
Handmade security at Etsy

DevOpsDays Minneapolis 2014.

Similar to my London talk of last year. Just better GIFs.

Video is at https://vimeo.com/101734820

Bea Hughes

July 17, 2014

Transcript

  1. Handmade
    security
    at Etsy
    https://www.flickr.com/photos/roland/
    by Speaker 4

  2. @benjammingh
    Whom be this?
    • Ben Hughes, security monkey
    manager at Etsy.

    • Bullet point fanatic.

    • Terrible at slides.

    • Shout out to the Etsy security
    team.

  3. @benjammingh
    It’s a tale of two halves
    • Security, where did it all go wrong?

    • Don’t go alone, take this!

    • Security-devops-maybe-DBAs-too-
    oh and-QA-sure-who-else?

    • I quite like Etsy, here’s why.

  4. @benjammingh
    Security, where did it
    all go wrong?

  5. @benjammingh
    Wait, but we bought a firewall!

  6. @benjammingh
    They’re coming out of the walls

  7. @benjammingh
    #Cloud #Clouds #CloudAAS
    • AWS logo goes here.

    • Maybe not in AWS... (other cloudiness
    vendors may be available)

  8. @benjammingh
    But we’re secure, right?

  9. @benjammingh
    But we’re secure, right?

  10. @benjammingh
    The Watering hole attacks of Feb

  11. @benjammingh
    Other than the very
    occasional RCE/SQLi or 0-
    day, companies just aren’t
    getting breached directly
    through their servers like they
    used to.
    Quotes to be taken out of context

  12. @benjammingh
    I’d buy that for a dollar
    [laptop:~]% id
    uid=501(ben) gid=20(staff) groups=20(staff)
    [laptop:~]% ./magic
    [*] running old exploit against unpatched OSX.
    [*] firing off connect back shell to AWS.
    [*] throwing mad persistence in to LaunchAgents.
    [*] dropping to a shell.
    [laptop:~]# id
    uid=0(root) gid=0(root)

  13. @benjammingh
    Zero [cool] day
    • Zero day is bad!

  14. @benjammingh
    Surprise!
    • You can’t defend against unknown attacks.

    • Clue is in the name.

  15. @benjammingh
    Rejoice. That mostly doesn’t matter!

  16. @benjammingh
    Treat the symptoms
    • Lateral movement can be more important
    than how they got in.

    • You don’t care that they broke a window, you
    care that they got in your living room and took
    your TV.

    • (still fix your window)

  17. @benjammingh
    Hudson hawk reference
    • Why is /bin/sh running on your webserver?

    • Why is your webserver trying to SSH to other
    hosts?

    • Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)
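
The three questions above are detection rules waiting to be written. As an added example (not code from the talk or from Etsy), here they are in Python, run over a constructed auditd-style log in a made-up `<timestamp> <event> key=value ...` format; the process names, the allowed read paths for the app server and the log format itself are all assumptions for this example.

```python
from os.path import basename

# What a web/app server process should never be seen doing (the slide's three questions).
WEB_SERVERS = {"httpd", "nginx", "coldfusion"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Paths the app server legitimately reads: an assumption for this example.
ALLOWED_READS = {"coldfusion": ("/opt/coldfusion/", "/tmp/")}

def parse(line):
    """Parse one constructed line, '<ts> <event> key=value ...', into a dict."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=ts, event=event)
    return fields

def check(ev):
    """Return a finding for one parsed event, or None if it looks normal."""
    comm = basename(ev.get("comm", ""))
    parent = ev.get("ppid_comm", "")
    if ev["event"] == "exec" and parent in WEB_SERVERS and comm in SHELLS:
        return f"{ev['ts']} {parent} spawned a shell ({ev['comm']}) as {ev['user']}"
    if ev["event"] == "connect" and comm in WEB_SERVERS:
        host, port = ev["dst"].rsplit(":", 1)
        if port == "22":
            return f"{ev['ts']} {comm} opened an SSH connection to {host}"
    if ev["event"] == "open" and comm in ALLOWED_READS:
        if not ev["file"].startswith(ALLOWED_READS[comm]):
            return f"{ev['ts']} {comm} read {ev['file']}, outside its allowed paths"
    return None

def suspicious_events(lines):
    """Run every rule over every non-empty line; returns the findings in log order."""
    return [f for f in (check(parse(l)) for l in lines if l.strip()) if f]

# Constructed sample in the made-up format above (not real Etsy logs).
SAMPLE_LOG = """\
2014-07-17T10:01:02 exec user=apache ppid_comm=httpd comm=/usr/bin/php
2014-07-17T10:01:05 exec user=apache ppid_comm=httpd comm=/bin/sh
2014-07-17T10:01:09 connect user=apache comm=httpd dst=10.0.0.7:22
2014-07-17T10:01:10 connect user=apache comm=httpd dst=10.0.0.9:3306
2014-07-17T10:01:12 open user=cf comm=coldfusion file=/etc/shadow
2014-07-17T10:01:13 open user=cf comm=coldfusion file=/opt/coldfusion/wwwroot/index.cfm
2014-07-17T10:01:15 exec user=ben ppid_comm=sshd comm=/bin/bash
"""

if __name__ == "__main__":
    for finding in suspicious_events(SAMPLE_LOG.splitlines()):
        print(finding)
```

Three of the seven sample lines trip a rule; the PHP child, the database connection, the read under the app's own directory and the human's SSH login do not, which is the point of writing the rules around what the service should never do rather than around any particular exploit.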

  18. @benjammingh
    But still patch
    • Please, still patch things. (disable Java)

    • Know that it isn’t a panacea.

    • Realise that that is mostly okay.

  19. @benjammingh
    Please do patch!
    • No really!

  20. @benjammingh
    Logs are your eyes.
    “If it’s not monitored...
    ...it’s not in production”
    Well
    “If it’s not logged, did it really
    happen?”

  21. @benjammingh
    You have a limited number of eyes.

  22. @benjammingh
    Alerts

  23. @benjammingh
    Logstash
    • http://logstash.net/
    • http://www.elasticsearch.org/overview/kibana/
    • http://www.logstashbook.com/
    • https://github.com/miah/chef_logstash
    • https://forge.puppetlabs.com/tags/logstash

  24. @benjammingh
    Two factor all the things
    • Duo - https://www.duosecurity.com/
    • Authy - https://www.authy.com/
    • Google - http://goo.gl/hvre2D
    • YubiKey - https://www.yubico.com/

    Hat tip to Jan Schaumann (@jschauma),
    from whom I stole the title of this slide.

  25. @benjammingh
    vvngrglugvhtfcdrvvghtgpizzalrflvuurvikcvedvk

  26. @benjammingh
    Phishing
    • Who’s stopped phishing?

  27. @benjammingh
    Phishing
    • Who’s stopped phishing?

    • You’re not going to stop phishing.

  28. @benjammingh
    Phishing
    • Who’s stopped phishing?

    • You’re not going to stop phishing.

    • That doesn’t matter.

  29. @benjammingh
    Phishing
    • Who’s stopped phishing?

    • You’re not going to stop phishing.

    • That doesn’t matter.

    • Don’t think you can fully eliminate it, get it
    reported instead.

  30. @benjammingh
    Intermission.

  31. @benjammingh
    New, Improved Devops
    • Silo smashing into one new larger silo!

  32. @benjammingh
    DevSecOpsFarmerQueen
    • Many hats.
    • Not just dev.
    • Not just ops.
    • Security doesn’t
    just magically happen.

  33. @benjammingh
    Get security involved!
    • This can be done in environments of all sizes!
    • Small: having someone who has a security background
    or interest.
    • Large: “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/

  34. @benjammingh
    Security are people too!

  35. @benjammingh
    Security are people too!
    • they just might not always act like it...
    • security is the only area of technology with
    genuine adversaries.

  36. @benjammingh
    Infosec, this one’s for you
    • Dev and ops (and everyone else) are people
    too.

    • They made those decisions without malice in
    mind.

    • People don’t go out of their way to make
    things insecure!

  37. @benjammingh
    Science time
    http://info.veracode.com/rs/veracode/images/soss-v3.pdf

  38. @benjammingh
    Primary action items
    • Don’t just say “did you speak to security
    about this?”

    • Get people involved!

    • Security has never [successfully] been a check
    box.

  39. @benjammingh
    Reducing barriers.
    Having an approachable security team
    is the most important thing they can do.
    The second you lose the ability to talk to
    them about anything, you effectively
    lose your security team.

  40. @benjammingh
    So, that party you mentioned?
    • Skill sharing.

  41. @benjammingh
    So, that party you mentioned?
    • Skill sharing.

    • Hack week.

  42. @benjammingh
    So, that party you mentioned?
    • Skill sharing.

    • Hack week.

    • Boot camping.

  43. @benjammingh
    Borrowing from the devops.
    • Unit tests!

    • Test your code and your infrastructure.

  44. @benjammingh
    Borrowing from the devops.
    • Unit tests! https://gist.github.com/barn/45586d9690abaa53f933

  45. @benjammingh
    Borrowing from the devops.
    • Unit tests!

    • http://www.morethanseven.net/2013/12/29/making-the-web-secure/ from @Garethr

    • https://www.youtube.com/watch?v=XfBIouZ7roc @Garethr again & @Wickett
    Don’t worry, these links will be online…

  46. @benjammingh
    Borrowing from the devops.
    • Unit tests!

    • Test your code and your infrastructure.

    • Wait, someone other than Gareth already gave
    this talk too:
    http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
    Don’t worry, these links will be online…

  47. @benjammingh
    Borrowing from the devops.
    Yet again so did Gareth!

    https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

    Don’t worry, these links will be online…
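
As an added example of "test your infrastructure" (this is not Ben's gist and not code from the talk or the linked posts), here is one shape such a unit test can take: a small parser for `sshd_config` and checks against a few expected settings, run over a constructed weak config and a constructed hardened one. The list of settings and accepted values is an assumption for this example, not a policy from the talk.

```python
import re

# Settings this example checks and the values it accepts. This list is an
# assumption for the example, not a policy taken from the talk.
EXPECTED = {
    "protocol": {"2"},
    "permitrootlogin": {"no", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. Comment and blank lines are skipped and,
    as in sshd itself, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no value: leave it to sshd -t to complain about
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def sshd_findings(text):
    """Return one failure message per expected setting that is missing or weak;
    an empty list means the config passes."""
    settings = parse_sshd_config(text)
    failures = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            failures.append(f"{key}: not set, so the daemon default applies")
        elif value.lower() not in allowed:
            failures.append(f"{key}: is {value!r}, expected one of {sorted(allowed)}")
    return failures

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = "Protocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Protocol 2\nPermitRootLogin no\n"
                   "PasswordAuthentication no\nPermitEmptyPasswords no\n")

# These read like the unit tests on the slide: run them with pytest, or call them directly.
def test_hardened_config_passes():
    assert sshd_findings(HARDENED_CONFIG) == []

def test_weak_config_fails_on_three_settings():
    assert len(sshd_findings(WEAK_CONFIG)) == 3

if __name__ == "__main__":
    test_hardened_config_passes()
    test_weak_config_fails_on_three_settings()
    print("sshd_config checks passed")
```

In practice the text would come from the host under test (or from the template your config management renders), so the same test runs in CI against the code and on the box against the infrastructure.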

  48. @benjammingh
    Stop saying “No!”

  49. @benjammingh
    So finally
    • The most important thing that we do as a
    security team is...

    • Humility.

  50. @benjammingh
    So finally
    • The most important thing that we do as a
    security team is...

    • Humility.

    • Security isn’t everything. People are.

  51. @benjammingh
    Fin
    How can security work better with you?
