
DIY security for the amateur superhero


So the world is a mess. The internet is a toxic wasteland and you and your organisation have decided to fill this space with another application to disrupt the world. Awesome. Sounds like fun. Trouble is, there are a whole range of reasons why this may end badly. For every beautiful system we build, there are equally elegant attacks out there waiting. Boo hoo. We need to take security into our own hands. It's time to defend ourselves and our data, with the only skill we know we can trust - engineering.
Come learn to be a security superhero and learn a range of DIY security approaches to suit any application and operations environment. Manage your vulnerabilities, bring security to your builds and monitor the heck out of your world. Guaranteed vendor device free zone. Bring your skills and let's solve some of your security challenges together.


Laura Bell

August 05, 2016

Transcript

  1. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http://safestack.io DIY Security for the amateur superhero
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. it’s up to you to Detect

  13. Accept Protect Watch Respond Learn

  14. Accept

  15. None
  16. (we love you but seriously…)

  17. You (every single one of us…)

  18. code base development Initial idea Product launch Maturity Initiatives do security stuff
  19. Attack Defense help!

  20. Meanwhile in the security industry

  21. None
  22. (like OWASP and Troy Hunt)

  23. (perfect people are liars)

  24. (it’s ok to not know everything)

  25. (and here’s why…)

  26. Protect

  27. None
  28. (YOUR software has security flaws…)

  29. None
  30. (** inception fog horn noise **)

  31. None
  32. technologies

  33. Oh noes.. a wild demo appears OWASP Dependency Checker Libraries.io

  34. § https://libraries.io/ § https://www.owasp.org/index.php/OWASP_Dependency_Check

  35. Watch

  36. None
  37. (if you’re not looking)

  38. you

  39. Challenge yours

  40. Security team Managed border devices Budget Management support Erm.. Does watching mr robot count? Security Engineering

  41. ?? Wait? Hold on? Logging tools Contextual knowledge Access Incentive Security Engineering
  42. All

  43. Application Database Operating system Border devices Cloud tools

  44. destruction

  45. like actually, for real, not just when you’re debugging

  46. if the internet has already done it for you

  47. Be kind demo gods… please LastPass Lambda Logs Sumo Siemonster and ELK
  48. None
  49. make kittens cry

  50. can be the cost of DIY

  51. s/real/a real pain in the …/

  52. _sourceCategory=Apache/Acces | extract "\"[A-Z]+ \S+ HTTP/[\d\.]+\" \S+ \S+ \S+ \"(?<agent>[^\"]+?)\"" | if (agent matches "*MSIE*",1,0) as ie | if (agent matches "*Firefox*",1,0) as firefox | if (agent matches "*Safari*",1,0) as safari | if (agent matches "*Chrome*",1,0) as chrome | sum(ie) as ie, sum(firefox) as firefox, sum(safari) as safari, sum(chrome) as chrome

  53. It’s better to see it coming Even if you can’t stop it
  54. § https://github.com/SafeStack/lambda_logs § https://elk-docker.readthedocs.io/ § https://siemonster.com/

  55. Respond

  56. (Incident Response skill isn’t innate)

  57. None
  58. None
  59. None
  60. § http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147_2014.zip § https://github.com/Netflix/SimianArmy/wiki/Chaos-Monkey § https://hackerone.com/ § https://bugcrowd.com/

  61. Learn

  62. None
  63. (Every. Single. Day.)

  64. Security

  65. Accept Protect Watch Respond Learn

  66. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http://safestack.io Questions?
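Slide 52 shows a Sumo Logic query that pulls the user agent out of Apache access log lines and sums hits per browser family. The following is an added example, not code from the talk or from SafeStack, that does the same extraction and counting locally in Python so the query's behaviour can be checked offline. The regular expression is the one from the slide with Python's `(?P<name>)` group syntax; the `matches "*MSIE*"` glob is treated as a plain substring test, and the log lines are constructed sample data.

```python
import re

# Same pattern as the slide's extract clause: skip the request line, status,
# bytes and referrer, then capture the quoted user-agent field.
LINE_RE = re.compile(r'"[A-Z]+ \S+ HTTP/[\d.]+" \S+ \S+ \S+ "(?P<agent>[^"]+?)"')

# Sumo's `agent matches "*MSIE*"` is a wildcard glob, i.e. substring containment.
BROWSERS = {"ie": "MSIE", "firefox": "Firefox", "safari": "Safari", "chrome": "Chrome"}

# Constructed Apache combined-format lines (not real traffic). The last line is a
# timed-out request with no request line, so the slide's regex does not match it.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2016:10:12:01 +1200] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '203.0.113.6 - - [05/Aug/2016:10:12:02 +1200] "GET /about HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"',
    '203.0.113.7 - - [05/Aug/2016:10:12:03 +1200] "POST /login HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/52.0.2743.116 Safari/537.36"',
    '203.0.113.8 - - [05/Aug/2016:10:12:04 +1200] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) '
    'Version/9.1.2 Safari/601.7.7"',
    '203.0.113.9 - - [05/Aug/2016:10:12:05 +1200] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"curl/7.47.0"',
    '203.0.113.10 - - [05/Aug/2016:10:12:06 +1200] "-" 408 0 "-" "-"',
]


def extract_agent(line):
    """Return the user-agent field of one access log line, or None if the
    slide's pattern does not match (e.g. a request with no request line)."""
    m = LINE_RE.search(line)
    return m.group("agent") if m else None


def browser_counts(lines):
    """Replicate the query's per-browser sums.

    Returns (counts, unparsed): `counts` maps ie/firefox/safari/chrome to the
    number of lines whose agent contains that marker, and `unparsed` is the
    number of lines the extract regex rejected. As in the query, the four
    flags are independent, so a Chrome UA (which also contains "Safari")
    increments both chrome and safari."""
    counts = dict.fromkeys(BROWSERS, 0)
    unparsed = 0
    for line in lines:
        agent = extract_agent(line)
        if agent is None:
            unparsed += 1
            continue
        for name, marker in BROWSERS.items():
            if marker in agent:
                counts[name] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = browser_counts(SAMPLE_LOG)
    for name, total in counts.items():
        print(f"{name:8s} {total}")
    print(f"unparsed {unparsed}")
```

Two things the local run makes visible that the dashboard does not: the browser buckets overlap (every modern Chrome user agent also contains "Safari", so the safari column over-counts), and lines the regex rejects simply vanish from the sums, so tracking the unparsed count alongside the totals is worth doing before trusting the numbers. The user agent is also entirely client-supplied, so these counts describe what clients claim to be, not what they are.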