increasing Unfortunately, developers and practitioners are unaware of secrets management, resulting in some very serious vulnerabilities.

In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.

Abhay Bhargav

April 30, 2020
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Secure by Design - Across the Stack
abhaybhargav
0
140
Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav
abhaybhargav
0
610
Flaming Hot SLSA!
abhaybhargav
1
620
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
100
SecAppDev 2022 - Everything as code
abhaybhargav
0
130
Hook, Line and Sinker - Pillaging API Webhooks
abhaybhargav
0
810
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.6k
Practical DevSecOps Pipelines
abhaybhargav
1
350
Agile Threat Modeling-as-Code
abhaybhargav
2
730

Other Decks in Programming

See All in Programming
みんなでプロポーザルを書いてみた
yuriko1211
0
260
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
290
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
250
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.7k
ヤプリ新卒SREの オンボーディング
masaki12
0
130
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
Jakarta EE meets AI
ivargrimstad
0
600
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.5k

Featured

See All Featured
Designing for Performance
lara
604
68k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Music & Morning Musume
bryan
46
6.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k

Transcript

  1. A Hitchhikers Guide to Managing Secrets in the Cloud Abhay

    Bhargav

  2. abhaybhargav we45 Yours Truly • Founder @ we45 • Chief

    Architect - Orchestron • Avid Pythonista and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide

  3. abhaybhargav we45 Remote Trainings : May - June 2020 •

    Goto: we45.com/remote-training and select training of choice • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams • Get Live Training + Access to Labs + Access to Videos + Certification = • Discount code: DSO200 for DevSecOps Courses • Discount code: WEBINSUB20 for any other course

  4. abhaybhargav we45 Community Initiatives Youtube Channel: youtube.com/we45-appsec Blog: we45.com/blog Talks/Workshops

    at several OWASP Events

  5. abhaybhargav we45 Pray to the Demo Gods

  6. abhaybhargav we45 Agenda • Secrets and challenges with Secrets •

    Secrets in the cloud • Cryptographic Services in the cloud

  7. abhaybhargav we45 When Secrets aren’t ….Secret!

  8. abhaybhargav we45 On the other hand • Secrets are exponential

    in distributed apps • API Tokens, Passwords, Keys, HMAC Passwords, etc • More Secrets == More Secret Sprawl

  9. abhaybhargav we45 Common Patterns - Secrets Storage • Environment Variables

    • Keyrings and Keychain • GPG

  10. abhaybhargav we45 Demo

  11. abhaybhargav we45 Common Patterns - Secrets Storage • Environment Variables

    • Keyrings and Keychain • GPG Complete compromise if there’s RCE/SSRF/Injection Better. But is difficult to secure, esp because of Containers, etc Let’s face it. You’d rather use anything else but this…

  12. abhaybhargav we45 Other issues… • Access Control is not descriptive

    or effective • Accountability is hard (near impossible) to track • Doesn’t provide for Rotation, Re- keying, etc

  13. abhaybhargav we45 Secret Sprawl, A Map

  14. abhaybhargav we45 Recent Awesome Developments in Secrets Management • Hashicorp

    Vault and its evolution • Secrets Management from Cloud Providers: • Integrated • Democratized otherwise-expensive hardware/software

  15. abhaybhargav we45 Secrets Management and Cryptographic Services - Cloud •

    AWS KMS • AWS Parameter Store and Secrets Manager • Azure KeyVault • Google KMS

  16. abhaybhargav we45 Secrets and Crypto - Kubernetes • Kubernetes: •

    Encryption Services • Hashicorp Vault • Sealed Secrets (KubeSeal) • Kamus

  17. Secrets vs Sensitive Information • Secrets: • Passwords • API

    Tokens • Keys • TFA - Tokens • Database Connection Strings • Sensitive Information • Data that is protected with Secrets • PII • Payment Card Information • Social Security Numbers

  18. abhaybhargav we45 Principles - Good Secrets Management • Version Management

    • Access Control • Audit Trails • Key Rotation => Underlying Key • Secure Deletes and Version Deletes

  19. abhaybhargav we45 Handling Security Exceptions • Enable Cloudtrail/Azure Monitor Log

    Analytics/Audit to Socket • Capture Anomalies with IP addresses or Tag-Based Request Params • Consider Pushing anomalies to Slack/etc for investigation

  20. abhaybhargav we45 Cryptographic Services • Key Generation • Key Rotation

    • Access Control • Audit Trails • Envelope Encryption

  21. abhaybhargav we45 AWS vs Azure vs Vault Param AWS Azure

    Vault Key Generation Symmetric and Asymmetric CMKs Asymmetric CMK Symmetric and Asymmetric Key Length AES-256 GCM, Several Asymmetric Algos RSA 2048-4096 AES, Salsa20, RSA, ECDSA Logging Cloudtrail Azure Monitor File/Socket/Syslog

  22. abhaybhargav we45 Envelope Encryption

  23. abhaybhargav we45 Demo

  24. abhaybhargav we45 Conclusions • With the cloud and its tools

    - secrets and cryptography for your apps is a much more solvable challenge • Backed by strong algos and constantly improving and consistent APIs • Still some ways to shoot yourself in the foot - Read IAM and Grants