Help the hackers get your data

In May 2018 something happened to the internet: the GDPR came online,
and suddenly users in the EU had a lot more rights over their digital privacy,
which is awesome. On the flip side, the implementation of the GDPR and the
procedures around it are very vague and were meant to be worked out as
we go along, with whatever emerges as best practice.
Books and talks have been written and given about data encryption, about the problems
encountered with event-sourcing systems, about questionnaires on the purposes of
collecting user data... So many words, and so many hours of many lives spent...
Yet something has been overlooked, something so basic that we do not even notice it.
If you are working on an enterprise-class project or another large project,
you might have an infra team that deals with this and tells you what you need
to do to be secure (at least the good ones will).
But... if you are working on smaller projects, and you have mom-and-pop shops
to support, you deserve the same level of security bigger projects have...
I am talking about secrets and credentials management for your application, the most
overlooked aspect of any application.
This talk looks at secrets management and security from the business side of things and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

March 12, 2020

Transcript

  1. HELP THE HACKERS GET YOUR DATA
    Srdjan Vranac, @vranac, WebCraftConf 2020

  2. WHOAMI
    Srdjan Vranac
    Founder/Team Lead @ Code4Hire
    Architecture/Software consultant
    I make developers uncomfortable and engineers happy

  3. WHOAMI

  4. HELP THE HACKERS GET YOUR DATA
    IF YOU WANT TO EXPERIENCE SOME
    VERY VERY VERY VERY VERY
    UNPLEASANT THINGS AND DEPENDING
    ON WHOSE DATA THEY GOT EVEN FACE
    JAIL TIME

  5. SECURITY IS IMPORTANT
    M'KAY

  6. TOO MANY SECRETS

  7. A good software engineer has
    technical skills,
    communication skills
    AND business skills
    — Antonio Peric-Mazar (Locastic CEO)

  8. Take off your developer's hat
    Focus on the business goals,
    less on academics
    — David Cramer (Sentry CEO)
    from "Mastering Duct Tape", PyCon Balkan 2018

  9. COST OF NOT HANDLING SECURITY

  10. COST AND SECURITY
    ARE
    AFTERTHOUGHT

  11. BY THINKING IN TERMS OF
    COST AND EXPENSES
    SECURITY STARTS TO CLIMB MORE AND
    MORE ON THE PRIORITY LIST

  12. LOW HANGING FRUIT

  13.

  14. DATA BREACHES EXPOSED
    4.1 BILLION RECORDS
    IN FIRST SIX MONTHS OF
    2019

  15. It's a s#1t show,
    but you front row
    — Lil Wayne, "Uproar"

  16. COMMON WAYS OF
    REVEALING YOUR
    SECRETS?

  17. MALICIOUS PARTY
    GAINING ACCESS TO YOUR
    INFRASTRUCTURE

  18.

  19.

  20.

  21. You don't store your users' passwords in your database,
    yet the access credentials to said database are written
    down in cleartext in a file on your server.
    — Andreas Heigl
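
The quote above names the concrete failure this talk is built around, so here is a small detective control for it. This scanner is added here as an example; it is not part of the talk or its slides. It flags credential-looking values in plain-text configuration files (`.env`, `parameters.yml` and the like) so they can be caught in CI or on the host before an attacker reads them. The regular expressions, the entropy threshold and the sample configuration content are constructed for this example; the AWS values in the sample are the placeholder keys from AWS's own documentation.

```python
"""Flag credential-looking values sitting in plain-text config files.

Added example for this page, not code from the talk. Patterns, threshold
and the sample file are constructed for illustration.
"""
import math
import re
from collections import Counter

# key = value / key: "value" where the key names a credential
ASSIGNMENT_RE = re.compile(
    r"""(?ix)
    (password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)\b
    \s*[:=]\s*["']?(?P<value>[^\s"'\#]+)
    """
)
# AWS access key IDs have a fixed, public shape; a hit is a finding on its own
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Values injected at runtime ({{ name }} templates, ${VAR}) are not cleartext secrets
PLACEHOLDER_RE = re.compile(r"^(\{\{|\$)")


def shannon_entropy(s: str) -> float:
    """Bits per character: generated tokens score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per suspicious line: {source, line, kind, value}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue
        aws = AWS_KEY_ID_RE.search(line)
        if aws:
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": aws.group(0)})
            continue
        m = ASSIGNMENT_RE.search(line)
        if not m or PLACEHOLDER_RE.match(m.group("value")):
            continue
        value = m.group("value")
        # long and high-entropy looks generated (API key, secret access key);
        # anything else assigned to a credential key is still a cleartext secret
        kind = ("high_entropy_secret"
                if len(value) >= 16 and shannon_entropy(value) > 3.5
                else "cleartext_assignment")
        findings.append({"source": source, "line": lineno, "kind": kind, "value": value})
    return findings


def scan_files(paths) -> list:
    """Scan several files; an unreadable file is skipped rather than aborting the run."""
    out = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                out.extend(scan_text(fh.read(), str(path)))
        except OSError:
            pass
    return out


# Constructed sample: a parameters.yml-style file left on a web server.
# The AWS values are the documented example placeholders, not real keys.
SAMPLE_CONFIG = """\
# database settings
database_host: db.internal
database_user: app
database_password: hunter2
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_token: ${API_TOKEN}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "parameters.yml"):
        print(f"{f['source']}:{f['line']}: {f['kind']}: {f['value']}")
```

Run `scan_files([...])` over the repository's config files in CI and fail the build on any finding. Template placeholders such as `{{ password }}` or `${DB_PASS}` are deliberately not reported: they are what a secrets manager renders at runtime, which is the direction the later slides take.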

  22.

  23. 15 MINUTES
    OF PUBLIC AVAILABILITY

  24. LESSON IN CHAOS
    ENGINEERING

  25. HEY LOOK, IT'S GONE...

  26. LESSON IS ACTUALLY A MASTERCLASS

  27. AN EMAIL A DAY KEEPS
    THE CHAOS MONKEY AWAY

  28. SCORCHED EARTH POLICY

  29.

  30. ENVIRONMENT VARIABLES

  31.

  32.

  33. CONTAINERS!!!111

  34.

  35. DOCKER SECRETS!!!

  36. IF OPS TEAM ALLOWS THIS!
    PLEASE HAVE A TALK WITH THEM!

  37. CONSEQUENCES

  38. LIABILITY
    &
    CRIMINAL NEGLIGENCE

  39.

  40. CERTIFICATION

  41. SECRETS MANAGEMENT
    COST/DAMAGE CONTROL

  42. HOW CAN THIS SITUATION
    BE IMPROVED?

  43. SECRETS MANAGEMENT
    APPLICATIONS

  44. EASE OF SETUP AND
    OPERATION

  45. SECRET ROTATION

  46. DYNAMIC SECRETS
    {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

  47. ENCRYPTION
    IN TRANSPORT AND AT
    REST

  48. CHOICES OF BACKENDS

  49. COST

  50. Ansible Vault, Barbican, Chef Data Bags, Chef Vault,
    Citadel, Confidant, Configuration Storage Systems
    (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz,
    Knox, Red October, Trousseau, Vault (Hashicorp)

  51. AWS SECRETS MANAGER

  52. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
    Cost Dimensions
    - 2 SSH keys per server and 5 database credentials per database.
    - 2 API calls per SSH key per day. 24 API calls per database credential per day.
    - 7 API calls per database credential per week to rotate credentials safely.
    15 secrets (2 SSH keys * 1 load balancer
    + 2 SSH keys * 2 web servers
    + 2 SSH keys * 2 app servers
    + 5 database credentials * 1 database)
    @ $0.40 / secret / month
    4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
    + 5 database credentials * 1 database * 24 API calls/day * 30 days
    + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls
    $6.02 TOTAL (PER MONTH)

  53. EXAMPLE 2: USING EPHEMERAL SECRETS TO
    AUTHENTICATE MICRO SERVICES
    Cost Dimensions
    5M secrets (each valid for 1 hour).
    2 API calls per secret per month.
    Note: Since these secrets are stored in Secrets Manager for an hour,
    the price per secret is calculated as
    $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret/ hour
    $2,800.00 5M secrets @ $0.00056 / secret/ hour
    $50.00 10M API calls (5M secret * 2 API calls) @ $0.05/10,000 calls
    $2,850.00 TOTAL (PER MONTH)

  54. HASHICORP VAULT

  55. GOOD FIT?

  56. SHAMIR'S SECRET
    SHARING ALGORITHM

  57. VAULT OPERATES
    EXCLUSIVELY IN A
    WHITELIST MODE

  58. EVERYTHING IS AWESOME? RIGHT?
    > sealing/unsealing
    > http calls

  59. HOW DOES IT ALL FIT TOGETHER:
    > vault token goes into config (ironic, I know)
    > token gets sent to the vault server, and client token is returned
    > only retrieval of secrets granted by the ACL assigned is possible
    > when lease on client token expires, vault token is used to obtain new one

  60. IN CASE OF BREACH:
    > your tripwire system is triggered
    > your files are downloaded (possibly config as well)
    > you remove server from public
    > you rotate the token generated
    > you update the config
    > you make server publicly available
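
Slides 46, 59 and 60 describe one flow: a DSN template with placeholders for dynamic database credentials, an auth token in config that is exchanged for a client token, a whitelist policy deciding what that client may read, leases that expire and are renewed, and rotation of the auth token after a breach. The simulation below is added here as an example; it is not from the talk and it is not HashiCorp Vault's API. `SecretBroker`, `App`, the policy and path names and the TTL values are hypothetical stand-ins; only the DSN template string is taken from slide 46.

```python
"""Lease-based dynamic credentials behind a default-deny policy, simulated.

Added example for this page. SecretBroker is an in-memory stand-in for a
secrets server, not Vault; names, paths and TTLs are constructed.
"""
import re
import secrets
from dataclasses import dataclass

# Template from the "dynamic secrets" slide; placeholders are filled at runtime, never in config.
DSN_TEMPLATE = "{{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}"
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_dsn(values: dict) -> str:
    """Fill every {{ name }} in the template; an unknown name raises KeyError."""
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], DSN_TEMPLATE)


@dataclass
class Lease:
    username: str       # generated per request, e.g. v-shop-1a2b3c4d
    password: str
    expires_at: float   # after this the credential is gone; the app must ask again


class SecretBroker:
    """Hypothetical secrets server: whitelist policies, short-lived tokens and credentials."""

    def __init__(self, client_token_ttl: float = 600.0, cred_ttl: float = 3600.0):
        self.client_token_ttl, self.cred_ttl = client_token_ttl, cred_ttl
        self.policies = {}       # policy name -> set of paths it may read (whitelist mode)
        self.auth_tokens = {}    # long-lived token that lives in app config -> policy
        self.client_tokens = {}  # short-lived token -> (policy, parent auth token, expires_at)

    def issue_auth_token(self, policy: str) -> str:
        token = secrets.token_urlsafe(24)
        self.auth_tokens[token] = policy
        return token

    def revoke_auth_token(self, token: str) -> None:
        self.auth_tokens.pop(token, None)  # rotation: client tokens derived from it die too

    def login(self, auth_token: str, now: float) -> str:
        policy = self.auth_tokens.get(auth_token)
        if policy is None:
            raise PermissionError("unknown or revoked auth token")
        client = secrets.token_urlsafe(24)
        self.client_tokens[client] = (policy, auth_token, now + self.client_token_ttl)
        return client

    def read_creds(self, client_token: str, path: str, now: float) -> Lease:
        entry = self.client_tokens.get(client_token)
        if entry is None:
            raise PermissionError("unknown client token")
        policy, parent, expires_at = entry
        if now >= expires_at or parent not in self.auth_tokens:
            raise PermissionError("client token expired or its auth token was revoked")
        if path not in self.policies.get(policy, ()):  # default deny
            raise PermissionError(f"policy {policy!r} does not grant {path!r}")
        user = "v-" + path.rsplit("/", 1)[-1] + "-" + secrets.token_hex(4)
        return Lease(user, secrets.token_urlsafe(32), now + self.cred_ttl)


class App:
    """Application side: config carries only the auth token and connection facts."""

    def __init__(self, broker, auth_token, path, mysql_server, database):
        self.broker, self.auth_token, self.path = broker, auth_token, path
        self.mysql_server, self.database = mysql_server, database
        self.client_token, self.client_expires, self.lease = None, 0.0, None

    def dsn(self, now: float) -> str:
        if self.lease is None or now >= self.lease.expires_at:
            if self.client_token is None or now >= self.client_expires:
                self.client_token = self.broker.login(self.auth_token, now)
                self.client_expires = now + self.broker.client_token_ttl
            self.lease = self.broker.read_creds(self.client_token, self.path, now)
        return render_dsn({"USERNAME": self.lease.username, "password": self.lease.password,
                           "mysql_server": self.mysql_server, "DATABASE": self.database})


def _denied(call) -> bool:
    """True when the broker refuses the call."""
    try:
        call()
        return False
    except PermissionError:
        return True


def run_demo() -> dict:
    """Walk the flow with constructed names and report what an operator would check."""
    broker = SecretBroker(client_token_ttl=600, cred_ttl=3600)
    broker.policies["web"] = {"database/creds/shop"}
    token = broker.issue_auth_token("web")  # the only secret-related value in config
    app = App(broker, token, "database/creds/shop", "db.internal", "shop")
    first = app.dsn(now=0)
    out = {"renders_template": first.endswith("@tcp(db.internal:3306)/shop"),
           "stable_within_ttl": app.dsn(now=1800) == first,
           "rotated_after_ttl": app.dsn(now=3600) != first,
           "denied_other_path": _denied(lambda: broker.read_creds(
               broker.login(token, 0), "database/creds/billing", 0))}
    broker.revoke_auth_token(token)  # slide 60: rotate the token, then update the config
    out["leaked_token_dead"] = _denied(
        lambda: App(broker, token, "database/creds/shop", "db.internal", "shop").dsn(now=7200))
    return out
```

`run_demo()` returns what an operator would want to confirm: the rendered DSN has the template's shape, the same credentials are reused while the lease is valid, a new pair is issued once it expires, a path outside the policy is refused, and after `revoke_auth_token` the token that sat in the downloaded config no longer logs in.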

  61. BUT DO YOU USE SECRET MANAGEMENT ON EVERY
    PROJECT?
    > user data, maybe PII, maybe not? yes
    > any kind of sensitive data? yes
    > any kind of payments on the system? definitely yes

  62. FINAL WORDS

  63. average cost of a large data breach (in which more than
    one million records are lost) in 2018 was
    $3.9 MILLION DOLLARS

  64. THANK YOU!
    QUESTIONS?