why we can't have nice things, a tale of woe and a hope for the future

Post on 17-Jul-2015


Why We Can’t Have Nice Things A Tale of Woe, and Hope for the Future

Pete Cheslock

@petecheslock


Wall of Confusion

Dev Ops Sec


DevOps Sec

@hijinksensue


Pete Cheslock, Not an InfoSec

Twitters: @petecheslock

theshipshow.com

threatstack.com

"The most costly disruptions always happen when something we take completely for granted stops working for a minute."

– President Josiah Bartlet


It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.


risk = (threat) x (probability) x (business impact)

– Jen Andre, http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html


What data are you sending?

What happens if that system is compromised?


WE TAKE SECURITY SERIOUSLY

“These are not features: Security, Availability, Performance.”

– Benjamin Black, http://blog.b3k.us/2012/01/24/some-rules.html


Storing sensitive data:

https://github.com/codahale/sneaker

https://vaultproject.io

https://github.com/square/keywhiz

https://github.com/LuminalOSS/credstash

https://github.com/oleiade/trousseau

https://github.com/cloudflare/redoctober - High value secrets

https://github.com/jschauma/jass - a really helpful tool for sharing secrets using SSH keys.


Keep It Simple

Skip the ITIL IR Plan for now


“FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”


Compile your Source

Build a Package

Sign the Package

Test the Package

Deploy the Package

You can’t hate the curl | bash and be OK deploying from GitHub


aptly

deb-s3

freight / sync to S3

packagecloud.io


https://www.ssllabs.com/ssltest/


Safe Access to Production

“Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system”

– Mark Burgess


Trust, but Verify.


auditd + OSSEC

…and SELinux

http://stopdisablingselinux.com/


Controlled Access Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf

Labeled Security Protection Profile: http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf

National Industrial Security Program Operating Manual (NISPOM): http://www.fas.org/sgp/library/nispom.htm

Security Technical Implementation Guides: http://iase.disa.mil/stigs/Pages/index.aspx


Start Small

Identify High Risks


Security Culture is People
