
Help the hackers get your data

In May 2018 something happened to the internet: the GDPR came into force, and suddenly users in the EU had a lot more rights over their digital privacy, which is awesome. On the flip side, the implementation of the GDPR and the procedures around it are very vague and were meant to be written as we go along, with whatever comes up as best practice.

Books and talks have been written and given about data encryption, the problems encountered with event-sourcing systems, questionnaires about the purposes of collecting user data... So many words and hours of many lives spent... Yet something has been overlooked, something so basic that we do not even notice it.

If you are working on an enterprise-class project or another large project, you might have an infra team that deals with this and tells you what you need to do to be secure (at least the good ones will). But if you are working on smaller projects, with mom-and-pop shops to support, you deserve the same level of security that bigger projects have... I am talking about secrets and credentials management for your application, the most overlooked aspect of any application.

This talk gives you a look at secrets management and security from the business side of things and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

March 12, 2020
Transcript

  1. HELP THE HACKERS GET YOUR DATA Srdjan Vranac, @vranac, WebCraftConf 2020
  2. WHOAMI Srdjan Vranac, Founder/Team Lead @ Code4Hire, Architecture/Software consultant. I make developers uncomfortable and engineers happy.
  3. WHOAMI
  4. HELP THE HACKERS GET YOUR DATA IF YOU WANT TO EXPERIENCE SOME VERY VERY VERY VERY VERY UNPLEASANT THINGS AND, DEPENDING ON WHOSE DATA THEY GOT, EVEN FACE JAIL TIME
  5. SECURITY IS IMPORTANT M'KAY
  6. TOO MANY SECRETS
  7. A good software engineer has technical skills, communication skills AND business skills — Antonio Peric-Mazar (Locastic CEO)
  8. Take off your developer's hat. Focus on the business goals, less on academics — David Cramer (Sentry CEO), from "Mastering Duct Tape", PyCon Balkan 2018
  9. COST OF NOT HANDLING SECURITY
  10. COST AND SECURITY ARE AN AFTERTHOUGHT
  11. BY THINKING IN TERMS OF COST AND EXPENSES, SECURITY STARTS TO CLIMB MORE AND MORE ON THE PRIORITY LIST
  12. LOW HANGING FRUIT
  13. (no text on slide)
  14. DATA BREACHES EXPOSED 4.1 BILLION RECORDS IN FIRST SIX MONTHS OF 2019
  15. It's a s#1t show, but you front row — Lil Wayne, "Uproar"
  16. COMMON WAYS OF REVEALING YOUR SECRETS?
  17. MALICIOUS PARTY GAINING ACCESS TO YOUR INFRASTRUCTURE
  18. (no text on slide)
  19. (no text on slide)
  20. (no text on slide)
  21. You don't store your users' passwords in your database, yet the access credentials to said database are written down in cleartext in a file on your server. — Andreas Heigl
  22. (no text on slide)
  23. 15 MINUTES OF PUBLIC AVAILABILITY
  24. LESSON IN CHAOS ENGINEERING
  25. HEY LOOK, IT'S GONE...
  26. LESSON IS ACTUALLY A MASTERCLASS
  27. AN EMAIL A DAY KEEPS THE CHAOS MONKEY AWAY
  28. SCORCHED EARTH POLICY
  29. (no text on slide)
  30. ENVIRONMENT VARIABLES
  31. (no text on slide)
  32. (no text on slide)
  33. CONTAINERS!!!111
  34. (no text on slide)
  35. DOCKER SECRETS!!!
  36. IF THE OPS TEAM ALLOWS THIS, PLEASE HAVE A TALK WITH THEM!
  37. CONSEQUENCES
  38. LIABILITY & CRIMINAL NEGLIGENCE
  39. (no text on slide)
  40. CERTIFICATION
  41. SECRETS MANAGEMENT COST/DAMAGE CONTROL
  42. HOW CAN THIS SITUATION BE IMPROVED?
  43. SECRETS MANAGEMENT APPLICATIONS
  44. EASE OF SETUP AND OPERATION
  45. SECRET ROTATION
  46. DYNAMIC SECRETS {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}
  47. ENCRYPTION IN TRANSPORT AND AT REST
  48. CHOICES OF BACKENDS
  49. COST
  50. Ansible Vault, Barbican, Chef Data Bags, Chef Vault, Citadel, Confidant, Configuration Storage Systems (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz, Knox, Red October, Trousseau, Vault (Hashicorp)
  51. AWS SECRETS MANAGER
  52. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
      Cost dimensions:
      - 2 SSH keys per server and 5 database credentials per database.
      - 2 API calls per SSH key per day. 24 API calls per database credential per day.
      - 7 API calls per database credential per week to rotate credentials safely.
      15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month: $6.00
      4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05 / 10,000 calls: $0.02
      TOTAL (PER MONTH): $6.02
  53. EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICRO SERVICES
      Cost dimensions: 5M secrets (each valid for 1 hour). 2 API calls per secret per month.
      Note: since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour.
      5M secrets @ $0.00056 / secret / hour: $2,800.00
      10M API calls (5M secrets * 2 API calls) @ $0.05 / 10,000 calls: $50.00
      TOTAL (PER MONTH): $2,850.00
  54. HASHICORP VAULT
  55. GOOD FIT?
  56. SHAMIR'S SECRET SHARING ALGORITHM
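Slide 56 names the algorithm Vault uses to split its master key into unseal key shares (by default 5 shares, any 3 of which unseal). The block below is an added example written for this page, not Vault's code or anything from the talk: Vault shares the key byte-wise over GF(2^8), whereas this illustration works in one large prime field for brevity. `SAMPLE_KEY`, `PRIME`, and the function names are assumptions made here; the point it shows is that k shares reconstruct the secret exactly while k-1 shares yield an unrelated value.

```python
import secrets

# 2^521 - 1 is a Mersenne prime; every secret must be an integer below it.
PRIME = (1 << 521) - 1
SAMPLE_KEY = bytes(range(16))  # constructed stand-in for a 16-byte master key


def _eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Split integer `secret` into n shares (x, y); any k of them rebuild it.

    The secret is the constant term of a random degree-(k-1) polynomial, so
    fewer than k points leave every value of the secret equally likely.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME) to recover the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo(master_key=SAMPLE_KEY, n=5, k=3):
    """Split a key 5 ways with threshold 3 (Vault's defaults) and compare what
    k shares and k-1 shares recover."""
    secret = int.from_bytes(master_key, "big")
    shares = split_secret(secret, n, k)
    return {
        "recovered_with_k": combine_shares(shares[1:1 + k]) == secret,
        "recovered_with_k_minus_1": combine_shares(shares[:k - 1]) == secret,
    }
```

Because the polynomial's higher coefficients are drawn uniformly at random, the k-1 share case is not "almost right": the interpolated value is uniform over the field, which is why a quorum of operators, not any one of them, can unseal.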

  57. VAULT OPERATES EXCLUSIVELY IN A WHITELIST MODE
  58. EVERYTHING IS AWESOME? RIGHT?
      > sealing/unsealing
      > http calls
  59. HOW DOES IT ALL FIT TOGETHER:
      > vault token goes into config (ironic, I know)
      > token gets sent to the vault server, and client token is returned
      > only retrieval of secrets granted by the ACL assigned is possible
      > when lease on client token expires, vault token is used to obtain new one
  60. IN CASE OF BREACH:
      > your tripwire system is triggered
      > your files are downloaded (possibly config as well)
      > you remove server from public
      > you rotate the token generated
      > you update the config
      > you make server publicly available
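Slides 46, 57, 59 and 60 together describe one flow: a token in the config is exchanged for a client token, the client token can only read paths its policy whitelists, dynamic credentials are rendered into a DSN template, an expired lease triggers a re-login, and after a breach the config token is rotated. The block below is an added example written for this page, not code from the talk and not Vault's API: `FakeVault`, `App`, the policy format, the paths and the method names are all in-process stand-ins assumed here so the flow runs offline, with a controllable clock so lease expiry can be exercised.

```python
import secrets
import time


class AccessDenied(Exception):
    pass


class TokenExpired(AccessDenied):
    pass


class FakeVault:
    """Stand-in for a Vault server (an assumption for this page, not the real
    API): long-lived auth tokens, leased client tokens, a whitelist policy."""

    def __init__(self, now=time.time):
        self.now = now
        self.auth_tokens = {}    # auth token -> list of allowed path prefixes
        self.client_tokens = {}  # client token -> {"policy", "expires", "parent"}

    def create_auth_token(self, policy):          # operator side
        tok = "s." + secrets.token_hex(12)
        self.auth_tokens[tok] = list(policy)
        return tok

    def revoke_auth_token(self, tok):
        """Breach response (slide 60): the leaked token and every client token
        derived from it stop working; the app then gets a fresh token in its config."""
        self.auth_tokens.pop(tok, None)
        self.client_tokens = {c: e for c, e in self.client_tokens.items()
                              if e["parent"] != tok}

    def login(self, auth_token, ttl):             # client side
        policy = self.auth_tokens.get(auth_token)
        if policy is None:
            raise AccessDenied("auth token unknown or revoked")
        client = "s." + secrets.token_hex(12)
        self.client_tokens[client] = {"policy": policy, "parent": auth_token,
                                      "expires": self.now() + ttl}
        return client

    def read(self, client_token, path):
        entry = self.client_tokens.get(client_token)
        if entry is None:
            raise AccessDenied("client token unknown or revoked")
        if entry["expires"] <= self.now():
            raise TokenExpired("client token lease expired")
        if not any(path.startswith(p) for p in entry["policy"]):
            raise AccessDenied(f"policy does not grant {path}")  # whitelist: default deny
        if path.startswith("database/creds/"):
            # dynamic secret: a fresh credential for every read
            return {"username": "v-" + secrets.token_hex(4),
                    "password": secrets.token_urlsafe(16)}
        return {"value": "static value at " + path}


# The DSN template from slide 46, written in Python str.format form.
DSN_TEMPLATE = "{username}:{password}@tcp({mysql_server}:3306)/{database}"


class App:
    """Application side: the only secret in its config is the Vault token."""

    def __init__(self, vault, config):
        self.vault, self.config, self.client_token = vault, config, None

    def _client_token(self):
        if self.client_token is None:   # first use, or lease expired
            self.client_token = self.vault.login(self.config["vault_token"],
                                                 self.config["ttl"])
        return self.client_token

    def database_dsn(self):
        try:
            cred = self.vault.read(self._client_token(), "database/creds/app")
        except TokenExpired:
            self.client_token = None    # lease ran out: log in again with the config token
            cred = self.vault.read(self._client_token(), "database/creds/app")
        return DSN_TEMPLATE.format(mysql_server=self.config["mysql_server"],
                                   database=self.config["database"], **cred)


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo():
    """Walk the flow against a fake clock; returns what each step observed."""
    clock = [1000.0]
    vault = FakeVault(now=lambda: clock[0])
    token = vault.create_auth_token(policy=["database/creds/app"])
    app = App(vault, {"vault_token": token, "ttl": 3600,
                      "mysql_server": "db.internal", "database": "shop"})
    dsn1, first_client = app.database_dsn(), app.client_token
    dsn2, second_client = app.database_dsn(), app.client_token  # lease still valid
    denied = _raises(AccessDenied, vault.read, first_client, "secret/payments/stripe")
    clock[0] += 3601                 # client token lease runs out
    app.database_dsn()               # transparently re-logs in
    vault.revoke_auth_token(token)   # breach: rotate the config token
    return {
        "dsn_shape_ok": dsn1.endswith("@tcp(db.internal:3306)/shop"),
        "dynamic_creds_differ": dsn1 != dsn2,
        "token_reused_while_valid": second_client == first_client,
        "off_policy_path_denied": denied,
        "relogged_in_after_expiry": app.client_token != first_client,
        "old_token_dead_after_rotation": _raises(AccessDenied, vault.login, token, 3600),
    }
```

The part worth noticing for the breach slide: after `revoke_auth_token`, the client token the app still holds is gone as well, so the app cannot keep working on the old lineage; it only recovers once the config carries the newly issued token, which is exactly the "rotate the token, update the config, put the server back" sequence on slide 60.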
  61. BUT DO YOU USE SECRET MANAGEMENT ON EVERY PROJECT?
      > user data, maybe PII, maybe not? yes
      > any kind of sensitive data? yes
      > any kind of payments on the system? definitely yes
  62. FINAL WORDS
  63. average cost of a large data breach (in which more than one million records are lost) in 2018 was $3.9 MILLION
  64. THANK YOU! QUESTIONS?