
DevSecCon Seattle 2019: Containerizing IT Security Knowledge


Kristóf Tóth
Software Engineer at Avatao

The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries.
As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint.
What could possibly go wrong?

We believe that education is the missing link.
As appsec is still a curiosity topic at top universities, freshly graduated engineers simply have no clue. And how could they?
The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec.
As this trend continues, our responsibility to do something about this is on the rise.

In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community.
Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers.
These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser.
Users can attack web services, write code to fix them, or use a terminal to deploy websites by creating and pushing git tags.
Nothing here is a mock-up: Every software component is real.

In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it.
During the session we will open source the framework with the hope of creating a better, secure future together.


DevSecCon Seattle 2019: Containerizing IT Security Knowledge

  1. Seattle | September 16-17, 2019. Containerizing IT Security Knowledge. Kristóf Tóth
  2. Something is wrong with security
     • 3 billion Yahoo accounts hacked (2016)
     • Marriott breach leaks data of 500 million guests (2018)
     • Facebook hack leaves 540 million accounts exposed (2019)
     • This doesn’t seem right...
  3. Why are we failing?
     • The number of programmers is doubling every few years
     • ITSec training is still a curiosity at many universities
     • Generations of engineers without a proper background in security
     • Education is the missing link
  4. Tutorial Framework – What?
     • Helps you create interactive learning environments
     • Automatically guides the user through topics ...
     • ... by making them interact with real software
     • A hybrid of training videos and hacking labs
     • Accessible through a browser
     • Package & ship the whole thing in containers
     • TL;DR hacking labs on crack
  5. Tutorial demo
  6. What is the value?
     • ”Smart security sandboxes”
     • Self-guided learning without previous knowledge
     • Learn by experimenting with real software
     • Hands-on experience without a learning curve
  7. It’s for you!
     • For trainers & teachers
     • For students & professionals
     • For the community
     • Fast & easy development
     • No proprietary software involved, all open source
     • Independent of the Avatao platform, but allows easy integration
  8. You get a set of useful components
     • State tracking
     • An IDE, console and terminal
     • Chat to communicate with the user
     • Process management, live logs
     • And more ...
  9. How it works
     • Multiple processes running in a container (tini + supervisord)
     • Nginx serving an Angular SPA
     • Custom IPC daemon
       • Used for RPC and event advertisement
       • Connected to processes over ZeroMQ
       • Connected to the frontend over WebSockets
  10. IPC daemon
     • Simple JSON based message format
     • Used for RPC and event advertisement
     • Routes messages between ZeroMQ & WebSockets
     • Processes can connect to it via:
       • ZeroMQ sockets
       • POSIX named pipes
       • ...
  11. IPC daemon
  12. How do you use it?
     • Built-in components use our messaging daemon to communicate
     • You can control them via a simple JSON API
     • They broadcast relevant events
     • Fill a container with the software you need and instrument TFW
  13. Framework demo
  14. Giving back to the community
     • Where can I get it?
       • Licensed under the GNU LGPLv3
       • Available on GitHub:
         • github.com/avatao-content/baseimage-tutorial-framework
         • github.com/avatao-content/frontend-tutorial-framework
         • github.com/avatao-content/test-tutorial-framework
  15. Thank you for listening! Questions?
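Slides 9, 10 and 12 describe the IPC daemon as a router of simple JSON messages between in-container processes (ZeroMQ) and the browser (WebSockets), used both for RPC and for event advertisement. The Python sketch below is an added example and not code from the Tutorial Framework: it models that routing with in-memory transports in place of real sockets, and the message fields (`key`, `id`, `data`), the route allowlist and the size cap are assumptions chosen to show where a daemon that sits between a deliberately attackable sandbox and the user's browser should validate what it forwards.

```python
"""Minimal JSON message router in the spirit of the IPC daemon on the slides.

Assumptions (not the framework's own format): a message is a JSON object with
a string "key"; a message carrying an "id" is an RPC request that gets exactly
one reply back to its sender, a message without "id" is an event that is fanned
out to every subscriber of that key. Transports are in-memory stand-ins for the
ZeroMQ / WebSocket endpoints so the example runs offline.
"""
import json
from collections import defaultdict

MAX_MESSAGE_BYTES = 64 * 1024                     # assumption: bound buffering per frame
ALLOWED_KEY_PREFIXES = ("process.", "ide.", "console.")  # assumption: route allowlist


class Transport:
    """Stand-in for one peer (a ZeroMQ socket or a WebSocket client).
    Whatever the router sends to this peer lands in `outbox`."""

    def __init__(self, name):
        self.name = name
        self.outbox = []

    def send(self, message):
        self.outbox.append(json.dumps(message))


class IpcRouter:
    def __init__(self):
        self.handlers = {}                      # key -> callable(data) -> result   (RPC targets)
        self.subscribers = defaultdict(list)    # key -> [Transport]               (event fan-out)

    def register_rpc(self, key, handler):
        self.handlers[key] = handler

    def subscribe(self, key, transport):
        self.subscribers[key].append(transport)

    def dispatch(self, raw, sender):
        """Parse, validate and route one raw frame received from `sender`."""
        if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
            return self._error(sender, None, "message too large")
        try:
            msg = json.loads(raw)
        except ValueError:
            return self._error(sender, None, "invalid JSON")
        if not isinstance(msg, dict) or not isinstance(msg.get("key"), str):
            return self._error(sender, None, "missing key")
        key = msg["key"]
        # Only keys on the allowlist are routed; anything else is refused and logged back
        if not key.startswith(ALLOWED_KEY_PREFIXES):
            return self._error(sender, msg.get("id"), "key not allowed")
        if "id" in msg:
            # RPC request: one reply, addressed only to the caller
            handler = self.handlers.get(key)
            if handler is None:
                return self._error(sender, msg["id"], "no such method")
            reply = {"key": key, "id": msg["id"], "data": handler(msg.get("data", {}))}
            sender.send(reply)
            return reply
        # Event advertisement: broadcast to subscribers, never echo to the origin
        event = {"key": key, "data": msg.get("data", {})}
        for transport in self.subscribers[key]:
            if transport is not sender:
                transport.send(event)
        return event

    @staticmethod
    def _error(transport, msg_id, reason):
        reply = {"key": "error", "id": msg_id, "data": {"reason": reason}}
        transport.send(reply)
        return reply


def demo():
    """Constructed exchange: the browser restarts a process via RPC, the process
    manager advertises a log line, and a disallowed key is rejected."""
    router = IpcRouter()
    browser = Transport("websocket")   # frontend side
    procmgr = Transport("zmq")         # process-management side
    router.register_rpc("process.restart", lambda data: {"restarted": data["name"]})
    router.subscribe("process.log", browser)

    rpc = router.dispatch(json.dumps({"key": "process.restart", "id": "1",
                                      "data": {"name": "webapp"}}), browser)
    evt = router.dispatch(json.dumps({"key": "process.log",
                                      "data": {"line": "started"}}), procmgr)
    bad = router.dispatch('{"key": "shell.exec", "id": "2"}', browser)  # constructed, off-allowlist
    return rpc, evt, bad, browser.outbox


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The design point worth taking from this is the asymmetry: RPC replies go back only to the caller, events go to subscribers but never back to their origin, and every frame crossing the ZeroMQ/WebSocket boundary is parsed and checked against an allowlist before anything is forwarded, so a user who has broken the sandboxed web service inside the container still only reaches the daemon through routes the tutorial author chose to expose.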
