Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Handmade security at Etsy

Handmade security at Etsy

DevOpsDays Minneapolis 2014.

Similar to my London talk of last year. Just better GIFs.

Video is at https://vimeo.com/101734820

Bea Hughes

July 17, 2014
Tweet

More Decks by Bea Hughes

Other Decks in Technology

Transcript

  1. @benjammingh Whom be this? • Ben Hughes, security monkey manager

    at Etsy. • Bullet point fanatic. • Terrible at slides. • Shout out to the Etsy security team.
  2. @benjammingh It’s a tale of two halves • Security, where

    did it all go wrong? • Don’t go alone, take this! ! • Security-devops-maybe-DBAs-too- oh and-QA-sure-who-else? • I quite like Etsy, here’s why.
  3. @benjammingh #Cloud #Clouds #CloudAAS • AWS logo goes here. •

    Maybe not in AWS... (other cloudiness vendors may be available)
  4. @benjammingh Other than the very occasional RCE/SQLi or 0- day,

    companies just aren’t getting breached directly through their servers like they used to. Quotes to be taken out of context
  5. @benjammingh I’d buy that for a dollar [laptop:~]% id uid=501(ben)

    gid=20(staff) groups=20(staff) [laptop:~]% ./magic [*] running old exploit against unpatched OSX. [*] firing off connect back shell to AWS. [*] throwing mad persistence in to LaunchAgents. [*] dropping to a shell. [laptop:~]# id uid=0(root) gid=0(root)
  6. @benjammingh Treat the symptoms • Lateral movement can be more

    important than how they got in. • You don’t care that they broke a window, you care that they got in your living room and took your TV. • (still fix your window)
  7. @benjammingh Hudson hawk reference • Why is /bin/sh running on

    your webserver? • Why is your webserver trying to SSH to other hosts? • Why is the Cold Fusion process reading arbitrary files off of disk (SE/NSA Linux time)
  8. @benjammingh But still patch • Please, still patch things. (disable

    Java) • Know that it isn’t a panacea. • Realise that is mostly okay.
  9. @benjammingh Logs are your eyes. “If it’s not monitored... ...it’s

    not in production” Well “If it’s not logged, did it really happen?”
  10. @benjammingh Two factor all the things •Duo - https://www.duosecurity.com/ •Authy

    - https://www.authy.com/ •Google - http://goo.gl/hvre2D •YubiKey - https://www.yubico.com/ ! Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide from.
  11. @benjammingh Phishing • Who’s stopped phishing? • You’re not going

    to stop phishing. • That doesn’t matter. • Don’t think you can fully eliminate it, get it reported instead.
  12. @benjammingh DevSecOpsFarmerQueen • Many hats. • Not just dev. •

    Not just ops. ! • Security doesn’t just magically happen.
  13. @benjammingh Get security involved! • This can be done is

    all sized environments! • Small: having someone who has a security background or interest. • Large: ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/ presentation/chris-eng-ryan-oboyle-from-the-trenches-real- world-agile-sdlc/
  14. @benjammingh Security are people too! • they just might not

    always act like it... • security is the only area of technology with genuine adversaries.
  15. @benjammingh Infosec, this one’s for you • Dev and ops

    (and everyone else) are people too. • They made those decisions without malice in mind. • People don’t go out of their way to make things insecure!
  16. @benjammingh Primary action items • Don’t just say “did you

    speak to security about this?” • Get people involved! • Security has never [succesfully] been a check box.
  17. @benjammingh Reducing barriers. Having an approachable security team is the

    most important thing they can do. ! The second you lose the ability to talk to them about anything, you effectively lose your security team.
  18. @benjammingh Borrowing from the devops. • Unit tests! • http://www.morethanseven.net/2013/12/29/

    making-the-web-secure/ from @Garethr • https://www.youtube.com/watch? v=XfBIouZ7roc @Garethr again & @Wickett Don’t worry, these links will be online…
  19. @benjammingh Borrowing from the devops. • Unit tests! • Test

    your code and your infrastructure. • Wait, someone other than Gareth already gave this talk too: http://www.slideshare.net/nickgsuperstar/devopssec- apply-devops-principles-to-security/32 Don’t worry, these links will be online…
  20. @benjammingh Borrowing from the devops. Yet again so did Gareth!

    https://speakerdeck.com/garethr/security- monitoring-penetration-testing-meets- monitoring Don’t worry, these links will be online…
  21. @benjammingh So finally • The most important thing that we

    do as a security team is... • Humility.
  22. @benjammingh So finally • The most important thing that we

    do as a security team is... • Humility. • Security isn’t everything. People are. ! <Trust fall goes here>