Slide 1

HELP THE HACKERS GET YOUR DATA 1 — Srdjan Vranac, Code4Hire, @vranac`

Slide 2

WHOAMI

Slide 3

SEATEC ASTRONOMY

Slide 4

TOO MANY SECRETS

Slide 5

SECURITY IS IMPORTANT M'KAY

Slide 6

A good software engineer has technical skills, communication skills AND business skills — Antonio Peric-Mazar (Locastic CEO)

Slide 7

Take off your developer's hat. Focus on the business goals, less on academics — David Cramer (Sentry CEO), from "Mastering Duct Tape", PyCon Balkan 2018

Slide 8

COST AND SECURITY ARE AN AFTERTHOUGHT

Slide 9

BY THINKING IN TERMS OF BUSINESS, COST AND EXPENSES, SECURITY STARTS TO CLIMB HIGHER AND HIGHER ON THE PRIORITY LIST

Slide 10

LOW-HANGING FRUIT

Slide 11


Slide 12

DATA BREACHES EXPOSED 4.1 BILLION RECORDS IN THE FIRST SIX MONTHS OF 2019

Slide 13

COMMON WAYS OF REVEALING YOUR SECRETS?
> making your information public
> a malicious party gaining access to your infrastructure

Slide 14

MALICIOUS PARTY GAINING ACCESS TO YOUR INFRASTRUCTURE

Slide 15

#!/bin/sh
# location: /etc/pam_scripts/login-email-notification.sh
# Mail the admin whenever PAM opens an SSH session.
# PAM_USER, PAM_RHOST and PAM_TYPE are exported by pam_exec.so.
EMAIL_TO="[email protected]"
EMAIL_FROM="[email protected]"
SUBJECT="SSH Login Notification"
MESSAGE="
A user signed into your server through SSH.
-------------------------------------------
Username: ${PAM_USER}
IP Address: ${PAM_RHOST}"

# pam_exec runs this script for close_session too, so act only on open_session.
if [ "${PAM_TYPE}" = "open_session" ]; then
    echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
fi
exit 0

# location: /etc/pam.d/sshd
# Login Email Notification
session required pam_exec.so /etc/pam_scripts/login-email-notification.sh

Slide 16

You don't store your users' passwords in your database, yet the access credentials to said database are written down in cleartext in a file on your server. Sounds familiar? — Andreas Heigl

Slide 17

STORY TIME!

Slide 18

ENVIRONMENT VARIABLES

Slide 19


Slide 20

tr '\0' '\n' < /proc//environ

Slide 21

CONTAINERS!!!111

docker inspect -f \
  '{{range $index, $value := .Config.Env}}{{println $value}}{{end}}' \
  container_name

Slide 22

web_app:
  image: code4hire/dev-images:php-7.2-cli
  hostname: "web_app"
  working_dir: ${WEB_DESTINATION_PATH}
  volumes:
    - ${WEB_APP_PATH}:${WEB_DESTINATION_PATH}
    - ${WEB_REPORTS_PATH}:${WEB_REPORTS_DESTINATION_PATH}
    - ./auth.json:/root/.composer/auth.json
    - "${DATA_PATH}/datadog:/var/run/datadog:ro"
  environment:
    - APPLICATION_ENV=${APPLICATION_ENV}
    - WEB_LOGGER_NAME=${WEB_LOGGER_NAME}
    - WEB_LOG_PATH=${WEB_LOG_PATH}
    - WEB_LOG_LEVEL=${LOG_LEVEL}
    - WEB_LOG_TO_CONSOLE=${LOG_TO_CONSOLE}
    - SENTRY_DSN=${SENTRY_DSN}
    - RMQ_HOST=${RMQ_HOST}
    - RMQ_PORT=${RMQ_PORT}
    - RMQ_USERNAME=${RMQ_USERNAME}
    - RMQ_PASSWORD=${RMQ_PASSWORD}
    - RMQ_VHOST=${RMQ_VHOST}
    - RMQ_PREFETCH_COUNT=${RMQ_PREFETCH_COUNT}
    - RMQ_DEFAULT_EXCHANGE_NAME=${RMQ_DEFAULT_EXCHANGE_NAME}
    - RMQ_DEFAULT_EXCHANGE_TYPE=${RMQ_DEFAULT_EXCHANGE_TYPE}
    ...
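Added example, not from the talk: an audit helper that parses the NUL-separated /proc/PID/environ format the `tr` one-liner above prints and flags variables whose names look like credentials, so an operator can see which processes (or containers, via `docker inspect`) would hand their secrets to anyone who can read the environment. The name pattern and the sample environ block are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Variable names that usually carry credentials (assumed list; extend for your stack).
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|DSN|PRIVATE_KEY", re.I)

def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the /proc/<pid>/environ format: KEY=VALUE entries separated by NUL bytes."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue  # trailing NUL or a malformed entry
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def redact(value: str) -> str:
    """Keep a 3-character prefix so a report can be shared without re-leaking the value."""
    return value[:3] + "*" * max(len(value) - 3, 0)

def find_secret_vars(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, redacted value) for every non-empty variable that looks like a secret."""
    return sorted((name, redact(value)) for name, value in env.items()
                  if value and SECRET_NAME_RE.search(name))

def audit_pid(pid: int) -> List[Tuple[str, str]]:
    """Audit a live process (Linux; needs permission to read /proc/<pid>/environ)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return find_secret_vars(parse_environ(fh.read()))

# Constructed sample: the environment the compose service above would end up with.
SAMPLE_ENVIRON = (
    b"APPLICATION_ENV=production\0RMQ_HOST=rabbit\0RMQ_PORT=5672\0"
    b"RMQ_USERNAME=webapp\0RMQ_PASSWORD=s3cr3t-rabbit-pw\0"
    b"SENTRY_DSN=https://abc123@sentry.example/42\0WEB_LOG_LEVEL=info\0"
)

if __name__ == "__main__":
    for name, value in find_secret_vars(parse_environ(SAMPLE_ENVIRON)):
        print(f"{name} = {value}")
```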

Slide 23

DOCKER SECRETS!!!
/run/secrets/NAME

Slide 24

IF YOUR OPS TEAM ALLOWS THIS, PLEASE HAVE A TALK WITH THEM!

Slide 25

LIABILITY & CRIMINAL NEGLIGENCE

Slide 26

INSURANCE

Slide 27

CERTIFICATION

Slide 28

SECURITY COST/DAMAGE CONTROL

Slide 29

HOW CAN THIS SITUATION BE IMPROVED?
SECRETS MANAGEMENT APPLICATIONS

Slide 30

EASE OF SETUP AND OPERATION

Slide 31

SECRET ROTATION

Slide 32

DYNAMIC SECRETS

{{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

Slide 33

ENCRYPTION IN TRANSPORT AND AT REST

Slide 34

CHOICES OF BACKENDS

Slide 35

COST

Slide 36

Ansible Vault, Barbican, Chef Data Bags, Chef Vault, Citadel, Confidant, Configuration Storage Systems (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz, Knox, Red October, Trousseau, Vault (Hashicorp)

Slide 37

AWS SECRETS MANAGER

Slide 38

EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION

Cost Dimensions
- 2 SSH keys per server and 5 database credentials per database.
- 2 API calls per SSH key per day. 24 API calls per database credential per day.
- 7 API calls per database credential per week to rotate credentials safely.

15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month
4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05 / 10,000 calls
$6.02 TOTAL (PER MONTH)

Slide 39

EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICROSERVICES

Cost Dimensions
- 5M secrets (each valid for 1 hour).
- 2 API calls per secret per month.
Note: since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour

$2,800.00   5M secrets @ $0.00056 / secret / hour
$50.00      10M API calls (5M secrets * 2 API calls) @ $0.05 / 10,000 calls
$2,850.00   TOTAL (PER MONTH)
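Added example, not from the talk or from AWS: a small model of the Secrets Manager pricing behind the two examples above, so the figures can be reproduced and the same formula applied to other deployments. The prices ($0.40 per secret per month, $0.05 per 10,000 API calls), the 30-day month and the rounding of the hourly price to $0.00056 are taken from the slides; the Workload type and example functions are this example's own.

```python
from dataclasses import dataclass

PRICE_PER_SECRET_MONTH = 0.40   # $ per stored secret per month (slide)
PRICE_PER_10K_CALLS = 0.05      # $ per 10,000 API calls (slide)
HOURS_PER_MONTH = 30 * 24       # the slide prorates against a 30-day month

@dataclass
class Workload:
    secrets: int                            # distinct secrets stored during the month
    api_calls: int                          # total API calls in the month
    hours_stored: float = HOURS_PER_MONTH   # lifetime of each secret; prorated if shorter

def price_per_secret(hours_stored: float) -> float:
    """Storage price for one secret, prorated by the hour and rounded as the slide does."""
    return round(PRICE_PER_SECRET_MONTH * hours_stored / HOURS_PER_MONTH, 5)

def secret_cost(w: Workload) -> float:
    return w.secrets * price_per_secret(w.hours_stored)

def api_cost(w: Workload) -> float:
    return w.api_calls / 10_000 * PRICE_PER_10K_CALLS

def monthly_cost(w: Workload) -> float:
    return round(secret_cost(w) + api_cost(w), 2)

def example_web_app() -> Workload:
    """Example 1: 1 load balancer + 2 web + 2 app servers, 2 SSH keys each; 1 DB with 5 credentials."""
    ssh_keys = 2 * (1 + 2 + 2)
    db_creds = 5 * 1
    calls = (ssh_keys * 1 * 30        # one retrieval per key per day (the figure the slide's sum uses)
             + db_creds * 24 * 30     # hourly retrieval per credential
             + db_creds * 7 * 4)      # weekly rotation, 7 calls each
    return Workload(secrets=ssh_keys + db_creds, api_calls=calls)

def example_ephemeral() -> Workload:
    """Example 2: 5M one-hour secrets for service-to-service auth, 2 calls each."""
    return Workload(secrets=5_000_000, api_calls=5_000_000 * 2, hours_stored=1)
```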

Slide 40

HASHICORP VAULT

Slide 41

GOOD FIT?

Slide 42

SHAMIR'S SECRET SHARING ALGORITHM
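Added example, not from the talk and not Vault's own code: Shamir's secret sharing, the scheme Vault uses to split its master key into unseal key shares. Vault's implementation works byte-wise over GF(2^8); this demo uses a prime field with the Mersenne prime 2**127 - 1 and an 8-byte constructed secret instead, which keeps the arithmetic readable.

```python
import secrets
from typing import List, Tuple

PRIME = 2**127 - 1  # field modulus (a Mersenne prime); the secret must be smaller than this

def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial (constant term first) at x, modulo PRIME, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Split secret into n shares (x, y); any k of them reconstruct it, fewer reveal nothing."""
    if not 0 <= secret < PRIME or not 1 <= k <= n:
        raise ValueError("secret outside the field or bad threshold")
    # The secret is the constant term; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def combine(shares: List[Tuple[int, int]]) -> int:
    """Recover the constant term by Lagrange interpolation at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Multiply by the modular inverse of den (Fermat's little theorem).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def demo_unseal(k: int = 3, n: int = 5) -> bool:
    """Split a constructed master key into n unseal shares and check two different k-subsets."""
    master_key = int.from_bytes(b"demo-key", "big")
    shares = split(master_key, k, n)
    return combine(shares[:k]) == master_key and combine(shares[-k:]) == master_key
```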

Slide 43

VAULT STARTUP: UNSEAL -> DECRYPT -> AUTHENTICATE -> LOAD POLICIES -> READY

Slide 44

VAULT OPERATES EXCLUSIVELY IN A WHITELIST MODE (deny by default: only what a policy explicitly allows is permitted)

Slide 45

PHP

$client = new \GuzzleHttp\Client([
    'base_uri' => $baseUrl,
    'timeout'  => 2.0,
    'headers'  => [
        'X-Vault-Token' => $accessToken,   // the client token obtained from Vault
        'Accept'        => 'application/json',
    ],
]);

$response = $client->request('GET', '/v1/secret/hello/excited');
$body = $response->getBody();
$body->seek(0);                                  // rewind in case the stream was already read
$output = json_decode(trim($body->getContents()));
print_r($output->data->excited);                 // prints: yes

Slide 46

EVERYTHING IS AWESOME, RIGHT?
> sealing/unsealing
> http calls

Slide 47

HOW DOES IT ALL FIT TOGETHER:
> the vault token goes into config (ironic, I know)
> that token gets sent to the vault server, and a client token is returned
> only retrieval of the secrets granted by the assigned ACL is possible
> when the lease on the client token expires, the vault token is used to obtain a new one

Slide 48

In case of a breach:
> your tripwire system is triggered
> your files are downloaded, possibly the config ones as well
> you remove the server from the public network
> you rotate the token that was generated
> you update the config
> you make the server publicly available again
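Added example, not the talk's PHP client: the token flow of slides 47 and 48 in Python. The long-lived token from config creates a short-lived client token (Vault's POST /v1/auth/token/create), secrets are read with that client token and Vault's ACL decides what it may see, a new client token is requested once the lease has run out, and rotating the config token after a breach revokes the exposed one (POST /v1/auth/token/revoke-self). VaultClient and FakeVault are constructed for this example; the HTTP layer is an injected callable so the in-memory FakeVault can stand in for a real server.

```python
import time
from typing import Callable, Optional

# transport(method, path, token, body) -> parsed JSON; a real one wraps urllib and sends X-Vault-Token
Transport = Callable[[str, str, str, Optional[dict]], dict]

class VaultClient:
    def __init__(self, config_token: str, transport: Transport, clock=time.monotonic):
        self.config_token = config_token          # the token that lives in config (slide 47)
        self.transport, self.clock = transport, clock
        self.client_token, self.expires_at = None, 0.0

    def _ensure_client_token(self) -> str:
        """Reuse the client token while its lease lasts; ask for a new one when it is gone."""
        if self.client_token is None or self.clock() >= self.expires_at:
            auth = self.transport("POST", "/v1/auth/token/create", self.config_token, {})["auth"]
            self.client_token = auth["client_token"]
            self.expires_at = self.clock() + auth["lease_duration"] - 1   # refresh a bit early
        return self.client_token

    def read(self, path: str) -> dict:
        """Read a KV v1 secret; the ACL attached to the client token decides what is readable."""
        return self.transport("GET", "/v1/secret/" + path, self._ensure_client_token(), None)["data"]

    def rotate_config_token(self, new_token: str) -> None:
        """Breach response (slide 48): revoke the exposed config token and switch to the new one."""
        self.transport("POST", "/v1/auth/token/revoke-self", self.config_token, None)
        self.config_token, self.client_token = new_token, None

class FakeVault:
    """Constructed in-memory stand-in for a Vault server: a root token and one narrow policy."""
    def __init__(self, root_token: str, secrets: dict, lease: int = 60):
        self.tokens = {root_token: "root"}            # token -> policy name
        self.secrets, self.lease, self.issued = secrets, lease, 0

    def __call__(self, method: str, path: str, token: str, body: Optional[dict]) -> dict:
        if token not in self.tokens:
            raise PermissionError("permission denied")   # revoked or unknown token
        if path == "/v1/auth/token/create":
            self.issued += 1
            child = f"s.client{self.issued}"
            self.tokens[child] = "hello-reader"       # child tokens only get the narrow policy
            return {"auth": {"client_token": child, "lease_duration": self.lease}}
        if path == "/v1/auth/token/revoke-self":
            del self.tokens[token]
            return {}
        key = path[len("/v1/secret/"):]
        if self.tokens[token] != "root" and not key.startswith("hello/"):
            raise PermissionError("permission denied")   # ACL: hello-reader sees only hello/*
        return {"data": self.secrets[key]}
```

With a real server, pass a transport that performs the HTTP request and returns the decoded JSON body; the client logic is unchanged.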

Slide 49

FINAL WORDS

Slide 50

The average cost of a large data breach (one in which more than one million records are lost) in 2018 was $3.9 MILLION

Slide 51

THE END