Scaling Security - Confidence 2014 - security@prezi

The prezi security team (Attila Zseller, Robert Kiss, Mihaly Zagon) sharing experience about scaling security in an ever-changing agile environment.
by

Mihaly Zagon

on 23 February 2015


Transcript of Scaling Security - Confidence 2014 - security@prezi

something
We

devops
building blocks
full-stack engineers
We don't block...
blocking doesn't scale!
automation
integration
evangelisation
...except in case of PRIO1
Information Sharing
There's a
responsible leader
in the team, who
has to be informed
about everything.
It is a
signal
to all of our developers
to drop whatever else
they’re working on.
Monitoring
Real-time monitoring
RECAP: OUR GOAL
influence developers
they influence the code
Prezi becomes more secure
we need reliable feedback
Internal Feedback
developer's feedback
anything more practical?
what is the next most important task?
do we have the proper
monitoring system?
most probable attack vectors?
Real-world Feedback
do we have both offensive & defensive mindset?
http://www.agarri.fr/docs/Easy_hacks_for_complex_apps-INS14.pdf
Accept the fact that we suck
Encourage people to remind us about this
Learn from the mistakes
Suck less
The Bug Bounty
World Domination Plan
the hard part
part of the "full stack"
automated alerts
helps to visually spot issues
data in real-time
auditd
CSP
app level logs
suricata
xss hooks
clear signals & alerts
Do it well, and it scales!
5-10 hrs/week
950+ unique submissions
not calculable workload
avg. 28 mail/week
60+ paid issues
1 HN front page for a day
-19dB SNR
Postmortems
checking logs 0/24
vs
Keep Focus
auditd is powerful
when code breaks
prezi
enumeration
jenkins
became
public
Postmortems
when infra breaks
goal: have security in developers' minds
security model
comments & mails
solutions
prevention
Presentation.objects.get_by_id_or_oid
zuibackend.cache.get_prezi
cloudtrail
EDDA
reddalert
full stack from raw logs to visualization and alerting
monitoring
Effective & Independent
every team is a "mini-startup"
object enumeration
refresh list of repositories
clone / pull
check every diff
alert on interesting ones
manual review
arbitrary code execution
directory traversal
open redirect
object enumeration
security monkey
detecting risky changes
Reddalert
non-blocking
easy to extend
can use any other datasource
We are agile
code
commit
test
deploy
run
(exploit)
"shit happens, the only question is when"
400+ repositories
400+ / day
600+ Jenkins jobs
100+ deploys / week
400+ AWS instances
awful lot of languages
Scaling Security
security@ .com
check_id: chef_new_vhost
path: /cookbooks/sentry/recipes/ec2.rb
commit: https://github.com/prezi/prezi-chef/commit/3fc9e30...
matching line: +apache_vhost "sentry.prezi.com" do
repo name: prezi-chef
Hungarian rock band
https://github.com/Netflix/edda
logs
metrics
dashboards
...
Security issues are just another type of bugs!
huge amount of events
valid alerts
Robi
Misi
Attila
EC2
VPC
ELB
security
groups
sit back and relax
we have a security team
share ideas
share knowledge
no dummy examples
tech breakfast
brownbag talks
security 101 during bootcamp
today: 80+ engineers
postmortems
Using Elasticsearch and Kibana
Code review
Risky changes in our codebase
Repoguard
monitoring git commits
~20 alert / day
70+ rules
Validating Alerts
Alert != Issue
authorization bypass
Infra-level Changes
We

Netflix and EDDA
EDDA
AWS
sounds like CloudTrail...?
our security monkey
https://github.com/prezi/reddalert
built around EDDA
AMI
(new AMIs)
ELBS
(suspicious open ports)
SECGROUPS
(suspicious open ports)
IAM
(new IAM accounts)
INSTANCETAGS
(new/missing tags)
S3ACL
(publicly readable files)
Plugin:
secgroups
Subject:
sg-2d345678
Alert:
{
'fromPort': 9080,
'ipRanges': [u'0.0.0.0/0'],
'toPort': 9080,
'ipProtocol': u'tcp',
'port_open': True,
'machines': [u'i-12345678 (1.2.3.4): web-app']
}
"I thought that we need this cos it did not work, and after we fixed, I forgot to remove it from the security group."
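The secgroups alert above, reconstructed as an added example that is not Reddalert's own code: it walks security-group rules, flags ports reachable from 0.0.0.0/0 that are not on an allow-list, and emits alerts in the same shape as the page's output. The input records, field names and the ALLOWED_PUBLIC_PORTS list are constructed assumptions for this example, not EDDA's real schema.

```python
# Added example, not Reddalert's own code: a secgroups-style check that flags
# security-group rules reachable from the whole internet (0.0.0.0/0) on ports
# that are not on an allow-list, and emits alerts shaped like the one above.
from ipaddress import ip_network

# Constructed, simplified records in the spirit of what Reddalert reads from EDDA.
# The field names below are assumptions for this example, not EDDA's real schema.
SECURITY_GROUPS = [
    {"groupId": "sg-2d345678", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 9080, "toPort": 9080, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
    ]},
    {"groupId": "sg-0a1b2c3d", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
    ]},
]
INSTANCES = [
    {"instanceId": "i-12345678", "publicIp": "1.2.3.4", "name": "web-app",
     "securityGroups": ["sg-2d345678"]},
]
# Ports expected to be world-reachable (assumption); anything else open to
# 0.0.0.0/0 is treated as suspicious and produces an alert.
ALLOWED_PUBLIC_PORTS = frozenset({80, 443})


def is_world_open(cidr):
    """True for a range that covers every address, e.g. 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def suspicious_open_ports(groups, instances, allowed=ALLOWED_PUBLIC_PORTS):
    """Return one alert per rule that exposes a non-allow-listed port to the world."""
    alerts = []
    for sg in groups:
        # Instances attached to the group: the rule is only live if something uses it.
        machines = ["%s (%s): %s" % (i["instanceId"], i["publicIp"], i["name"])
                    for i in instances if sg["groupId"] in i["securityGroups"]]
        for perm in sg["ipPermissions"]:
            world = [r for r in perm["ipRanges"] if is_world_open(r)]
            if not world:
                continue
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            # An absent or -1 port means "all ports"; such a rule is always suspicious.
            all_ports = lo is None or lo == -1
            if not all_ports and all(p in allowed for p in range(lo, hi + 1)):
                continue
            alerts.append({"plugin": "secgroups", "subject": sg["groupId"], "alert": {
                "fromPort": lo, "toPort": hi, "ipProtocol": perm["ipProtocol"],
                "ipRanges": world, "port_open": bool(machines), "machines": machines}})
    return alerts
```

Here port_open is derived from whether any instance is attached to the group, an assumption standing in for whatever the real plugin checks.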
INFRA
C O D E
http://
file://
F E E D B A C K S
S C A L E
zipped prezi
Amazon Metadata Service
http://169.254.169.254/latest/meta-data/