Help the hackers get your data

In May 2018 something happened to the internet: GDPR came online, and suddenly users in the EU had a lot more rights to their digital privacy, which is awesome. But on the flip side, the implementation of the GDPR and the procedures around it are very vague and were meant to be written as we go along, with whatever comes up as best practice.

Books and talks have been written and given about data encryption, problems encountered with event sourcing systems, questionnaires about the purposes of collecting user data... So many words and hours of many lives spent...

Yet something has been overlooked, something so basic we do not even notice it. If you are working on an enterprise-class project or another large project, you might have an infra team that deals with this and tells you what you need to do to be secure (at least the good ones will). But if you are working on smaller projects and have mom-and-pop shops to support, you deserve the same level of security bigger projects have...

I am talking about secrets and credentials management for your application, the most overlooked aspect of any application.

This talk gives you a look at secrets management and security from the business side of things and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

December 16, 2019
Transcript

  1. HELP THE HACKERS GET YOUR DATA @vranac - Software Crafting Serbia

  2. WHOAMI Srdjan Vranac, Founder/Team Lead @ Code4Hire, Architecture/Software consultant. I make developers uncomfortable and engineers happy.

  3. WHOAMI

  4. HELP THE HACKERS GET YOUR DATA IF YOU WANT TO EXPERIENCE SOME VERY VERY VERY VERY VERY UNPLEASANT THINGS AND, DEPENDING ON WHOSE DATA THEY GOT, EVEN FACE JAIL TIME

  5. SECURITY IS IMPORTANT M'KAY

  6. TOO MANY SECRETS

  7. A good software engineer has technical skills, communication skills AND business skills — Antonio Peric-Mazar (Locastic CEO)

  8. Take off your developer's hat. Focus on the business goals, less on academics — David Cramer (Sentry CEO) from "Mastering Duct Tape", PyCon Balkan 2018

  9. COST OF NOT HANDLING SECURITY

  10. COST AND SECURITY ARE AN AFTERTHOUGHT

  11. BY THINKING IN TERMS OF COST AND EXPENSES SECURITY STARTS TO CLIMB MORE AND MORE ON THE PRIORITY LIST

  12. LOW HANGING FRUIT

  13. (image-only slide)

  14. DATA BREACHES EXPOSED 4.1 BILLION RECORDS IN FIRST SIX MONTHS OF 2019

  15. It's a s#1t show, but you front row — Lil Wayne, "Uproar"

  16. COMMON WAYS OF REVEALING YOUR SECRETS?

  17. MALICIOUS PARTY GAINING ACCESS TO YOUR INFRASTRUCTURE

  18. (image-only slide)

  19. (image-only slide)

  20. (image-only slide)

  21. You don't store your users' passwords in your database, yet the access credentials to said database are written down in cleartext in a file on your server. — Andreas Heigl

  22. (image-only slide)

  23. 15 MINUTES OF PUBLIC AVAILABILITY

  24. LESSON IN CHAOS ENGINEERING

  25. HEY LOOK, IT'S GONE...

  26. LESSON IS ACTUALLY A MASTERCLASS

  27. AN EMAIL A DAY KEEPS THE CHAOS MONKEY AWAY

  28. SCORCHED EARTH POLICY

  29. (image-only slide)

  30. ENVIRONMENT VARIABLES

  31. (image-only slide)

  32. (image-only slide)

  33. CONTAINERS!!!111

  34. (image-only slide)

  35. DOCKER SECRETS!!!

  36. IF OPS TEAM ALLOWS THIS! PLEASE HAVE A TALK WITH THEM!

  37. CONSEQUENCES

  38. LIABILITY & CRIMINAL NEGLIGENCE

  39. (image-only slide)

  40. CERTIFICATION

  41. SECRETS MANAGEMENT COST/DAMAGE CONTROL

  42. HOW CAN THIS SITUATION BE IMPROVED?

  43. SECRETS MANAGEMENT APPLICATIONS

  44. EASE OF SETUP AND OPERATION

  45. SECRET ROTATION

  46. DYNAMIC SECRETS {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

  47. ENCRYPTION IN TRANSPORT AND AT REST

  48. CHOICES OF BACKENDS

  49. COST

  50. Ansible Vault, Barbican, Chef Data Bags, Chef Vault, Citadel, Confidant, Configuration Storage Systems (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz, Knox, Red October, Trousseau, Vault (Hashicorp)

  51. AWS SECRETS MANAGER

  52. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
      Cost dimensions:
      - 2 SSH keys per server and 5 database credentials per database.
      - 2 API calls per SSH key per day; 24 API calls per database credential per day.
      - 7 API calls per database credential per week to rotate credentials safely.
      15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month = $6.00
      4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05 / 10,000 calls = $0.02
      $6.02 TOTAL (PER MONTH)

  53. EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICRO SERVICES
      Cost dimensions:
      - 5M secrets (each valid for 1 hour).
      - 2 API calls per secret per month.
      Note: since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour.
      5M secrets @ $0.00056 / secret / hour = $2,800.00
      10M API calls (5M secrets * 2 API calls) @ $0.05 / 10,000 calls = $50.00
      $2,850.00 TOTAL (PER MONTH)

  54. HASHICORP VAULT

  55. GOOD FIT?

  56. SHAMIR'S SECRET SHARING ALGORITHM

  57. VAULT OPERATES EXCLUSIVELY IN A WHITELIST MODE

  58. EVERYTHING IS AWESOME? RIGHT?
      > sealing/unsealing
      > http calls

  59. HOW DOES IT ALL FIT TOGETHER:
      > vault token goes into config (ironic, I know)
      > token gets sent to the vault server, and a client token is returned
      > only retrieval of secrets granted by the assigned ACL is possible
      > when the lease on the client token expires, the vault token is used to obtain a new one

  60. IN CASE OF BREACH:
      > your tripwire system is triggered
      > your files are downloaded (possibly config as well)
      > you remove the server from public
      > you rotate the token generated
      > you update the config
      > you make the server publicly available again
  61. BUT DO YOU USE SECRET MANAGEMENT ON EVERY PROJECT?
      > user data, maybe PII, maybe not? yes
      > any kind of sensitive data? yes
      > any kind of payments on the system? definitely yes

  62. FINAL WORDS

  63. The average cost of a large data breach (in which more than one million records are lost) in 2018 was $3.9 MILLION

  64. THANK YOU! QUESTIONS?
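Slide 56 names Shamir's secret sharing without showing how it works. The block below is an added worked example, not code from the talk or from Vault: a textbook (t, n) split over the prime field GF(p) with p = 2^521 - 1, large enough to hold a 32-byte key such as Vault's master (unseal) key, run with Vault's default of 5 shares and a threshold of 3. Vault's own implementation splits byte by byte over GF(2^8), so these shares are not interchangeable with `vault operator init` output; the prime, the function names and the sample key are my assumptions.

```python
# Added example (not from the talk): Shamir's (t, n) secret sharing over the
# prime field GF(p), the scheme Vault's seal uses to split its master key so
# that no single operator can unseal alone. Vault's own code works per byte
# over GF(2^8); this is the textbook prime-field version, easier to audit.
import secrets

# Mersenne prime 2^521 - 1: every secret of up to 65 bytes is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial mod PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Split an integer secret into `shares` points; any `threshold` recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never handed out: the polynomial's value there *is* the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) share points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was handed in twice")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(p-2) == den^-1 mod p, since p is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key, threshold, shares):
    """Byte-string wrapper, e.g. for a 32-byte unseal key."""
    if len(key) > 65:
        raise ValueError("key longer than the field allows")
    return split_secret(int.from_bytes(key, "big"), threshold, shares)


def recover_key(shares, key_len):
    """Inverse of split_key; key_len must be the original key length."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample key
    parts = split_key(key, 3, 5)           # Vault's default: 5 shares, threshold 3
    assert recover_key(parts[:3], 32) == key
    assert recover_key([parts[0], parts[2], parts[4]], 32) == key
    assert recover_secret(parts[:2]) != int.from_bytes(key, "big")
    print("3-of-5 reconstruction OK; 2 shares recover nothing useful")
```

Fewer than t shares interpolate a different polynomial of the same degree, so `recover_secret` on two shares returns an unrelated field element rather than an error; that is the property an unseal quorum relies on. The shares must go to different people and never sit next to each other on one machine, or the threshold means nothing.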
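Slides 46, 59 and 60 describe the moving parts in words: one Vault token in the application config, a client token scoped by ACL policy, dynamic database credentials that fill the DSN template, re-authentication when the lease runs out, and revocation after a breach. The block below is an added example that ties them together as a small client for Vault's HTTP API; it is not the speaker's code and not HashiCorp's. Assumptions that are not in the talk: a KV v2 engine mounted at `secret/`, a database secrets engine at `database/` with a role named `app`, a policy named `app-read`, and an injectable transport so the same flow runs offline against a constructed fake server (`fake_vault_transport`) instead of a real one.

```python
# Added example (not from the talk): the token flow of slide 59 and the breach
# response of slide 60 as a minimal client for Vault's HTTP API. The only
# long-lived secret in the app config is the bootstrap token; everything else is
# fetched on demand with a short-lived, ACL-scoped child token, including the
# dynamic database credentials that fill slide 46's DSN template.
# Assumptions not in the talk: KV v2 at "secret/", database engine at
# "database/" with role "app", and an injectable transport for offline runs.
import json
import time
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumed dev-server address


def http_transport(method, url, token, body=None):
    """Real transport: one Vault HTTP API call, token sent in X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class VaultClient:
    def __init__(self, bootstrap_token, addr=VAULT_ADDR,
                 transport=http_transport, clock=time.monotonic):
        self.bootstrap_token = bootstrap_token  # the one token that lives in config
        self.addr, self.transport, self.clock = addr, transport, clock
        self.client_token, self.expires_at = None, 0.0

    def _call(self, method, path, token, body=None):
        return self.transport(method, f"{self.addr}/v1/{path}", token, body)

    def obtain_client_token(self, policies, ttl="1h"):
        """Exchange the bootstrap token for a child token limited to `policies`."""
        resp = self._call("POST", "auth/token/create", self.bootstrap_token,
                          {"policies": policies, "ttl": ttl, "renewable": True})
        auth = resp["auth"]
        self.client_token = auth["client_token"]
        self.expires_at = self.clock() + auth["lease_duration"]
        return self.client_token

    def _ensure_token(self, policies, margin=60):
        # Slide 59, last step: once the client token's lease is (nearly) up,
        # the bootstrap token is used again to obtain a fresh one.
        if self.client_token is None or self.clock() >= self.expires_at - margin:
            self.obtain_client_token(policies)

    def read_kv(self, path, policies):
        """Static secret from KV v2; the ACL decides whether the path is readable."""
        self._ensure_token(policies)
        resp = self._call("GET", f"secret/data/{path}", self.client_token)
        return resp["data"]["data"]

    def db_dsn(self, role, host, database, policies):
        """Dynamic secret: a freshly created DB user, valid only for its lease."""
        self._ensure_token(policies)
        resp = self._call("GET", f"database/creds/{role}", self.client_token)
        creds = resp["data"]
        dsn = f"{creds['username']}:{creds['password']}@tcp({host}:3306)/{database}"
        return dsn, resp["lease_id"], resp["lease_duration"]

    def revoke_client_token(self):
        """Breach response (slide 60): make the token the app held worthless."""
        if self.client_token is not None:
            self._call("POST", "auth/token/revoke-self", self.client_token)
            self.client_token, self.expires_at = None, 0.0


def fake_vault_transport(method, url, token, body=None):
    """Constructed in-memory stand-in for a Vault server (demo/test only)."""
    path = url.split("/v1/", 1)[1]
    if path == "auth/token/create" and token == "s.bootstrap":
        return {"auth": {"client_token": "s.child", "lease_duration": 3600,
                         "renewable": True}}
    if token != "s.child":  # whitelist mode (slide 57): unknown token, no access
        raise PermissionError("403 permission denied")
    if path == "secret/data/app/smtp":
        return {"data": {"data": {"user": "mailer", "password": "hunter2"},
                         "metadata": {"version": 1}}}
    if path == "database/creds/app":
        return {"lease_id": "database/creds/app/7f3c", "lease_duration": 3600,
                "data": {"username": "v-token-app-x1", "password": "A1b2c3"}}
    if path == "auth/token/revoke-self":
        return {}
    raise PermissionError("403 permission denied")  # path not granted by the ACL


if __name__ == "__main__":
    vault = VaultClient("s.bootstrap", transport=fake_vault_transport)
    print(vault.read_kv("app/smtp", ["app-read"]))
    print(vault.db_dsn("app", "db.internal", "app", ["app-read"]))
    vault.revoke_client_token()
```

Against a live server, construct `VaultClient` with the bootstrap token read from the environment or the config file (the irony slide 59 admits) and leave the default `http_transport` in place. For the breach step on slide 60, `revoke_client_token` only covers the child token the application holds; rotating the bootstrap token that sat in the downloaded config is an operator action performed with a privileged token, and because Vault revokes a token's non-orphan children together with it, that rotation also invalidates any child tokens an attacker minted in the meantime.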