Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 ChicagoCoderConference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Big Data Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] Secure DevOps Growing OWASP Board Agile Security
See • Botnets • Widespread use of harvested credentials • Account takeover • Credit card fraud • Dumps of passwords and sensitive data with SQLi • User pwnage with XSS
Use Services Provided • Use IAM to define groups users. Use MFA. • Limit Network Access, Use TrustedAdvisor • CloudTrail • Use encryption for S3, EBS, RDS, etc. • New: Inspector, WAF, Config Rules
• XSS is really code injection. • The distinction is that the code is running in your user’s browser. • This can have crippling significance - because it bypasses network and other typical controls. Cross-site Scripting
Tiers • 0
–
Cursory
–
You
have
done
something.
You
define.
• 1
–
Opportunistic
–
Adequately
defends
against
easily
discoverable
items.
• 2
–
Standard
–
Adequately
defends
against
items
of
moderate
to
serious
risk.
• 3
–
Advanced
–
Defends
against
even
advanced
attacks
and
demonstrates
good
security
design.
mkonda
colopl
mploed
soracom
linedevth
kentosuzuki
sansantech
no24oka
mongolyy
.png){kind=icon}
pharma_x_tech
kazumax55
andpad
lemon
vanstee
mojombo
destraynor
cromwellryan
mclloyd
thekraken
eitanlees
kneath
marcduiker
geoffreycrofte
productmarketing
zakiwarfel