SlideShare ist ein Scribd-Unternehmen logo

DevSecCon London 2018: A Journey to Continuous Cloud Compliance

DevSecCon
DevSecCon

PAUL SCHWARZENBERGER Access keys in GitHub, open security group rules, misconfigured Identity and Access Management roles, private SSL certificate keys kept in code repositories and open S3 buckets. Just some of the security issues which led to a journey towards automated compliance solutions for cloud infrastructure and applications. Paul describes a framework for Continuous Cloud Compliance, and demonstrates some of the techniques and tools he has used while working on cloud migration projects and operational cloud applications for both public and private sector organisations.

Technologie
1 von 12
Downloaden Sie, um offline zu lesen
LONDON 18-19 OCT 2018 A journey to continuous cloud compliance PAUL SCHWARZENBERGER
LONDON 18-19 OCT 2018 A journey to continuous cloud compliance • I joined a DevOps team as their first hands-on security specialist • I started by being polite and nice • This is the story of what happened next …
LONDON 18-19 OCT 2018 • Production application in AWS • 30 – 40 DevOps / Cloud Ops • Agile development • 2 week sprints • Most infrastructure coded • Some manual configuration A journey to continuous cloud compliance … my job was to make sure it was secure
LONDON 18-19 OCT 2018 AWS Foundations • 43 controls across 4 domains • IAM • logging • monitoring • networking I downloaded the CIS AWS Benchmark
LONDON 18-19 OCT 2018 and started with a manual review using the console … • Open security groups • Password policies not compliant • Dangerous IAM policies • Public S3 buckets • Access keys not rotated • I fixed some things myself • I asked people nicely to fix things …
LONDON 18-19 OCT 2018 Then I downloaded NCC’s Scout2 … Can you rotate your access key please? Can you reconfigure your security group please?
LONDON 18-19 OCT 2018 and moved from detection to prevention … • I wrote security tests in Python • Integrated to CI / CD pipeline • That helped • But only for those repos integrated with the security tests
LONDON 18-19 OCT 2018 So I put in automated remediation and enforcement … Tech • Cloud Custodian – Capital One • Lambda functions for notifications Example policies • Require MFA token • Access key rotation • Remove open security group rules
LONDON 18-19 OCT 2018 And then started looking for keys and secrets … GitRob • Keys • Secrets • Passwords • Public and private repositories
LONDON 18-19 OCT 2018 Continuous Cloud Compliance Framework Prevention Policy as code CI / CD pipeline tests Detection Infrastructure scans Data Discovery Remediation Serverless functions Runbooks
LONDON 18-19 OCT 2018 Contact details info@celidor.net Paul Schwarzenberger Cloud Security | DevSecOps www.celidor.co.uk @paulschwarzen Paul Schwarzenberger
LONDON 18-19 OCT 2018 Thank you

Empfohlen

DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon
 
DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon
 
Machine Learning at E*Trade
Machine Learning at E*TradeMachine Learning at E*Trade
Machine Learning at E*TradeElasticsearch
 
#MondayMoney - Public sector procurement for digital SMEs
#MondayMoney - Public sector procurement for digital SMEs#MondayMoney - Public sector procurement for digital SMEs
#MondayMoney - Public sector procurement for digital SMEsTechResort
 
Finodex - Resuls 1st and 2nd call
Finodex - Resuls 1st and 2nd callFinodex - Resuls 1st and 2nd call
Finodex - Resuls 1st and 2nd callVeronica Barchetti
 
IoT MQTT Projects For Research Students
IoT MQTT Projects For Research StudentsIoT MQTT Projects For Research Students
IoT MQTT Projects For Research StudentsPhdtopiccom
 
The Case for Disaggregation of Compute in the Data Center
The Case for Disaggregation of Compute in the Data CenterThe Case for Disaggregation of Compute in the Data Center
The Case for Disaggregation of Compute in the Data CenterJuniper Networks
 

Empfohlen

DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon
 
DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon London 2018: Whatever happened to attack aware applications?DevSecCon
 
Machine Learning at E*Trade
Machine Learning at E*TradeMachine Learning at E*Trade
Machine Learning at E*TradeElasticsearch
 
#MondayMoney - Public sector procurement for digital SMEs
#MondayMoney - Public sector procurement for digital SMEs#MondayMoney - Public sector procurement for digital SMEs
#MondayMoney - Public sector procurement for digital SMEsTechResort
 
Finodex - Resuls 1st and 2nd call
Finodex - Resuls 1st and 2nd callFinodex - Resuls 1st and 2nd call
Finodex - Resuls 1st and 2nd callVeronica Barchetti
 
IoT MQTT Projects For Research Students
IoT MQTT Projects For Research StudentsIoT MQTT Projects For Research Students
IoT MQTT Projects For Research StudentsPhdtopiccom
 
The Case for Disaggregation of Compute in the Data Center
The Case for Disaggregation of Compute in the Data CenterThe Case for Disaggregation of Compute in the Data Center
The Case for Disaggregation of Compute in the Data CenterJuniper Networks
 
Products and Services - Bitdharma
Products and Services - BitdharmaProducts and Services - Bitdharma
Products and Services - BitdharmaFritz Wagner
 
Practical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification IndustryPractical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification IndustryIntact GmbH
 
Open source industrial IoT
Open source industrial IoTOpen source industrial IoT
Open source industrial IoTManolis Nikiforakis
 
Archangel: trusted archives of digital public records
Archangel: trusted archives of digital public recordsArchangel: trusted archives of digital public records
Archangel: trusted archives of digital public recordsCILIP
 
RIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement NetworkRIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement NetworkRIPE NCC
 
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSouth Tyrol Free Software Conference
 
ThingStudio_persys17
ThingStudio_persys17ThingStudio_persys17
ThingStudio_persys17alessio tirabasso
 
AI-Driven Fraud Detection
AI-Driven Fraud DetectionAI-Driven Fraud Detection
AI-Driven Fraud DetectionCodit
 
FIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening RemarksFIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening RemarksFIWARE
 
Realtime traffic monitoring
Realtime traffic monitoringRealtime traffic monitoring
Realtime traffic monitoringSofian Hadiwijaya
 
Eclipse kura
Eclipse kuraEclipse kura
Eclipse kuraIsham Mohamed Iqbal
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 
Always-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software UpdatingAlways-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software UpdatingTECO Research Group
 
ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)IoTCrawler
 
SW360 Update Tooling Telco
SW360 Update Tooling TelcoSW360 Update Tooling Telco
SW360 Update Tooling TelcoShane Coughlan
 
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart IndustriesFIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart IndustriesFIWARE
 
Monitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at SkyMonitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at SkyElasticsearch
 
OSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt BowersOSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt Bowersmfrancis
 
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE
 
IoT Key Elements
IoT Key ElementsIoT Key Elements
IoT Key ElementsPeter Hanzlik
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Fernando Montenegro
 

Weitere ähnliche Inhalte

Was ist angesagt?

Products and Services - Bitdharma
Products and Services - BitdharmaProducts and Services - Bitdharma
Products and Services - BitdharmaFritz Wagner
 
Practical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification IndustryPractical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification IndustryIntact GmbH
 
Archangel: trusted archives of digital public records
Archangel: trusted archives of digital public recordsArchangel: trusted archives of digital public records
Archangel: trusted archives of digital public recordsCILIP
 
RIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement NetworkRIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement NetworkRIPE NCC
 
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSouth Tyrol Free Software Conference
 
AI-Driven Fraud Detection
AI-Driven Fraud DetectionAI-Driven Fraud Detection
AI-Driven Fraud DetectionCodit
 
FIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening RemarksFIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening RemarksFIWARE
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 
Always-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software UpdatingAlways-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software UpdatingTECO Research Group
 
ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)IoTCrawler
 
SW360 Update Tooling Telco
SW360 Update Tooling TelcoSW360 Update Tooling Telco
SW360 Update Tooling TelcoShane Coughlan
 
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart IndustriesFIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart IndustriesFIWARE
 
Monitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at SkyMonitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at SkyElasticsearch
 
OSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt BowersOSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt Bowersmfrancis
 
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE
 

Was ist angesagt? (20)

Products and Services - Bitdharma
Products and Services - BitdharmaProducts and Services - Bitdharma
Products and Services - Bitdharma
 
Practical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification IndustryPractical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification Industry
 
Open source industrial IoT
Open source industrial IoTOpen source industrial IoT
Open source industrial IoT
 
Archangel: trusted archives of digital public records
Archangel: trusted archives of digital public recordsArchangel: trusted archives of digital public records
Archangel: trusted archives of digital public records
 
RIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement NetworkRIPE Atlas - A Measurement Network
RIPE Atlas - A Measurement Network
 
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
 
ThingStudio_persys17
ThingStudio_persys17ThingStudio_persys17
ThingStudio_persys17
 
AI-Driven Fraud Detection
AI-Driven Fraud DetectionAI-Driven Fraud Detection
AI-Driven Fraud Detection
 
FIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening RemarksFIWARE Global Summit - Welcome & Opening Remarks
FIWARE Global Summit - Welcome & Opening Remarks
 
Realtime traffic monitoring
Realtime traffic monitoringRealtime traffic monitoring
Realtime traffic monitoring
 
Eclipse kura
Eclipse kuraEclipse kura
Eclipse kura
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
 
Always-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software UpdatingAlways-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software Updating
 
ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)
 
SW360 Update Tooling Telco
SW360 Update Tooling TelcoSW360 Update Tooling Telco
SW360 Update Tooling Telco
 
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart IndustriesFIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
 
Monitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at SkyMonitoring with Elastic Machine Learning at Sky
Monitoring with Elastic Machine Learning at Sky
 
OSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt BowersOSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi -Simplifying the IoT Gateway - Walt Bowers
 
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access Control
 
IoT Key Elements
IoT Key ElementsIoT Key Elements
IoT Key Elements
 

Ähnlich wie DevSecCon London 2018: A Journey to Continuous Cloud Compliance

I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Fernando Montenegro
 
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsToronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsAlexandra N. Martinez
 
Cloud Best Practices
Cloud Best PracticesCloud Best Practices
Cloud Best Practicesenzoriv
 
Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Peter GEELEN ✔
 
Social connections14: Super charge your API’s with Reactive streams
Social connections14: Super charge your API’s with Reactive streamsSocial connections14: Super charge your API’s with Reactive streams
Social connections14: Super charge your API’s with Reactive streamsFrank van der Linden
 
The Gib Five - Modern IT Architecture
The Gib Five - Modern IT ArchitectureThe Gib Five - Modern IT Architecture
The Gib Five - Modern IT ArchitectureAnatole Tresch
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container MonitoringDerek Chen
 
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...Luca Mannella
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
Exploring DarkWeb For Threat Intelligence (SACON May 2018)Exploring DarkWeb For Threat Intelligence (SACON May 2018)
Exploring DarkWeb For Threat Intelligence (SACON May 2018)Priyanka Aash
 
Aws user group #03 - All things Iot
Aws user group #03 - All things IotAws user group #03 - All things Iot
Aws user group #03 - All things IotPolarSeven Pty Ltd
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMichael Ducy
 
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...PROIDEA
 
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
Cassandra Summit 2014: Apache Cassandra at Telefonica CBSCassandra Summit 2014: Apache Cassandra at Telefonica CBS
Cassandra Summit 2014: Apache Cassandra at Telefonica CBSDataStax Academy
 
Security tools
Security toolsSecurity tools
Security toolsAdri Jovin
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityRecruit Technologies
 
API Gateway: Nginx way
API Gateway: Nginx wayAPI Gateway: Nginx way
API Gateway: Nginx wayinovia
 

Ähnlich wie DevSecCon London 2018: A Journey to Continuous Cloud Compliance (20)

I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
 
Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?Evolution of Container Security - What's Next?
Evolution of Container Security - What's Next?
 
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsToronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and Threats
 
Cloud Best Practices
Cloud Best PracticesCloud Best Practices
Cloud Best Practices
 
Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...
 
Social connections14: Super charge your API’s with Reactive streams
Social connections14: Super charge your API’s with Reactive streamsSocial connections14: Super charge your API’s with Reactive streams
Social connections14: Super charge your API’s with Reactive streams
 
The Gib Five - Modern IT Architecture
The Gib Five - Modern IT ArchitectureThe Gib Five - Modern IT Architecture
The Gib Five - Modern IT Architecture
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container Monitoring
 
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
Exploring DarkWeb For Threat Intelligence (SACON May 2018)Exploring DarkWeb For Threat Intelligence (SACON May 2018)
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
 
Aws user group #03 - All things Iot
Aws user group #03 - All things IotAws user group #03 - All things Iot
Aws user group #03 - All things Iot
 
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in Kubernetes
 
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
 
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
Cassandra Summit 2014: Apache Cassandra at Telefonica CBSCassandra Summit 2014: Apache Cassandra at Telefonica CBS
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
 
Security tools
Security toolsSecurity tools
Security tools
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibility
 
API Gateway: Nginx way
API Gateway: Nginx wayAPI Gateway: Nginx way
API Gateway: Nginx way
 

Mehr von DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon
 

Mehr von DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
 

Kürzlich hochgeladen

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Kürzlich hochgeladen (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

DevSecCon London 2018: A Journey to Continuous Cloud Compliance

  • 1. LONDON 18-19 OCT 2018 A journey to continuous cloud compliance PAUL SCHWARZENBERGER
  • 2. LONDON 18-19 OCT 2018 A journey to continuous cloud compliance • I joined a DevOps team as their first hands-on security specialist • I started by being polite and nice • This is the story of what happened next …
  • 3. LONDON 18-19 OCT 2018 • Production application in AWS • 30 – 40 DevOps / Cloud Ops • Agile development • 2 week sprints • Most infrastructure coded • Some manual configuration A journey to continuous cloud compliance … my job was to make sure it was secure
  • 4. LONDON 18-19 OCT 2018 AWS Foundations • 43 controls across 4 domains • IAM • logging • monitoring • networking I downloaded the CIS AWS Benchmark
  • 5. LONDON 18-19 OCT 2018 and started with a manual review using the console … • Open security groups • Password policies not compliant • Dangerous IAM policies • Public S3 buckets • Access keys not rotated • I fixed some things myself • I asked people nicely to fix things …
  • 6. LONDON 18-19 OCT 2018 Then I downloaded NCC’s Scout2 … Can you rotate your access key please? Can you reconfigure your security group please?
  • 7. LONDON 18-19 OCT 2018 and moved from detection to prevention … • I wrote security tests in Python • Integrated to CI / CD pipeline • That helped • But only for those repos integrated with the security tests
  • 8. LONDON 18-19 OCT 2018 So I put in automated remediation and enforcement … Tech • Cloud Custodian – Capital One • Lambda functions for notifications Example policies • Require MFA token • Access key rotation • Remove open security group rules
  • 9. LONDON 18-19 OCT 2018 And then started looking for keys and secrets … GitRob • Keys • Secrets • Passwords • Public and private repositories
  • 10. LONDON 18-19 OCT 2018 Continuous Cloud Compliance Framework Prevention Policy as code CI / CD pipeline tests Detection Infrastructure scans Data Discovery Remediation Serverless functions Runbooks
  • 11. LONDON 18-19 OCT 2018 Contact details info@celidor.net Paul Schwarzenberger Cloud Security | DevSecOps www.celidor.co.uk @paulschwarzen Paul Schwarzenberger
  • 12. LONDON 18-19 OCT 2018 Thank you