Learnings from DevSecOps Meetup Melbourne — S01E01 - Jan 2018
Yesterday, we held the first DevSecOps Meetup for 2018, S01E01. These are the highlights of what I learned at the meetup.
Talk 1:
Seth van Buren
Principal DevOps Consultant, Versent
Seth spoke about how his passion for keeping his team from logging into servers, unless it's a break-glass scenario, led him to Netflix Bless.
Netflix Bless is, in their own words, "an SSH Certificate Authority that runs as an AWS Lambda function".
The talk was about his journey of spending two days reading about, implementing and automating portions of the Netflix Bless setup, certificate request and certificate cleanup process.
There was a lot of sweat and tears of joy throughout the journey, and the demo gods smiled on Seth for a demo of his automated solution. As part of his demo, he used AWS CloudFormation to set up the Netflix Bless server and a bash script to store his private key in Unicreds, which was then used to request a new temporary certificate from the Bless server. The steps were as follows:
- Authenticate to AWS using saml2aws
- The returned STS tokens were used to run an AWS CloudFormation stack which created the required resources for his solution (e.g. IAM Role, KMS Key, EC2 instance (Bastion), Security Group, Lambda functions etc.)
- The STS token was used to store the private key in Unicreds
- The public key was used to request a temporary certificate from the Netflix Bless server
- The temporary certificate is valid for 2 minutes
- He demonstrated a login into the Bastion box using the temporary certificate
- He demonstrated that the login no longer worked after 2 minutes
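The reason the login stops working after 2 minutes is that an OpenSSH certificate carries a `valid_after`/`valid_before` window that sshd checks on every connection. The following is an added example (not Seth's script or Bless's own code) that builds a constructed certificate in the OpenSSH `ssh-ed25519-cert-v01@openssh.com` layout with dummy key and signature bytes, parses back the fields sshd consults, and applies the window check; the key id "seth" and principal "ec2-user" are assumed values. The same parser can be pointed at real certificates issued by a CA to audit that their lifetimes really are as short as intended.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:  # SSH "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def build_cert(valid_after: int, valid_before: int, key_id: bytes = b"seth",
               principals=(b"ec2-user",)) -> str:
    """Constructed cert line (authorized_keys format). Nonce, keys and signature are
    dummy bytes, so this is layout only; a real CA such as Bless fills them in."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32)            # type name, nonce
            + _s(b"\x01" * 32)                           # ed25519 public key (dummy)
            + struct.pack(">Q", 1)                       # serial
            + struct.pack(">I", 1)                       # 1 = user certificate
            + _s(key_id)
            + _s(b"".join(_s(p) for p in principals))    # valid principals
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")                # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32))  # CA public key (dummy)
            + _s(b"\x03" * 64))                          # signature (dummy)
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line: str) -> dict:
    """Read the fields sshd consults when deciding whether a login is allowed."""
    blob, pos = base64.b64decode(line.split()[1]), 0
    def rd_str() -> bytes:
        nonlocal pos
        n = struct.unpack_from(">I", blob, pos)[0]
        val, pos = blob[pos + 4:pos + 4 + n], pos + 4 + n
        return val
    def rd_u64() -> int:
        nonlocal pos
        pos += 8
        return struct.unpack_from(">Q", blob, pos - 8)[0]
    rd_str(); rd_str(); rd_str()                         # type name, nonce, public key
    serial = rd_u64()
    cert_type, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
    key_id, plist, principals, p = rd_str().decode(), rd_str(), [], 0
    while p < len(plist):                                # nested list of SSH strings
        n = struct.unpack_from(">I", plist, p)[0]
        principals.append(plist[p + 4:p + 4 + n].decode())
        p += 4 + n
    valid_after, valid_before = rd_u64(), rd_u64()
    return {"serial": serial, "type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def is_valid_at(cert: dict, now: int) -> bool:  # the window test sshd applies
    return cert["valid_after"] <= now < cert["valid_before"]
```

Because the window is checked against the bastion's clock, clock drift between the CA Lambda and the bastion is one thing worth monitoring when lifetimes are this short.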
It takes a while to understand the deeper workings of the solution. Hats off to Seth for taking the time to understand it and automate a lot of it.
If you have any questions, do reach out to him on LinkedIn.
Talk 2:
Adrian Kitto
Independent Security Architect
Adrian talked about "SHIFTING SECURITY TO THE LEFT". Adrian has been a strong advocate of encouraging security to work with the DevOps team and vice versa. He shared his experience of how security has traditionally been branded as the "No-sayers". There are underlying comments on each side of the story:
Traditional approach:
Corporate Security — “We are brought in 2 or less days before production deployment and when we see a problem, we are frowned upon for saying No”
DevOps — "← Fill rants from internet about why security is a blocker →"
New approach:
Shift security to the left. This is his advice for both sides:
Advice for Security
- Standardise language — speak their language
- Reach out! Offer to attend standups
- Be prepared to share options
- Get a development-related certification to understand common developer terms in the products you focus on.
Advice for Developers
Very similar to the advice for Security folks :)
- Standardise language — speak their language
- Avoid dismissing or ignoring corporate security processes and policies
- Understand the drivers behind your security professionals' decisions, as they may have been instructed to abide by them.
- Consider getting a security certification, e.g. CompTIA (for developers with a technical interest in security) or CRISC (for team managers)
The attendees loved this presentation, as the approach to security presented differs from what people have seen in their organisations. There were a lot of questions about how others can reach out to people in the community (e.g. Adrian Kitto, yours truly :)) who are leading by example in showing how security can become an enabler if we all work together.
Other News:
- The search is always on for speakers for
- A Security Debate between hackers and security engineers is being held on 6th Feb 2018 in Melbourne. There are heaps of local security legends on the panel. If you have not RSVP'd, you can do so via the link here. Only 100 seats are left now. Hurry up!
Please feel free to reach out if I have misrepresented anything here.
Peace out!