Handmade security at Etsy
https://www.flickr.com/photos/roland/
Slide 2
@benjammingh
Whom be this?
• Ben Hughes, security monkey manager at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.
Slide 3
It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.
Slide 4
Security, where did it all go wrong?
Slide 5
Wait, but we bought a firewall!
Slide 6
They’re coming out of the walls
Slide 7
#Cloud #Clouds #CloudAAS
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)
Slide 8
But we’re secure, right?
Slide 10
The Watering hole attacks of Feb
Slide 11
Other than the very occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
Quotes to be taken out of context
Slide 12
I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)
Slide 13
Zero [cool] day
• Zero day is bad!
Slide 14
Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.
Slide 15
Rejoice. That mostly doesn’t matter!
Slide 16
Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)
Slide 17
Hudson hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)
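The three questions on this slide turned into detection logic a log pipeline could run, as an added example (my code, not Etsy’s or the speaker’s). The event records and field names are constructed, loosely modelled on process-exec, network-connect and file-open audit events; the web-tier process names and allowed directory prefixes are assumptions:

```python
"""Flag lateral-movement symptoms on a web tier from constructed audit events."""

# Constructed sample events (not real logs): one exec, connect and open per question.
EVENTS = [
    {"type": "exec", "host": "web01", "user": "www-data", "parent": "httpd", "exe": "/bin/sh"},
    {"type": "exec", "host": "web01", "user": "www-data", "parent": "httpd", "exe": "/usr/bin/php"},
    {"type": "connect", "host": "web01", "exe": "/usr/bin/ssh", "dst": "10.0.2.15", "dport": 22},
    {"type": "connect", "host": "web01", "exe": "httpd", "dst": "10.0.3.5", "dport": 3306},
    {"type": "open", "host": "web02", "exe": "coldfusion", "path": "/etc/shadow"},
    {"type": "open", "host": "web02", "exe": "coldfusion", "path": "/opt/coldfusion/wwwroot/index.cfm"},
]

# Assumed process names for the web tier and the shells they should never spawn.
WEB_SERVERS = {"httpd", "nginx", "coldfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
# Assumed per-process file trees; anything else is "arbitrary files off of disk".
ALLOWED_PREFIXES = {"coldfusion": ("/opt/coldfusion/", "/tmp/")}


def suspicious(event):
    """Return a reason string if the event answers one of the three questions, else None."""
    kind = event["type"]
    # Q1: why is /bin/sh running under the webserver?
    if kind == "exec" and event["parent"] in WEB_SERVERS and event["exe"] in SHELLS:
        return f"{event['host']}: {event['parent']} spawned {event['exe']} as {event['user']}"
    # Q2: why is the webserver trying to SSH to other hosts?
    if kind == "connect" and event["dport"] == 22:
        return f"{event['host']}: outbound SSH to {event['dst']} from {event['exe']}"
    # Q3: why is the ColdFusion process reading files outside its own tree?
    if kind == "open":
        prefixes = ALLOWED_PREFIXES.get(event["exe"])
        if prefixes is not None and not event["path"].startswith(prefixes):
            return f"{event['host']}: {event['exe']} read {event['path']} outside its tree"
    return None


def triage(events):
    """Collect the reasons for every event worth a human look."""
    return [reason for reason in (suspicious(e) for e in events) if reason]


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The same structure works for real auditd or osquery output once the field names are mapped; the point is that the symptom (shell, SSH, file read) is visible regardless of which bug let the attacker in.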
Slide 18
But still patch
• Please, still patch things. (disable Java)
• Know that it isn’t a panacea.
• Realise that it is mostly okay.
Slide 19
Please do patch!
• No really!
Slide 20
Logs are your eyes.
“If it’s not monitored...
...it’s not in production”
Well
“If it’s not logged, did it really
happen?”
Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
Slide 29
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.
Slide 30
Intermission.
Slide 31
New, Improved Devops
• Silo smashing into one new larger silo!
Slide 32
DevSecOpsFarmerQueen
• Many hats.
• Not just dev.
• Not just ops.
• Security doesn’t just magically happen.
Slide 33
Get security involved!
• This can be done in all sized environments!
• Small: having someone who has a security background or interest.
• Large: ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/
Slide 35
Security are people too!
• They just might not always act like it...
• Security is the only area of technology with genuine adversaries.
Slide 36
Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!
Slide 37
Science time
http://info.veracode.com/rs/veracode/images/soss-v3.pdf
Slide 38
Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.
Slide 39
Reducing barriers.
Having an approachable security team is the most important thing they can do.
The second you lose the ability to talk to them about anything, you effectively lose your security team.
Slide 42
So, that party you mentioned?
• Skill sharing.
• Hack week.
• Boot camping.
Slide 43
Borrowing from the devops.
• Unit tests!
• Test your code and your infrastructure.
Slide 44
Borrowing from the devops.
• Unit tests! https://gist.github.com/barn/45586d9690abaa53f933
Slide 45
Borrowing from the devops.
• Unit tests!
• http://www.morethanseven.net/2013/12/29/making-the-web-secure/ from @Garethr
• https://www.youtube.com/watch?v=XfBIouZ7roc @Garethr again & @Wickett
Don’t worry, these links will be online…
Slide 46
Borrowing from the devops.
• Unit tests!
• Test your code and your infrastructure.
• Wait, someone other than Gareth already gave this talk too: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
Slide 47
Borrowing from the devops.
Yet again so did Gareth!
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
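What “unit tests for your infrastructure” can look like in practice, as an added example (my code, not the linked gist and not Etsy’s): a check over sshd_config text with a constructed weak sample beside a hardened one. The defaults used when a keyword is absent are my assumptions from the sshd_config(5) documentation, not something the slides state:

```python
"""Unit-test style hardening checks for sshd_config, run on constructed samples."""

# Constructed samples, not taken from any real host.
WEAK_SSHD_CONFIG = """\
Port 22
#PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# (keyword, required value, assumed default when the keyword is absent;
#  the defaults are taken from sshd_config(5) as I read it)
SSHD_RULES = [
    ("PermitRootLogin", "no", "prohibit-password"),
    ("PasswordAuthentication", "no", "yes"),
    ("PubkeyAuthentication", "yes", "yes"),
]


def parse_sshd_config(text):
    """Return keyword -> effective value; sshd honours the first occurrence."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blank lines
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sshd_findings(text, rules=SSHD_RULES):
    """List (keyword, effective value) for every rule the config violates."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, wanted, default in rules:
        effective = settings.get(keyword.lower(), default)
        if effective.lower() != wanted:
            findings.append((keyword, effective))
    return findings


def run_checks():
    """Behave like a unit test: raise if the hardened config regresses."""
    assert sshd_findings(HARDENED_SSHD_CONFIG) == [], "hardened config has findings"
    return sshd_findings(WEAK_SSHD_CONFIG)
```

Point the same functions at the file your config management renders and the check runs in CI before the change reaches a host.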
Slide 48
Stop saying “No!”
Slide 50
So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are.
Slide 51
Fin
How can security work better with you?