Handmade security at Etsy

Transcript

1. Handmade security at Etsy https://www.flickr.com/photos/roland/ by Speaker 4

2. @benjammingh Whom be this? • Ben Hughes, security monkey manager

   at Etsy. • Bullet point fanatic. • Terrible at slides. • Shout out to the Etsy security team.

3. @benjammingh It’s a tale of two halves • Security, where

   did it all go wrong? • Don’t go alone, take this! ! • Security-devops-maybe-DBAs-too- oh and-QA-sure-who-else? • I quite like Etsy, here’s why.

4. @benjammingh Security, where did it all go wrong?

5. @benjammingh Wait, but we bought a firewall!

6. @benjammingh They’re coming out of the walls

7. @benjammingh #Cloud #Clouds #CloudAAS • AWS logo goes here. •

   Maybe not in AWS... (other cloudiness vendors may be available)

8. @benjammingh But we’re secure, right?

9. @benjammingh But we’re secure, right?

10. @benjammingh The Watering hole attacks of Feb

11. @benjammingh Other than the very occasional RCE/SQLi or 0- day,

    companies just aren’t getting breached directly through their servers like they used to. Quotes to be taken out of context

12. @benjammingh I’d buy that for a dollar [laptop:~]% id uid=501(ben)

    gid=20(staff) groups=20(staff) [laptop:~]% ./magic [*] running old exploit against unpatched OSX. [*] firing off connect back shell to AWS. [*] throwing mad persistence in to LaunchAgents. [*] dropping to a shell. [laptop:~]# id uid=0(root) gid=0(root)

13. @benjammingh Zero [cool] day • Zero day is bad! —

    2

14. @benjammingh Surprise! • You can’t defend against unknown attacks. •

    Clue is in the name.

15. @benjammingh Rejoice. That mostly doesn’t matter!

16. @benjammingh Treat the symptoms • Lateral movement can be more

    important than how they got in. • You don’t care that they broke a window, you care that they got in your living room and took your TV. • (still fix your window)

17. @benjammingh Hudson hawk reference • Why is /bin/sh running on

    your webserver? • Why is your webserver trying to SSH to other hosts? • Why is the Cold Fusion process reading arbitrary files off of disk (SE/NSA Linux time)

18. @benjammingh But still patch • Please, still patch things. (disable

    Java) • Know that it isn’t a panacea. • Realise that is mostly okay.

19. @benjammingh Please do patch! • No really! !

20. @benjammingh Logs are your eyes. “If it’s not monitored... ...it’s

    not in production” Well “If it’s not logged, did it really happen?”

21. @benjammingh You have a limited number of eyes.

22. @benjammingh Alerts

23. @benjammingh Logstash • http://logstash.net/ • http://www.elasticsearch.org/overview/ kibana/ • http://www.logstashbook.com/ •

    https://github.com/miah/chef_logstash • https://forge.puppetlabs.com/tags/logstash

24. @benjammingh Two factor all the things •Duo - https://www.duosecurity.com/ •Authy

    - https://www.authy.com/ •Google - http://goo.gl/hvre2D •YubiKey - https://www.yubico.com/ ! Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide from.

25. @benjammingh vvngrglugvhtfcdrvvghtgpizzalrflvuurvikcvedvk

26. @benjammingh Phishing • Who’s stopped phishing?

27. @benjammingh Phishing • Who’s stopped phishing? • You’re not going

    to stop phishing.

28. @benjammingh Phishing • Who’s stopped phishing? • You’re not going

    to stop phishing. • That doesn’t matter.

29. @benjammingh Phishing • Who’s stopped phishing? • You’re not going

    to stop phishing. • That doesn’t matter. • Don’t think you can fully eliminate it, get it reported instead.

30. @benjammingh Intermission.

31. @benjammingh New, Improved Devops ! ! • Silo smashing in

    to one new larger silo!

32. @benjammingh DevSecOpsFarmerQueen • Many hats. • Not just dev. •

    Not just ops. ! • Security doesn’t just magically happen.

33. @benjammingh Get security involved! • This can be done is

    all sized environments! • Small: having someone who has a security background or interest. • Large: ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/ presentation/chris-eng-ryan-oboyle-from-the-trenches-real- world-agile-sdlc/

34. @benjammingh Security are people too!

35. @benjammingh Security are people too! • they just might not

    always act like it... • security is the only area of technology with genuine adversaries.

36. @benjammingh Infosec, this one’s for you • Dev and ops

    (and everyone else) are people too. • They made those decisions without malice in mind. • People don’t go out of their way to make things insecure!

37. @benjammingh Science time http://info.veracode.com/rs/veracode/images/soss-v3.pdf

38. @benjammingh Primary action items • Don’t just say “did you

    speak to security about this?” • Get people involved! • Security has never [succesfully] been a check box.

39. @benjammingh Reducing barriers. Having an approachable security team is the

    most important thing they can do. ! The second you lose the ability to talk to them about anything, you effectively lose your security team.

40. @benjammingh So, that party you mentioned? • Skill sharing.

41. @benjammingh So, that party you mentioned? • Skill sharing. •

    Hack week.

42. @benjammingh So, that party you mentioned? • Skill sharing. •

    Hack week. • Boot camping.

43. @benjammingh Borrowing from the devops. • Unit tests! • Test

    your code and your infrastructure.

44. @benjammingh Borrowing from the devops. • Unit tests! https://gist.github.com/barn/45586d9690abaa53f933

45. @benjammingh Borrowing from the devops. • Unit tests! • http://www.morethanseven.net/2013/12/29/

    making-the-web-secure/ from @Garethr • https://www.youtube.com/watch? v=XfBIouZ7roc @Garethr again & @Wickett Don’t worry, these links will be online…

46. @benjammingh Borrowing from the devops. • Unit tests! • Test

    your code and your infrastructure. • Wait, someone other than Gareth already gave this talk too: http://www.slideshare.net/nickgsuperstar/devopssec- apply-devops-principles-to-security/32 Don’t worry, these links will be online…

47. @benjammingh Borrowing from the devops. Yet again so did Gareth!

    https://speakerdeck.com/garethr/security- monitoring-penetration-testing-meets- monitoring Don’t worry, these links will be online…

48. @benjammingh Stop saying “No!”

49. @benjammingh So finally • The most important thing that we

    do as a security team is... • Humility.

50. @benjammingh So finally • The most important thing that we

    do as a security team is... • Humility. • Security isn’t everything. People are. ! <Trust fall goes here>

51. @benjammingh Fin How can security work better with you?