Seatec Astronomy

SEATEC
ASTRONOMY
1 — Srdjan Vranac, Code4Hire, PHPSerbia 2019

View Slide

WHOAMI

View Slide

TOO MANY SECRETS

View Slide


View Slide

INTERACTION TIME

View Slide

C SUITE, VP ENGINEERING

View Slide

TEAM LEADS

View Slide

SENIOR
DEVELOPERS/ENGINEERS

View Slide

UNCLE BOB

View Slide

CLEAN CODE

View Slide

BUSINESS PROBLEM

View Slide

BUSINESS PROBLEM
IS
YOU!

View Slide

Take off your business hat
Focus on the business goals
less on academics
— David Cramer (Sentry CEO)
from "Mastering Duct Tape" PyCon balkan 2018

View Slide

management needs to recognize that its engineers are a
critical component of any major product decision. Too
often, a company’s engineers are seen as a service
organization that can be steamrolled when important
business decisions arise (ensuring a healthy product-
engineering relationship is one more reason it’s critical
to have hired the right engineers)
— Nemil Dalal

View Slide

BUSINESS IS NOT
INFALLIBLE

View Slide

DEVELOPERS DESPISE
BUSINESS?

View Slide

BLUE COLLAR ON A
MYSTICAL JOURNEY

View Slide

CARDINAL RULE OF
BUSINESS

View Slide

PRIMARY GOAL OF A
SOFTWARE DEVELOPER

View Slide

SALES MAKE MONEY,
ENGINEERS COST MONEY

View Slide

WASTE AND HUBRIS

View Slide

"I am not a salesperson,
I am just a developer"
— well known developer

View Slide

CAPITAL ALLOCATION

View Slide

Technical debt can have massive interest when not
addressed. People don't even realize how much interest
they're paying until they stop paying it. Imagine paying back
a rather reasonable loan and suddenly you have 50x more
money at the end of each month. The problem is that most
people don't bo ther estimating their tech debt.
— Anna Filina

View Slide

Later equals never
— Dave LeBlanc

View Slide

WHAT IS THE MANDATE OF
A SOFTWARE ENGINEER?

View Slide

Your mandate as a software engineer is
to find solutions for the problems presented,
with acceptable compromises between time, cost and
quality, with buy-in from the management/leadership.

View Slide


View Slide

ENGINEERING OBSESSION

View Slide

I might not have to work with you,
you will have to work with someone like me,
so you better be prepared

View Slide

OK.... SECURITY?

View Slide

BUSINESS EXPERIENCE AND SECURITY
ARE AFTERTHOUGHT

View Slide

BY THINKING IN TERMS OF BUSINESS
EXPERIENCE AND COST AND EXPENSES
SECURITY STARTS TO CLIMB MORE AND
MORE ON THE PRIORITY LIST

View Slide

LOW HANGING FRUIT

View Slide


View Slide

COMMON WAYS OF REVEALING YOUR SECRETS?
> making your information public, for example by
committing them to the repository (and making the repo
public)
> malicious party gaining access to your infrastructure,
ie server

View Slide

MALICIOUS PARTY GAINING ACCESS TO
YOUR INFRASTRUCTURE, IE SERVER

View Slide

# location: /etc/pam_scripts/login-email-notification.sh
#!/bin/sh
EMAIL_TO="[email protected]"
EMAIL_FROM="[email protected]"
SUBJECT="SSH Login Notification"
MESSAGE="
A user signed into your server through SSH.
-------------------------------------------
Username: ${PAM_USER}
IP Address: ${PAM_RHOST}"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
fi
exit 0
# location: /etc/pam.d/sshd
# Login Email Notification
session required pam_exec.so /etc/pam_scripts/login-email-notification.sh

View Slide

You don't store your users passwords in your database,
yet the access-credentials to said database are written
down in cleartext in a file on your server. Sounds
familiar?
— Andreas Heigl

View Slide

STORY TIME!

View Slide

ANOTHER ONE!
IN CASE YOU ARE STILL NOT CONVINCED

View Slide

ENVIRONMENT VARIABLES

View Slide


View Slide

tr '\0' '\n' < /proc//environ

View Slide

CONTAINERS!!!111
docker inspect -f` or `docker inspect -f \
'{{range $index, $value := .Config.Env}}{{println $value}}{{end}}' \
container_name

View Slide

web_app:
image: code4hire/dev-images:php-7.2-cli
hostname: "web_app"
working_dir: ${WEB_DESTINATION_PATH}
volumes:
- ${WEB_APP_PATH}:${WEB_DESTINATION_PATH}
- ${WEB_REPORTS_PATH}:${WEB_REPORTS_DESTINATION_PATH}
- ./auth.json:/root/.composer/auth.json
- "${DATA_PATH}/datadog:/var/run/datadog:ro"
environment:
- APPLICATION_ENV=${APPLICATION_ENV}
- WEB_LOGGER_NAME=${WEB_LOGGER_NAME}
- WEB_LOG_PATH=${WEB_LOG_PATH}
- WEB_LOG_LEVEL=${LOG_LEVEL}
- WEB_LOG_TO_CONSOLE=${LOG_TO_CONSOLE}
- SENTRY_DSN=${SENTRY_DSN}
- RMQ_HOST=${RMQ_HOST}
- RMQ_PORT=${RMQ_PORT}
- RMQ_USERNAME=${RMQ_USERNAME}
- RMQ_PASSWORD=${RMQ_PASSWORD}
- RMQ_VHOST=${RMQ_VHOST}
- RMQ_PREFETCH_COUNT=${RMQ_PREFETCH_COUNT}
- RMQ_DEFAULT_EXCHANGE_NAME=${RMQ_DEFAULT_EXCHANGE_NAME}
- RMQ_DEFAULT_EXCHANGE_TYPE=${RMQ_DEFAULT_EXCHANGE_TYPE}
...

View Slide

DOCKER SECRETS!!!
/run/secrets/NAME

View Slide

OPS TEAM ALLOWS THIS!

View Slide

LIABILITY

View Slide

INSURANCE

View Slide

CERTIFICATION

View Slide

BUSINESS EXPERIENCE
SECURITY
COST/DAMAGE CONTROL

View Slide

HOW CAN THIS SITUATION BE
IMPROVED?
SECRETS MANAGEMENT
APPLICATIONS

View Slide

IMPORTANT FEATURES FOR ANY OF THESE SYSTEMS
SHOULD BE:
> Ease of setup and operation

View Slide

SHOULD BE:
> Secret rotation

View Slide

SHOULD BE:
> Secret rotation
> Dynamic secrets

View Slide

SHOULD BE:
> Secret rotation
> Dynamic secrets
> Encryption in transport and at rest, and choices of
backends

View Slide

SHOULD BE:
> Secret rotation
> Dynamic secrets
> Encryption in transport and at rest, and choices of
backends
> Cost

View Slide

Ansible Vault, Barbican, Chef Data Bags, Chef Vault,
Citadel, Confidant, Configuration Storage Systems
(Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz,
Knox, Red October, Trousseau, Vault (Hashicorp)

View Slide

AWS SECRETS MANAGER

View Slide

EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
Cost Dimensions
- 2 SSH keys per server and 5 database credentials per database.
- 2 API calls per SSH key per day. 24 API calls per database credential per day.
- 7 API calls per database credential per week to rotate credentials safely.
15 secrets (2 SSH keys * 1 load balancer
+ 2 SSH keys * 2 web servers
+ 2 SSH keys * 2 app servers
+ 5 database credentials * 1 database)
@ $0.40 / secret / month
4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
+ 5 database credentials * 1 database * 24 API calls/day * 30 days
+ 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls
$6.02 TOTAL (PER MONTH)

View Slide

EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICRO
SERVICES
Cost Dimensions
5M secrets (each valid for 1 hour).
2 API calls per secret per month.
Note: Since these secrets are stored in Secrets Manager for an hour,
the price per secret is calculated as
$0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret/ hour
$2,800.00 5M secrets @ $0.00056 / secret/ hour
$50.00 10M API calls (5M secret * 2 API calls) @ $0.05/10,000 calls
$2,850.00 TOTAL (PER MONTH)

View Slide

HASHICORP VAULT

View Slide

GOOD FIT?

View Slide

SECURITY MODEL
> confidentiality
> integrity
> availability
> accountability
> authentication.

View Slide


View Slide

SHAMIR'S SECRET SHARING ALGORITHM

View Slide


View Slide

UNSEALED

View Slide

FIRST CONTACT

View Slide

POLICY

View Slide

UNSEALED AND READY

View Slide

VAULT STATUS
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.0.2
Cluster Name vault-cluster-3cdf26fe
Cluster ID 08082f3a-b58d-1abf-a770-fbb8d87359ee
HA Enabled false

View Slide

WRITE A SECRET
$ vault kv put secret/hello foo=world excited=yes
Key Value
--- -----
created_time 2019-02-04T19:54:03.250328Z
deletion_time n/a
destroyed false
version 2
$ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
-H "Content-Type: application/json" \
-X POST \
-d '{"foo":"world"}' \
-d '{"excited":"yes"}' \
http://127.0.0.1:8200/v1/secret/hello

View Slide

READ A SECRET
$ vault kv get secret/hello
====== Metadata ======
Key Value
--- -----
created_time 2019-02-04T19:54:03.250328Z
deletion_time n/a
destroyed false
version 2
===== Data =====
Key Value
--- -----
excited yes
foo world
$ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
-X LIST \
http://127.0.0.1:8200/v1/secret/hello

View Slide

READ ONLY THE VALUE FOR A SECRET
$ vault kv get -field=excited secret/hello
yes
$ curl \
-H "X-Vault-Token: $TOKEN" \
-X GET \
http://127.0.0.1:8200/v1/secret/hello/excited

View Slide

JSON? SURE
$ vault kv get -format=json secret/hello | jq -r .data.data.excited
yes

View Slide

DELETE A SECRET
$ vault kv delete secret/hello
Success! Data deleted (if it existed) at: secret/hello
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN \
--request DELETE \
https://127.0.0.1:8200/v1/secret/hello

View Slide

PHP
$client = new \GuzzleHttp\Client([
'base_uri' => $baseUrl,
'timeout' => 2.0,
'headers' => [
'X-Vault-Token' => $accessToken,
'Accept' => 'application/json',
]
]);
$response = $client->request('GET', '/v1/secret/hello/excited');
$response->getBody()->seek(0);
$output = json_decode(trim($responseBody->getContents()));
print_r($output->data->excited)
yes

View Slide

EVERYTHING IS AWESOME? RIGHT?
WELL...

View Slide

SEALING/UNSEALING

View Slide

HTTP CALLS

View Slide

FINAL WORDS

View Slide

average cost of a large data breach (in which more than
one million records are lost) in 2018 was
$3.9 MILLION DOLLARS

View Slide

THE END

View Slide

Seatec Astronomy

Seatec Astronomy

Vranac Srdjan

More Decks by Vranac Srdjan

Other Decks in Technology

Featured

Transcript