DIY security for the amateur superhero

Laura Bell
August 05, 2016

So the world is a mess. The internet is a toxic wasteland and you and your organisation have decided to fill this space with another application to disrupt the world. Awesome. Sounds like fun. Trouble is, there are a whole range of reasons why this may end badly. For every beautiful system we build, there are equally elegant attacks out there waiting. Boo hoo. We need to take security into our own hands. It's time to defend ourselves and our data, with the only skill we know we can trust - engineering.
Come learn to be a security superhero and learn a range of DIY security approaches to suit any application and operations environment. Manage your vulnerabilities, bring security to your builds and monitor the heck out of your world. Guaranteed vendor device free zone. Bring your skills and let's solve some of your security challenges together.

Transcript

  1. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    DIY Security
    for the amateur
    superhero

  12. it’s up to you to
    Detect

  13. Accept
    Protect
    Watch
    Respond
    Learn

  14. Accept

  16. (we love you but seriously…)

  17. You
    (every single one of us…)

  18. code base development
    Initial
    idea
    Product launch Maturity Initiatives
    do security stuff

  19. Attack Defense
    help!

  20. Meanwhile in the security industry

  22. (like OWASP and Troy Hunt)

  23. (perfect people are liars)

  24. (it’s ok to not know everything)

  25. (and here’s why…)

  26. Protect

  28. (YOUR software has security flaws…)

  30. (** inception fog horn noise **)

  32. technologies

  33. Oh noes.. a wild demo appears
    OWASP Dependency Checker
    Libraries.io

  34. § https://libraries.io/
    § https://www.owasp.org/index.php/OWASP_Dependency_Check

  35. Watch

  37. (if you’re not looking)

  38. you

  39. Challenge yours

  40. Security team
    Managed border devices
    Budget
    Management support
    Erm..
    Does watching mr robot
    count?
    Security Engineering

  41. ??
    Wait?
    Hold on?
    Logging tools
    Contextual knowledge
    Access
    Incentive
    Security Engineering

  42. All

  43. Application
    Database
    Operating system
    Border devices
    Cloud tools

  44. destruction

  45. like actually,
    for real,
    not just when you’re debugging

  46. if the internet has already done it for you

  47. Be kind demo gods… please
    LastPass Lambda Logs
    Sumo
    Siemonster and ELK

  49. make kittens cry

  50. can be the cost of DIY

  51. s/real/a real pain in the …/

  52. _sourceCategory=Apache/Acces
    | extract "\"[A-Z]+ \S+ HTTP/[\d\.]+\" \S+ \S+ \S+ \"(?<agent>[^\"]+?)\""
    | if (agent matches "*MSIE*",1,0) as ie
    | if (agent matches "*Firefox*",1,0) as firefox
    | if (agent matches "*Safari*",1,0) as safari
    | if (agent matches "*Chrome*",1,0) as chrome
    | sum(ie) as ie, sum(firefox) as firefox, sum(safari) as safari, sum(chrome) as chrome
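The Sumo Logic query on slide 52 pulls the user agent out of each Apache access log line and tallies hits per browser family. The following is an added example, not code from the deck or from SafeStack, that does the same job over a few constructed Apache combined-format lines in plain Python, so you can see what the query is actually computing. The regex is a Python port of the slide's extract; the log lines, the "other" and "unparsed" buckets and the function names are my own additions. Two things the slide's approach leaves silent are made visible here: lines the regex rejects are counted rather than dropped, and agents that match none of the four markers are counted too, since an unfamiliar agent hitting your site is exactly the kind of thing the "watch" section says you should be seeing.

```python
import re
from collections import Counter

# Python equivalent of the slide's extract: skip the quoted request line and
# the three fields after it (status, bytes, referer) and capture the quoted
# user agent. A referer containing a space would not match \S+, so such a
# line is rejected, exactly as the Sumo query would reject it.
UA_RE = re.compile(r'"[A-Z]+ \S+ HTTP/[\d.]+" \S+ \S+ \S+ "(?P<agent>[^"]+?)"')

# Same non-exclusive substring tests as `if (agent matches "*MSIE*",1,0)`.
# Caveat worth knowing before trusting the numbers: a Chrome user agent also
# contains "Safari", so one hit can increment two counters, in this code and
# in the Sumo query alike.
BROWSER_MARKERS = {
    "ie": "MSIE",
    "firefox": "Firefox",
    "safari": "Safari",
    "chrome": "Chrome",
}

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [05/Aug/2016:10:00:01 +1200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.2 - - [05/Aug/2016:10:00:02 +1200] "GET /login HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"
10.0.0.3 - - [05/Aug/2016:10:00:03 +1200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
10.0.0.4 - - [05/Aug/2016:10:00:04 +1200] "GET /admin HTTP/1.1" 403 221 "-" "curl/7.47.0"
10.0.0.5 - - [05/Aug/2016:10:00:05 +1200] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E233 Safari/601.1"
this line is deliberately malformed and will not parse
"""


def extract_agents(log_text):
    """Yield the user agent of every line the regex accepts (hypothetical helper)."""
    for line in log_text.splitlines():
        match = UA_RE.search(line)
        if match:
            yield match.group("agent")


def browser_counts(log_text):
    """Return {bucket: hits}, mirroring the slide's `sum(ie) as ie, ...` line.

    Beyond the four browser buckets, 'other' counts agents that matched no
    marker and 'unparsed' counts lines the regex rejected, so gaps in the
    picture show up as numbers instead of disappearing.
    """
    counts = Counter({name: 0 for name in BROWSER_MARKERS})
    counts["other"] = 0
    counts["unparsed"] = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = UA_RE.search(line)
        if not match:
            counts["unparsed"] += 1
            continue
        agent = match.group("agent")
        matched = False
        for name, marker in BROWSER_MARKERS.items():
            if marker in agent:
                counts[name] += 1
                matched = True
        if not matched:
            counts["other"] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, hits in browser_counts(SAMPLE_LOG).items():
        print(f"{bucket:9s} {hits}")
```

Run against the sample, the Safari bucket comes out at 2 although only one visitor used Safari, because the Chrome line also carries the Safari marker; if you copy the slide's query into your own Sumo account, order the tests or exclude Chrome from the Safari test before reporting the numbers to anyone.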

  53. It’s better to see it coming
    Even if you can’t stop it

  54. § https://github.com/SafeStack/lambda_logs
    § https://elk-docker.readthedocs.io/
    § https://siemonster.com/

  55. Respond
  56. (Incident Response skill isn’t innate)
  60. § http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147_2014.zip
    § https://github.com/Netflix/SimianArmy/wiki/Chaos-Monkey
    § https://hackerone.com/
    § https://bugcrowd.com/

  61. Learn
  63. (Every. Single. Day.)
  64. Security
  65. Accept
    Protect
    Watch
    Respond
    Learn
  66. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    Questions?