Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY security for the amateur superhero

Laura Bell
August 05, 2016
Technology
0
140

DIY security for the amateur superhero

So the world is a mess. The internet is a toxic wasteland and you and your organisation have decided to fill this space with another application to disrupt the world. Awesome. Sounds like fun. Trouble is, there are a whole range of reasons why this may end badly.For every beautiful system we build, there are equally elegant attacks out there waiting. Boo hoo. We need to take security into our own hands. It's time to defend ourselves and our data, with the only skill we know we can trust - engineering.
Come learn to be a security superhero and learn a range of DIY security approaches to suit any application and operations environment. Manage your vulnerabilities, bring security to your builds and monitor the heck out of your world. Guaranteed vendor device free zone. Bring your skills and let's solve some of your security challenges together.

Laura Bell

August 05, 2016
Tweet

More Decks by Laura Bell

See All by Laura Bell
Hackcon 11 - Protecting our people
ladynerd
0
170
Security in a container based world
ladynerd
0
120
Securing Microservice Architectures
ladynerd
2
330
Better Connected
ladynerd
0
44
Continuous Security
ladynerd
3
900
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.5k
Blindsided by security
ladynerd
0
73
Practical tools for privacy audit
ladynerd
0
90
For the greater good? Open sourcing weaponisable code
ladynerd
1
230

Other Decks in Technology

See All in Technology
Airplay
elcuervo
0
120
クラウドだからできた 地方主導のJAWS DevOps
matsuihidetoshi
2
160
PHPからはじめるコンピュータア ーキテクチャ / PHP Meets Silicon: A Fun Dive into Computer Structures
tomzoh
3
170
【新卒研修資料】基礎統計学 / Basic of statistics
brainpadpr
58
36k
アジャイルリーダークイズ王 2023 #scrummikawa / agile leader quiz king 2023
kyonmm
PRO
1
250
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
230
2023 CSS
nishiharatsubasa
1
470
The Evolution of GraphQL Code Generation
n1ru4l
0
240
全世界1,800万人が利用する「家族アルバム みてね」におけるNew Relic活用法 / FutureStack Tokyo 2023
isaoshimizu
1
170
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
1
1.6k
承認コネクタについて
miyakemito
1
110
JPOUG Tech Talk Night #7 ASAHI
asahihidehiko
0
170

Featured

See All Featured
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.6k
Git: the NoSQL Database
bkeepers
PRO
420
61k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
The Mythical Team-Month
searls
212
41k
Code Review Best Practice
trishagee
53
13k
The Brand Is Dead. Long Live the Brand.
mthomps
48
5.1k
Building Your Own Lightsaber
phodgson
97
5.1k
Docker and Python
trallard
31
2.3k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
250
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
Facilitating Awesome Meetings
lara
37
5.1k
Typedesign – Prime Four
hannesfritz
35
1.7k

Transcript

  1. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http:/
    /safestack.io
    DIY Security
    for the amateur
    superhero

    View Slide

  2. View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. it’s up to you to
    Detect

    View Slide

  13. Accept
    Protect
    Watch
    Respond
    Learn

    View Slide

  14. Accept

    View Slide

  15. View Slide

  16. (we love you but seriously…)

    View Slide

  17. You
    (every single one of us…)

    View Slide

  18. code base development
    Initial
    idea
    Product launch Maturity Initiatives
    do security stuff

    View Slide

  19. Attack Defense
    help!

    View Slide

  20. Meanwhile in the security industry

    View Slide

  21. View Slide

  22. (like OWASP and Troy Hunt)

    View Slide

  23. (perfect people are liars)

    View Slide

  24. (it’s ok to not know everything)

    View Slide

  25. (and here’s why…)

    View Slide

  26. Protect

    View Slide

  27. View Slide

  28. (YOUR software has security flaws…)

    View Slide

  29. View Slide

  30. (** inception fog horn noise **)

    View Slide

  31. View Slide

  32. technologies

    View Slide

  33. Oh noes.. a wild demo appears
    OWASP Dependency Checker
    Libraries.io

    View Slide

  34. § https://libraries.io/
    § https://www.owasp.org/index.php/OWASP_Dependen
    cy_Check

    View Slide

  35. Watch

    View Slide

  36. View Slide

  37. (if you’re not looking)

    View Slide

  38. you

    View Slide

  39. Challenge yours

    View Slide

  40. Security team
    Managed border devices
    Budget
    Management support
    Erm..
    Does watching mr robot
    count?
    Security Engineering

    View Slide

  41. ??
    Wait?
    Hold on?
    Logging tools
    Contextual knowledge
    Access
    Incentive
    Security Engineering

    View Slide

  42. All

    View Slide

  43. Application
    Database
    Operating system
    Border devices
    Cloud tools

    View Slide

  44. destruction

    View Slide

  45. like actually,
    for real,
    not just when you’re debugging

    View Slide

  46. if the internet has already done it for you

    View Slide

  47. Be kind demo gods… please
    LastPass Lambda Logs
    Sumo
    Siemonster and ELK

    View Slide

  48. View Slide

  49. make kittens cry

    View Slide

  50. can be the cost of DIY

    View Slide

  51. s/real/a real pain in the …/

    View Slide

  52. _sourceCategory=Apache/Acces
    | extract "\"[A-Z]+ \S+ HTTP/[\d\.]+\" \S+ \S+
    \S+ \"(?[^\"]+?)\""
    | if (agent matches "*MSIE*",1,0) as ie
    | if (agent matches "*Firefox*",1,0) as firefox
    | if (agent matches "*Safari*",1,0) as safari
    | if (agent matches "*Chrome*",1,0) as chrome
    | sum(ie) as ie, sum(firefox) as firefox,
    sum(safari) as safari, sum(chrome) as chrome

    View Slide

  53. It’s better to see it coming
    Even if you can’t stop it

    View Slide

  54. § https://github.com/SafeStack/lambda_logs
    § https://elk-docker.readthedocs.io/
    § https://siemonster.com/

    View Slide

  55. Respond

    View Slide

  56. (Incident Response skill isn’t innate)

    View Slide

  57. View Slide

  58. View Slide

  59. View Slide

  60. § http://standards.iso.org/ittf/PubliclyAvailableStandard
    s/c045170_ISO_IEC_29147_2014.zip
    § https://github.com/Netflix/SimianArmy/wiki/Chaos-
    Monkey
    § https://hackerone.com/
    § https://bugcrowd.com/

    View Slide

  61. Learn

    View Slide

  62. View Slide

  63. (Every. Single. Day.)

    View Slide

  64. Security

    View Slide

  65. Accept
    Protect
    Watch
    Respond
    Learn

    View Slide

  66. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http:/
    /safestack.io
    Questions?

    View Slide