The Product: MEGAchat What is Security? Infrastructure Trust/Authentication Protocols Client/Server Implementation
Building a (Really) Secure Cloud Product
Guest Lecture for
Master of Information Security and Digital Forensics
Guy Kloss
gk@mega.co.nz
Lead Software Developer
Mega Limited
30 March 2015
Guy Kloss | Building a (Really) Secure Cloud Product 1/36
Outline
1 The Product: MEGAchat
2 What is Security?
3 Infrastructure
4 Trust/Authentication
5 Protocols
6 Client/Server Implementation
The Product: MEGAchat
A Cloud-based internet chat system
Voice, Video and Text chat capable
Offers multiple device capability for each participant
(transparent synchronisation, consistent view of chat)
To work in browser as well as native/mobile app
The Product: MEGAchat
Why “Really” Secure?
Everybody says they’re secure . . .
“Security Theatre” . . .
We’re doing it (we say) . . .
. . . and like to be confirmed or disproven in it.
→ Bug bounty!
(for chat so far one paid out)
Security Theatre
Security Theatre
http://geekandpoke.typepad.com/geekandpoke/2009/12/security-theatre.html
Early Adopters
For the Chat System
Desired properties:
Confidentiality
Identity authenticity
Message authenticity
Forward secrecy
Session freshness
Plausible deniability
Room participants consistency
Chat transcript consistency
Reduced footprint of “leaking” meta-data
Meta-Data?
© by Michael J. Swart
http://michaeljswart.com/2011/06/meta-aggregate/
Meta-Data?
Sparseness of Meta-Data
Don’t store what you don’t need
Then nobody can come and ask you to “comply”
If you must, do it so you can’t be compromised
(e. g. passwords, salted and hashed,
so not even you know them in plain)
→ Proper mechanisms for authentication
and password management/storage
On Mega
Most meta-data only known to customer (encrypted)
Company only knows what’s needed to manage
the platform and interactions
Crypto?
It’s really difficult to get this right!
Avoid writing it, if you can!
Use off-the-shelf frameworks/helpers/packages
→ If you’re writing AES in your code,
you’re probably doing it wrong
If you can’t help it and have to build it yourself
Make the conceptual system not suck!
Make the implementation not suck!
Crypto?
The maths is good, it’s the implementation that sucks:
“No matter how strong the crypto was,
the attackers walked around it,”
– “Crypto Won’t Save You Either”, Peter Gutmann, 2014
http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf
Choice of System Components
Robust base OS
→ Security, maintenance, reliability
Many features are not necessarily important
Evaluate/select server (software) carefully
For required features
Get rid of the features that are not required
→ Security, maintenance, reliability
Is Cloud scalability a relevant factor?
→ Distribution, clustering, replication, . . .
Choice of System Components
(continued)
Prefer open source solutions
Auditable
Many eyes
Mostly more secure
If well maintained, usually very quick fixes
(e. g. on security)
Secure System Setup
Shut down unneeded services
Configure systems securely
Turn off what’s not needed
Don’t log everything (production in debug mode?)
Get the SSL/TLS configuration right!
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Need bad examples?
https://httpswatch.nz/
https://httpswatch.com/
Use additional protection schemes
CSP – Content Security Policy
HSTS – HTTP Strict Transport Security
CORS – Cross Origin Resource Sharing
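A small audit of the response-header protections named on this slide (HSTS, CSP, CORS), as an added example that is not part of the talk. The two header sets are constructed for the example, not captured from any real server, and the HSTS max-age threshold is an assumption.

```python
"""Audit HTTP response headers for the HSTS, CSP and CORS settings."""
from typing import Dict, List

# Constructed sample responses (not captured from a real server).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Access-Control-Allow-Credentials": "true",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed threshold for this example


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif _hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("CSP allows 'unsafe-inline' or 'unsafe-eval'")
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")

    origin = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if origin == "*" and credentials:
        findings.append("CORS: wildcard origin with credentials enabled")
    elif origin == "*":
        findings.append("CORS: wildcard origin")
    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

Run it against a live service by feeding it the header dict from any HTTP client; the point is that each of the three mechanisms has a specific value that makes it effective, and "header present" is not the same as "header correct".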
Secure System Setup
SSL Labs Server Test
SSL Labs is your friend
https://www.ssllabs.com
Secure System Setup
Keep the system upgraded (security fixes especially),
with short reaction times
Best one service per (virtual) host
(don’t slam them onto one host)
Use log files with log rotation at the system level wisely
Allows for forensic analysis later
Without it, you’ve shut yourself out
from most root cause analysis
Stay on top of security things
This can be hard work!
(Automatic) Monitoring
Load (CPU, network I/O, memory, . . . )
Availability & functionality
Check for “odd behaviour”
System/Infrastructure Level
Always use HTTPS/SSL/TLS as a minimum
Too bad the whole CA system and SSL is a bit broken
And some of the ciphers/cipher suites “advertised”
for use are also broken
On the client side, always verify the full certificate chain
Many tools/implementations are lazy by default
(in Java, Python, C/C++, . . . )
Prefer to use certificate pinning
E. g. a mobile app for a known service
Recent Superfish scandal with Lenovo and others
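The client-side points above (verify the full chain, do not rely on lazy defaults, prefer pinning for a known service), as an added Python example that is not from the talk or from Mega. It pins the SHA-256 fingerprint of the whole leaf certificate; the sample certificate bytes are constructed for the test and are not a real certificate, and `connect_pinned` needs a network and is only illustrative here.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, Optional


def strict_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that verifies the chain and the hostname.

    create_default_context() already does this, but the settings are made
    explicit so that a later edit cannot quietly relax them. The lazy
    alternative (verify_mode = CERT_NONE, check_hostname = False) accepts
    any certificate, which is the default the slide warns about in several
    libraries.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED       # full chain must validate
    ctx.check_hostname = True                 # and match the requested host
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """True if the certificate matches any of the expected fingerprints.

    Ship more than one pin (current plus the next planned certificate) so
    that a routine rotation does not lock clients out.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned)


def connect_pinned(host: str, port: int, pinned: Iterable[str]) -> str:
    """Open a verified TLS connection and additionally enforce the pin.

    Not exercised offline; shown to make the order of checks clear: chain
    and hostname first (the context), then the pin on the peer certificate.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not check_pin(der, pinned):
                raise ssl.SSLError("peer certificate does not match any pinned fingerprint")
            return tls.version()


# Constructed placeholder bytes standing in for a DER certificate (not real).
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_DER))
    print(check_pin(SAMPLE_DER, [cert_fingerprint(SAMPLE_DER)]))  # True
```

Pinning the full certificate is the simplest variant; pinning the public key instead survives certificate reissues with the same key, at the cost of needing a certificate parser.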
Application Layer
User to server
Commonly username/password
Alternative:
Certificates, other authentication mechanisms
Too many concepts for secure authentication,
beyond the scope of this talk
User to user
Difficult if one can’t trust the platform/server
On Mega
Verification of user’s public (signing) key
via fingerprint comparison (out of band)
Authenticating further crypto keys
via signature by authenticated key pair
Avoid Security Warnings
“MRI Shows Our Brain Shuts Down
When We See Security Warnings on Computers”
http://ema-tech.blogspot.co.nz/2015/03/mri-shows-our-brain-shuts-down-when-we.html
Trust from the “Community”
Open source it!
Really!
Make the money with your service, not the code.
Why & What?
For peer review/audits
At least the core of the security-related stuff
Really important for crypto!
Wouldn’t it be more secure if it was proprietary/closed?
The “Big Problem” (TM)
Use secured protocols
Nothing available to solve our problem
We had to “roll our own” . . .
Key Design Features of Chat Protocol
Group chat capable
(multiple “devices” of identities)
Outsiders can’t eavesdrop (decrypt)
New members only participate after “join”
Excluded members cannot decrypt any more
Anticipate what could go wrong!
Desired Security Properties
Confidentiality
→ Needs to be encrypted
Forward secrecy
→ Using (group) Diffie-Hellman with ephemeral key pairs
Identity authenticity
→ Sign some confirmation with identity key
Message authenticity
→ Sign messages with member’s session signing key
Session freshness
→ Use of nonces (to avoid replay attacks)
Desired Security Properties
Plausible deniability
→ Ephemeral signing keys for every individual session
(private key published at the end)
Room participants consistency
→ Key agreement requires participation of every member
Chat transcript consistency
→ Agreed and cryptographically enforced partial ordering
Reducing the footprint of “leaking” meta-data
→ Exponential message size padding
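Two of the mechanisms from the property list above, session freshness via nonces and exponential message size padding, worked through as an added example. This is not Mega's protocol code: the 128-byte smallest bucket, the 2-byte length prefix and the zero fill are assumptions chosen for the example; in a real protocol the padded block is what gets encrypted, so only the bucket size is visible to an observer.

```python
import os
import struct
from typing import Set

MIN_PADDED = 128  # assumed smallest bucket; everything shorter looks identical
LEN_PREFIX = 2    # bytes reserved for the original length


def padded_length(plain_len: int) -> int:
    """Smallest power-of-two bucket (>= MIN_PADDED) holding prefix + message."""
    size = MIN_PADDED
    while size < plain_len + LEN_PREFIX:
        size *= 2
    return size


def pad(message: bytes) -> bytes:
    """Prefix the length, then fill to the bucket size with zero bytes.

    Ciphertext length then leaks only floor(log2(len)), not the exact
    length of what was typed.
    """
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = struct.pack(">H", len(message)) + message
    return body + b"\x00" * (padded_length(len(message)) - len(body))


def unpad(padded: bytes) -> bytes:
    """Recover the message; reject a length prefix that overruns the buffer."""
    if len(padded) < LEN_PREFIX:
        raise ValueError("truncated padded message")
    (n,) = struct.unpack(">H", padded[:LEN_PREFIX])
    if LEN_PREFIX + n > len(padded):
        raise ValueError("corrupt length prefix")
    return padded[LEN_PREFIX:LEN_PREFIX + n]


class ReplayGuard:
    """Per-session record of nonces already accepted.

    A message whose nonce was seen before is a replay and is dropped;
    the set is scoped to one session, so it is discarded with the session.
    """

    def __init__(self) -> None:
        self._seen: Set[bytes] = set()

    @staticmethod
    def new_nonce() -> bytes:
        return os.urandom(16)

    def accept(self, nonce: bytes) -> bool:
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


if __name__ == "__main__":
    for text in (b"ok", b"see you at 10", b"x" * 300):
        print(len(text), "->", len(pad(text)))
    guard = ReplayGuard()
    n = guard.new_nonce()
    print(guard.accept(n), guard.accept(n))  # True False
```

The two short messages above land in the same 128-byte bucket, which is the whole point: an observer of the encrypted stream cannot tell "ok" from a sentence. The cost is bandwidth, and the bucket doubling keeps that overhead bounded at under 2x.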
Do it right! Follow best practices . . .
Follow OWASP; it is much more comprehensive
on this subject than this talk
Open Web Application Security Project
http://owasp.org
Questions?
Be Safe!
Guy Kloss
gk@mega.co.nz
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationGuy K. Kloss
 

More from Guy K. Kloss (16)

Kauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity SystemKauri ID - A Self-Sovereign, Blockchain-based Identity System
Kauri ID - A Self-Sovereign, Blockchain-based Identity System
 
Qrious about Insights -- Big Data in the Real World
Qrious about Insights -- Big Data in the Real WorldQrious about Insights -- Big Data in the Real World
Qrious about Insights -- Big Data in the Real World
 
WTF is Blockchain???
WTF is Blockchain???WTF is Blockchain???
WTF is Blockchain???
 
Representational State Transfer (REST) and HATEOAS
Representational State Transfer (REST) and HATEOASRepresentational State Transfer (REST) and HATEOAS
Representational State Transfer (REST) and HATEOAS
 
Introduction to LaTeX (For Word users)
 Introduction to LaTeX (For Word users) Introduction to LaTeX (For Word users)
Introduction to LaTeX (For Word users)
 
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
MataNui - Building a Grid Data Infrastructure that "doesn't suck!"
 
Operations Research and Optimization in Python using PuLP
Operations Research and Optimization in Python using PuLPOperations Research and Optimization in Python using PuLP
Operations Research and Optimization in Python using PuLP
 
Python Data Plotting and Visualisation Extravaganza
Python Data Plotting and Visualisation ExtravaganzaPython Data Plotting and Visualisation Extravaganza
Python Data Plotting and Visualisation Extravaganza
 
Lecture "Open Source and Open Content"
Lecture "Open Source and Open Content"Lecture "Open Source and Open Content"
Lecture "Open Source and Open Content"
 
Version Control with Subversion
Version Control with SubversionVersion Control with Subversion
Version Control with Subversion
 
Beating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
Beating the (sh** out of the) GIL - Multithreading vs. MultiprocessingBeating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
Beating the (sh** out of the) GIL - Multithreading vs. Multiprocessing
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 
Gaining Colour Stability in Live Image Capturing
Gaining Colour Stability in Live Image CapturingGaining Colour Stability in Live Image Capturing
Gaining Colour Stability in Live Image Capturing
 
LaTeX Introduction for Word Users
LaTeX Introduction for Word UsersLaTeX Introduction for Word Users
LaTeX Introduction for Word Users
 
Thinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ IntegrationThinking Hybrid - Python/C++ Integration
Thinking Hybrid - Python/C++ Integration
 

Recently uploaded

Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 

Recently uploaded (20)

Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 

Building a (Really) Secure Cloud Product

  • 1. The Product: MEGAchat | What is Security? | Infrastructure | Trust/Authentication | Protocols | Client/Server Implementation
    Building a (Really) Secure Cloud Product
    Guest Lecture for Master of Information Security and Digital Forensics
    Guy Kloss, gk@mega.co.nz
    Lead Software Developer, Mega Limited
    30 March 2015
    Guy Kloss | Building a (Really) Secure Cloud Product 1/36
  • 2. Outline
    1 The Product: MEGAchat
    2 What is Security?
    3 Infrastructure
    4 Trust/Authentication
    5 Protocols
    6 Client/Server Implementation
  • 3. Outline (repeated, see slide 2)
  • 4. The Product: MEGAchat
    A cloud-based internet chat system
    Voice, video and text chat capable
    Offers multiple-device capability for each participant (transparent synchronisation, consistent view of chat)
    To work in browser as well as native/mobile app
  • 5. The Product: MEGAchat – Why “Really” Secure?
    Everybody says they’re secure . . .
    “Security Theatre” . . .
    We’re doing it (we say) . . .
    . . . and like to be confirmed or disproven in it.
    → Bug bounty! (for chat so far one paid out)
  • 6. Security Theatre
  • 7. Security Theatre
    http://geekandpoke.typepad.com/geekandpoke/2009/12/security-theatre.html
  • 8. Early Adopters
  • 9. Outline (repeated, see slide 2)
  • 10. What is Security? – For the Chat System
    Desired properties:
    Confidentiality
    Identity authenticity
    Message authenticity
    Forward secrecy
    Session freshness
    Plausible deniability
    Room participants consistency
    Chat transcript consistency
    Reduced footprint of “leaking” meta-data
  • 11. Meta-Data?
    © by Michael J. Swart, http://michaeljswart.com/2011/06/meta-aggregate/
  • 12. Meta-Data?
  • 13. Sparseness of Meta-Data
    Don’t store what you don’t need
    Then nobody can come and ask you to “comply”
    If you must, do it so you can’t be compromised (e. g. passwords, salted and hashed, so not even you know them in plain)
    → Proper mechanisms for authentication and password management/storage
    On Mega:
    Most meta-data only known to customer (encrypted)
    Company only knows what’s needed to manage the platform and interactions
  • 14. Crypto?
    It’s really difficult to get this right!
    Avoid writing it, if you can!
    Use off-the-shelf frameworks/helpers/packages
    → If you’re writing AES in your code, you’re probably doing it wrong
    If you can’t help it and have to build it yourself:
    Make the conceptual system not suck!
    Make the implementation not suck!
  • 15. Crypto?
    The maths is good, it’s the implementation that sucks:
    “No matter how strong the crypto was, the attackers walked around it.”
    – “Crypto Won’t Save You Either”, Peter Gutmann, 2014, http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf
  • 16. Outline (repeated, see slide 2)
  • 17. Choice of System Components
    Robust base OS → Security, maintenance, reliability
    Many features are not necessarily important
    Evaluate/select server (software) carefully for required features
    Get rid of features that are not required → Security, maintenance, reliability
    Is Cloud scalability a relevant factor? → Distribution, clustering, replication, . . .
  • 18. Choice of System Components (continued)
    Prefer open source solutions
    Auditable
    Many eyes
    Mostly more secure
    If well maintained, usually very quick fixes (e. g. on security)
  • 19. Secure System Setup
    Shut down unneeded services
    Configure systems securely
    Turn off what’s not needed
    Don’t log everything (production in debug mode?)
    Get the SSL/TLS configuration right! https://mozilla.github.io/server-side-tls/ssl-config-generator/
    Need bad examples? https://httpswatch.nz/ https://httpswatch.com/
    Use additional protection schemes:
    CSP – Content Security Policy
    HSTS – HTTP Strict Transport Security
    CORS – Cross Origin Resource Sharing
  • 20. Secure System Setup – SSL Labs Server Test
    SSL Labs is your friend: https://www.ssllabs.com
  • 21. Secure System Setup
    Keep system upgraded (esp. security fixes quickly), short reaction times
    Best one service per (virtual) host (don’t slam them onto one host)
    Use logfiles with logrotation on a system level wisely
    Allows for forensic analysis later
    Without it, you’ve shut yourself out from most root cause analysis
    Stay on top of security things – this can be hard work!
  • 22. (Automatic) Monitoring
    Load (CPU, network I/O, memory, . . . )
    Availability & functionality
    Check for “odd behaviour”
  • 23. Outline (repeated, see slide 2)
  • 24. Trust/Authentication – System/Infrastructure Level
    Always use HTTPS/SSL/TLS as a minimum
    Too bad the whole CA system and SSL is a bit broken
    And some of the ciphers/cipher suites “advertised” for use are also broken
    On the client side, always verify the full certificate chain
    Many tools/implementations are lazy by default (in Java, Python, C/C++, . . . )
    Prefer to use certificate pinning, e. g. a mobile app for a known service
    Recent Superfish scandal with Lenovo and others
  • 25. Trust/Authentication – Application Layer
    User to server:
    Commonly username/password
    Alternative: certificates, other authentication mechanisms
    Too many concepts for secure authentication, beyond the scope of this talk
    User to user:
    Difficult if one can’t trust the platform/server
    On Mega:
    Verification of user’s public (signing) key via fingerprint comparison (out of band)
    Authenticating further crypto keys via signature by authenticated key pair
  • 26. Avoid Security Warnings
    “MRI Shows Our Brain Shuts Down When We See Security Warnings on Computers”
    http://ema-tech.blogspot.co.nz/2015/03/mri-shows-our-brain-shuts-down-when-we.html
  • 27. Trust from the “Community”
    Open source it! Really!
    Make the money with your service, not the code.
    Why & what?
    For peer review/audits
    At least the core of the security-related stuff
    Really important for crypto!
    Wouldn’t it be more secure if it was proprietary/closed?
  • 28. Outline (repeated, see slide 2)
  • 29. Protocols – The “Big Problem” (TM)
    Use secured protocols
    Nothing available to solve our problem
    We had to “roll our own” . . .
  • 30. Key Design Features of Chat Protocol
    Group chat capable (multiple “devices” of identities)
    Outsiders can’t eavesdrop (decrypt)
    New members only participate after “join”
    Excluded members cannot decrypt any more
  • 31. Anticipate what could go wrong!
  • 32. Desired Security Properties
    Confidentiality → Needs to be encrypted
    Forward secrecy → Using (group) Diffie-Hellman with ephemeral key pairs
    Identity authenticity → Sign some confirmation with identity key
    Message authenticity → Sign messages with member’s session signing key
    Session freshness → Use of nonces (to avoid replay attacks)
  • 33. Desired Security Properties
    Plausible deniability → Ephemeral signing keys for every individual session (private key published at the end)
    Room participants consistency → Key agreement requires participation of every member
    Chat transcript consistency → Agreed and cryptographically enforced partial ordering
    Reducing the footprint of “leaking” meta-data → Exponential message size padding
  • 34. Outline (repeated, see slide 2)
  • 35. Client/Server Implementation – Do it right!
    Follow best practices . . .
    Follow OWASP, that’s much more comprehensive than this talk on this subject
    Open Web Application Security Project, http://owasp.org
  • 36. Questions?
    Be Safe!
    Guy Kloss, gk@mega.co.nz