The second DevSecOps meetup of 2018 was another exciting night.
Stats: We had about 71 RSVPs
Talk 1: Security Challenges in DevOps
Speaker: Wynand Viljoen, Offensive CyberSecurity Researcher
The talk was about war stories from Wynand's 22 years of experience in tech. He spoke about how tech was about problem solving in its early days, when the internet was still just a "thing".
Then came ITIL, which slowed everything down. The byproduct of ITIL was the Waterfall methodology, which segmented the technology stream from one unit into specific roles, e.g. developers, sysadmins, managers, etc.
The current transformation is from ITIL to DevOps, where agility is the name of the game. Waterfall is giving way to Scrum, with quick feedback as the priority.
He shared insights on changing the CI/CD pipeline to include "Continuous Security" at every stage, so that low-hanging fruit is found and patched before the artefact produced by the pipeline reaches a pentester.
He delved into some of the tools he has seen in the wild for SAST, SCA and DAST. He highly recommends the OWASP Proactive Controls as a must-read for anyone starting their journey to include "Continuous Security" in a CI/CD pipeline.
There were interesting anecdotes throughout the talk which resonated with the attendees.
The last slide was a wrap-up of what he would love not to see again the next time he runs a pentest.
The whole slide deck can be found here.
Talk 2: Long living Creds in Cloud?
Speaker: Ashish Rajan
The talk was inspired by a conversation I participated in around the use of long-term access keys. This topic surfaced after the recent cryptojacking attack on Tesla.
I encourage users to use the temporary-credential services from cloud providers, like AWS STS and Azure SAS, to avoid ending up with lost access keys in the wild.
I spoke about the problems that long-term keys can create and how to solve them. I did acknowledge that a lot of the time we are forced to use long-term access keys with products that are still adapting to be usable in the cloud.
I spoke about the tools available in the market to enable the use of temporary credentials (e.g. saml2aws).
I spoke about the best practices around AWS STS; I didn't have an equivalent for Azure SAS but should be able to fill that gap someday.
I spoke about the gotchas with the use of temporary tokens — hackers exploiting SSRF on EC2 instances because the Instance Profile did not have SourceIP filtering enabled.
Big takeaways —
- Have a process for what needs to be included in an incident response plan if long-term access keys are discovered to be compromised
- Use STS, but if using an XML parser or wherever applicable, include a SourceIP condition in your IAM Instance Profile Role
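As an added illustration of the second takeaway (example code written for this recap, not from the slides): a constructed instance-profile role policy with no network condition beside one that adds an explicit Deny on `aws:SourceIp`, plus a small review check that flags the missing condition and evaluates whether a request from a given address would hit the Deny. The bucket name and the 203.0.113.0/24 egress range are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: instance-profile role policy with no network condition, so
# credentials leaked from the instance (e.g. via SSRF) can be replayed from anywhere.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

# Hardened form (constructed): same grant plus an explicit Deny for requests not
# from the instance's egress range (203.0.113.0/24 is a documentation range standing
# in for the VPC NAT gateway / elastic IP). aws:ViaAWSService is carved out so AWS
# services calling on the role's behalf keep working. Caveat: aws:SourceIp does not
# match traffic arriving via a VPC endpoint; use aws:SourceVpc / aws:SourceVpce there.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                       "Bool": {"aws:ViaAWSService": "false"}}},
    ],
}

def _source_ip_denies(policy):
    """Yield Deny statements conditioned on aws:SourceIp (Statement may be dict or list)."""
    stmts = policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        cond = s.get("Condition", {}).get("NotIpAddress", {})
        if s.get("Effect") == "Deny" and "aws:SourceIp" in cond:
            yield s

def has_source_ip_deny(policy):
    """Review check: does the role policy deny use from outside a SourceIp range?"""
    return any(True for _ in _source_ip_denies(policy))

def blocked_by_source_ip(policy, source_ip, via_aws_service=False):
    """Evaluate only the SourceIp Deny statements (not a full IAM simulator)."""
    ip = ip_address(source_ip)
    for s in _source_ip_denies(policy):
        cond = s["Condition"]
        if via_aws_service and cond.get("Bool", {}).get("aws:ViaAWSService") == "false":
            continue  # this Deny is scoped to direct callers only
        ranges = cond["NotIpAddress"]["aws:SourceIp"]
        ranges = [ranges] if isinstance(ranges, str) else ranges
        if not any(ip in ip_network(r) for r in ranges):
            return True
    return False
```

Running the check over every role attached to an instance profile is a cheap way to find the gap the talk warned about before a pentester does.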
The full slides of my talk can be found here.
I already have an exciting talk lined up for you next month. Hope to see everyone at the next one.