
BSides Scotland 2019: For Crying Out Cloud - Stu Hirst and Tash Norris

BSides Scotland, 46:38, 112 views, published 2019-04

Transcript [en]

Excellent, welcome. This is awesome, to speak here; this is my home city, as most of you know. This is quite a tough crowd to speak to: I know about half the people in the room, and that's a little bit more difficult sometimes than speaking to 200 strangers. So I'm Stu, and this is Tash. We both work at the Photobox Group, and we're going to give you a bit of an insight into our world, really, and some of the work that we've done at this organization and previous ones. It's St George's Day today, for the English people in the room; I'm a Scotsman, so I don't really pay attention to it.

Who am I? I started my security career at Trainline, where security was PCI compliance, and then I moved on to Skyscanner, so I guess people who know me from up here probably know me because of the work I did at Skyscanner. Then Capital One for a while in their cyber leadership, and numerous others. I'm a public speaker, I guess; I've said this in the last few talks I've done: these things are incredibly difficult to do, so anybody who gets up and gives talks in front of rooms of people, I have huge respect for, for putting this content together. It takes time; they're nerve-racking things to do. I'm one half of Cyber Scotland Connect; I've got a slide after this, if you can indulge me for just a minute on that. I'm also facilitating the AWS Security Slack, which is close to a thousand members now, so if you're in the cloud world as we are and want to learn more, then please find me on Twitter and I'll add you to that.

Cyber Scotland Connect is something that Harry McLaren and I put together (that's Harry there), and we've got some awesome moderators as well, of which there are a few here today. We're really an establishment that's trying to bring communities in Scotland together, regardless of what you might do or want to do or be involved in. We're trying to bring public sector and private sector together to facilitate events and learning, training and all sorts of other things. It's very much a work in progress, and it's being driven by this community of people, so if you want to know more, find us on Twitter.

I recently changed roles, so I'm now leading AppSec, which is pretty cool. I'm also a co-lead of the London OWASP Women in AppSec chapter; we're really excited, we had our launch event recently. If you're in London, regardless of what gender you identify with, you're more than welcome to come and support us. I'm also on the review board for DevSecCon, which is a super cool developer, security and engineering conference that happens worldwide. And then I do a lot with OWASP, in terms of contributing to the threat modeling project and the Cloud Security project. I'm going to be covering a little bit more on threat modeling and the cloud security open source project a little bit later in the talk. Stu's going to kick off the first half of our journey and the thought process, and then I'm going to pick up the second half and cover some of the engineering stuff we've done.

So I joined Photobox in May last year, so I've been there about a year, initially to head up some security engineering work, and then really my

first foray into AWS at this company was helping Moonpig, who are one of our companies, transition into AWS. I'd used AWS a little bit previously, but I'm by no means an expert, so my role kind of shifted over that period of time, and I deliberately moved my role; I wanted to move into cloud-related things. I think one of the most important bits about this piece of work was that it was really the first time company-wide that somebody had sat with these engineering teams at the start, or as near to the start of this journey as we could get. Security finds it notoriously difficult to really embed itself at the start of a journey; we normally come in way down the line, or far further afterwards, where we then have to try and fix things or make them better. So that was the main piece of work that I got involved in last year, transitioning to AWS.

I think one of the things that struck me fairly quickly is that we're not all Netflix; we can't all be Netflix straight away. We don't all have security engineering teams of lots of people and huge budgets and turnovers to drive that kind of work, so you've got to start somewhere, and these were some of the things I got involved with last summer.

Well-Architected Reviews: they're kind of half-day sessions with AWS in their offices, really working through the whole data flow and architectural setup of what it is you're trying to build. They're great because you're working with the organization that you've put your applications and things into, and security is a big part of that. We came away from that piece of work with lots of things to look at and consider that we may not have done had security not been there. I then did a lot of manual auditing of dev accounts and test accounts; not sexy stuff, I'm afraid. I mean lots of going into the portal and just manually looking at things and trying to find little gaps or things that I thought were wrong. This is before I got into any of the tooling or any of the cooler stuff that Tash will go on and describe, and that was really interesting; it gave me more of an insight into how some of these parts of AWS work. Not being the expert: things like setting up WAFs, or at least trying to help teams make decisions on WAFs, whether that's AWS's native product or other things on the market, and then the tooling that AWS provides, like GuardDuty; it's really just being in that room with people to help make more facilitated decisions. We use Trusted Advisor quite a lot, so again just making sure that was where I needed it to be and I was happy with it. Then compliance-related things; again nothing really sexy, but helping with PCI and making sure you're making some good decisions. And logging: this is something that comes up quite a lot, around do you have logging for the various parts of AWS.

So like I said, I changed my role at about September time, deliberately; nobody had asked me to do it, I just decided that's what I was going to do. I'm lucky enough to work in an organization that lets me do that. I really didn't know where to start. So where do you start when you've taken on

a role to look after cloud security for numerous brands? I went back to risk: what are the things that you're concerned about when you're building these technologies or handling this data? So I went back to looking at risk, and this is nothing particularly funky, but there are a lot of good things out there that can help with this. I didn't reinvent the wheel; I didn't make up these strategies. These are things that I've taken from things that already exist: things like the CIS benchmarks, ISACA, the Cloud Security Alliance. This information is out there, so use it if you're on the journey into the cloud. I've done a lot of looking into CIS recently, and I didn't know there were as many benchmarking guides as there are; they're there for all sorts of things: desktop apps, network stuff, mobile devices, not just cloud, and they're a really good set of guidelines. If you can take anything away from this particular talk, other than the cool stuff Tash does, please do have a look at the CIS benchmarks, because they've certainly been very valuable for me.

So what did I do? I really just took what's in the CIS benchmark for AWS and expanded on that, with Tash's help, with some of the things we already knew as people who've worked in the cloud, some of the things we'd potentially seen in the industry, or some incident response things, and tried to define eight key areas and some of the risks any business might have in those areas. There's a list of them on my GitHub; it's nothing groundbreaking, it's a starting place if you don't know where to look for cloud risks. It'll give you, under those eight headings, things to think about. For those who saw this at the BSides Munich talk, I've added a bit to the content of this. These are some of the things you can think about in these areas, and this is not just confined to cloud; this could be for any network that you happen to be in, and it certainly doesn't have to just be about AWS.

So things like DDoS: what protection do you have? Do you have any layers? Do you have layer 7 protection as well as layers 3 and 4? WAFs: are you using one? The amount of organizations I know that have WAFs but don't have them in blocking mode; they're just logging. Logging: are you logging all the various aspects of your cloud architecture, and centralizing those to help with your SOC teams or incident response teams? Keys: how are you protecting them, are you rotating them? How many more incidents do we hear about publicly involving keys? Encryption: you'd think this is basic stuff these days in security, but it doesn't seem to be, so you can force encryption on everything. Enable MFA, to a certain extent. S3: we're still seeing a huge amount of incidents industry-wide around open S3 buckets. Tash has got a great slide on that in her content: GrayhatWarfare, where you can go and search public open S3 buckets for things like credentials.txt (please don't). IAM, which is identity and access management: how permissive is that? Are you giving people too much permission? Are you removing it when they've left the company? Companies are finding that to be a real challenge. And then vulnerability management: things like using up-to-date AMIs.

Now, we're a pretty agile tech business, so if we pick on Jira (I know everybody's not a super fan, but we use it happily), it's pretty much the foundation of everything we do within the team. Anybody who sees our boss's talk: he's massive on tracking things in Jira and mapping things in Jira and all this very clever kind of stuff. So what I did was I took those AWS risks I'd defined, got them all into Jira, linked them into our other existing risk management framework, and allocated management and technical owners and stakeholders, so that we can see how

all those things are mapped together and who has an input into that particular risk. We then link those to our OKRs, which are our projects if you like, or to projects as well, and it really allows us to define the pieces of work to then reduce those risks. Nothing groundbreaking, but it's all done in Jira; everything we track is in Jira. Until recently Tash and I were in the same team together; that's moved on, as companies tend to move quickly, and Tash is now head of AppSec. But the way we work, or have been working, is extremely agile. We were working in two-week sprints initially, where we split our OKRs into those nice manageable chunks for the sprints, and then we could move on things quickly. But we also brought other things into that workflow as well: business-as-usual requests from other areas in the business for us to do threat modeling or risk assessments, or even incidents. So if we had an incident, it came onto our sprint wall; it then had a knock-on effect of other work being pushed to the side, but we had a mechanism there. This is not our Jira board, by the way, but it just gives us that mechanism to see all the work that's in flow, what's being blocked, what's been finished, and we can then show management. We also have work requests, and we have a service desk created.

So imagine: doing one company is easy-peasy, isn't it? No. When I joined Photobox, we were fundamentally doing four companies, because we have four brands there in AWS; five brands, yeah. I think one of the main things I've personally found quite tricky is the complexity of trying to manage cloud security across fundamentally four different companies: different tech stacks, different programming languages. This crosses over into a lot of other areas of security, obviously, not just cloud. How do you get things into the CI/CD pipeline when it's four different types of code or code bases? You know, things like culture: some of our businesses, one's in Germany, one's in France; language barriers. These are complexities of companies that you have to think about. Then business structures: we've got multiple CTOs, multiple heads of, and then people across the leadership that we have to try and convince, and sit on the right boards and the right things to influence. One of the things I kicked off recently, which I think has been super valuable, is an AWS guild, where I bring as many of those people together in a room once a month to talk about how we align. Now, there are some things that we do individually as companies, but also things that have to be aligned. And you've got different levels of knowledge, not just in businesses but in teams. One of the things I guess we found from some of the brands here is lots of different accounts across AWS: development environments, production environments, Terraform versus CloudFormation for your infrastructure as code. Again, these have been different across brands, and it's hard to find where that common ground might be. So lots of complexities of trying to embed what we're doing across those brands.

Now, don't shout out if you've seen this already: what's the most important aspect of securing the cloud? Does anyone want to be brave enough to share? No? So what is the most important aspect of securing the cloud? Yes, technically that's part of it, but there's a lot;

there's not a right answer to this, by the way; this is just my experience. So it's recruitment for me. I think recruitment is probably the most important part of the roles I've been doing over the last few years, because if I don't have awesome people who can help me do the work that I think we need to do, that work doesn't get done. So you can have all the cool tooling, you can try and get to where Netflix are and want to automate everything and get into this kind of cool compliance-as-code world, but if you don't have people with you to go on that journey, you're never going to get there. So to me that continues to be the most important thing, and I would echo this for the whole industry, not just anything cloud-related: bring great people into your organization, give them the chance to learn, and they'll be the people that you need.

So what have I learned? It's been a pretty crazy six, seven, eight months in a crazy tech business. I guess your journey has to start somewhere, right, whether you're building a security team from scratch or you're doing something in our world for the cloud or AWS. Changing businesses takes real time and graft; it's a lot of effort, it's a lot of speaking to people, standing firm on the ground with teams, lots of investment and just pain, no doubt about it, trying to get those major stakeholders around the table; that's difficult as well. That guild I talked about is a commitment in time for some of the most senior people in the business; it's, you know, very difficult to find time in their diaries, but it's been super valuable to get that conversation going. People repeat mistakes; I'm no different, and we're trying to find ways to make that better. Cloud is complex, it's difficult; it's okay to admit that it's difficult. I think security as a whole is difficult, and as I said before, recruitment is key, right? So that's what I'd like you to take away; just to leave you with one more slide after this.

This is me most days of my career, and I'm more comfortable with putting this out there and saying this to people. People probably know the imposter syndrome thing, but there are a lot of days in my career where I don't really know the right way to go, but I'm trying things, I'm trying to research things and trying to learn from other people, either in my organization or people like yourselves in the room. So it's okay to admit that, and I think we should get more comfortable with that part of security; it's a vast field we're trying to learn about.

Just some things that have helped. Other training platforms are available, but this is not a sales page for these things. A Cloud Guru, at the moment, for me; I'm investing a lot of time in learning on that platform. Cybrary is really good because it's free, so if you want something where you don't have to pay. I watch loads of talks on YouTube; I don't get any strategic ideas by just sitting there and they come out of nowhere, I watch talks from people from organizations that fix these problems and then I try and work out some ideas for how I work. I'd like to say it was all my idea, but it's really not. SlideShare: so coming to see these kinds of talks, where any talk is really valuable; you'll take some things from it, other things less so, but the fact that people are willing to do it and put it all out on YouTube (these are all recorded) and SlideShare means you can go and research some really cool people in the industry who can help you. So I guess that's my bit of the talk, and I'll pass over to Tash with her insight into her world.

Cybrary, that's one of my favorite resources; it's free, but actually there's some really great content on there. And then SlideShare: I play a game, it's such a weird game, with my friends,

called SlideShare karaoke, or anything on those websites near karaoke, and it's quite often a game that happens after, like, 2:00 a.m. when you kind of need to get away from what you're building. The idea is that you basically get a random slide deck from SlideShare and you have to jump in and present it. I've had some really weird ones; I had to present my slides on cloud, but not the AWS cloud, like a nimbus cloud, and that was, I was lucky, mine was quite safe; some of the ones others had to present, they were definitely not saying what they'd been given.

So what I'm going to do is cover some of the things that help to build on top of a lot of these foundations that Stu talked about, to start to kind of progress towards real technical changes and how we are starting to enable that. We are by no means a fully DevSecOps organization that's got everything right, but we're really on a journey, and some of the things that I'm going to cover, actually Stu has done a really good job of almost laying the entry to those areas, and I'm going to dive in from a slightly different perspective; they should complement each other quite well. It's worth saying this isn't everything; I'm also quite active on Twitter, and if you're interested in when Stu talked about the OKRs and the way we use Jira, I posted a taxonomy a couple of days ago on Twitter where I talked about how I create tasks and derive those from objectives and business priorities.

So these are some of the things that I'm going to talk about, and the first thing I want to cover is a level of empathy, really, right? There's the idea that as security people we cover so many different aspects of security, but for our engineers, they've gone from being software engineers to all of a sudden being full stack in the cloud, right? They're covering infrastructure engineering, they're writing Terraform or CloudFormation, whatever it is, to deploy databases and servers; they become DBAs, database admins. So they've gone from this one role of running their one thing to all of a sudden having to carry all of these responsibilities at once, and I think one of the things that we can do to make it easier, beyond all these technical things we're going to talk about, all these processes and resources, is the level of empathy for engineers. Security people, I think, have always had it pretty tough and have had all these different things, right, but for engineers it's a real learning curve, and in the organizations that I've worked at, at least, I haven't seen anyone really sit an engineer down and say, here's a 101 on being a DBA, or here's a 101 on infrastructure administration or infrastructure deployment. I think that a level of empathy will go a long way in building those relationships with your teams.

So beyond that, I want to introduce my security pyramid scheme. I've been warned about this slide a couple of times; I once talked about my pyramid scheme in the US, so I put it in as my Ponzi scheme. So this is my security champions program. The idea is that we don't scale as two people, so we want to use our engineers to be our eyes and ears, or a shadow of us, so that I don't have to be a middleman in

their team; so a way to be a conduit between us and the engineering team. I call it my pyramid scheme: the idea is I can sit at the top, or Stu and I can, and I can use those engineers to then talk to more and more people and spread that message for me. I'm not going to go too much into this, because some of you will have seen it in my previous talk, but I do a lot around gamification, training, resources and more, and one of the things I'm really pushing is for our champions' work to be part of our team's objectives. That way, when they're hosting training for their colleagues, or they're coming along to stand with us at conferences, it's something they can talk about with their line management in their reviews, and something that can help them progress in their career.

We're still very much on a learning curve for security champions. When I joined Photobox, there were a lot of people that had been "voluntold" to be security champions rather than volunteering for the program; someone had just shoved them forward, and you'll see a real difference in your engagement levels when that happens. So we've worked really hard to make it a rewarding thing for people to be a part of, and being part of their objectives helps with that. We're also providing a lot of feedback to line managers and really encouraging people to be a part of it. Some of the things that we're looking at doing are things like capture-the-flag events, where we use things like the OWASP Top Ten, and we get our champions in a room and we get them to try and break into these websites and try and find some flags. The idea is to reaffirm the things that we're talking about by actually doing something, and to gamify it, make it exciting and interesting for them. So there's a whole load of different stuff on that.

The one thing I kind of mentioned before is that it doesn't always go right, so be able to change your program: one thing that works in one company might not work in another. I came from financial services, a very largely distributed organization across the US and the UK, with multiple American and Canadian offices, and what we found with the security champions program there is we couldn't have one single program; we almost had to have factions across the different areas, and they had some common goals, but they were mostly autonomous. Whereas at Photobox, even though we've got multiple brands, five in total, we found that it's much easier to have that

one program, because of the way the organization's set out.

So the other thing that I've been doing a lot of, and for those that follow me on Twitter or see me at other talks, this is my thing: I love talking about threat modeling. It's something we already do; you might not know about it, but if you think about parking your car in a weird dark alley, you're already thinking about the things that can go wrong. One of my favorite stories on this: I like to say that my husband should do a little bit more threat modeling. When he wanted to surprise me, we were flying to South Africa and he had the ring in his pocket, and we're going through airport security and he was really nervous and a bit intense, and I'm like, oh man, just relax, it's just London airport security, it's not like they're going to go right up in there or anything, just chill out a little bit. And he's, no, no, no, I'm just really excited to go home. I'm like, all right. I didn't realize he had a ring in his pocket. And we got up to security and they're really patting people down; he looks at me and he says, I'll race you. I am really competitive; I'd like to say it's through strength, but more often than not I will push people out of my way to get somewhere. So he says, I'll race you, through security. The first thing I do is I look at him, I leave him with the bags, and I just walk, kind of fast but also not so fast as to draw attention to myself, away from him. He gets held at security for ages so he can't get through, and I get through to the other side and I'm there ten minutes before he is. I've made sure I picked the right queue, there are no prams in front of me, or anyone that would slow me down, because I have no empathy when I'm in a competition. I get through, and I'm like, yes, I did it, and he gets through the other side, sweating. So, yeah, I'm like, okay, all right, what's wrong? And I found out a couple of days later when he proposed; it was mostly that he'd decided on a time and place he was going to do it, rather than at airport security.

But one of the things that struck me was he hadn't really thought about some of the things that could go wrong; it was a natural thing for him, whereas for me, thinking security, it's really easy for us to constantly be thinking about, hey, what can go wrong, and how will that go wrong, what can I do to mitigate that, what can I do to get around it. So I felt for him, because he wasn't thinking about how things could go wrong the way we do, and literally it was an interesting challenge.

When I start to talk about threat modeling with engineering teams, the thing I start to think about is: think about the value, the reason you're doing what you do. Teams are always told, you know, you're building this for optimization, or to fix reliability, or to make it more secure; that's not what gets stakeholders going, it's about features and value. So what I started to do is to change that conversation, which is rather than always talking about what can go wrong, flip the perspective: what removes

the value of what you're doing? So what takes that value away? Then it becomes a much easier conversation. The things that I've been playing around with are how we take that threat modeling, that traditional kind of long process, going through these four questions (which is one of many methodologies; it's just the one that I prefer), and fit that into the software development lifecycle. So where we've got teams working in agile methodologies, with sprint planning or stand-ups, they don't really have time for a long threat modeling session, so we've been playing around with how we break this down, so that when teams are in a stand-up and they're talking about a new feature they're going to start working on, you can quickly go round as a group and say, what removes the value of that? What will just stop that working the way I want it to work? It's still something we're trying at the moment, and I'm going to show you in a couple of slides one of my new tools that I've been working on, that I'm hoping to release open-source in a couple of weeks, and that I'm using to make this process a little bit easier for cloud environments.

These are the four questions I work through when I do a threat model. They're really simple, but again, when I'm short on time or when I'm struggling to get that message across with teams, I go back to this: what would remove the value of what you're doing? That's based on a methodology by a guy called Avi Douglen, who is the OWASP Tel Aviv chapter lead, and he's also really active on the OWASP Slack, which, if you want a link to it at the end, let me know and I'll hook you up.

So the next thing I want to talk about, and this is my other favorite, is tests, which Stu actually also spoke about. My challenge is: no one reads a security policy, right? Even if you have them, and let's be realistic, some companies don't even have security policies or security standards. When people do write them, they seem to just buy these vast documents and then just throw them at their engineers. They end up with, like, 45-page documents with really complex wording in them, and it might not even be completely relevant to what you're doing, and what I found in a couple of companies I've worked at is that no one is reading them, and realistically, like, no one cares. So I've been looking at writing tests, and I've been trying some of the stuff that Stu talked about as well, which is, like, really short tests: things like regular expressions that will check they're not about to commit AWS keys to GitHub, which we've seen a lot of companies do a lot of times.

The other thing I've been working on, with the OWASP Cloud Security project, is BDD tests. This is behavior-driven development, and the idea is we write tests in human-readable language, so your product owners, your risk managers, whoever that is, and whatever your kind of compliance team looks like, can contribute to these types of tests, and then we have a Python library that effectively converts that. One of the things I'm working on at the moment is how I create that library to then apply this to Terraform scripts or CloudFormation scripts, so rather than using it with CLI tools to look at what's currently deployed in your cloud infrastructure, how can I embed this into the SDLC? I mean, ideally our teams are interested in reading your security policy, but realistically, if we're being honest, they're not, so how do I automate that? My other kind of favorite idea from this is when you come to PCI certification, you don't actually have to do a whole lot of talking to auditors; you can just run through your pipeline and hopefully everything will pass, and you can generate some quantifiable documentation, a test view or a PDF, of your security state. Obviously that's a long-term goal; we're by no means fully automating that, but it's something that I'm really

passionate about. My other kind of idea is to take some of our security standards, things like the OWASP Top Ten and the OWASP Serverless Top Ten, and start to write those as tests as well.

So the other piece is around the Elevation of Privilege card game. This is one of the ways that I kick off my threat models, and this comes back to that gamification with the security champions and with engineering teams. Elevation of Privilege is an open-source tool set from Microsoft; you can find it on GitHub, and I'll have a list of all the resources I've covered at the end. It's a card deck, I think around 75 or 80 cards in there, and they have sample threats against your infrastructure. These cards have been around for a really long time; they are very good, but again some of the language and some of the tool sets and the tech stacks that it talks about, and we know technology moves really fast, right, some of them are unfortunately a little bit vintage. I used to work at Apple, and anything older than five years was considered vintage at Apple, and that hurt me a little bit, and unfortunately I'd say some of these cards are in that set. However, it's still an incredibly useful tool, and it's something I've found really awesome with teams: you can gamify it, there is an actual game where you can play threats against their designs or their infrastructure. You can pull out the threats; it is harder when you're doing a threat model using something like this, because these teams, they've worked on this product for a long time, or they've just got this design and they've got this brand new idea, and you're effectively bringing them into a room and you're kind of taking a crack at the child they've just built and put a lot of time into. But actually, the more you frame it as a muscle that needs to be exercised and built up, it becomes a really engaging and really interesting team-building exercise with your engineers.

So I decided to take this a bit further, because teams really responded to having these cards in threat models, and Stu, who I work with on the OWASP project, built an Alexa skill for this: hey Alexa, give me an Elevation of Privilege threat. So I decided to evolve this and take it a bit further, to kind of bring a little bit more relevance back to what teams are doing, and have a little bit of fun. These cards aren't launched yet, and hopefully will be out soon. I really wanted to work in a Star Trek gif. So these are the cards. These are hopefully going to be out soon, providing I can actually finish working on them, so if you want to contribute, you're more than welcome. These are taking a lot of the threats that we see in the news, but also some other stuff that we've seen from various companies, with a little bit of AWS-specific content in as well. What I've done is I've tried to rewrite these as threats against cloud environments. The idea is, as a team, you can either play the full game or you can just grab some cards and you can look at your design, or you can look at what you're building, or even what you've already built, so any stage in the SDLC, and you can start to play these cards against it. So you can read through them as you're kind of thinking about the feature that you want to work on, with the idea that it can help guide and give you a bit more information about what it is you're building.

My aim for the AppSec team, once we can build it out, is that a lot of the questions that we get from teams can be answered either through automation or through good tooling or support, so that I can spend more time on the more niche questions, the design, the higher-touch advice. So I

want to get to a point where we can start giving advice the teams when they think have got this crazy new language and I wanna whack and they actually that's great I've already been thinking about that and I want to be able to shift the focus we've got on firefight into that kind of more proactive defense than hindsight they serve your way of doing that into teams on hands that are in their security and their assessment of the project they're working on that's a cloudy cut hopefully coming soon so here they run down of some of my favorite tools that I've been using so and some haven't talked about here and they've been incredibly helpful as I am

making my last command as I join photo backs which I've been for about three months now and how custodian inverse service I'm automated I guess the Ratan's to treat configuration detection tool but you can use it prevention too and I always think how custodian gets a bit snarky because you can you can configure it so it just ungenial and says hey by the way your s3 bucket is along Turtles and or you can configure it so it's okay by the way rusty bucket is more cryptic though I deleted it and everything inside it and you can do some really cool stuff of carcass idioms to kind of make it a little bit more preventative and when I think that I've

been looking at is when I look at my aw stay and I gave through from non production environment all the way through to people I work with how I how I start to change the configuration of those tools for Cal custodian to get right more and more smokey as you kind of move up that compliance scale in a production pail and I have a security monkey on there I've got a national security monkeys and Netflix cool and hands up if anyone's ever considered a Netflix security tool yeah it was really awful and try not to swear too much oh my god it was the worst thing I've ever had to configure in my life and that

makes make some really great tools they make an awful documentation and they also do some really neat things like never update their tool sets though a lot of their dependencies will be updated over time but their tool set is in and they don't dependants little pin any versions and you shouldn't really from a security perspective and this is kind of my run it's pretty monkey actually has a lot of vulnerable dependency which they've not addressed or not the really annoying and it's a good tool for kind of looking at this true configuration of your estate but my goodness hard way and so yeah that's there's some really interesting ones that and how they're I think I've

got on there yeah parlor scouts you are again some free open-source tool so all of these are open sourced by the way and that's a really kind of big piece for me at the conference is is very interesting introducing tools I'd love to kind of pretty open sores and say Oh cam and so Prowler and scouts me again our tools that you can use with the awl Isis I'm your infrastructure and that probe Emery but if you can straight configuration and then the class through it was a project at the end which is beauty d or to make it ten the cloudy cards there and have an official projects at the moment I'm still work trying to work out

the best web shooters on the Creative Commons they will be open source they will be soon and your best bet is to follow me on Twitter shameless perk and at Tashlin are and or jingles in business yep and you'll be able to get from them both those as soon as they go live or just my head left onto project those are my favorite tools and there's a QR code here for the aw screw slack forum and the biggest piece that I would love to leave you guys with is there's a lot of stuff that I've not taught on here in your before ma but that's really key that's something that I love and that's something I use or your kind of

biggest iterative it would be to contribute back to the community whether it's a wasp or bee size or other initiatives as I'll say the many hat Club and come and ask them about it but some of the interest you and would be to continue back whether its blog post blogs videos and speaking and we're always looking for people to open source for rules for projects more stuff we're working on and that's it
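The BDD idea in the talk (a human-readable feature text that product owners and compliance people can edit, plus a Python layer that evaluates it against Terraform or CloudFormation output instead of a live account) as an added worked example. This is not code from the talk, from Photobox or from the OWASP Cloud Security project; the feature wording, the step patterns and the trimmed `terraform show -json`-shaped plan are all constructed for this example.

```python
"""BDD-style compliance checks run against an IaC plan rather than a live
cloud account.  Added example: the feature text is the human-readable layer,
the step functions are the Python layer that evaluates it.  Not the OWASP
Cloud Security project's own library; wording and data are constructed."""
import json
import re

# Constructed sample in the shape of `terraform show -json` output, trimmed
# down.  Resource names and values are made up for the example.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"type": "aws_s3_bucket", "name": "uploads",
     "values": {"bucket": "example-uploads", "acl": "private",
                "server_side_encryption_configuration": [{"rule": []}]}},
    {"type": "aws_s3_bucket", "name": "logs",
     "values": {"bucket": "example-logs", "acl": "public-read",
                "server_side_encryption_configuration": []}},
    {"type": "aws_security_group", "name": "web",
     "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}
  ]}}
}
""")

# Constructed Gherkin-style feature text: the layer non-engineers can edit.
FEATURE_TEXT = """
Feature: Baseline cloud controls expressed in plain language
  Scenario: S3 buckets are encrypted at rest
    Given every resource of type "aws_s3_bucket"
    Then each one must have a non-empty "server_side_encryption_configuration"

  Scenario: S3 buckets are not publicly readable
    Given every resource of type "aws_s3_bucket"
    Then each one must not have "acl" set to "public-read"

  Scenario: SSH is not open to the internet
    Given every resource of type "aws_security_group"
    Then no ingress rule may expose port 22 to "0.0.0.0/0"
"""


def resources_of_type(plan, rtype):
    """Select planned resources of one Terraform type."""
    return [r for r in plan["planned_values"]["root_module"]["resources"]
            if r["type"] == rtype]


# Step definitions: each takes the scenario context plus the regex captures
# and returns a list of human-readable failures (empty list means pass).
def step_given_type(ctx, rtype):
    ctx["resources"] = resources_of_type(ctx["plan"], rtype)
    return []


def step_must_have(ctx, attr):
    # An absent block appears as a missing key or an empty list in plan JSON.
    return [f'{r["type"]}.{r["name"]} lacks {attr}'
            for r in ctx["resources"] if not r["values"].get(attr)]


def step_must_not_equal(ctx, attr, value):
    return [f'{r["type"]}.{r["name"]} has {attr}={value}'
            for r in ctx["resources"] if r["values"].get(attr) == value]


def step_no_ingress(ctx, port, cidr):
    port = int(port)
    fails = []
    for r in ctx["resources"]:
        for rule in r["values"].get("ingress", []):
            if rule["from_port"] <= port <= rule["to_port"] \
                    and cidr in rule.get("cidr_blocks", []):
                fails.append(f'{r["type"]}.{r["name"]} exposes port {port} to {cidr}')
    return fails


STEPS = [
    (re.compile(r'Given every resource of type "([^"]+)"'), step_given_type),
    (re.compile(r'Then each one must have a non-empty "([^"]+)"'), step_must_have),
    (re.compile(r'Then each one must not have "([^"]+)" set to "([^"]+)"'), step_must_not_equal),
    (re.compile(r'Then no ingress rule may expose port (\d+) to "([^"]+)"'), step_no_ingress),
]


def parse_feature(text):
    """Split feature text into scenarios, each a name plus its step lines."""
    scenarios, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scenario:"):
            current = {"name": line[len("Scenario:"):].strip(), "steps": []}
            scenarios.append(current)
        elif current is not None and line and not line.startswith("Feature:"):
            current["steps"].append(line)
    return scenarios


def run_feature(text, plan):
    """Evaluate every scenario against the plan; map scenario name -> failures."""
    results = {}
    for sc in parse_feature(text):
        ctx = {"plan": plan, "resources": []}
        failures = []
        for step in sc["steps"]:
            for pattern, fn in STEPS:
                match = pattern.fullmatch(step)
                if match:
                    failures.extend(fn(ctx, *match.groups()))
                    break
            else:
                # An unmatched step is a test-authoring error, not a pass.
                raise ValueError(f"no step definition for: {step}")
        results[sc["name"]] = failures
    return results


if __name__ == "__main__":
    for name, failures in run_feature(FEATURE_TEXT, SAMPLE_PLAN).items():
        print(f'[{"PASS" if not failures else "FAIL"}] {name}')
        for failure in failures:
            print("    -", failure)
```

Because the checks read the plan rather than the account, the same runner can sit in a CI stage before `terraform apply` and fail the pipeline, which is the "embed it in the SDLC" point above; the scenario names and failure strings are also what an auditor-facing report would be generated from.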

[Music]

So there's a lot of great content there about enabling cloud environments, to make them compliant and to make them truly secure, but would you say securing AWS and cloud environments is easier than on-prem? Do you think, with all these tools and with all these great Amazon services, does it get easier, or is it still just as, if not more, difficult?

I think it's more visible. I think your vulnerabilities, and what you can do about them, is way more obvious, or serious, and in some ways I think it's a lot harder, because you go from an on-premise kingdom where by default you've got that additional layer in terms of your network segregation, whereas AWS like to make things super easy for people; you have it, "oh yes, this is a really cool thing", where they make everything open by default, and it really annoys me. Yeah, my personal perspective is it's harder, in a way, but it's more visible, and so, you know, I feel like it's easier to see what you should get out of this.

I'm finding cloud security recruitment harder; it's pretty immature. I've been really lucky, I've learned a huge amount, but I'm under no illusion that there are many people with that level of knowledge at this point in their career, so finding that talent to come in and help me on that journey is, as was said, go start somewhere, even if it's learning yourself. Would I say AWS is harder to secure? Yeah, anything, that knowledge from the view as opposed to on-prem; this is the networking, something else is there, so it's a lot of premises. Anything to help you. Thank you.

[Music]

Thank you, really good talk. I've used AWS heavily and used the WAF aspects of it to secure stuff; since the WAF only plugs into a load balancer or CDN, basically if you use the top ones, you could buy one from, like, Sophos and stuff, which don't tell you the rules they use, which is really easy to bypass and throw them off that way. So are you guys personally, for example, maybe you shared that now, do you guys use a third party like Palo Alto in the WAF section of the marketplace in AWS, or do you guys just use the very basic AWS WAF free version where you just add your own rules into it? Because I know if you use, like, Palo Alto it could be very expensive, because it scales out if you're attacked by some DDoS or something, and if you have like thirty instances of Palo Alto running it could cost you a lot of money. So just a question of how you guys utilise the WAF.

So first off, it can be quite difficult, so quite specific; happy to have a private conversation with you afterwards. And I think from what I've seen in the custom rule sets, which in the marketplace are concentrated, a lot of the time the cost is one, is that they do so they're taking two, I was taking it difficult as my inability to see was keeping that previous experience.

Yes. There's still a challenge for some of the WAF companies to really embrace cloud and services especially, so you'll see a lot say "we're embedded in the AMI", and you're like, that's great, I don't have anything, and so they're still missing things like auto-scaling, licence releasing when you terminate, and some of them take 30 minutes to release a licence, which is not viable in the cloud. And some are making the real journey. You touched on ModSecurity; I spent a lot of time helping with open-source projects, but that overhead was insane, and any company I know that has it has full-time people on their backlog just for WAF configuration, which is mental, and so probably better to catch it at this stage. And a couple of tips on the threat modelling: if you're using WAFs, make sure the endpoints are covered, make sure you know how to turn a rule off if you get a lot of false positives, since those will just read as a flood, and just absolutely validate that they are able to do things like scaling and licensing.

[Music]

Great talk. So I guess cloud itself has been out for a while now; have you seen some maturity evolve in that, are things improving?

No. I set myself up for it. I would love to do a demo video of grayhatwarfare for next time. If you go to grayhatwarfare.com, totally legal website, totally legal, and what you do next is up to you: search credentials, stop CFD those the linear with AWS silver, that is the potential value, get and generate native this active cute and use with you as you cook you, and see how many ones there are, and I think it's a lot, and you get that four million back, and they all have some of those deleted files that have just been cached by grayhatwarfare, but some of them are valid credentials that are valid for a little bit of environment. Not that I've tried; always get permission before you try these consoles if they don't belong to you. And so no, I think we're still seeing a lot of public buckets; I think a lot of people are relying on obscure URLs to protect public objects, and grayhatwarfare, or open source, will show you that's absolutely not true. And I think that there are so many simple mistakes made that a lot of the really cool security innovation and secure architecture, things like zero-trust networks, that people have invested in seems lost through overly permissive IAM policies and open S3 buckets. And it comes back to that: when we moved to the cloud, we had this kind of on-premise infrastructure, it was not really easy to secure, but a bit easier in a way; when we moved to the cloud there was a lot of open by default, and that's just making it way more of a pain. I think it's gonna take a while, and I think it really involves vendors making lots of changes to their default configuration to get rid of some of these simple ones, and then I think we'll see that change. So if you look around, things like subdomain takeover, which is a really nice one, that was a little cool one; it was really easy using the configuration to overtake other people's websites, just sitting on it. And so there are some really cool new attacks coming out, but very immature.

Yeah, I mean, there's a component that's getting worse because of organisations having to: what is there, more information out there? Yes, and we will commence fixing those problems, certainly in certain places; we might need to go to the idea of what else to do, but I think you'll see it continue to get worse. It's just a microcosm of the rest of the security industry for me, where more companies are starting to have to invest in these things, and probably differently, as every organisation does; if you think the organisation isn't or won't, it will, because it's unruly, and then it'll just come with complexities.

That's just them. This is a shameless plug: Tash is back in Edinburgh towards the end of May with the Cyber Scotland Connect events, we'll be here again. Please, yeah, thank you very much.

[Applause]