The slides listed below are from talks given at the monthly DevSecOps - London Gathering meet-up organised by VR Security.
These "Gatherings" are only possible through the support of a number of vendors (silent partners) and professionals.
Chris Rutter: Avoiding the Security Brick
This is a continuation of Chris Rutter's security talks (typically focused on Threat Modelling). In this talk Chris will explore real techniques, both technical and organisational, for introducing security into DevOps without hitting people with bricks [Not literally].
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, January 2019)
An introduction to Istio security, looking at how Istio helps keep your security team happy by satisfying Kubernetes security requirements for multi-tenancy, and your developers happy by reducing implementation effort. Istio is still an evolving technology, and outstanding issues and impending improvements will be discussed.
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, January 2019)
I’ll show what Istio is, and how it does what it does. We’ll explore that from the point of view of one packet travelling in from the internet and back out again, to show us all the major data and control plane components.
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, January 2019)
A look at historical Kubernetes breaches, the high level security primitives, and an overview of multi-tenancy models in Kubernetes.
August 2018: DevSecOps - London Gathering
Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.
Practical Steps For Securing Containers - Liz Rice
Security is a key concern for application developers and operations teams, as well as security professionals. What do I need to do in the face of new threats like Meltdown and Spectre? What happens when the next big issue comes along? What should my priorities be? How do containers help? In this talk we’ll demonstrate some common attacks live, and show how you can effectively defend your container deployment against them, using a combination of best practices, configuration, and tools.
The Bastion Server That Isn't There ... Joshua Kite
The standard approach to setting up a bastion server (or jump box) has enough weaknesses already. Managing secure access to your VPCs for hundreds of users and hundreds of servers increases these exponentially.
I found the available solutions lacking.
Here I briefly cover the issues and present a working production solution immutably deploying ssh bastion access as a stateless service on AWS, managed entirely with Terraform - no build chain, no registries, no secrets management and instantaneous access.
The result is a bastion server that isn't there, until the moment a user calls for it and then it can be their special snowflake, just for them, briefly, until it's gone.
Continuous Security: From tins to containers - Now what!
Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.
The mechanics behind how attackers exploit simple programming mistakes ...
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes. Developers today face a massive onslaught of new and old attack vectors in both the code they write and the open source they use.
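The kind of simple mistake the abstract refers to, as an added example that is not from the talk or its slides: a login check that pastes user input into a SQL string, the one-line payload that turns it into an authentication bypass, and the parameterised version that closes the hole. The database, users and passwords are constructed in memory for the demonstration (plaintext passwords are themselves a mistake, kept here only to keep the example short).

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; not real credentials.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse battery staple", "admin"),
            ("bob", "hunter2", "user"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The mistake: user-controlled text becomes part of the SQL statement,
    # so the attacker controls the query's logic, not just its data.
    query = (
        "SELECT role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so quotes and comment markers in the input stay inert data.
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Closes the quoted username early, makes the WHERE clause always true,
    # and comments out the password check that follows.
    payload = "' OR 1=1 --"
    return {
        # Vulnerable: returns the first row's role ("admin") with no password.
        "vuln_bypass": login_vulnerable(conn, payload, "anything"),
        # Fixed: the payload is just an unknown username, so no row matches.
        "fixed_bypass": login_fixed(conn, payload, "anything"),
        # Fixed path still works for a real credential pair.
        "legit": login_fixed(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole mechanism in one place: the vulnerable function grants `admin` to a caller who knows no password at all, while the parameterised function rejects the same payload and still authenticates a genuine user.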
Vulnerability management in DevSecOps: Easy Concept But Harder To Execute
Vulnerability Risk Management is certainly one of the most critical security processes in any company. Attacks on applications and systems can be divided into two categories: exploiting one or more vulnerabilities, or exploiting a human - typically by social engineering. Most sophisticated attacks use a combination of the above. To defend against the former, organisations have developed processes to detect, analyse and remediate vulnerabilities. The key question any organisation should be asking when planning DevSecOps, in the scope of vulnerability management, is whether any of their existing processes need to change and how much. The talk will explain a best-practice process built in a traditional organisation and then dissect individual areas from the DevSecOps point of view. Prepare to challenge and be challenged discussing this boring yet critical subject.
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - In the beginning there was a file and it contained all the passwords in plain text, but then someone stole all the passwords, so we don't do that anymore. In this talk I will explore how secret management has evolved over the years, what the common path to maturity is, what good looks like and why "Just use HashiCorp Vault" is a good heuristic. Explore with me the perils of storing secrets in Jenkins, how ansible-vault leads to disasters and where CyberArk Conjur sits in all of this.
DevSecOps The Evolution of DevOps
Have you ever asked yourself the following questions:
What does DevSecOps mean?
How is this different from DevOps?
What can we learn from the DevOps movement?
DevSecOps Pipeline - Example (Not just Tools)
Typically a lot of organisations focus on the tools to factor into the Pipeline. However, the Security Assurance approach is just as important, if not more so. So throwing this diagram out to spark discussions. Discuss :-)