Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY security for the amateur superhero

Laura Bell
August 05, 2016
Technology
0
190

DIY security for the amateur superhero

So the world is a mess. The internet is a toxic wasteland and you and your organisation have decided to fill this space with another application to disrupt the world. Awesome. Sounds like fun. Trouble is, there are a whole range of reasons why this may end badly.For every beautiful system we build, there are equally elegant attacks out there waiting. Boo hoo. We need to take security into our own hands. It's time to defend ourselves and our data, with the only skill we know we can trust - engineering.
Come learn to be a security superhero and learn a range of DIY security approaches to suit any application and operations environment. Manage your vulnerabilities, bring security to your builds and monitor the heck out of your world. Guaranteed vendor device free zone. Bring your skills and let's solve some of your security challenges together.

Laura Bell

August 05, 2016
Tweet

More Decks by Laura Bell

See All by Laura Bell
Hackcon 11 - Protecting our people
ladynerd
0
190
Security in a container based world
ladynerd
0
120
Securing Microservice Architectures
ladynerd
2
330
Better Connected
ladynerd
0
46
Continuous Security
ladynerd
3
970
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
77
Practical tools for privacy audit
ladynerd
0
130
For the greater good? Open sourcing weaponisable code
ladynerd
1
270

Other Decks in Technology

See All in Technology
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
350
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
910
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
510
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
140
On Your Data を超えていく!
hirotomotaguchi
2
670
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
210
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
Cracking the KubeCon CfP
inductor
2
240
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
3
13k

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
How STYLIGHT went responsive
nonsquared
92
4.8k
Designing for Performance
lara
601
67k
RailsConf 2023
tenderlove
4
540
Code Review Best Practice
trishagee
55
15k
Happy Clients
brianwarren
92
6.4k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
A better future with KSS
kneath
231
16k
The Pragmatic Product Professional
lauravandoore
25
5.8k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
GraphQLとの向き合い方2022年版
quramy
32
12k
Web Components: a chance to create the future
zenorocha
305
41k

Transcript

  1. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd [email protected]

    http:/ /safestack.io DIY Security for the amateur superhero
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None

  12. it’s up to you to Detect

  13. Accept Protect Watch Respond Learn

  14. Accept

  15. None

  16. (we love you but seriously…)

  17. You (every single one of us…)

  18. code base development Initial idea Product launch Maturity Initiatives do

    security stuff

  19. Attack Defense help!

  20. Meanwhile in the security industry

  21. None

  22. (like OWASP and Troy Hunt)

  23. (perfect people are liars)

  24. (it’s ok to not know everything)

  25. (and here’s why…)

  26. Protect

  27. None

  28. (YOUR software has security flaws…)

  29. None

  30. (** inception fog horn noise **)

  31. None

  32. technologies

  33. Oh noes.. a wild demo appears OWASP Dependency Checker Libraries.io

  34. § https://libraries.io/ § https://www.owasp.org/index.php/OWASP_Dependen cy_Check

  35. Watch

  36. None

  37. (if you’re not looking)

  38. you

  39. Challenge yours

  40. Security team Managed border devices Budget Management support Erm.. Does

    watching mr robot count? Security Engineering

  41. ?? Wait? Hold on? Logging tools Contextual knowledge Access Incentive

    Security Engineering

  42. All

  43. Application Database Operating system Border devices Cloud tools

  44. destruction

  45. like actually, for real, not just when you’re debugging

  46. if the internet has already done it for you

  47. Be kind demo gods… please LastPass Lambda Logs Sumo Siemonster

    and ELK
  48. None

  49. make kittens cry

  50. can be the cost of DIY

  51. s/real/a real pain in the …/

  52. _sourceCategory=Apache/Acces | extract "\"[A-Z]+ \S+ HTTP/[\d\.]+\" \S+ \S+ \S+ \"(?<agent>[^\"]+?)\""

    | if (agent matches "*MSIE*",1,0) as ie | if (agent matches "*Firefox*",1,0) as firefox | if (agent matches "*Safari*",1,0) as safari | if (agent matches "*Chrome*",1,0) as chrome | sum(ie) as ie, sum(firefox) as firefox, sum(safari) as safari, sum(chrome) as chrome

  53. It’s better to see it coming Even if you can’t

    stop it

  54. § https://github.com/SafeStack/lambda_logs § https://elk-docker.readthedocs.io/ § https://siemonster.com/

  55. Respond

  56. (Incident Response skill isn’t innate)

  57. None
  58. None
  59. None

  60. § http://standards.iso.org/ittf/PubliclyAvailableStandard s/c045170_ISO_IEC_29147_2014.zip § https://github.com/Netflix/SimianArmy/wiki/Chaos- Monkey § https://hackerone.com/ § https://bugcrowd.com/

  61. Learn

  62. None

  63. (Every. Single. Day.)

  64. Security

  65. Accept Protect Watch Respond Learn

  66. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd [email protected]

    http:/ /safestack.io Questions?