
Handmade security at Etsy


DevOpsDays Minneapolis 2014.

Similar to my London talk of last year. Just better GIFs.

Video is at https://vimeo.com/101734820


Bea Hughes

July 17, 2014

Transcript

  1. Handmade security at Etsy https://www.flickr.com/photos/roland/ by Speaker 4

  2. @benjammingh Whom be this? • Ben Hughes, security monkey manager at Etsy. • Bullet point fanatic. • Terrible at slides. • Shout out to the Etsy security team.
  3. @benjammingh It’s a tale of two halves • Security, where did it all go wrong? • Don’t go alone, take this! ! • Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else? • I quite like Etsy, here’s why.
  4. @benjammingh Security, where did it all go wrong?

  5. @benjammingh Wait, but we bought a firewall!

  6. @benjammingh They’re coming out of the walls

  7. @benjammingh #Cloud #Clouds #CloudAAS • AWS logo goes here. • Maybe not in AWS... (other cloudiness vendors may be available)
  8. @benjammingh But we’re secure, right?

  9. @benjammingh But we’re secure, right?

  10. @benjammingh The Watering hole attacks of Feb

  11. @benjammingh Other than the very occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to. Quotes to be taken out of context
  12. @benjammingh I’d buy that for a dollar [laptop:~]% id uid=501(ben) gid=20(staff) groups=20(staff) [laptop:~]% ./magic [*] running old exploit against unpatched OSX. [*] firing off connect back shell to AWS. [*] throwing mad persistence in to LaunchAgents. [*] dropping to a shell. [laptop:~]# id uid=0(root) gid=0(root)
  13. @benjammingh Zero [cool] day • Zero day is bad! — 2
  14. @benjammingh Surprise! • You can’t defend against unknown attacks. • Clue is in the name.
  15. @benjammingh Rejoice. That mostly doesn’t matter!

  16. @benjammingh Treat the symptoms • Lateral movement can be more important than how they got in. • You don’t care that they broke a window, you care that they got in your living room and took your TV. • (still fix your window)
  17. @benjammingh Hudson hawk reference • Why is /bin/sh running on your webserver? • Why is your webserver trying to SSH to other hosts? • Why is the Cold Fusion process reading arbitrary files off of disk (SE/NSA Linux time)
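The questions on slides 16 and 17 are detection rules in disguise: a web server process should not be spawning a shell, and the web server's user should not be opening SSH sessions to other hosts. The following is an added example, not code from the talk or from Etsy, showing that logic run over a handful of constructed process and network events; the record shapes and field names are assumptions about what an auditd- or EDR-style log would give you, and the process and user names in the allow-lists are illustrative.

```python
"""Lateral-movement symptoms: web server spawning a shell, web server user opening SSH.

Added example, not from the talk. Event records are constructed inline; the field
names and the process/user name lists are assumptions about a real host's logging.
"""
from dataclasses import dataclass

# Processes that serve HTTP and have no business launching shells or SSH clients.
WEB_SERVER_PROCS = {"nginx", "httpd", "apache2", "php-fpm", "coldfusion"}
# Unprivileged accounts web servers run as; none of them should be SSHing anywhere.
WEB_SERVER_USERS = {"www-data", "nginx", "apache", "cfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
LATERAL_TOOLS = {"ssh", "scp", "nc", "ncat", "socat"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # image name of the parent process
    exe: str      # full path of the binary that was executed
    user: str


@dataclass(frozen=True)
class NetEvent:
    host: str
    proc: str     # image name of the process that opened the socket
    user: str
    dst_host: str
    dst_port: int


def shell_from_webserver(ev: ProcEvent) -> bool:
    """True when an HTTP-serving process executes a shell or a remote-access tool."""
    base = ev.exe.rsplit("/", 1)[-1]
    return ev.parent in WEB_SERVER_PROCS and (ev.exe in SHELLS or base in LATERAL_TOOLS)


def ssh_from_webserver(ev: NetEvent) -> bool:
    """True when the web server's service account opens an outbound SSH connection."""
    return ev.user in WEB_SERVER_USERS and ev.dst_port == 22


def detect(proc_events, net_events):
    """Return one human-readable alert per matching event, in input order."""
    alerts = []
    for ev in proc_events:
        if shell_from_webserver(ev):
            alerts.append(f"{ev.host}: {ev.parent} spawned {ev.exe} as {ev.user}")
    for ev in net_events:
        if ssh_from_webserver(ev):
            alerts.append(f"{ev.host}: {ev.proc} ({ev.user}) opened ssh to {ev.dst_host}")
    return alerts


# Constructed sample events: two benign admin/worker actions mixed with three symptoms.
SAMPLE_PROC = [
    ProcEvent("web01", "php-fpm", "/bin/sh", "www-data"),        # webshell or RCE payload
    ProcEvent("web01", "nginx", "/usr/sbin/nginx", "nginx"),     # normal worker spawn
    ProcEvent("web02", "apache2", "/usr/bin/ssh", "www-data"),   # web server launching ssh
    ProcEvent("web01", "sshd", "/bin/bash", "ben"),              # interactive admin login
]
SAMPLE_NET = [
    NetEvent("web02", "ssh", "www-data", "db01.internal", 22),       # lateral movement
    NetEvent("web01", "php-fpm", "www-data", "payments.internal", 443),  # normal API call
    NetEvent("web01", "ssh", "ben", "db01.internal", 22),            # admin, not the service user
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROC, SAMPLE_NET):
        print(alert)
```

Feeding the sample through `detect` yields three alerts and leaves the nginx worker spawn, the admin's shell and the admin's SSH session alone; in practice the same two predicates can be expressed as an auditd `-a exit,always -F ppid=...`-style rule or an osquery query, with this script standing in for the alerting step.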
  18. @benjammingh But still patch • Please, still patch things. (disable Java) • Know that it isn’t a panacea. • Realise that it is mostly okay.
  19. @benjammingh Please do patch! • No really! !

  20. @benjammingh Logs are your eyes. “If it’s not monitored... ...it’s not in production” Well, “If it’s not logged, did it really happen?”
  21. @benjammingh You have a limited number of eyes.

  22. @benjammingh Alerts

  23. @benjammingh Logstash • http://logstash.net/ • http://www.elasticsearch.org/overview/kibana/ • http://www.logstashbook.com/ • https://github.com/miah/chef_logstash • https://forge.puppetlabs.com/tags/logstash
  24. @benjammingh Two factor all the things • Duo - https://www.duosecurity.com/ • Authy - https://www.authy.com/ • Google - http://goo.gl/hvre2D • YubiKey - https://www.yubico.com/ ! Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
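All four products on slide 24 (and the hardware token that produced the string on slide 25) rest on the same few lines of cryptography: an HMAC over a counter, truncated to six digits. The block below is an added example, not code from the talk or from any of the listed vendors, implementing RFC 4226 HOTP and RFC 6238 TOTP with the two things a home-grown verifier most often gets wrong: a bounded clock-drift window and refusal to accept a code for a time step that has already been used. The test secret is the one from the RFCs; the base32 string in the usage note is a constructed example of what an authenticator app would enrol.

```python
"""TOTP generation and verification (RFC 4226 / RFC 6238).

Added example, not code from the talk or from Duo, Authy, Google or Yubico.
TEST_SECRET is the RFC test key; everything else is assumed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test vector key


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as base32; tolerate spaces, case and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided by the step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_counter`, so a code that was phished
    or shoulder-surfed cannot be replayed inside its validity window. The caller
    is expected to persist the returned counter per user and pass it back next time.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    if at_time is None:
        at_time = time.time()
    now = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed: treat as replay
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed enrolment secret, as an app would scan it from a QR code.
    app_secret = decode_base32_secret("jbsw y3dp ehpk 3pxp")
    code = totp(app_secret)
    print("current code:", code)
    print("accepted counter:", verify_totp(app_secret, code))
```

Because `verify_totp` returns the counter it accepted rather than a bare boolean, the login path can store that value and reject any later code from the same or an earlier step, which is the difference between "the user has a token" and "this particular code has not been seen before".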
  25. @benjammingh vvngrglugvhtfcdrvvghtgpizzalrflvuurvikcvedvk

  26. @benjammingh Phishing • Who’s stopped phishing?

  27. @benjammingh Phishing • Who’s stopped phishing? • You’re not going to stop phishing.
  28. @benjammingh Phishing • Who’s stopped phishing? • You’re not going to stop phishing. • That doesn’t matter.
  29. @benjammingh Phishing • Who’s stopped phishing? • You’re not going to stop phishing. • That doesn’t matter. • Don’t think you can fully eliminate it, get it reported instead.
  30. @benjammingh Intermission.

  31. @benjammingh New, Improved Devops ! ! • Silo smashing into one new larger silo!
  32. @benjammingh DevSecOpsFarmerQueen • Many hats. • Not just dev. • Not just ops. ! • Security doesn’t just magically happen.
  33. @benjammingh Get security involved! • This can be done in all sized environments! • Small: having someone who has a security background or interest. • Large: ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/
  34. @benjammingh Security are people too!

  35. @benjammingh Security are people too! • They just might not always act like it... • Security is the only area of technology with genuine adversaries.
  36. @benjammingh Infosec, this one’s for you • Dev and ops (and everyone else) are people too. • They made those decisions without malice in mind. • People don’t go out of their way to make things insecure!
  37. @benjammingh Science time http://info.veracode.com/rs/veracode/images/soss-v3.pdf

  38. @benjammingh Primary action items • Don’t just say “did you speak to security about this?” • Get people involved! • Security has never [successfully] been a check box.
  39. @benjammingh Reducing barriers. Having an approachable security team is the most important thing they can do. ! The second you lose the ability to talk to them about anything, you effectively lose your security team.
  40. @benjammingh So, that party you mentioned? • Skill sharing.

  41. @benjammingh So, that party you mentioned? • Skill sharing. • Hack week.
  42. @benjammingh So, that party you mentioned? • Skill sharing. • Hack week. • Boot camping.
  43. @benjammingh Borrowing from the devops. • Unit tests! • Test your code and your infrastructure.
  44. @benjammingh Borrowing from the devops. • Unit tests! https://gist.github.com/barn/45586d9690abaa53f933

  45. @benjammingh Borrowing from the devops. • Unit tests! • http://www.morethanseven.net/2013/12/29/making-the-web-secure/ from @Garethr • https://www.youtube.com/watch?v=XfBIouZ7roc @Garethr again & @Wickett Don’t worry, these links will be online…
  46. @benjammingh Borrowing from the devops. • Unit tests! • Test your code and your infrastructure. • Wait, someone other than Gareth already gave this talk too: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32 Don’t worry, these links will be online…
  47. @benjammingh Borrowing from the devops. Yet again so did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring Don’t worry, these links will be online…
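Slides 43 to 47 say to unit-test your infrastructure the way you unit-test code, and point at the gist and at @Garethr's material for how. As an added illustration, not the gist from the talk nor code from Etsy or from the linked projects, the block below treats an `sshd_config` as the unit under test: a small parser that mimics sshd's own rules (first occurrence of a keyword wins, `Match` ends the global section) and an audit that compares each security-relevant keyword against an expected value. The two configs are constructed samples, and the assumed defaults for absent keywords reflect the OpenSSH releases of the time, when `PermitRootLogin` and `PasswordAuthentication` defaulted to yes.

```python
"""Infrastructure unit test: audit an sshd_config like a test suite audits code.

Added example, not the gist or tooling from the talk. Both configs are constructed
samples; the 'absent' defaults below are assumptions about the OpenSSH of the era.
"""
import re

# keyword (lower-case) -> (accepted values, value assumed when the keyword is absent)
EXPECTED = {
    "permitrootlogin": ({"no"}, "yes"),
    "passwordauthentication": ({"no"}, "yes"),
    "challengeresponseauthentication": ({"no"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
    "protocol": ({"2"}, "2"),
}

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # 'Key value' or 'Key=value'


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value} for the global section.

    Mirrors sshd: comments and blank lines are ignored, the FIRST occurrence of a
    keyword is the effective one, and a 'Match' line ends the global section.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        config.setdefault(key, value)  # later duplicates do not override
    return config


def audit_sshd(text: str) -> list:
    """Return one finding per keyword whose effective value is not in the accepted set."""
    config = parse_sshd_config(text)
    findings = []
    for key, (allowed, default) in EXPECTED.items():
        actual = config.get(key, default)
        if actual.lower() not in allowed:
            origin = "set to" if key in config else "absent, defaults to"
            findings.append(f"{key}: {origin} {actual!r}, want one of {sorted(allowed)}")
    return findings


# Constructed sample: looks patched up, but the first PermitRootLogin line is the one sshd uses.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored by sshd: first occurrence wins
"""

# Constructed sample: what the test should accept. The Match block is out of scope here.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd(cfg) or 'OK'}")
```

Run against the weak sample the audit reports three findings (root login and password auth explicitly on, challenge-response silently defaulting on) and none against the hardened one; dropping this into the test stage of a config-management pipeline turns "we think root login is off" into a red build when it is not.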
  48. @benjammingh Stop saying “No!”

  49. @benjammingh So finally • The most important thing that we do as a security team is... • Humility.
  50. @benjammingh So finally • The most important thing that we do as a security team is... • Humility. • Security isn’t everything. People are. ! <Trust fall goes here>
  51. @benjammingh Fin How can security work better with you?