Security, Automation, and Containing Sick Software

All Day DevOps is just around the corner and I couldn’t be more excited to discuss what I’ve been up to lately.

Although I've taken a bit of a speaking hiatus over the summer, I haven't been idle by any means. During the work day I've been busy Terraforming Kubernetes in AWS using kops and Helm, and onboarding many disparate development teams worldwide onto a centralized security platform I envisioned in the cloud. After business hours I've spent a lot of my spare time designing secure AWS architectures, penetration testing, escalating privileges, and having quite a bit of fun executing social engineering campaigns. Too much fun, actually.

One may ask: what do penetration testing, social engineering, and DevOps have in common?

Well… Security…hear me out…

There is a plethora of tools available for penetration testers and ethical hackers to use as they evaluate application security, but unfortunately most of them are extremely old, are built on an idea that has more or less died, or are so damn complicated that installation and configuration are a nightmare. As a Security Architect and former Enterprise Architect with a major love crush on containerization, I saw an opportunity. Containerize all the things. You see, I've used these tools quite often and have experienced the nightmares of such antiquated software first hand.

Take this as an example: one of the tools I use regularly to create penetration test reports depends on Ruby 2.1.5. As everyone should know, there is a plethora of vulnerabilities targeting that platform, but more importantly it is no longer supported. To any organization, using such a tool introduces unnecessary risk into the business, and as a security professional, relying on it puts my customers and employer at risk as well.

Regardless of the fact that I'm not a big fan of Ruby (that's a separate conversation for another day), what I decided to do was containerize the beast. I won't get into the headache and lost hours of life doing it here, but I promise I will publish another article on it when I release the code on GitHub. What I do want to point out is how I mitigated the security risks with compensating controls, and that is what I plan on digging into during my talk at All Day DevOps this year.
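To make the idea of compensating controls concrete, here is an added example of the kind of container build I have in mind. It is not the author's Dockerfile or the code being released on GitHub; it wraps a hypothetical Ruby 2.1.5 reporting tool I am calling `reportgen`, and it assumes the tool lives in `./reportgen`, is started with `bin/reportgen`, writes its output to `/reports`, and that the `ruby:2.1.5` base image and a Bundler 1.x release are available. The point is that the end-of-life runtime stays isolated inside an image that runs as an unprivileged user on a read-only filesystem, rather than being installed on the analyst's workstation.

```dockerfile
# Added example, not the author's code: a hypothetical Ruby 2.1.5 pentest
# reporting tool ("reportgen") wrapped in a container whose compensating
# controls limit what an exploit of the unsupported runtime can reach.
# Assumptions: the tool is in ./reportgen with a Gemfile and Gemfile.lock,
# starts via bin/reportgen, and writes reports to /reports.

# Pin the exact runtime the tool needs. The EOL interpreter is isolated
# in this image instead of living on the host.
FROM ruby:2.1.5

# Install gems first so a rebuild after a tool change is cheap, and use the
# lockfile so the gem set is reproducible. Bundler 1.x is assumed to be the
# last line that still runs on Ruby 2.1.
WORKDIR /app
COPY reportgen/Gemfile reportgen/Gemfile.lock ./
RUN gem install bundler -v '~> 1.17' \
    && bundle install --deployment --without development test

COPY reportgen/ ./

# Compensating control 1: the tool never runs as root inside the container.
# A dedicated system user with no login shell owns only what it needs.
RUN groupadd -r report \
    && useradd -r -g report -d /app -s /usr/sbin/nologin report \
    && mkdir -p /reports \
    && chown -R report:report /app /reports

USER report

# Compensating control 2: the only intended writable location is the report
# volume. Pair this with --read-only at run time so the image filesystem,
# including the Ruby install itself, is immutable while the tool runs.
VOLUME ["/reports"]

ENTRYPOINT ["bundle", "exec", "bin/reportgen"]
CMD ["--output", "/reports"]
```

The remaining controls are applied when the container is started rather than in the image, for example `docker run --rm --read-only --tmpfs /tmp --cap-drop ALL --security-opt no-new-privileges --network none -v "$PWD/reports:/reports" reportgen`. Dropping all capabilities and disabling `setuid` escalation limits what a compromised process can do, `--network none` removes any path out of the container for a tool that only needs local input, and `--read-only` with a `tmpfs` for scratch space means the only thing an attacker can persist is a report file. None of this makes Ruby 2.1.5 safe; it makes the blast radius of a vulnerability in it small enough to accept while the tool is being migrated.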

If you've been at or seen my other talks, you know I've talked about the utopia of a security-influenced DevOps culture, as well as key places in the SDLC where an organization can integrate security tools and extract valuable KPIs. During this talk I'm going to dig a bit deeper and introduce a number of additional concepts that help secure applications while they are running in production.

Registration for the conference is free, so I hope you all can attend and hear my discussion about automated container cycling and how it can be used to frustrate hackers, binary scrambling and killing the zero day, and pulling KPIs out of other toolsets into your SDLC.

I hope this helps to take security to a new level in DevSecOps and in your business.

Register now at https://www.alldaydevops.com
