DevOps：Security 干我何事？

tags: DevOpsDays Taipei 2018 9/12 11:20~12:00 Track B

簡報

Security Gene in Development

Penertration Testing Need to be Fast…（來不及）

• Static application security testing (SAST)

  • e.g. Docker image security scan

• Runtime application self-protection (RASP)

• Dynamic application securtiy testing(DAST)

• Interactive application security testging(

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  IAST)

程式碼中要有自動化的防禦機制(?)

RASP Agent + DASH = IAST

系統要做滲透測試，人類也要做

1. 利用人類的貪婪與恐懼

貪婪: 簡單的 星巴克買一送一 就很容易釣到
恐懼: 給你一封通知(email?) 說你的帳號被盜用了，然後給一個假的網站link, 看起來跟Gmail Login 畫面很像

https://github.com/ustayready/CredSniper

Secret Management

Infrastructure must be code

• Private network vs Public Network
  • k8s
  • DB
  • NAT gateway
  • …

一定要區分內網網路，不要讓服務裸奔

• public network

  • LB
  • …

• Infrastructure As Code

  • Ansible, Chef,
  • …

System Management

​​​​- Authentication(Later)
​​​​- Authorization(Later)
​​​​- Secret Management (HashiCorp Vault)
​​​​- Don't Share Account
​​​​- Least privilege Policy
​​​​- Log Everything
​​​​- Manage and Record Privileged Activity (Later)
​​​​- Alert and Notify of Suspicious Activity (Later)
​​​​- Identity Centralize and Unify

• 不同系統避免用重複的帳密

Ａ：我需要sudo權限去部署

Using ChatBot
前置條件：自動化技術要先做好
參考:Ansible and ChatOps. Get started

如何 patch vulnerability

場外聊天室，歡迎在下方喇賽

後方聽眾覺得小聲

大會不知道可不可以提供頭戴麥克風
小城大大內建人肉自動調節音量的功能

AGC 啊 (automatically gain control)

星巴克這魚餌到底有多少人愛用？ ＸＤ

最大的弱點是人