Opening up Security
(without introducing more risk)
Following in the footsteps of devops

Gareth Rushgrove, Puppet
@garethr
Introduction
What to expect
- The security stereotype
- A story of the devops movement
- A brief economics interlude
- Opportunities for openness
The Security Stereotype
A barrier to entry
stereotype (noun; plural noun: stereotypes)
A widely held but fixed and oversimplified image or idea of a particular type of person or thing.

lingo (noun; plural noun: lingoes)
The language and speech, especially the jargon, slang or argot, of a particular field, group or individual.
Most security events are for
security people
Few security people attend or
speak at developer conferences
Security is a silo
The Story of Infrastructure
Parallels for security?
Ops used to be a silo*
BOFH (Bastard Operator from Hell)
a fictional rogue systems administrator who takes out his anger on users and others who pester him with computer problems
Infrastructure as code
1993 (Mark Burgess is from the future)
2005
Infrastructure as a service
2006
Devops practices
2008
2009
2016
Container platforms
2013-
Content, not just software
Puppet Forge
Docker Hub
Public incident reports
Platforms and Network Effects
Economic advantages
Open source exhibits a
classic network effect
Two-sided markets are economic platforms with two distinct user groups that provide each other with network benefits
Opportunities in Security?
Embracing openness
Security policy is still often just
a stack of paper
Limited examples of
transformative open source
security software
Where are the security
platforms?
The emergence of
interesting tooling
BDD Security
Sysdig
osquery
Shared content not just tools
Hardening Framework
SIMP from the NSA
End User Device Guides
Events that emphasise crossover
with developers and operations
DevSecCon
What would we mean by
- Open source security?
- Security as a service?
- Security as code?
- Ruby on Rails for security?
Why Openness for Security is Hard
Challenges and assumptions
“Popular wisdom is that secrecy equals security”
Bruce Schneier
Security through obscurity
“This guidance takes the view that no one particular type of software is inherently more, or less, secure than the other and does not favour one type over the other”
GPG38, UK Government
Helping attackers
Attackers are using network
effects against you
Marketplaces that sell:
- DDoS attacks for $5 an hour
- 300,000 airline points for $90
- American Express cards for $30
- French driver’s license for $238
(From the SecureWorks 2016 Underground Hacker Markets Annual Report)
Products available like:
- ATM skimming devices for $400
- Exploit kits from $100
- RATs for as little as $5
- DDoS online tutorials from $20
(From the SecureWorks 2016 Underground Hacker Markets Annual Report)
Liability
Overzealous open source advocates
Fear, uncertainty and doubt
Conclusions
What can we do to make things better?
1. Understand the importance of tools which leverage network effects
   Look out for and back emerging platforms

2. Appreciate the importance of service design for security
   Read Designing Delivery

3. Start sharing across communities
   Attend and speak at a developer or operations focused event
Questions
And thanks for listening