SlideShare a Scribd company logo

Lock it down

Peter Souter
Peter Souter

Puppet is an awesome tool to automate the configuration of your infrastructure, but it's also a potential attack vector. In this talk, we'll discuss some common patterns and changes you can make to harden your Puppet infrastructure, from the basic good practises such as data abstraction in modules, to some advanced customisation you might need in a high-security setup.

Technology
1 of 87
Download to read offline
LOCK IT DOWN! SECURING YOUR PUPPET INFRASTRUCTURE
WHO WAS AT FOSDEM?
THERE MIGHT BE A TOUCH OF DEJA VU...
QUICK SUMMARY OF THE POINTS OF GENERAL CONFIG MANAGEMENT HARDENING:
MOVE DATA OUT OF CODE ENCRYPT SENSITIVE DATA MINIMISE SURFACE AREA MONITOR, DON'T JUST LOG FIND OUT WHAT A NORMAL STATE OF YOUR MACHINES ARE, AND DETECT INTRUSIONS
BUT WE'RE GOING TO FOCUS MORE ON PUPPET SPECIFIC THINGS HERE!
WHO AM I? > Peter Souter > @petersouter > @petems - IRC/GitHub > Professional Services Engineer at Puppet Labs > Work with customers when they buy services and teach Puppet Classes!
WHAT IS THIS ALL ABOUT?HTTPS://FLIC.KR/P/BHYT8B
PUPPET IS AN AWESOME TOOL FOR SECURITY PURPOSES!
AUDITING LOGGING MONITORING FIXING CONFIGURATION DRIFT HARDENING
BUT WHAT ABOUT PUPPET ITSELF?
HOW DO WE HARDEN PUPPET ITSELF?
WHAT I'M NOT GOING TO TALK ABOUT...
LETS START WITH BASICS...
REDUCING THE ATTACK SURFACE
REMOVING SENSITIVE DATA FROM LOGS
EASIEST WAY...
SHOW_DIFF = FALSE
MORE COMPLEX...
CUSTOM TYPES AND PROVIDERS
PUPPET USER TYPE
YOU CAN DO THIS TOO!
TAKEN FROMhttps://github.com/ openstack/puppet-barbican/ blob/master/lib/puppet/ provider/barbican_config/ ini_setting.rb
NODE-ENCRYPT(WE'LL COME BACK TO THIS IN THE ENCRYPTION PART!)
REMOVE DATA FROM CODE
ESPECIALLY ORGANISATION SPECIFIC DATA!
HIERA IS HERE TO SAVE THE DAY!
BAD
GOOD
ROLES AND PROFILES PATTERN FOR HELPS WITH THIS!
ABSTRACTING IMPLEMENTATON SPECIFICS AWAY
ORGANISATION SPECIFIC DATA IN HIERA ORGANISATION SPECIFC SETUP IN ROLE AND PROFILE WRAPPERS
ADVANTAGE: NOT ONLY MORE SECURE: CLEANER CODE THAT'S MORE REUSABLE!
THEORETICAL SCENARIO:
YOU SHOULD BE ABLE TO RELEASE MOST CODE YOU WRITE PUBLICALLY WITHOUT ANY SORT OF SECURITY ISSUES
ANYTHING SENSITIVE SHOULD BE KEPT IN HIERA
EXAMPLE: GDS
SOME AWESOME SHELL COMMANDS TO CHECK YOUR CODE...
CHECK COMMITS
CHECK UNIQUE STRINGS
HTTPS://GITHUB.COM/ ALPHAGOV/GOVUK- PUPPET
HTTPS:// GDSTECHNOLOGY.BLOG.GO V.UK/2016/01/19/ OPENING-GOV-UKS- PUPPET-REPOSITORY/
SENSIBLE DEFAULTS ARE IMPORTANT TOO!
STORY TIME!
IF YOU'RE INTERESTED IN THE STEPS TO RELEASE YOUR PUPPET MODULES, I HIGHLY RECOMEND WATCHING ELIZABETH'S TALK! :D
YOUR DATA SHOULD IS NOW SEPARATED. HOORAY!
BUT IT'S PLAINTEXT. BOO!
ENCRYPTION
PUPPET - HIERA-EYAML
BAD
GOOD
WHAT ABOUT THE AGENT DECRYPTING THE INFORMATION FROM THE MASTER?
NODE-ENCRYPT
"THE PUPPET MASTER WILL ENCRYPT THE CONTENT OF THE FILE USING THAT AGENT'S PUBLIC KEY. ONLY THAT AGENT WILL BE ABLE TO DECRYPT IT-- USING ITS PRIVATE KEY, OF COURSE. THE ACTUAL PLAIN-TEXT CONTENT OF THE FILE WILL NEVER EXIST IN THE CATALOG OR IN ANY REPORTS."
http://binford2k.com/ content/2015/12/sharing- secrets-puppet-secretly
TRUSTED FACTS IF YOU'RE CLASSIFING FACTS OR USING THEM AS PART OF YOUR HIERACHY...
HOW TRUSTWORTHY ARE THOSE FACTS?
BASICALLY, NOT MUCH:
A few special trusted facts appear in a $trusted hash. They can be accessed in manifests as $trusted['fact_name']. The variable name $trusted is reserved, so local scopes cannot re-use it. Normal facts are self-reported by the node, and nothing guarantees their accuracy. Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them. This makes them useful for deciding whether a given node should receive sensitive data in its catalog. https://docs.puppetlabs.com/puppet/latest/reference/ lang_facts_and_builtin_vars.html#trusted-facts
CSR EXTENSIONS
AWS EXAMPLE #!/bin/sh if [ ! -d /etc/puppetlabs/puppet ]; then mkdir /etc/puppetlabs/puppet fi cat > /etc/puppetlabs/puppet/csr_attributes.yaml << YAML custom_attributes: 1.2.840.113549.1.9.7: mySuperAwesomePassword extension_requests: pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id) pp_image_name: $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
if !empty( $trusted['extensions']['pp_role'] ) { include "role::${trusted['extensions']['pp_role']}" }
TRUSTED FACTS FOR HIERA-HIERACHY'S
BAD
GOOD
POLICY BASED AUTOSIGNING
BASIC EXAMPLE
# Spin through attributes and find our custom attribute to check against atts.each do |a| if (a.oid=="extReq") val = a.value.value.first.value.first.value if val[0].value == "1.3.6.1.4.1.34380.1.1.4" #pp_preshared_key key = val[1].value.strip end end end # If the key for the attribute matches, sign # Otherwise, exit 1 and don't sign if key == "EXAMPLE_TRUSTED_KEY" print "Matchn" exit 0 else print "No matchn" exit 1 end
IF YOU EMBED A UNIQUE PRE-SHARED KEY IN EACH NODE WHEN YOU PROVISION IT, AND PROVIDE YOUR POLICY EXECUTABLE WITH A DATABASE OF THESE KEYS, YOUR AUTOSIGNING SECURITY WILL BE AS GOOD AS YOUR HANDLING OF THE KEYS — AS LONG AS IT’S IMPRACTICAL FOR AN ATTACKER TO ACQUIRE A PSK, IT WILL BE IMPRACTICAL FOR THEM TO ACQUIRE A SIGNED CERTIFICATE. https://docs.puppetlabs.com/puppet/latest/reference/ ssl_autosign.html#security-implications-of-policy- based-autosigning
DON'T FORGET TO CHECK https:// puppetlabs.com/ security
QUESTIONS?

Recommended

Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
 
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
Making AI based monitoring a platform feature with the power of BOSH
Making AI based monitoring a platform feature with the power of BOSHMaking AI based monitoring a platform feature with the power of BOSH
Making AI based monitoring a platform feature with the power of BOSHMike Villiger
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?Daniel Kanchev
 

Recommended

Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
 
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
Making AI based monitoring a platform feature with the power of BOSH
Making AI based monitoring a platform feature with the power of BOSHMaking AI based monitoring a platform feature with the power of BOSH
Making AI based monitoring a platform feature with the power of BOSHMike Villiger
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?Daniel Kanchev
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Tomek Cejner
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIsSteven Chen
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Adnan Rashid
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityT.Rob Wyatt
 
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesDecrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesBlueboxer2014
 
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017Codemotion
 
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017Vincent Kok
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)xsist10
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confooxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and InfraLock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and InfraVMware Tanzu
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
 
Meraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomMeraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomJoel W. King
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Matt Raible
 
Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
 
I don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsI don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsPeter Souter
 

More Related Content

Similar to Lock it down

Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Tomek Cejner
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIsSteven Chen
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Adnan Rashid
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityT.Rob Wyatt
 
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesDecrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesBlueboxer2014
 
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017Codemotion
 
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017Vincent Kok
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)xsist10
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confooxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and InfraLock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and InfraVMware Tanzu
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
 
Meraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomMeraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomJoel W. King
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Matt Raible
 

Similar to Lock it down (20)

Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIs
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesDecrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
 
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
 
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confoo
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and InfraLock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by design
 
Meraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomMeraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk Phantom
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
 

More from Peter Souter

Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
 
I don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsI don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsPeter Souter
 
Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Peter Souter
 
Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Peter Souter
 
Maintaining Layer 8
Maintaining Layer 8Maintaining Layer 8
Maintaining Layer 8Peter Souter
 
Knee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebasesKnee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebasesPeter Souter
 
Compliance and auditing with Puppet
Compliance and auditing with PuppetCompliance and auditing with Puppet
Compliance and auditing with PuppetPeter Souter
 
Puppet module anti patterns
Puppet module anti patternsPuppet module anti patterns
Puppet module anti patternsPeter Souter
 
Little Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterLittle Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterPeter Souter
 
Testing servers like software
Testing servers like softwareTesting servers like software
Testing servers like softwarePeter Souter
 

More from Peter Souter (10)

Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020
 
I don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsI don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOps
 
Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018
 
Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018
 
Maintaining Layer 8
Maintaining Layer 8Maintaining Layer 8
Maintaining Layer 8
 
Knee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebasesKnee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebases
 
Compliance and auditing with Puppet
Compliance and auditing with PuppetCompliance and auditing with Puppet
Compliance and auditing with Puppet
 
Puppet module anti patterns
Puppet module anti patternsPuppet module anti patterns
Puppet module anti patterns
 
Little Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterLittle Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life Better
 
Testing servers like software
Testing servers like softwareTesting servers like software
Testing servers like software
 

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Lock it down