Thinking Evil Thoughts
A taste of threat modeling (without introducing more risk)
Gareth Rushgrove, Puppet
@garethr
This Talk
What to expect
- What is threat modeling?
- Getting the scope right
- Identifying risks
- Using conferences to hack people

Introduce some security language to help you navigate the domain.
Dive straight into examples.
Empower you to ask questions more than provide easy answers.
Threat modeling
A brief introduction

THREAT MODELING: a procedure for optimizing network security by identifying objectives and vulnerabilities
- Determine scope
- Identify threat agents and attacks
- Understand existing countermeasures
- Identify vulnerabilities
- Prioritise risks
- Identify countermeasures
https://www.owasp.org/index.php/Category:Threat_Modeling

"Inside each of us, there is the seed of both good and evil. It's a constant struggle as to which one will win."
Eric Burdon

Think evil.
Getting the scope right
Avoiding gaps in your threat model

Ignoring part of your system when considering security is a common mistake.

ATTACK SURFACE: the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.
Example
What is Production?

[Diagram: three successively wider answers to "Production?"]
1. Load balancer, front end, back end, database
2. The same, plus people, desktops, CI server
3. The same, plus hypervisor, management, monitoring

Do you protect your CI stack as well as your production database?
Could I execute a query on your production database if I compromised your CI server?
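One way to make the "what is production?" question concrete is to write the estate down as a graph of assets and the access each one grants, then walk it. The following is an added example, not code from the talk: the asset names, the access edges and the narrow "production" scope are all constructed, and the point is the walk itself, which shows which in-scope systems can be reached from assets the narrow scope left out (the laptop, GitHub, the CI server, the registry, monitoring).

```python
"""Attack-path walk over a small asset model.

Added example, not from the slides. Each edge says that whoever controls the
source asset gains access to the target asset, and how. All assets and edges
below are constructed for illustration; replace them with your own estate.
"""
from collections import deque

# (source asset, target asset, how access is granted) -- constructed model
ACCESS = [
    ("laptop", "github", "developer credentials"),
    ("laptop", "ci_server", "can create jobs"),
    ("github", "ci_server", "webhook builds any pushed commit"),
    ("ci_server", "registry", "image push credentials"),
    ("ci_server", "back_end", "deploy key runs on the host"),
    ("registry", "back_end", "back end pulls latest image"),
    ("back_end", "database", "application connection string"),
    ("load_balancer", "front_end", "forwards requests"),
    ("front_end", "back_end", "internal API calls"),
    ("monitoring", "back_end", "agent runs as root on the host"),
]

# The "first diagram" answer to "what is production?" -- constructed scope
NARROW_SCOPE = {"load_balancer", "front_end", "back_end", "database"}


def build_graph(edges):
    """Adjacency list; every asset appears as a key, even with no outgoing access."""
    graph = {}
    for src, dst, _ in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def reachable_from(start, edges):
    """Breadth-first walk: every asset reachable from start, with the path that got there."""
    graph = build_graph(edges)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def can_reach(start, target, edges):
    """The slide's question: compromise `start`, can you get to `target`?"""
    return target in reachable_from(start, edges)


def unmodelled_entry_points(scope, edges):
    """Assets outside the declared scope from which an in-scope asset is reachable.

    Each entry is attack surface the narrow threat model silently ignored.
    """
    result = {}
    for asset in build_graph(edges):
        if asset in scope:
            continue
        hits = sorted(set(reachable_from(asset, edges)) & scope)
        if hits:
            result[asset] = hits
    return result


if __name__ == "__main__":
    for asset, path in sorted(reachable_from("ci_server", ACCESS).items()):
        print(f"ci_server -> {asset}: {' -> '.join(path)}")
    for asset, hits in sorted(unmodelled_entry_points(NARROW_SCOPE, ACCESS).items()):
        print(f"out of scope but reaches {hits}: {asset}")
```

Running it answers the CI question directly (the database is three hops from the CI server via the deploy key) and lists five assets outside the narrow scope that reach it; each of those is a place the threat model needs to grow.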
Example
Third party services

TRUSTED THIRD PARTY: an entity which facilitates interactions between two parties who both trust the third party

TRUST BOUNDARY: a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data).

Why Serverless is a bad name
There are still servers somewhere. How you think about the servers changes, and the respective risks and mitigations change. But servers still exist.

Why NoOps is a bad name
How you think about operations changes, and the respective risks and mitigations change. But operations still exist.

Your attack surface is bigger than you think
Identifying risks
The need to understand your system

Differences in how you perceive a system and how it actually works can be used to exploit it.

Example
Immutable infrastructure

"Our systems are immutable, we don't need runtime file integrity checking"
A possibly naive developer

IMMUTABLE: unchanging over time or unable to be changed. synonyms: unchangeable, fixed
Containers are not immutable by default

$ docker run -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

$ docker exec a7a01beb14de touch /tmp/surprise

$ docker diff a7a01beb14de
C /tmp
A /tmp/surprise

$ docker run --read-only -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

$ docker exec 379150b2cf05 touch /tmp/surprise
touch: cannot touch '/tmp/surprise': Read-only file system

Do your immutable EC2 instances have read-only filesystems?

Most Immutable Infrastructure isn't

Without technical controls you only have social guarantees of immutability.
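The docker session above shows the technical control (`--read-only`) and the evidence that it is missing (`docker diff`). The following is an added example, not from the talk or from Docker, that turns both into a check a defender can run over what the CLI already gives you: it reads the JSON of `docker inspect` to flag containers whose root filesystem or mounts are writable, and parses `docker diff` output to flag changes outside the paths the image is expected to write. The JSON and diff samples embedded below are constructed; the field names used (`HostConfig.ReadonlyRootfs`, `Name`, `Id`, `Mounts`) are real `docker inspect` fields.

```python
"""Audit immutability as a technical control, not a social guarantee.

Added example, not from the slides. Feed audit_readonly() the output of
`docker inspect <id>...` and unexpected_changes() the output of
`docker diff <id>`; the samples below are constructed stand-ins.
"""
import json

# Constructed sample of `docker inspect` for two containers: one started
# without --read-only, one with it. Ids and names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a7a01beb14de0000", "Name": "/app-1",
     "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": {}},
     "Mounts": [{"Type": "volume", "Destination": "/data", "RW": True}]},
    {"Id": "379150b2cf050000", "Name": "/app-2",
     "HostConfig": {"ReadonlyRootfs": True, "Tmpfs": {"/tmp": "rw,noexec"}},
     "Mounts": [{"Type": "volume", "Destination": "/data", "RW": False}]},
])

# Constructed sample of `docker diff`: A = added, C = changed, D = deleted.
SAMPLE_DIFF = """C /tmp
A /tmp/surprise
C /var
C /var/log
A /var/log/app.log
"""


def audit_readonly(inspect_json):
    """Findings for containers whose writable surface is larger than intended."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        if not c["HostConfig"].get("ReadonlyRootfs", False):
            findings.append((name, "root filesystem writable (no --read-only)"))
        for m in c.get("Mounts", []):
            if m.get("RW", True):
                findings.append((name, f"writable mount at {m['Destination']}"))
    return findings


def parse_diff(diff_text):
    """Parse docker diff lines into (kind, path); blank or malformed lines are skipped."""
    entries = []
    for line in diff_text.splitlines():
        parts = line.split(" ", 1)
        if len(parts) == 2 and parts[0] in ("A", "C", "D"):
            entries.append((parts[0], parts[1]))
    return entries


def unexpected_changes(diff_text, allowed_prefixes=("/var/log",)):
    """Changes outside the paths the image is expected to write to.

    A 'C' on a parent directory of an allowed path is the side effect of an
    allowed write, so it is dropped; everything else is drift worth a look.
    """
    out = []
    for kind, path in parse_diff(diff_text):
        if any(path == p or path.startswith(p + "/") for p in allowed_prefixes):
            continue
        if kind == "C" and any(p.startswith(path + "/") for p in allowed_prefixes):
            continue
        out.append((kind, path))
    return out


if __name__ == "__main__":
    for name, problem in audit_readonly(SAMPLE_INSPECT):
        print(f"{name}: {problem}")
    for kind, path in unexpected_changes(SAMPLE_DIFF):
        print(f"drift: {kind} {path}")
```

On the constructed input the audit reports only `app-1` (writable root and a writable `/data` volume) and the diff parser reduces five lines to the two that matter, `/tmp` and `/tmp/surprise`; the log directory the image legitimately writes to is filtered out.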
Hacking conferences
Looking for vulnerabilities

Let's assume your applications and infrastructure are super secure*
* This probably isn't true. You should worry about that as well.

- Penetration testing
- Intrusion detection system
- Web application firewall
- Network firewalls
- Malware scanning
- Configuration management

How secure is your laptop?
- Hand maintained configuration
- Updated whenever
- No central monitoring
- Administrative access
- Single factor authentication

Can you push new Docker images from your laptop?
Can you create jobs on your Jenkins instance from your laptop?
Can you launch new replication controllers from your laptop?
Can you release new functions to Lambda from your laptop?
Real world threat
As a hacker how do I own your laptop?
The fun stuff

Where can I find hundreds of developer laptops…
Developer Conferences are a Target Rich Environment

[Diagram: wifi networks visible from the conference venue]
More Internet, Some Internet, Marks iPhone, FREE CONFERENCE WIFI, Hacked Android, CONFERENCE VENUE, Private, Software Circus, Company next door, Coffee shop downstairs, Software Circus II, Docker Corp, Avengers Tower, FON, My Blackberry, Nokia4ever, ABANK

This is the official conference wifi right?
Or is it this one?
Whatever, both work

Devices exist to man-in-the-middle wireless networks.
Who has ever picked up a USB memory stick at a conference?

USB devices exist which will run a script on connect (normally by impersonating a keyboard).
DELAY 1000
COMMAND SPACE
DELAY 500
STRING Terminal
DELAY 500
ENTER
DELAY 800
STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
ENTER
DELAY 1000
STRING killall Terminal
ENTER
Add my public key
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
Local databases

Lots of people here are on Twitter and using the conference hashtag.
Lots of people here are on GitHub with the same username.

$ curl -s https://api.github.com/users/<username>/events/public \
    | jq '.[].payload.commits[0].author.email' \
    | sort \
    | uniq \
    | grep -v "null"
Email from GitHub user

SPEAR PHISHING: an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data.

Hi <your name>
Great to see you at <conference name here> last week.
I thought you'd be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think.
Hopefully see you at DockerCon next year too.
So you're saying we're all doomed?
This is quite depressing now I think about it

Part of threat modeling is coming up with suitable mitigations to the risks identified.
- 2 factor authentication
- Time-limited credentials
- Separation of duties
- Two person rule
- Configuration management

SEPARATION OF DUTIES: having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.

TWO-PERSON RULE: a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions require the presence of two authorized people at all times.
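The first four mitigations in the list, and the two definitions, are the kind of thing that only helps the laptop-to-production problem if a machine enforces them at the point where a release happens. The following is an added example, not from the talk or any real deployment tool, of a release gate that checks them together: every identity involved must have a verified second factor and an unexpired, time-limited credential; the author of a change may not approve it (separation of duties); and two distinct, valid approvers are required (two-person rule). The people, roles, change id and fixed clock are all constructed.

```python
"""A release gate that enforces the listed mitigations as code.

Added example, not from the slides or any real product. A request to
release a change is refused with a list of reasons; an empty list means
the change may proceed. All identities and the clock are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock


@dataclass
class Identity:
    name: str
    mfa_verified: bool            # second factor checked at sign-in
    credential_expires: datetime  # credentials are issued for a bounded window
    roles: set = field(default_factory=set)


@dataclass
class ReleaseRequest:
    change_id: str
    author: Identity
    approvers: list
    submitted_at: datetime


def identity_problems(ident, now):
    """Problems with one person's session: missing second factor, expired credential."""
    problems = []
    if not ident.mfa_verified:
        problems.append(f"{ident.name}: second factor not verified")
    if ident.credential_expires <= now:
        problems.append(f"{ident.name}: credential expired")
    return problems


def evaluate(request, now):
    """Reasons the release is refused; an empty list means it may proceed."""
    reasons = []
    for ident in [request.author] + list(request.approvers):
        reasons.extend(identity_problems(ident, now))
    # Separation of duties: whoever wrote the change does not sign it off.
    if any(a.name == request.author.name for a in request.approvers):
        reasons.append(f"{request.author.name}: author cannot approve own change")
    # Two-person rule: two distinct people, each holding the role and each
    # with a valid session. The same person twice counts once.
    valid = {a.name for a in request.approvers
             if "release-approver" in a.roles
             and a.name != request.author.name
             and not identity_problems(a, now)}
    if len(valid) < 2:
        reasons.append(f"two-person rule: {len(valid)} valid approver(s), need 2")
    return reasons


def sample_people():
    """Constructed identities: alice writes code, bob and carol approve, dave is stale."""
    fresh = NOW + timedelta(hours=8)
    return {
        "alice": Identity("alice", True, fresh, {"developer"}),
        "bob": Identity("bob", True, fresh, {"release-approver"}),
        "carol": Identity("carol", True, fresh, {"release-approver"}),
        "dave": Identity("dave", False, NOW - timedelta(minutes=5), {"release-approver"}),
    }


def scenario(approver_names):
    """A release of constructed change CHG-0042 by alice with the named approvers."""
    p = sample_people()
    return ReleaseRequest("CHG-0042", p["alice"], [p[n] for n in approver_names], NOW)


if __name__ == "__main__":
    for names in (["bob", "carol"], ["bob"], ["bob", "bob"], ["alice", "bob"], ["bob", "dave"]):
        print(names, "->", evaluate(scenario(names), NOW) or "approved")
```

The scenarios in the `__main__` block are the edge cases that matter: one approver, the same approver listed twice, the author approving their own change, and an approver whose credential has expired and who never presented a second factor. Only the first scenario, two distinct valid approvers, passes.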
OPERATIONAL SECURITY (OPSEC): a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them.
Once you understand the threat you can seek out specific guidance
- Protect data in transit
- Protect data at rest
- Authentication
- Secure boot
- Platform integrity and sandboxing
- Application whitelisting
- Malicious code detection
- Security policy enforcement
- External interface protection
- Device update policy
- Event collection and analysis
- Incident response
https://www.cesg.gov.uk/guidance/end-user-devices-security-principles

Education. Education. Education.
Conclusions
If all you remember is…

With Cloud Native approaches developers are nearer to production than ever before.
The efficiency of modern tooling introduces new threats, and magnifies existing ones.
Existing mitigations and security controls won't be enough. You need to collaborate with security colleagues on new approaches.
Threat modeling should be part of your development process.

Elevation of privilege

Thanks
And any questions?
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Thinking Evil Thoughts

  • 1. (without introducing more risk) Thinking Evil Thoughts Puppet Gareth Rushgrove A taste of threat modeling
  • 2. (without introducing more risk) @garethr
  • 3. (without introducing more risk) Gareth Rushgrove
  • 4. (without introducing more risk) This Talk What to expect
  • 5. - What is threat modeling? - Getting the scope right - Identifying risks - Using conferences to hack people Gareth Rushgrove
  • 6. Introduce some security language to help you navigate the domain Gareth Rushgrove
  • 7. Dive straight into examples Gareth Rushgrove
  • 8. Empower you to ask questions more than provide easy answers Gareth Rushgrove
  • 9. (without introducing more risk) Threat modeling A brief introduction
  • 10. Gareth Rushgrove a procedure for optimizing network security by identifying objectives and vulnerabilities THREAT MODELING
  • 11. - Determine scope - Identify threat agents and attacks - Understand existing countermeasures - Identify vulnerabilities - Prioritise risks - Identify countermeasures Gareth Rushgrove https://www.owasp.org/index.php/Category:Threat_Modeling
  • 12. Inside each of us, there is the seed of both good and evil. It's a constant struggle as to which one will win. Gareth Rushgrove “ ”Eric Burdon
  • 13. (without introducing more risk) Think evil.
  • 14. (without introducing more risk) Getting the scope right Avoiding gaps in your threat model
  • 15. Ignoring part of your system when considering security is a common mistake Gareth Rushgrove
  • 16. Gareth Rushgrove the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. ATTACK SURFACE
  • 17. (without introducing more risk) Example What is Production? Gareth Rushgrove
  • 18. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION?
  • 19. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER
  • 20. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER HYPERVISOR MANAGEMENT MONITORING
  • 21. Do you protect your CI stack as well as your production database? Gareth Rushgrove
  • 22. Could I execute a query on your production database if I compromised your CI server? Gareth Rushgrove
  • 24. Gareth Rushgrove an entity which facilitates interactions between two parties who both trust the third party TRUSTED THIRD PARTY
  • 25. Gareth Rushgrove a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data). TRUST BOUNDARY
  • 27. Why Serverless is a bad name Gareth Rushgrove
  • 28. (without introducing more risk) There are still servers somewhere Gareth Rushgrove
  • 29. How you think about the servers changes, and the respective risks and mitigations change. But servers still exist. Gareth Rushgrove
  • 30. Why NoOps is a bad name Gareth Rushgrove
  • 31.
  • 32.
  • 33. How you think about operations changes, and the respective risks and mitigations change. But operations still exist. Gareth Rushgrove
  • 34. Your attack surface is bigger than you think Gareth Rushgrove
  • 35. (without introducing more risk) Identifying risks The need to understand your system
  • 36. Differences in how you perceive a system and how it actually works can be used to exploit it Gareth Rushgrove
  • 38. Our systems are immutable, we don’t need runtime file integrity checking Gareth Rushgrove “ ”A possibly naive developer
  • 39. Gareth Rushgrove unchanging over time or unable to be changed. synonyms: unchangeable, fixed IMMUTABLE
  • 40. (without introducing more risk) Containers are not immutable by default Gareth Rushgrove
  • 41. (without introducing more risk) Containers are not immutable by default Gareth Rushgrove
  • 42. (without introducing more risk) Gareth Rushgrove $ docker run -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
  • 43. (without introducing more risk) Gareth Rushgrove $ docker exec a7a01beb14de touch /tmp/surprise
  • 44. (without introducing more risk) Gareth Rushgrove $ docker diff a7a01beb14de
    C /tmp
    A /tmp/surprise
  • 45. (without introducing more risk) Gareth Rushgrove $ docker run --read-only -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
  • 46. (without introducing more risk) Gareth Rushgrove $ docker exec 379150b2cf05 touch /tmp/surprise
    touch: cannot touch '/tmp/surprise': Read-only file system
  • 47. (without introducing more risk) Do your immutable EC2 instances have read-only filesystems? Gareth Rushgrove
  • 48. (without introducing more risk) Most Immutable Infrastructure isn’t Gareth Rushgrove
  • 49. (without introducing more risk) Without technical controls you only have social guarantees of immutability Gareth Rushgrove
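The slides above make the point with `docker diff`: if nothing enforces immutability, you need a way to see what actually changed. The following is an added example, not code from the talk, showing the runtime file integrity check that the "our systems are immutable" argument skips. It snapshots a directory tree into a manifest of SHA-256 hashes and later reports what was Added, Changed or Deleted using the same A/C/D letters as `docker diff`. The directory layout and the tampering in `demo()` are constructed for illustration.

```python
"""Runtime file-integrity check in the spirit of `docker diff`.

Added example, not code from the talk: snapshot a directory tree into a
manifest of SHA-256 hashes, then report what was Added (A), Changed (C) or
Deleted (D). The tree and the tampering in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    root_path = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # symlinks, sockets, devices: not content-hashed here
            rel = full.relative_to(root_path).as_posix()
            manifest[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (change, path) pairs using docker diff's A/C/D letters, sorted by path."""
    changes: list[tuple[str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append(("A", path))
        elif path not in current:
            changes.append(("D", path))
        elif baseline[path] != current[path]:
            changes.append(("C", path))
    return changes


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "app"
        app.mkdir()
        (app / "server.py").write_text("print('hello world')\n")
        (Path(root) / "config.ini").write_text("[db]\nhost=db\n")

        baseline = build_manifest(root)

        # The same kind of change as `docker exec ... touch /tmp/surprise`,
        # plus a modified file and a deleted one.
        (Path(root) / "surprise").write_text("")
        (app / "server.py").write_text("import os\nos.system('id')\nprint('hello world')\n")
        (Path(root) / "config.ini").unlink()

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for change, path in demo():
        print(change, path)
```

For the constructed scenario this reports `C app/server.py`, `D config.ini` and `A surprise`. In practice the baseline manifest should live off the host (ideally signed) and the comparison should run from your monitoring, not from the box being checked; and it pairs naturally with `docker run --read-only --tmpfs /tmp`, which makes the paths you expect to be writable explicit rather than social.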
  • 50. (without introducing more risk) Hacking conferences Looking for vulnerabilities
  • 51. Let’s assume your applications and infrastructure are super secure* Gareth Rushgrove * This probably isn’t true. You should worry about that as well.
  • 52. - Penetration testing - Intrusion detection system - Web application firewall - Network firewalls - Malware scanning - Configuration management Gareth Rushgrove
  • 53. Gareth Rushgrove How secure is your laptop?
  • 54. - Hand maintained configuration - Updated whenever - No central monitoring - Administrative access - Single factor authentication Gareth Rushgrove
  • 55. Can you push new Docker images from your laptop? Gareth Rushgrove
  • 56. Can you create jobs on your Jenkins instance from your laptop? Gareth Rushgrove
  • 57. Can you launch new replication controllers from your laptop? Gareth Rushgrove
  • 58. Can you release new functions to Lambda from your laptop? Gareth Rushgrove
  • 60. (without introducing more risk) As a hacker how do I own your laptop? The fun stuff
  • 61. Where can I find hundreds of developer laptops… Gareth Rushgrove
  • 62. Developer Conferences are a Target Rich Environment Gareth Rushgrove
  • 63. Gareth Rushgrove [Diagram: wireless networks visible from the conference venue. SSIDs shown include FREE CONFERENCE WIFI, Software Circus, Software Circus II, Private Software Circus, Docker Corp, Company next door, Coffee shop downstairs, Avengers Tower, FON, ABANK, Marks iPhone, My Blackberry, Nokia4ever and Hacked Android, some routed via "Some Internet" and others via "More Internet".]
  • 64. Gareth Rushgrove [Same diagram] This is the official conference wifi right?
  • 65. Gareth Rushgrove [Same diagram] Or is it this one? Whatever, both work
  • 66. Devices exist to man-in-the-middle wireless networks Gareth Rushgrove
  • 67. Who has ever picked up a USB memory stick at a conference? Gareth Rushgrove
  • 69. USB devices exist which will run a script on connect (normally by impersonating a keyboard) Gareth Rushgrove
  • 70. (without introducing more risk) Add my public key
    DELAY 1000
    COMMAND SPACE
    DELAY 500
    STRING Terminal
    DELAY 500
    ENTER
    DELAY 800
    STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
    ENTER
    DELAY 1000
    STRING killall Terminal
    ENTER
    https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
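The payload above persists by appending the attacker's public key to `~/.ssh/authorized_keys`. A cheap technical control is to compare the keys that are actually present with the ones you meant to deploy. The following is an added example, not code from the talk or from the Rubber Ducky project: it parses an `authorized_keys` file (including lines with a leading options field such as `from="..."`), computes OpenSSH-style SHA256 fingerprints, and reports any key not on an approved list. The keys and file contents are constructed; the approved set would in practice come from configuration management rather than a literal in the script.

```python
"""Audit an authorized_keys file against an allow-list of key fingerprints.

Added example, not from the talk. Fingerprints use OpenSSH's SHA256 format
(base64 of the SHA-256 of the wire-format key blob, padding stripped). The
sample keys and file below are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def fake_ed25519_blob(seed: int) -> str:
    """Build a structurally valid (but not real) ssh-ed25519 public key blob."""
    key_type = b"ssh-ed25519"
    pubkey = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32 bytes, like a real key
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(pubkey)) + pubkey
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[tuple[str, str, str]]:
    """Return (key_type, base64_blob, comment) per key line.

    Skips blank lines and comments. An optional options field (for example
    `from="10.0.0.0/8",no-pty`) precedes the key type, so the key type is
    taken as the first whitespace-separated field that is a known type name.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                keys.append((field, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return keys


def audit(authorized_keys_text: str, approved_fingerprints: set[str]) -> list[dict]:
    """Return one record per key that is NOT on the approved list."""
    findings = []
    for key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp not in approved_fingerprints:
            findings.append({"type": key_type, "fingerprint": fp, "comment": comment})
    return findings


# Constructed sample: two keys we deployed, plus one appended by the payload
# (the Ducky script echoes a bare key line with no comment).
APPROVED_BLOB_1 = fake_ed25519_blob(1)
APPROVED_BLOB_2 = fake_ed25519_blob(2)
ROGUE_BLOB = fake_ed25519_blob(3)

SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
ssh-ed25519 {APPROVED_BLOB_1} alice@laptop
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {APPROVED_BLOB_2} deploy@ci

ssh-ed25519 {ROGUE_BLOB}
"""

APPROVED = {fingerprint(APPROVED_BLOB_1), fingerprint(APPROVED_BLOB_2)}


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print("UNEXPECTED KEY", finding["type"], finding["fingerprint"], repr(finding["comment"]))
```

Run from a central place against every developer machine and CI host, this is a small piece of the "event collection and analysis" control: a key that appears in `authorized_keys` without going through configuration management is a finding, whether it arrived by USB keyboard, phishing, or a well-meaning colleague.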
  • 72. Lots of people here are on Twitter and using the conference hashtag Gareth Rushgrove
  • 73. Lots of people here are on GitHub with the same username Gareth Rushgrove
  • 74. (without introducing more risk) $ curl -s https://api.github.com/users/<username>/events/public | jq '.[].payload.commits[0].author.email' | sort | uniq | grep -v "null" Email from GitHub user
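The one-liner above is all the reconnaissance needed to turn a GitHub username into the address for the spear-phishing e-mail that follows. The following is an added example, not code from the talk: a Python equivalent of the `curl ... | jq` pipeline, run here against a constructed sample of the `/users/<username>/events/public` response so it works offline. It walks every commit in every PushEvent rather than only `commits[0]`, skips events that carry no commits, and by default drops GitHub's `@users.noreply.github.com` addresses, which is what the user sees in their own history after turning on e-mail privacy. The event shape is GitHub's; the usernames, repositories and addresses are made up.

```python
"""Harvest committer e-mail addresses from a GitHub user's public event stream.

Added example, not code from the talk. The PushEvent payload shape
(`payload.commits[].author.email`) is GitHub's; the sample data is constructed.
"""
from __future__ import annotations

import json

# Constructed stand-in for the JSON the API returns. Only PushEvents carry
# commits; a WatchEvent is included to show that events without commits must
# be skipped rather than crash the harvester.
SAMPLE_EVENTS_JSON = json.dumps([
    {
        "type": "PushEvent",
        "repo": {"name": "example-user/widgets"},
        "payload": {
            "commits": [
                {"sha": "a1", "author": {"name": "Example User", "email": "dev@example.com"}},
                {"sha": "a2", "author": {"name": "Example User", "email": "dev@corp.example"}},
            ]
        },
    },
    {"type": "WatchEvent", "repo": {"name": "someone/else"}, "payload": {"action": "started"}},
    {
        "type": "PushEvent",
        "repo": {"name": "example-user/widgets"},
        "payload": {
            "commits": [
                {"sha": "a3", "author": {"name": "Example User", "email": "dev@example.com"}},
                {"sha": "a4", "author": {"name": "Example User",
                                         "email": "12345+example-user@users.noreply.github.com"}},
            ]
        },
    },
])


def harvest_emails(events_json: str, include_noreply: bool = False) -> dict[str, int]:
    """Return {email: commit_count} across all commits in all PushEvents.

    GitHub noreply addresses are dropped by default: they are useless to a
    phisher and show the user has enabled e-mail privacy.
    """
    counts: dict[str, int] = {}
    for event in json.loads(events_json):
        if event.get("type") != "PushEvent":
            continue
        for commit in event.get("payload", {}).get("commits") or []:
            email = (commit.get("author") or {}).get("email")
            if not email:
                continue
            if not include_noreply and email.endswith("@users.noreply.github.com"):
                continue
            counts[email] = counts.get(email, 0) + 1
    return counts


def fetch_public_events(username: str) -> str:
    """Live equivalent of the slide's curl call (needs network; not used offline)."""
    from urllib.request import Request, urlopen

    req = Request(
        f"https://api.github.com/users/{username}/events/public",
        headers={"Accept": "application/vnd.github+json", "User-Agent": "threat-model-demo"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for email, n in sorted(harvest_emails(SAMPLE_EVENTS_JSON).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {email}")
```

For the constructed sample this yields `dev@example.com` (2 commits) and `dev@corp.example` (1); the corporate address is the one an attacker wants, since it tells them both where you work and which mailbox to target. The mitigation side is equally mechanical: enable e-mail privacy on GitHub and commit with the noreply address, and this harvester finds nothing.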
  • 75. an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. Gareth Rushgrove SPEAR PHISHING
  • 76. Hi <your name> Great to see you at <conference name here> last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.
  • 77. (without introducing more risk) So you’re saying we’re all doomed? This is quite depressing now I think about it
  • 78. Part of threat modeling is coming up with suitable mitigations to the risks identified Gareth Rushgrove
  • 79. - 2 factor authentication - Time-limited credentials - Separation of duties - Two person rule - Configuration management Gareth Rushgrove
  • 80. having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Gareth Rushgrove SEPARATION OF DUTIES
  • 81. a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times. Gareth Rushgrove TWO-PERSON RULE
  • 82. Gareth Rushgrove a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them. OPERATIONAL SECURITY (OPSEC)
  • 83. Once you understand the threat you can seek out specific guidance Gareth Rushgrove
  • 84.
  • 85. - Protect data in transit - Protect data at rest - Authentication - Secure boot - Platform integrity and sandboxing - Application whitelisting - Malicious code detection - Security policy enforcement - External interface protection - Device update policy - Event collection and analysis - Incident response Gareth Rushgrove https://www.cesg.gov.uk/guidance/end-user-devices-security-principles
  • 88. (without introducing more risk) Conclusions If all you remember is…
  • 89. With Cloud Native approaches developers are nearer to production than ever before Gareth Rushgrove
  • 90. The efficiency of modern tooling introduces new threats, and magnifies existing ones Gareth Rushgrove
  • 91. Existing mitigations and security controls won’t be enough. You need to collaborate with security colleagues on new approaches Gareth Rushgrove
  • 92. Threat modeling should be part of your development process Gareth Rushgrove
  • 96. (without introducing more risk) Thanks And any questions?