Peter Souter - assets.devopsdays.org › events › 2017 › ... (transcript of slides)
Peter Souter, Technical Account Manager | Puppet
@petersouter
Who am I?
@petersouter
Technical Account Manager
6 years using Puppet
2 years @ Puppet Inc
Work with customers on their holistic Puppet Program
Help customers get the best use of Puppet
Evangelise and work with the community
petems on IRC/Slack/GitHub
I’m super excited to be here. My first ever talk slot at a DevOpsDays!
I’m slowly hitting all my Tech Talk Ambitions
● Speak at FOSDEM - Done! 2016
● Speak at Config Management Camp - Done! 2016
● Speak at PuppetConf - Done! 2016
● Speak at a DevOpsDays - Done! 2017
● Speak at LISA - WIP
● Speak at a VelocityConf - WIP
So what are we here to talk about? We’re in the Security Slot, right? So let's talk security!
Every time someone uses this picture, Pete Cheslock gets his wings!
https://twitter.com/petecheslock/status/595617204273618944
What are we going to cover?
● What are the risks of leaking secrets in your infrastructure?
● How can you prevent leaks from your Infrastructure as Code?
● What parts of the DevOps toolchain can help you?
● How do you detect leaks and what can you do when they happen?
https://flic.kr/p/7LcF2W
So what are secrets in IaC? It’s always good to define something if you’re discussing it.
What are secrets in IT?
● Radioactive: consequences are dire from a leak
● Examples: passwords, API keys, SSH keys, SSL certs...
● Small: a few kB at most
● Required: the infrastructure won't work without them!
https://flic.kr/p/dHrwpb
The Risks: How bad could it be?
We’ve all seen things like this...
Worst Case Scenario: Organisational Catastrophe
● Ransom
● Data theft
● Loss of customers
● Legal and PR fires
Preventing Leaks: Plugging the holes
First things first: Remove existing plaintext secrets
Clean up the current codebase and keep it clean.
Trufflehog: https://github.com/dxa4481/truffleHog
Gittyleaks: https://github.com/kootenpv/gittyleaks

```text
--------------------------------------------------------------------
gittyleaks' Bot Detective at work ...
--------------------------------------------------------------------
file: site/profiles/templates/rhn/RHN-ORG-TRUSTED-SSL-CERT.erb
what: Key
value: (2048
match:
Public-Key: (2048 bit)
num_of_revisions: 59
```
GitRob: https://github.com/michenriksen/gitrob
Manual Grepping

```sh
$ git grep -i -e "(api\|key\|username\|user\|pw\|password\|pass\|email\|mail)" -- `git ls-files | grep -v .html` | cat
```
Build pipelines are super useful for preventing the re-introduction of leaks
Danger.systems
https://github.com/Netflix/Scumblr
Danger.systems
https://github.com/getsentry/sentry/blob/ac8fe045fb161e67140d5d2959381b74f0738dc8/Dangerfile

```ruby
# set the patterns to watch and warn about if they need security review
@S_SECURITY_FILE_PATTERN ||= /Dangerfile|(auth|login|permission|email|twofactor|sudo).*\.py/
...
warn("Changes require @getsentry/security sign-off")
message = "### Security concerns found\n\n"
securityMatches.to_set.each do |m|
  message << "- #{m}\n"
end
markdown(message)
```
Then figure out how to protect those secrets: encryption, architectural changes or moving to a secret service.
Most Infrastructure as Code tools have a separate data layer
Puppet uses Hiera as a data layer

```yaml
gitlab::gitlab_rails_config:
  ldap_enabled: true
  ldap_servers:
    acmeldapserver:
      label: 'acme LDAP'
      host: 'ldap.acme.net'
      port: 389
      uid: 'uid'
      method: 'plain'
      bind_dn: 'UID=puppetmaster,OU=System,OU=Accounts,DC=acme,DC=net'
      password: 'puppetmaster'
      active_directory: false
      allow_username_or_email_login: false
      block_auto_created_users: false
      base: 'OU=People,OU=Accounts,DC=acme,DC=net'
      user_filter: '(|(description=Systems Administrator)(description=Systems Developer)(description=Manager))'
```
Bad! Plaintext :(
Good! Encrypted :D
hiera-eyaml: https://github.com/TomPoulton/hiera-eyaml
Theoretically, you should be able to release all of the code you write publicly without any sort of security issues.
This is actually a tenet of 12 Factor Apps...
Apps sometimes store config as constants in the code. This is a violation of twelve-factor, which requires strict separation of config from code. Config varies substantially across deploys, code does not.
A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.
Note that this definition of “config” does not include internal application config, such as config/routes.rb in Rails, or how code modules are connected in Spring. This type of config does not vary between deploys, and so is best done in the code.
http://12factor.net/config
Example: GDS (Government Digital Service, UK)
Meeting the Digital Service Standard
To meet point 8 (understand security and privacy issues) you must:
● Make all new source code open and reusable
● Publish code under an appropriate licence
● Explain your reasoning for any code you haven’t made open
You’ll have to explain how you did this at your service assessments.
https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable
Meeting the Digital Service Standard
When GOV.UK was first set up we were unable to publish our Puppet repository because our code and secrets were tied together. This goes against patterns like the 12-factor app which “requires strict separation of config from code”.
This wasn’t true for our Puppet repository, but we gradually moved our credentials into a separate repository (rotating them as we did so).
“A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.”
Check code for unique strings that look secret-y:

```sh
$ strings modules/**/*.pp | tr ' ' '\n' | sort -n | uniq | view -
```

Note: Requires zsh for the strings function!
It’s not just the code! Git commits can contain sensitive data.
```sh
$ git commit -a -m "Changed the password to password1"
```
Manually searching through git commits for sensitive information (one `git log -S` per line of a search-term file; `$line` is quoted so terms containing spaces are searched whole):

```sh
$ while read line; do echo "$line"; git --no-pager log -p -S "$line"; done < puppet_search
```
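An added, runnable version of the two manual checks above (the `git grep` on the "Manual Grepping" slide and the `git log -S` loop on this one); it is example code written for this transcript, not from the talk. It builds a throwaway repository from constructed files and values (none of the names or secrets are real), then counts what each check finds, including a value that was removed from the tree but still sits in history.

```shell
#!/bin/sh
# Added example, not from the talk: build a throwaway git repo with constructed
# Puppet/Hiera-style files, then run the two manual checks the deck describes
# (git grep over the working tree for secret-looking names, and git log -S over
# history for each string in a watch list) and count what they find.
# Assumes git is installed; every file name and secret value below is made up.

# Pattern from the deck's "Manual Grepping" slide, written as an extended regex
# (git grep -E) so it does not depend on GNU's \| extension to basic regex.
SECRET_NAME_RE='(api|key|username|user|pw|password|pass|email|mail)'

# Constructed repository: commit 1 adds a plaintext API key in a manifest and an
# LDAP bind password in Hiera data; commit 2 replaces the manifest value with a
# lookup(), so the key is gone from the tree but still recoverable from history.
make_demo_repo() {
  repo=$1
  rm -rf "$repo"
  mkdir -p "$repo/hieradata" "$repo/modules/profile/manifests"
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  cat > "$repo/hieradata/common.yaml" <<'EOF'
profile::gitlab::ldap_bind_dn: 'UID=svc,OU=Accounts,DC=acme,DC=net'
profile::gitlab::ldap_password: 'constructed-demo-ldap-pw'
EOF
  cat > "$repo/modules/profile/manifests/gitlab.pp" <<'EOF'
class profile::gitlab {
  $api_key = 'CONSTRUCTED-DEMO-API-KEY-0001'
}
EOF
  git -C "$repo" add -A
  git -C "$repo" commit -q -m 'Add gitlab profile'
  cat > "$repo/modules/profile/manifests/gitlab.pp" <<'EOF'
class profile::gitlab {
  $api_key = lookup('profile::gitlab::api_key')
}
EOF
  git -C "$repo" commit -q -am 'Move API key out of the manifest'
}

# Check 1: the deck's git grep over tracked files (minus HTML), counting lines
# whose content mentions a secret-looking name. The command substitution is
# intentionally unquoted so each path becomes its own pathspec, as in the deck.
count_worktree_hits() {
  repo=$1
  git -C "$repo" grep -i -n -E -e "$SECRET_NAME_RE" \
    -- $(git -C "$repo" ls-files | grep -v '\.html$') | wc -l | tr -d ' '
}

# Number of commits in which the literal string was added or removed (git log -S).
# Non-zero for a value you believe was "deleted" means it is still in history
# and must be rotated, not merely removed from the current tree.
count_history_hits() {
  git -C "$1" log --format=%H -S "$2" | wc -l | tr -d ' '
}

# Check 2: the deck's while-read loop over a file of search terms, one history
# search per line; prints "<term><TAB><commit count>" for each term.
scan_watchlist() {
  repo=$1; listfile=$2
  while IFS= read -r needle; do
    [ -n "$needle" ] || continue
    printf '%s\t%s\n' "$needle" "$(count_history_hits "$repo" "$needle")"
  done < "$listfile"
}

# Stand-alone demonstration; the functions above are what a caller reuses.
main() {
  tmp=$(mktemp -d)
  make_demo_repo "$tmp/repo"
  printf '%s\n' 'CONSTRUCTED-DEMO-API-KEY-0001' 'constructed-demo-ldap-pw' > "$tmp/watchlist"
  echo "secret-looking lines in the working tree: $(count_worktree_hits "$tmp/repo")"
  git -C "$tmp/repo" grep -i -n -E -e "$SECRET_NAME_RE"
  echo "commits touching each watched value:"
  scan_watchlist "$tmp/repo" "$tmp/watchlist"
  rm -rf "$tmp"
}

if command -v git >/dev/null 2>&1; then main; fi
```

Expect the API key to show two history hits (added, then removed) even though the working-tree grep no longer sees its value, which is exactly the case a scan of only the current files would miss.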
Want to know more?
● Opening GOV.UK’s Puppet Repository: https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
● Git repo: https://github.com/alphagov/govuk-puppet
The Toolchain: What existing tooling can be used to help?
Command Line Encryption
● Can be operationally difficult, not always designed with config management in mind
● Key rotation is still a PITA
● Big trend right now for cool companies to write encryption and secret handling apps in Go: YMMV on this...
Examples: GPG, mozilla/sops, Shopify/ejson
Secret Servers: Why?
● Dynamic secrets
● ACL (access control policies)
● Leasing and renewal
● Revocation
● Encryption
● Auditing
● Supportability
Examples: Vault, Conjur, Keywhiz, Confidant, CyberArk
Cloud Native Secret Services
● AWS: KMS
● GCE: KMS
● Azure: Key Vault
● OpenStack: Barbican
VCS based encryption
● Transcrypt, Git-Crypt, Blackbox
● High operational overhead
● Encrypting files, not data
● Good summary: Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center
http://danielsomerfield.github.io/turtles
https://www.youtube.com/watch?v=OUSvv2maMYI
Detecting leaks and reacting: How to keep your head when everyone’s losing theirs
Generic procedure upon the detection of leaked credentials
● Roll new keys and reset passwords
● Monitor systems for intrusive behaviour
● Recreate machines from base
● Keep track of actions for post-mortem
Scumblr: https://github.com/Netflix/Scumblr
Gitleaks.com
Gitleaks.com: Gone?
Unfortunately, there’s no silver bullet to detect leaked secrets
A lot of it is about monitoring and metrics, gating and reviews
Outliers and anomalies are what to look for
It’s largely a people and process problem
Who here has a HIDS system operating?
Credential gets leaked → Unusual activity logged and alerted → Blue team goes out and fixes things
Making sure security is part of your workflow, rather than an afterthought: “Shift security left”
Shifting left
“security must “shift left,” earlier into design and coding and into the automated test cycles, instead of waiting until the system is designed and built and then trying to fit some security checks just before release”
- DevOpsSec: Delivering Secure Software Through Continuous Delivery, Jim Bird
How do we pro-actively guard against secrets being leaked?
● Game days and internal evil attempt teams
● Continuous security integration (CI tests/code review)
● Dedicated security stories for sprints
  ○ Evil users or (mis)use cases
  ○ https://www.owasp.org/index.php/Application_Threat_Modeling
● Embedded security team members
● Pentests - internal and external
Game Day example: Agent spoofing
Let's say someone gets access to an agent machine.
What’s the worst they can do? What information can they fetch? What passwords do they have locally? What can they detect remotely?
Game Day example: Laptop theft
Give someone a standard workstation.
Are your workstations FDE? What credentials are on the average machine? How much damage can they do? How long does it take to be detected?
Summary: What have we learnt?
Leaking things is bad: consequences are dire.
Start by removing plaintext secrets: make sure the code is clean enough to be released.
Make sure the data is kept secret, with tooling that fits with your workflows and architecture.
Ensure that those secrets are kept secret: people, processes and automated testing.
Know what to do when things go wrong: runbooks, workflows, game day trainings and such.
Move security left: make it a part of your process, rather than an afterthought.
Want to know more?
● Behind Closed Doors - Managing Passwords in a Dangerous World - Noah Kantrowitz: https://coderanger.net/talks/secrets/
● Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center - Daniel Somerfield: http://danielsomerfield.github.io/turtles
● Secrets and LIE-abilities: The State of Modern Secret Management - Jeff Nickoloff: https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d
● Detecting and Mitigating Secret-Key Leaks in Source Code Repositories: https://people.eecs.berkeley.edu/~rohanpadhye/files/key_leaks-msr15.pdf
● Infrastructure Secret Management Software Overview: https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd
Q&A