1 00:00:00,000 --> 00:00:08,469 foreign 2 00:00:00,500 --> 00:00:08,469 [Music] 3 00:00:11,099 --> 00:00:16,080 good afternoon and welcome to Security 4 00:00:14,280 --> 00:00:18,300 in the open 5 00:00:16,080 --> 00:00:20,939 incident detection and response for open 6 00:00:18,300 --> 00:00:23,100 source with Alistair Chapman 7 00:00:20,939 --> 00:00:25,260 Alistair is a senior Cloud security 8 00:00:23,100 --> 00:00:26,699 engineer at Red Hat specializing in 9 00:00:25,260 --> 00:00:29,220 incident response and security 10 00:00:26,699 --> 00:00:32,040 architecture for public and hybrid Cloud 11 00:00:29,220 --> 00:00:33,840 environments today Alistair will present 12 00:00:32,040 --> 00:00:35,520 a broad rundown of all the new and 13 00:00:33,840 --> 00:00:37,559 exciting ways that things can go wrong 14 00:00:35,520 --> 00:00:40,050 in your security when working in the 15 00:00:37,559 --> 00:00:40,820 open please welcome Alistair 16 00:00:40,050 --> 00:00:44,049 [Applause] 17 00:00:40,820 --> 00:00:44,049 [Music] 18 00:00:44,160 --> 00:00:47,640 all right thank you and welcome everyone 19 00:00:46,079 --> 00:00:49,079 to the Melbourne Convention Exhibition 20 00:00:47,640 --> 00:00:50,219 Center and the home stretch of 21 00:00:49,079 --> 00:00:52,140 Everything Open we're getting to the end 22 00:00:50,219 --> 00:00:53,399 there before we get into today I do want 23 00:00:52,140 --> 00:00:54,719 to acknowledge the traditional owners of 24 00:00:53,399 --> 00:00:56,520 this land the Wurundjeri Woi Wurrung 25 00:00:54,719 --> 00:00:57,960 people of the Kulin Nation pay my 26 00:00:56,520 --> 00:00:59,520 respects to their Elders past and 27 00:00:57,960 --> 00:01:01,140 present and Elders of all First 28 00:00:59,520 --> 00:01:02,760 Nations communities that join us this 29 00:01:01,140 --> 00:01:04,860 week and recognize this land's 30 00:01:02,760 --> 00:01:06,740 significance to those people for over 2 31 00:01:04,860 --> 00:01:08,939 000 generations and 
recognize that while 32 00:01:06,740 --> 00:01:10,799 sovereigns are for all of us to enjoy 33 00:01:08,939 --> 00:01:12,479 sovereignty was never ceded 34 00:01:10,799 --> 00:01:14,280 one more step before we dive in and 35 00:01:12,479 --> 00:01:16,200 that's covering who I am my name is 36 00:01:14,280 --> 00:01:17,760 Alistair Chapman I'm a senior Cloud 37 00:01:16,200 --> 00:01:20,159 security engineer based in Brisbane 38 00:01:17,760 --> 00:01:22,439 Australia I do work for Red Hat but to 39 00:01:20,159 --> 00:01:23,640 be clear this is all my view so while a 40 00:01:22,439 --> 00:01:25,140 lot of what I'll be covering today has 41 00:01:23,640 --> 00:01:26,700 been Guided by my experience at Red Hat 42 00:01:25,140 --> 00:01:28,740 if you don't like it complain at me not 43 00:01:26,700 --> 00:01:30,900 my boss you can find me basically 44 00:01:28,740 --> 00:01:32,280 everywhere as agc93 and so I get to 45 00:01:30,900 --> 00:01:33,840 enjoy the wonders of open source 46 00:01:32,280 --> 00:01:35,880 security from both sides I work in 47 00:01:33,840 --> 00:01:38,040 security for an open source company and 48 00:01:35,880 --> 00:01:39,659 as outside of work I tend to build a lot 49 00:01:38,040 --> 00:01:41,540 of Open Source software because I guess 50 00:01:39,659 --> 00:01:43,500 I hate myself 51 00:01:41,540 --> 00:01:46,140 so 52 00:01:43,500 --> 00:01:47,280 we'll get into a the trust me it's okay 53 00:01:46,140 --> 00:01:49,200 this is the only bit of audience 54 00:01:47,280 --> 00:01:50,579 participation in the entire thing 55 00:01:49,200 --> 00:01:52,200 I understand this is all the Spectrum 56 00:01:50,579 --> 00:01:54,119 but if I had to ask the audience to pick 57 00:01:52,200 --> 00:01:56,040 one of these three that you would 58 00:01:54,119 --> 00:01:59,040 identify with can I get a show of hands 59 00:01:56,040 --> 00:02:01,680 who would be in the developer camp 60 00:01:59,040 --> 00:02:03,659 big chunk operations non-code something 
61 00:02:01,680 --> 00:02:04,680 like that all right and any fellow 62 00:02:03,659 --> 00:02:06,479 security 63 00:02:04,680 --> 00:02:08,099 that's us that's just a smaller number 64 00:02:06,479 --> 00:02:09,780 as I expected 65 00:02:08,099 --> 00:02:11,400 okay so with that out of the way let's 66 00:02:09,780 --> 00:02:13,020 cover what I want to talk about today as 67 00:02:11,400 --> 00:02:14,819 a few of you may have noticed there's 68 00:02:13,020 --> 00:02:16,739 been quite a few excellent talks in open 69 00:02:14,819 --> 00:02:17,879 source and security already this week so 70 00:02:16,739 --> 00:02:19,620 I'm going to be focusing a little less 71 00:02:17,879 --> 00:02:21,180 on areas like data privacy or 72 00:02:19,620 --> 00:02:22,560 vulnerability management and a bit more 73 00:02:21,180 --> 00:02:24,180 on my area of expertise which is 74 00:02:22,560 --> 00:02:25,200 incident detection incident response 75 00:02:24,180 --> 00:02:26,760 and the cloud 76 00:02:25,200 --> 00:02:27,540 if you're looking for a lot more details 77 00:02:26,760 --> 00:02:28,920 there's been a bunch of other 78 00:02:27,540 --> 00:02:30,000 presentations this week that you might 79 00:02:28,920 --> 00:02:31,319 find interesting 80 00:02:30,000 --> 00:02:32,819 um particularly I don't want to call out 81 00:02:31,319 --> 00:02:33,959 William Brown and Fraser Tweedale both 82 00:02:32,819 --> 00:02:35,940 did excellent talks on specific 83 00:02:33,959 --> 00:02:37,080 Technologies and Alex Murray from 84 00:02:35,940 --> 00:02:38,340 Canonical did a really good talk 85 00:02:37,080 --> 00:02:40,739 yesterday on vulnerability management 86 00:02:38,340 --> 00:02:42,060 that for people building the code side 87 00:02:40,739 --> 00:02:44,400 of their projects 88 00:02:42,060 --> 00:02:45,480 might be particularly valuable so so we 89 00:02:44,400 --> 00:02:47,400 can go too far so that's what we're 90 00:02:45,480 --> 00:02:49,500 going through today the risks what 
makes 91 00:02:47,400 --> 00:02:51,720 it different working in open source what 92 00:02:49,500 --> 00:02:52,920 to watch for which is detection how to 93 00:02:51,720 --> 00:02:55,319 actually handle when something happens 94 00:02:52,920 --> 00:02:57,000 response and how you can control the 95 00:02:55,319 --> 00:02:58,379 risks in your project and learn from any 96 00:02:57,000 --> 00:02:59,760 incidents that you do have which is 97 00:02:58,379 --> 00:03:02,519 protecting 98 00:02:59,760 --> 00:03:04,200 so security for open source is not 99 00:03:02,519 --> 00:03:05,879 completely different to security for 100 00:03:04,200 --> 00:03:07,620 proprietary projects or corporate 101 00:03:05,879 --> 00:03:09,360 software any of the traditional software 102 00:03:07,620 --> 00:03:11,040 markets so there's plenty of useful 103 00:03:09,360 --> 00:03:13,080 information to be gained from security 104 00:03:11,040 --> 00:03:15,120 communities that being said the most 105 00:03:13,080 --> 00:03:17,280 common things that are really specific 106 00:03:15,120 --> 00:03:18,800 to open source in our in my experience 107 00:03:17,280 --> 00:03:21,720 boils down to probably three principles 108 00:03:18,800 --> 00:03:23,879 there's a really really blurry line 109 00:03:21,720 --> 00:03:25,739 between what's private and public both 110 00:03:23,879 --> 00:03:26,940 from an information from infrastructure 111 00:03:25,739 --> 00:03:28,560 from code all those sorts of things 112 00:03:26,940 --> 00:03:29,879 you're having to constantly deal with 113 00:03:28,560 --> 00:03:31,500 contributions from untrusted third 114 00:03:29,879 --> 00:03:33,900 parties Because the Internet is a wild 115 00:03:31,500 --> 00:03:35,280 and dangerous place and your tooling and 116 00:03:33,900 --> 00:03:36,959 infrastructure is much more likely to be 117 00:03:35,280 --> 00:03:39,180 available to everyone than you might be 118 00:03:36,959 --> 00:03:40,560 used to in for example a proprietary or 119 
00:03:39,180 --> 00:03:42,000 more corporate focused development 120 00:03:40,560 --> 00:03:43,860 environment that doesn't work with as 121 00:03:42,000 --> 00:03:45,239 much open source 122 00:03:43,860 --> 00:03:47,099 but if we're going to talk about open 123 00:03:45,239 --> 00:03:48,659 source security we need to look at the 124 00:03:47,099 --> 00:03:50,340 number one source of problems the 125 00:03:48,659 --> 00:03:52,140 Boogeyman in the night the Specter 126 00:03:50,340 --> 00:03:54,599 around the corner the demon that haunts 127 00:03:52,140 --> 00:03:56,459 the dreams of every infosec person who 128 00:03:54,599 --> 00:03:59,099 has to work with open source software 129 00:03:56,459 --> 00:04:02,700 and that is the horror that is git push 130 00:03:59,099 --> 00:04:04,500 because I cannot explain how many of the 131 00:04:02,700 --> 00:04:06,239 problems that you'll find in open source 132 00:04:04,500 --> 00:04:07,799 projects comes down to someone git 133 00:04:06,239 --> 00:04:09,120 pushing something they shouldn't have or 134 00:04:07,799 --> 00:04:11,640 not git pushing something they should 135 00:04:09,120 --> 00:04:14,040 have now it is a bit reductive so we'll 136 00:04:11,640 --> 00:04:16,019 it'll come up a few times but the 137 00:04:14,040 --> 00:04:17,579 explanation I'd like to give is that you 138 00:04:16,019 --> 00:04:19,680 need to treat git push like you do sudo 139 00:04:17,579 --> 00:04:21,540 you know to borrow the excellent lecture 140 00:04:19,680 --> 00:04:23,460 message respect the privacy of others 141 00:04:21,540 --> 00:04:25,259 think before you type and with great 142 00:04:23,460 --> 00:04:26,759 power comes great responsibility because 143 00:04:25,259 --> 00:04:28,560 there is a lot of things you can do to 144 00:04:26,759 --> 00:04:30,060 your project with a simple git push that 145 00:04:28,560 --> 00:04:32,759 probably don't seem so important at the 146 00:04:30,060 --> 00:04:34,460 time but very much will be often 
too 147 00:04:32,759 --> 00:04:37,380 late 148 00:04:34,460 --> 00:04:39,540 so let's have a bit of a bird's eye view 149 00:04:37,380 --> 00:04:41,100 on incident response process now I know 150 00:04:39,540 --> 00:04:42,540 flow charts are kind of not really 151 00:04:41,100 --> 00:04:43,860 everyone's idea of a good time and 152 00:04:42,540 --> 00:04:45,120 probably everyone's getting flashbacks 153 00:04:43,860 --> 00:04:47,580 to every bad corporate training session 154 00:04:45,120 --> 00:04:49,380 they've been sat through but here is the 155 00:04:47,580 --> 00:04:51,960 the overall bird's eye view of how 156 00:04:49,380 --> 00:04:54,120 incident response gets treated these 157 00:04:51,960 --> 00:04:57,240 steps are roughly paraphrased from a 158 00:04:54,120 --> 00:04:58,620 guide from the US NIST document 800-61 the 159 00:04:57,240 --> 00:04:59,460 computer security incident handling 160 00:04:58,620 --> 00:05:01,080 guide 161 00:04:59,460 --> 00:05:02,400 if you really want to learn more about 162 00:05:01,080 --> 00:05:04,740 incident handling and how security 163 00:05:02,400 --> 00:05:06,419 operations teams do incident response 164 00:05:04,740 --> 00:05:08,160 it's an excellent resource there's a lot 165 00:05:06,419 --> 00:05:10,080 of really good information in there it's 166 00:05:08,160 --> 00:05:12,300 also an 80-page document published by a 167 00:05:10,080 --> 00:05:14,699 US government agency so it's not exactly 168 00:05:12,300 --> 00:05:16,860 the most accessible of resources but if 169 00:05:14,699 --> 00:05:18,240 you are interested in this 800-61 is very 170 00:05:16,860 --> 00:05:19,500 good 171 00:05:18,240 --> 00:05:21,419 you say probably don't need all the 172 00:05:19,500 --> 00:05:23,039 details so we'll just look at this basic 173 00:05:21,419 --> 00:05:24,300 of view which is that you start with 174 00:05:23,039 --> 00:05:26,880 preparation that's where you're doing 175 00:05:24,300 --> 00:05:28,320 risk analysis threat modeling 
looking at 176 00:05:26,880 --> 00:05:29,940 your project working out what you need 177 00:05:28,320 --> 00:05:31,680 to be worried about you move into 178 00:05:29,940 --> 00:05:33,479 detection and Analysis that's how do you 179 00:05:31,680 --> 00:05:35,100 spot when something happens what do you 180 00:05:33,479 --> 00:05:36,900 what are you watching in your projects 181 00:05:35,100 --> 00:05:37,919 to make sure that things are working the 182 00:05:36,900 --> 00:05:40,080 way they should 183 00:05:37,919 --> 00:05:41,820 when something happens how do you know 184 00:05:40,080 --> 00:05:43,680 it happened when something does happen 185 00:05:41,820 --> 00:05:46,139 you move into contain and recover that 186 00:05:43,680 --> 00:05:48,000 is the oh God something's gone terribly 187 00:05:46,139 --> 00:05:50,460 terribly wrong how do I 188 00:05:48,000 --> 00:05:51,539 fix it whether that's getting an attacker 189 00:05:50,460 --> 00:05:52,880 out of your project fixing a 190 00:05:51,539 --> 00:05:55,199 vulnerability that's been introduced 191 00:05:52,880 --> 00:05:56,460 trying to recover infrastructure that 192 00:05:55,199 --> 00:05:58,380 may have been impacted by an outage 193 00:05:56,460 --> 00:06:00,240 there's lots of possible things and 194 00:05:58,380 --> 00:06:02,039 those steps feed back into each other so 195 00:06:00,240 --> 00:06:04,620 as you recover whatever incident has 196 00:06:02,039 --> 00:06:06,419 happened you'll find more things recover 197 00:06:04,620 --> 00:06:08,039 those find more things 198 00:06:06,419 --> 00:06:09,840 after everything's cleared up you can 199 00:06:08,039 --> 00:06:11,699 move to post-incident activity which is 200 00:06:09,840 --> 00:06:13,139 the simplified version is that that's 201 00:06:11,699 --> 00:06:14,400 where you learn from all the absolute 202 00:06:13,139 --> 00:06:16,560 Horrors that you've just had to walk 203 00:06:14,400 --> 00:06:18,300 through the lessons from the post-incident 204 
00:06:16,560 --> 00:06:21,060 activity will then feed back to your 205 00:06:18,300 --> 00:06:22,620 preparation so that you can ideally be 206 00:06:21,060 --> 00:06:24,360 better prepared and have better 207 00:06:22,620 --> 00:06:25,919 detection analysis in place to stop it 208 00:06:24,360 --> 00:06:29,280 from happening again 209 00:06:25,919 --> 00:06:31,139 so that's the overall view uh it's gonna 210 00:06:29,280 --> 00:06:32,880 today is going to jump around a bit but 211 00:06:31,139 --> 00:06:34,860 we'll try and stick roughly to that sort 212 00:06:32,880 --> 00:06:37,139 of view of things 213 00:06:34,860 --> 00:06:39,120 so for that first part preparation and 214 00:06:37,139 --> 00:06:41,940 planning how do you plan for the worst 215 00:06:39,120 --> 00:06:43,800 case scenario because it's very easy to 216 00:06:41,940 --> 00:06:47,699 think Ah that's not going to apply to me 217 00:06:43,800 --> 00:06:49,620 but sometimes it will and the wonders of 218 00:06:47,699 --> 00:06:51,539 the internet and both the most positive 219 00:06:49,620 --> 00:06:53,699 and least positive ways means that 220 00:06:51,539 --> 00:06:55,740 you're there's not really any reliable 221 00:06:53,699 --> 00:06:57,479 predictor of whether your project or the 222 00:06:55,740 --> 00:06:58,979 team you work with is actually going to 223 00:06:57,479 --> 00:07:00,900 be affected by this there's plenty of 224 00:06:58,979 --> 00:07:03,000 projects out there that have one 225 00:07:00,900 --> 00:07:04,440 maintainer and six users that are just 226 00:07:03,000 --> 00:07:07,080 as vulnerable to someone trying to 227 00:07:04,440 --> 00:07:08,940 inject malware into their package or a 228 00:07:07,080 --> 00:07:10,979 massive organization with huge security 229 00:07:08,940 --> 00:07:12,600 operations teams that still get done 230 00:07:10,979 --> 00:07:14,460 because someone pushed their AWS key to 231 00:07:12,600 --> 00:07:16,440 GitHub there's not really a clear 232 
00:07:14,460 --> 00:07:18,240 division of what makes a project more or 233 00:07:16,440 --> 00:07:20,819 less at risk 234 00:07:18,240 --> 00:07:22,139 which means it's not just about I should 235 00:07:20,819 --> 00:07:24,120 stop and point out too it's not just 236 00:07:22,139 --> 00:07:26,340 about your code that while everyone's 237 00:07:24,120 --> 00:07:27,780 immediate instinct is vulnerabilities in 238 00:07:26,340 --> 00:07:29,400 my code there's a lot more to your 239 00:07:27,780 --> 00:07:31,440 average project as they grow gain 240 00:07:29,400 --> 00:07:32,880 complexity users there's a lot of 241 00:07:31,440 --> 00:07:34,560 expectations from users around how 242 00:07:32,880 --> 00:07:37,139 projects operate that means you've got 243 00:07:34,560 --> 00:07:38,699 things like documentation demo sites uh 244 00:07:37,139 --> 00:07:40,080 projects running hosted versions of 245 00:07:38,699 --> 00:07:41,580 their projects whether that's for 246 00:07:40,080 --> 00:07:43,680 demonstration purposes or as actual 247 00:07:41,580 --> 00:07:46,080 Services there's a lot of infrastructure 248 00:07:43,680 --> 00:07:47,880 and tools surrounding a project that are 249 00:07:46,080 --> 00:07:49,740 just as important as the actual code 250 00:07:47,880 --> 00:07:52,440 there's plenty of scenarios where you 251 00:07:49,740 --> 00:07:54,180 might be the greatest C# or Haskell 252 00:07:52,440 --> 00:07:55,500 or Java developer but you'll still 253 00:07:54,180 --> 00:07:56,759 introduce problems because while you 254 00:07:55,500 --> 00:07:59,940 might be great at those you're probably 255 00:07:56,759 --> 00:08:01,259 not quite so crash hot at Terraform 256 00:07:59,940 --> 00:08:02,580 and there's a lot of Open Source 257 00:08:01,259 --> 00:08:05,940 maintainers uh 258 00:08:02,580 --> 00:08:07,380 let's go with uh hesitant to look at the 259 00:08:05,940 --> 00:08:09,720 full process of proper risk management 260 00:08:07,380 --> 00:08:11,039 and 
that's for a good reason risk 261 00:08:09,720 --> 00:08:12,479 management is kind of hard and not 262 00:08:11,039 --> 00:08:14,099 something that a lot of developers are 263 00:08:12,479 --> 00:08:16,319 going to enjoy you're going to sit down 264 00:08:14,099 --> 00:08:17,819 and go I've got two hours to work on 265 00:08:16,319 --> 00:08:19,379 some stuff I can bang out this really 266 00:08:17,819 --> 00:08:21,780 cool re-implementation of a feature I 267 00:08:19,379 --> 00:08:23,580 don't like from two weeks ago or I could 268 00:08:21,780 --> 00:08:24,960 spend two hours reading PDFs about how 269 00:08:23,580 --> 00:08:26,819 to do accurate threat modeling of my 270 00:08:24,960 --> 00:08:29,220 project and this has made no no one's 271 00:08:26,819 --> 00:08:30,780 doing that so there is a a tendency to 272 00:08:29,220 --> 00:08:32,520 lean towards winging it 273 00:08:30,780 --> 00:08:34,500 I'm going to say from my point of view 274 00:08:32,520 --> 00:08:35,880 bad idea because it's much better to be 275 00:08:34,500 --> 00:08:37,680 over prepared than underprepared when it 276 00:08:35,880 --> 00:08:40,080 comes to security 277 00:08:37,680 --> 00:08:41,339 so what should you be worried about and 278 00:08:40,080 --> 00:08:42,779 honestly that's the most important 279 00:08:41,339 --> 00:08:44,159 question you need to answer if there's 280 00:08:42,779 --> 00:08:45,839 anything you take from today you need to 281 00:08:44,159 --> 00:08:47,580 have an answer to that question because 282 00:08:45,839 --> 00:08:49,800 the answer to that question will vary 283 00:08:47,580 --> 00:08:51,839 based on your project your team what 284 00:08:49,800 --> 00:08:53,760 your users do how your software is 285 00:08:51,839 --> 00:08:56,040 implemented what other services you have 286 00:08:53,760 --> 00:08:57,540 all those sorts of things it's it's very 287 00:08:56,040 --> 00:08:59,220 nice to be able to sit around go how am 288 00:08:57,540 --> 00:09:00,839 I going 
to be able to improve my project 289 00:08:59,220 --> 00:09:02,399 security posture but the only way to 290 00:09:00,839 --> 00:09:04,860 answer that is to know what you need to 291 00:09:02,399 --> 00:09:06,420 improve so as an example if you're an 292 00:09:04,860 --> 00:09:08,040 upstream supplier to a lot of other 293 00:09:06,420 --> 00:09:09,480 packages you probably need to be more 294 00:09:08,040 --> 00:09:11,100 worried about supply chain attacks where 295 00:09:09,480 --> 00:09:12,680 someone inserts bad code into your 296 00:09:11,100 --> 00:09:15,000 package to try and get to someone else 297 00:09:12,680 --> 00:09:16,560 conversely if you're working in some 298 00:09:15,000 --> 00:09:18,779 ecosystems malicious package 299 00:09:16,560 --> 00:09:20,580 substitution might be more important in 300 00:09:18,779 --> 00:09:23,279 our experience things like the Python 301 00:09:20,580 --> 00:09:25,680 PyPI repository or npm are magnets for 302 00:09:23,279 --> 00:09:27,360 not necessarily poorly maintained but 303 00:09:25,680 --> 00:09:28,800 small scale packages that people don't 304 00:09:27,360 --> 00:09:30,660 necessarily think about not necessarily 305 00:09:28,800 --> 00:09:33,000 conducting audits of being used to 306 00:09:30,660 --> 00:09:34,920 introduce all sorts of Badness 307 00:09:33,000 --> 00:09:36,120 the infrastructure takeover is much more 308 00:09:34,920 --> 00:09:38,459 important if you do have a lot more 309 00:09:36,120 --> 00:09:40,380 infrastructure if you're running like a 310 00:09:38,459 --> 00:09:42,300 something that can be self-hosted but 311 00:09:40,380 --> 00:09:44,040 also running a hosted version someone 312 00:09:42,300 --> 00:09:45,420 taking that over is going to impact your 313 00:09:44,040 --> 00:09:47,279 project just as much as the code that 314 00:09:45,420 --> 00:09:50,040 you're shipping likewise if you're doing 315 00:09:47,279 --> 00:09:52,019 open source work for a company if you're 316 00:09:50,040 --> 
00:09:53,820 open source component is just one small 317 00:09:52,019 --> 00:09:54,680 part of a much larger potentially not 318 00:09:53,820 --> 00:09:57,240 open 319 00:09:54,680 --> 00:09:58,620 project or organization 320 00:09:57,240 --> 00:10:00,360 people might be trying to get into your 321 00:09:58,620 --> 00:10:01,980 project as a way to get to the rest of 322 00:10:00,360 --> 00:10:04,320 whatever they're actually after 323 00:10:01,980 --> 00:10:05,760 there's a lot of scenarios you need to 324 00:10:04,320 --> 00:10:07,320 be prepared for so you need to sit down 325 00:10:05,760 --> 00:10:09,480 look at your project look at your users 326 00:10:07,320 --> 00:10:10,920 and think about what do I what am I most 327 00:10:09,480 --> 00:10:12,360 worried about 328 00:10:10,920 --> 00:10:14,459 once you have that answer it becomes a 329 00:10:12,360 --> 00:10:15,660 lot easier to do other things including 330 00:10:14,459 --> 00:10:17,040 the fact you need to think like the bad 331 00:10:15,660 --> 00:10:18,839 guy here and the first thing the bad guy 332 00:10:17,040 --> 00:10:20,940 is going to want to do is reconnaissance 333 00:10:18,839 --> 00:10:22,260 reconnaissance is a very easy term for 334 00:10:20,940 --> 00:10:23,940 infosec people to throw around because 335 00:10:22,260 --> 00:10:26,220 basically it just means looking for 336 00:10:23,940 --> 00:10:28,560 stuff what you're looking for varies 337 00:10:26,220 --> 00:10:29,880 wildly but you're looking for as an 338 00:10:28,560 --> 00:10:31,740 attacker you're looking for ways to get 339 00:10:29,880 --> 00:10:32,940 in ways to get to what you want what 340 00:10:31,740 --> 00:10:35,040 might be in there that you might want 341 00:10:32,940 --> 00:10:37,500 all sorts of things what defenses are in 342 00:10:35,040 --> 00:10:39,480 place do as the target I'm attacking 343 00:10:37,500 --> 00:10:41,580 going to have a proficient security team 344 00:10:39,480 --> 00:10:43,380 who are looking 
for me or is it just two 345 00:10:41,580 --> 00:10:45,779 guys on GitHub there's a lot of things 346 00:10:43,380 --> 00:10:47,820 there the problem is that basically all 347 00:10:45,779 --> 00:10:49,440 of those questions are answered by your 348 00:10:47,820 --> 00:10:50,820 excellent documentation and all your 349 00:10:49,440 --> 00:10:52,380 very detailed bug trackers and 350 00:10:50,820 --> 00:10:54,240 automations and everything are telling 351 00:10:52,380 --> 00:10:55,380 the attackers quick answers to all the 352 00:10:54,240 --> 00:10:56,760 questions they need to know they're 353 00:10:55,380 --> 00:10:58,500 going to sit down and say oh I wonder 354 00:10:56,760 --> 00:10:59,579 how this thing's been built and if 355 00:10:58,500 --> 00:11:01,140 they're needing to answer that question 356 00:10:59,579 --> 00:11:02,339 for a proprietary closed source product 357 00:11:01,140 --> 00:11:03,899 they're probably gonna have to dig 358 00:11:02,339 --> 00:11:06,120 around the server headers and work out 359 00:11:03,899 --> 00:11:07,260 what where the oh sorry let's have 360 00:11:06,120 --> 00:11:09,240 headers compilation artifacts and 361 00:11:07,260 --> 00:11:11,220 workout what server might be building 362 00:11:09,240 --> 00:11:12,839 this yours is a nice big YAML file your 363 00:11:11,220 --> 00:11:14,339 repo that tells you exactly what GitHub 364 00:11:12,839 --> 00:11:15,480 runner you're using there's a lot of 365 00:11:14,339 --> 00:11:16,920 things you're giving away for free 366 00:11:15,480 --> 00:11:18,180 because that's how open source works 367 00:11:16,920 --> 00:11:20,700 that attackers are going to be able to 368 00:11:18,180 --> 00:11:22,740 use against you that's not to say you 369 00:11:20,700 --> 00:11:23,820 shouldn't be providing those things it's 370 00:11:22,740 --> 00:11:26,399 that you need to be aware that 371 00:11:23,820 --> 00:11:28,560 everything you know they also know 372 00:11:26,399 --> 00:11:30,180 and it's 
about a lot more than just your 373 00:11:28,560 --> 00:11:32,459 code all those things there developer 374 00:11:30,180 --> 00:11:33,839 tooling Parts if you have contacts of 375 00:11:32,459 --> 00:11:35,820 you if you have a problem with X 376 00:11:33,839 --> 00:11:37,500 component talk to so and so even small 377 00:11:35,820 --> 00:11:40,200 details like you'll see automations for 378 00:11:37,500 --> 00:11:41,880 issues of you know this if you open an 379 00:11:40,200 --> 00:11:43,380 issue and tag it with this component 380 00:11:41,880 --> 00:11:44,880 it'll automatically say oh the last 381 00:11:43,380 --> 00:11:47,100 person who committed to this was so and 382 00:11:44,880 --> 00:11:48,420 so now an attacker knows exactly who 383 00:11:47,100 --> 00:11:49,920 wrote that code and can look into that 384 00:11:48,420 --> 00:11:51,959 in more detail 385 00:11:49,920 --> 00:11:53,640 there's a lot of issues that can come up 386 00:11:51,959 --> 00:11:56,040 because you're having to provide a lot 387 00:11:53,640 --> 00:11:57,899 of information to contributors 388 00:11:56,040 --> 00:12:00,180 which comes to the actual working in the 389 00:11:57,899 --> 00:12:01,980 open side of it there's these are these 390 00:12:00,180 --> 00:12:03,420 are a reasonably surface level one so I 391 00:12:01,980 --> 00:12:05,160 suspect a lot of you would intuitively 392 00:12:03,420 --> 00:12:06,360 understand that there's downsides to 393 00:12:05,160 --> 00:12:07,980 work in an open source from a security 394 00:12:06,360 --> 00:12:09,959 point of view you can't fix something 395 00:12:07,980 --> 00:12:11,940 without telling everyone exactly what 396 00:12:09,959 --> 00:12:13,800 you fixed there's a reason that for 397 00:12:11,940 --> 00:12:15,480 example CVEs are frequently embargoed 398 00:12:13,800 --> 00:12:16,980 and teams like ours will have to deal 399 00:12:15,480 --> 00:12:19,079 with patches and fixes and roll out new 400 00:12:16,980 --> 00:12:20,700 packages 
without ever revealing what it 401 00:12:19,079 --> 00:12:22,740 was that we fixed because it's a nice 402 00:12:20,700 --> 00:12:25,079 big shopping list to attackers of ah yes 403 00:12:22,740 --> 00:12:26,940 this specific function in these specific 404 00:12:25,079 --> 00:12:29,040 versions has a buffer overflow that you 405 00:12:26,940 --> 00:12:30,300 trigger using this code we don't really 406 00:12:29,040 --> 00:12:32,399 want to give that away while that's 407 00:12:30,300 --> 00:12:33,839 still out in the wild so every commit 408 00:12:32,399 --> 00:12:35,040 you make is a nice convenient summary 409 00:12:33,839 --> 00:12:36,720 for anyone who wants to introduce 410 00:12:35,040 --> 00:12:38,760 Badness or find problems in your project 411 00:12:36,720 --> 00:12:40,019 of any mistakes vulnerabilities anything 412 00:12:38,760 --> 00:12:41,459 like that 413 00:12:40,019 --> 00:12:42,839 one of the other things that's easy to 414 00:12:41,459 --> 00:12:45,300 forget is that there is no quick enough 415 00:12:42,839 --> 00:12:46,620 that the way the internet works is that 416 00:12:45,300 --> 00:12:49,200 if you have pushed a commit to GitHub 417 00:12:46,620 --> 00:12:51,240 it's gone it doesn't matter if you fixed 418 00:12:49,200 --> 00:12:52,860 it 30 seconds later because GitHub's API 419 00:12:51,240 --> 00:12:55,440 picked it up published it to anyone who 420 00:12:52,860 --> 00:12:56,820 uses their API and it's out there so to 421 00:12:55,440 --> 00:12:59,100 use the example that we see very 422 00:12:56,820 --> 00:13:01,380 frequently API keys there are plenty of 423 00:12:59,100 --> 00:13:02,880 people who will push their AWS API key 424 00:13:01,380 --> 00:13:04,200 then like 30 seconds later oh [ __ ] fix 425 00:13:02,880 --> 00:13:05,940 that and they'll even do a proper job 426 00:13:04,200 --> 00:13:07,440 with Git remove all the old references 427 00:13:05,940 --> 00:13:08,579 to the commit and it's great but it 428 00:13:07,440 --> 
00:13:10,200 doesn't matter because GitHub's already 429 00:13:08,579 --> 00:13:11,880 published the original commit to their 430 00:13:10,200 --> 00:13:14,100 API feed and it's probably on Twitter 431 00:13:11,880 --> 00:13:16,019 because there are so many Bots running 432 00:13:14,100 --> 00:13:19,260 doing exactly that of just scraping 433 00:13:16,019 --> 00:13:20,760 GitHub APIs looking for keys and secrets 434 00:13:19,260 --> 00:13:23,040 the other big one being the obvious one 435 00:13:20,760 --> 00:13:24,899 of there's no boundary you can't rely on 436 00:13:23,040 --> 00:13:27,420 your firewall because you're on GitHub 437 00:13:24,899 --> 00:13:28,440 there's no convenient oh you know they 438 00:13:27,420 --> 00:13:29,760 won't be able to operate in this 439 00:13:28,440 --> 00:13:31,920 environment because this environment's 440 00:13:29,760 --> 00:13:34,019 only for this it's the internet there is 441 00:13:31,920 --> 00:13:36,180 no perimeter it's just [ __ ] Wild West 442 00:13:34,019 --> 00:13:37,620 out here so the traditional wisdom you 443 00:13:36,180 --> 00:13:39,959 might find around security projects 444 00:13:37,620 --> 00:13:41,519 won't always apply to open source 445 00:13:39,959 --> 00:13:42,779 projects that are particularly if you're 446 00:13:41,519 --> 00:13:46,220 running your infrastructure in the open 447 00:13:42,779 --> 00:13:46,220 as much as you are your code 448 00:13:46,260 --> 00:13:49,920 one also is that I would specifically 449 00:13:48,480 --> 00:13:51,420 call that did briefly mention earlier is 450 00:13:49,920 --> 00:13:53,579 the outer loop things that it's easy to 451 00:13:51,420 --> 00:13:55,620 forget your public bug trackers are a 452 00:13:53,579 --> 00:13:57,000 One-Stop shop of vulnerabilities not 453 00:13:55,620 --> 00:13:58,980 even just in the sense of finding 454 00:13:57,000 --> 00:14:00,240 vulnerability and putting a bug in there 455 00:13:58,980 --> 00:14:01,920 but it's also an easy way for an 
456 00:14:00,240 --> 00:14:03,839 attacker to see how often bugs are 457 00:14:01,920 --> 00:14:05,040 popping up in a certain chunk of code if 458 00:14:03,839 --> 00:14:07,200 there's a really crucial part of your 459 00:14:05,040 --> 00:14:08,519 code that no one's looked at in three 460 00:14:07,200 --> 00:14:10,380 years that's probably where they're 461 00:14:08,519 --> 00:14:12,660 going to look at and likewise if there's 462 00:14:10,380 --> 00:14:14,279 you know to borrow a talk from earlier 463 00:14:12,660 --> 00:14:15,779 if you've got this great Kotlin app and 464 00:14:14,279 --> 00:14:16,920 then there's this weird nugget of Golang 465 00:14:15,779 --> 00:14:18,300 code in there that you're not 466 00:14:16,920 --> 00:14:19,500 really sure why it's there they're 467 00:14:18,300 --> 00:14:20,639 probably going to look there because the 468 00:14:19,500 --> 00:14:23,040 odds are high that it might not have 469 00:14:20,639 --> 00:14:23,700 been reviewed as well just based on the 470 00:14:23,040 --> 00:14:26,160 numbers 471 00:14:23,700 --> 00:14:27,180 likewise while in corporate environments 472 00:14:26,160 --> 00:14:28,740 it's very good to sit down and say okay 473 00:14:27,180 --> 00:14:30,480 this is restricted information this is 474 00:14:28,740 --> 00:14:32,339 confidential information this is you 475 00:14:30,480 --> 00:14:34,079 know public but not entirely and this is 476 00:14:32,339 --> 00:14:36,720 everything it's the Internet it's all 477 00:14:34,079 --> 00:14:38,940 public there's no boundaries there so 478 00:14:36,720 --> 00:14:40,620 even if your project has guidelines on 479 00:14:38,940 --> 00:14:42,720 what information can and can't be shared 480 00:14:40,620 --> 00:14:44,519 that will only take you so far 481 00:14:42,720 --> 00:14:46,019 and things like build pipelines we'll 482 00:14:44,519 --> 00:14:48,240 cover by build pipelines in a bit more 483 00:14:46,019 --> 00:14:50,279 detail but it's very easy to forget that 
484 00:14:48,240 --> 00:14:52,500 every push of code you run isn't just 485 00:14:50,279 --> 00:14:54,120 code being put in a git repo it's code 486 00:14:52,500 --> 00:14:55,980 that's being executed on someone else's 487 00:14:54,120 --> 00:14:57,540 server and doing things and reporting 488 00:14:55,980 --> 00:14:59,339 that output potentially to the entire 489 00:14:57,540 --> 00:15:02,760 internet so the issues you can run into 490 00:14:59,339 --> 00:15:04,380 there are not always super obvious 491 00:15:02,760 --> 00:15:06,060 there are a lot of ways to help that 492 00:15:04,380 --> 00:15:07,500 yeah will Dependabot help absolutely 493 00:15:06,060 --> 00:15:08,880 Dependabot is great it'll tell you 494 00:15:07,500 --> 00:15:10,260 exactly when you've got vulnerable 495 00:15:08,880 --> 00:15:11,459 packages tell you when you need to 496 00:15:10,260 --> 00:15:13,139 update your builds for out of date 497 00:15:11,459 --> 00:15:14,699 Runners all these sorts of things is it 498 00:15:13,139 --> 00:15:16,740 going to stop a determined attacker from 499 00:15:14,699 --> 00:15:18,660 finding a hole absolutely not so make 500 00:15:16,740 --> 00:15:19,920 use of the things you can make sure 501 00:15:18,660 --> 00:15:22,440 you're prepared for the stuff that you 502 00:15:19,920 --> 00:15:23,760 can't necessarily fix 503 00:15:22,440 --> 00:15:25,860 ing out the white noise is very 504 00:15:23,760 --> 00:15:27,540 important if you're running a large 505 00:15:25,860 --> 00:15:29,160 scale project you are going to get a lot 506 00:15:27,540 --> 00:15:30,420 of reports particularly I don't 507 00:15:29,160 --> 00:15:31,920 specifically if you're running a bug 508 00:15:30,420 --> 00:15:34,620 Bounty program if you're on a bug Bounty 509 00:15:31,920 --> 00:15:36,779 program this is 100 times worse you will 510 00:15:34,620 --> 00:15:39,300 get reports for every [ __ ] reason 511 00:15:36,779 --> 00:15:41,220 you've ever heard sorry excuse me and 512
00:15:39,300 --> 00:15:42,600 it's going to happen that everyone will 513 00:15:41,220 --> 00:15:45,000 tell you oh do you know your GitHub's 514 00:15:42,600 --> 00:15:48,440 public like we get those reports at Red 515 00:15:45,000 --> 00:15:51,600 Hat we're aware we noticed 516 00:15:48,440 --> 00:15:53,519 we you'll get reports of oh your bug 517 00:15:51,600 --> 00:15:54,899 tracker is free I'm sure Mozilla is very 518 00:15:53,519 --> 00:15:58,139 sick of finding out their Bugzilla is 519 00:15:54,899 --> 00:15:59,699 open to the public it's kind of the idea 520 00:15:58,139 --> 00:16:01,199 all of those things that we take for 521 00:15:59,699 --> 00:16:03,000 granted is just going to clog up your 522 00:16:01,199 --> 00:16:04,440 reporting parts so it's not to say that 523 00:16:03,000 --> 00:16:05,820 these reports aren't valuable it's that 524 00:16:04,440 --> 00:16:07,139 you need to have a way of tuning out the 525 00:16:05,820 --> 00:16:08,459 white noise so that you're finding out 526 00:16:07,139 --> 00:16:09,779 the stuff that is actually important 527 00:16:08,459 --> 00:16:11,279 because you really don't want to have to 528 00:16:09,779 --> 00:16:13,139 deal with every time someone sends you a 529 00:16:11,279 --> 00:16:15,480 thing saying do you know your Pub your 530 00:16:13,139 --> 00:16:17,160 files are public we know that what we 531 00:16:15,480 --> 00:16:18,420 need to know is did you know your Jira 532 00:16:17,160 --> 00:16:20,100 configs are public because you probably 533 00:16:18,420 --> 00:16:21,180 didn't want those to be public those 534 00:16:20,100 --> 00:16:22,500 sorts of things so it's particularly 535 00:16:21,180 --> 00:16:24,480 important if you're working with bug 536 00:16:22,500 --> 00:16:26,160 bounties or where your project is part 537 00:16:24,480 --> 00:16:27,240 of a larger one where there's going to 538 00:16:26,160 --> 00:16:29,100 be things that you don't want to be 539 00:16:27,240 --> 00:16:30,360 public and
things you do want to be you 540 00:16:29,100 --> 00:16:32,519 need to have a reliable way in your 541 00:16:30,360 --> 00:16:34,500 project of tuning out the terrible white 542 00:16:32,519 --> 00:16:35,639 noise from people whose reports you 543 00:16:34,500 --> 00:16:37,259 probably don't care about from the ones 544 00:16:35,639 --> 00:16:38,579 that are very important 545 00:16:37,259 --> 00:16:39,899 that's particularly important there's 546 00:16:38,579 --> 00:16:42,000 been a couple references this week to 547 00:16:39,899 --> 00:16:43,620 disclosure policies have a disclosure 548 00:16:42,000 --> 00:16:46,139 policy so the people who are doing the 549 00:16:43,620 --> 00:16:48,660 proper way doing a dual and have found a 550 00:16:46,139 --> 00:16:50,639 real security issue can follow a proper 551 00:16:48,660 --> 00:16:52,079 process added bonus you can immediately 552 00:16:50,639 --> 00:16:54,120 close in issues that don't follow the 553 00:16:52,079 --> 00:16:55,740 proper process and a lot of people are 554 00:16:54,120 --> 00:16:56,880 not going to be following that and if 555 00:16:55,740 --> 00:16:59,339 they're not the odds of their report 556 00:16:56,880 --> 00:17:00,600 being good are quite low so that's an 557 00:16:59,339 --> 00:17:03,839 easy way to get a lot of the white noise 558 00:17:00,600 --> 00:17:06,179 out of the way at once 559 00:17:03,839 --> 00:17:09,000 so now let's look at specifically 560 00:17:06,179 --> 00:17:10,620 infrastructure because a lot of Open 561 00:17:09,000 --> 00:17:13,319 Source work will be from people who are 562 00:17:10,620 --> 00:17:15,000 very very very very very good at code a 563 00:17:13,319 --> 00:17:17,520 lot of developers that do are not great 564 00:17:15,000 --> 00:17:18,780 sys admins as a lot of hard learned 565 00:17:17,520 --> 00:17:21,059 lessons in the devops movement have 566 00:17:18,780 --> 00:17:23,160 found the skill sets are not the same 567 00:17:21,059 --> 00:17:24,419 but if you 
are running a project that 568 00:17:23,160 --> 00:17:25,740 has a lot of infrastructure around it 569 00:17:24,419 --> 00:17:27,660 and the vast majority of Open Source 570 00:17:25,740 --> 00:17:29,820 projects have at least some you need to 571 00:17:27,660 --> 00:17:31,080 be aware of that infrastructure I was 572 00:17:29,820 --> 00:17:33,780 saying earlier there's everything from 573 00:17:31,080 --> 00:17:35,520 docs to demo sites hosted versions 574 00:17:33,780 --> 00:17:36,660 there's lots of scenarios where you 575 00:17:35,520 --> 00:17:38,700 might have more infrastructure than 576 00:17:36,660 --> 00:17:40,320 you're expecting to have 577 00:17:38,700 --> 00:17:42,120 even one of the smallest details will 578 00:17:40,320 --> 00:17:43,919 come back to is domain names 579 00:17:42,120 --> 00:17:45,240 so what should you be looking for and 580 00:17:43,919 --> 00:17:46,980 there's a lot of text but it's not too 581 00:17:45,240 --> 00:17:48,120 bad we'll cover keys and secrets a bit 582 00:17:46,980 --> 00:17:49,799 more in a second but the important one 583 00:17:48,120 --> 00:17:51,179 is that there is so many keys and 584 00:17:49,799 --> 00:17:52,500 secrets and you need to have a way of 585 00:17:51,179 --> 00:17:54,059 managing them 586 00:17:52,500 --> 00:17:55,980 runaway bills can be a problem if you 587 00:17:54,059 --> 00:17:58,200 have an AWS account attached to your 588 00:17:55,980 --> 00:17:59,700 project or you're using a paid GitHub 589 00:17:58,200 --> 00:18:01,740 plan that has unlimited build minutes 590 00:17:59,700 --> 00:18:03,360 it's very easy for you to knock off on 591 00:18:01,740 --> 00:18:05,520 Friday go down the pub come back and you 592 00:18:03,360 --> 00:18:07,200 owe them 150 000 because someone found a 593 00:18:05,520 --> 00:18:08,160 bug in your build pipeline you don't 594 00:18:07,200 --> 00:18:09,480 want to have to deal with that because 595 00:18:08,160 --> 00:18:11,760 they're not going to follow your work 
596 00:18:09,480 --> 00:18:13,679 schedule the odds of the attacker being 597 00:18:11,760 --> 00:18:16,320 someone in your time zone working to 598 00:18:13,679 --> 00:18:18,059 business hours is pretty low so you need 599 00:18:16,320 --> 00:18:19,640 to be aware that that's going to happen 600 00:18:18,059 --> 00:18:21,539 and be prepared with both 601 00:18:19,640 --> 00:18:23,220 well-documented processes for people who 602 00:18:21,539 --> 00:18:24,900 are in that time zone and automation for 603 00:18:23,220 --> 00:18:26,700 when no one's around 604 00:18:24,900 --> 00:18:28,200 service accounts can be an issue there's 605 00:18:26,700 --> 00:18:29,400 a lot of issues a lot of scenarios where 606 00:18:28,200 --> 00:18:31,440 developers like oh just spin up the 607 00:18:29,400 --> 00:18:33,299 service account it'll be fine and that 608 00:18:31,440 --> 00:18:34,620 convenience is very good it does come at 609 00:18:33,299 --> 00:18:35,940 a cost and frequently that cost is 610 00:18:34,620 --> 00:18:37,860 measured with the number of zeros that 611 00:18:35,940 --> 00:18:39,120 comes after it because again it's very 612 00:18:37,860 --> 00:18:41,220 easy if someone gets that service 613 00:18:39,120 --> 00:18:43,140 account that unless you are looking for 614 00:18:41,220 --> 00:18:45,120 it you might not notice for ages what 615 00:18:43,140 --> 00:18:46,559 bills have been run up by that account 616 00:18:45,120 --> 00:18:47,700 pull requests is an important one that I 617 00:18:46,559 --> 00:18:49,679 think most people will understand but 618 00:18:47,700 --> 00:18:52,200 want to call out specifically you can't 619 00:18:49,679 --> 00:18:54,840 trust the internet just generally that's 620 00:18:52,200 --> 00:18:56,880 good life advice and you really can't 621 00:18:54,840 --> 00:18:58,679 trust pull requests on GitHub so things 622 00:18:56,880 --> 00:19:00,660 like GitHub actions that will fire off 623 00:18:58,679 --> 00:19:03,360 in every pull request 
that's good but 624 00:19:00,660 --> 00:19:04,980 you need to be you while GitHub will try 625 00:19:03,360 --> 00:19:06,419 and protect you it can't protect you 626 00:19:04,980 --> 00:19:07,679 from everything and you need to be aware 627 00:19:06,419 --> 00:19:09,299 that someone's probably going to try and 628 00:19:07,679 --> 00:19:10,860 put in a pull request that tries to 629 00:19:09,299 --> 00:19:12,780 print out all your environment variables 630 00:19:10,860 --> 00:19:14,760 which probably includes all of your API 631 00:19:12,780 --> 00:19:16,500 Keys things like that can be a problem 632 00:19:14,760 --> 00:19:19,140 so you can Implement things like not 633 00:19:16,500 --> 00:19:21,299 running not running build pipelines on 634 00:19:19,140 --> 00:19:23,160 first contributions or only running them 635 00:19:21,299 --> 00:19:24,360 after someone okay is a code review 636 00:19:23,160 --> 00:19:25,980 things like that there's a lot of 637 00:19:24,360 --> 00:19:27,539 scenarios you can do because you want to 638 00:19:25,980 --> 00:19:29,160 avoid as much as possible running 639 00:19:27,539 --> 00:19:30,780 someone else's code that you've never 640 00:19:29,160 --> 00:19:33,360 looked at because they have looked at it 641 00:19:30,780 --> 00:19:35,640 and it's probably not good 642 00:19:33,360 --> 00:19:36,780 secrets Secrets management is hard 643 00:19:35,640 --> 00:19:38,179 apparently 644 00:19:36,780 --> 00:19:40,700 because 645 00:19:38,179 --> 00:19:43,620 it's 646 00:19:40,700 --> 00:19:46,799 again I cannot under it I cannot under 647 00:19:43,620 --> 00:19:48,240 convey how many issue security incidents 648 00:19:46,799 --> 00:19:50,520 and open source projects come from 649 00:19:48,240 --> 00:19:52,799 people pushing credentials to GitHub uh 650 00:19:50,520 --> 00:19:53,940 while I was doing this slide I yeah they 651 00:19:52,799 --> 00:19:55,620 previously I'd had those names on the 652 00:19:53,940 --> 00:19:57,720 bottom that was just 
grabbed directly 653 00:19:55,620 --> 00:19:59,760 from the GitHub events API wasn't even 654 00:19:57,720 --> 00:20:02,340 looking for it found someone's AWS API 655 00:19:59,760 --> 00:20:04,679 key in the GitHub events API because 656 00:20:02,340 --> 00:20:06,720 this happens now sometimes a lot of the 657 00:20:04,679 --> 00:20:08,340 time sorry I should say it's genuine 658 00:20:06,720 --> 00:20:09,840 honest mistake someone's trying to put 659 00:20:08,340 --> 00:20:11,340 in a placeholder and accidentally puts 660 00:20:09,840 --> 00:20:13,320 in the real one someone's putting in 661 00:20:11,340 --> 00:20:14,880 test data and the test data actually as 662 00:20:13,320 --> 00:20:16,080 it turns out isn't test data and it's 663 00:20:14,880 --> 00:20:17,820 real data 664 00:20:16,080 --> 00:20:19,500 putting in configuration examples in 665 00:20:17,820 --> 00:20:21,840 your documentation say no here's where 666 00:20:19,500 --> 00:20:23,760 you set your AWS access key ID and you 667 00:20:21,840 --> 00:20:25,640 set it just like this with my access key 668 00:20:23,760 --> 00:20:27,960 ID maybe don't 669 00:20:25,640 --> 00:20:29,400 things like that it can happen very 670 00:20:27,960 --> 00:20:31,080 frequently but just like there's so many 671 00:20:29,400 --> 00:20:33,419 things in security if you plan ahead and 672 00:20:31,080 --> 00:20:34,500 use proper Secrets management the odds 673 00:20:33,419 --> 00:20:36,720 of someone pushing their credentials 674 00:20:34,500 --> 00:20:38,940 direct to GitHub are a lot lower same 675 00:20:36,720 --> 00:20:40,799 vein of the sort of infrastructure one 676 00:20:38,940 --> 00:20:42,780 if you're running your docs on your own 677 00:20:40,799 --> 00:20:44,820 server or you have a hosted work one 678 00:20:42,780 --> 00:20:46,200 don't open SSH to the internet and 679 00:20:44,820 --> 00:20:48,480 certainly don't open SSH to the internet 680 00:20:46,200 --> 00:20:50,820 with root SSH enabled with a password of 
681 00:20:48,480 --> 00:20:53,100 one two three four five six because it's 682 00:20:50,820 --> 00:20:55,080 going to get popped in like seconds yeah 683 00:20:53,100 --> 00:20:57,000 the days of Internet of obscurity and 684 00:20:55,080 --> 00:20:58,860 the internet have long since passed and 685 00:20:57,000 --> 00:21:00,419 if you leave vulnerable if you leave 686 00:20:58,860 --> 00:21:02,460 weak infrastructure on the Internet it's 687 00:21:00,419 --> 00:21:03,960 not yours anymore it's probably someone 688 00:21:02,460 --> 00:21:05,220 doing crypto mining and it's saying 689 00:21:03,960 --> 00:21:06,240 something where someone dropping a 690 00:21:05,220 --> 00:21:07,679 crypto miner on your server is 691 00:21:06,240 --> 00:21:09,419 realistically the best case scenario 692 00:21:07,679 --> 00:21:11,760 because it could be a lot worse 693 00:21:09,419 --> 00:21:13,440 service management is hard and I will 694 00:21:11,760 --> 00:21:14,940 admit it actually is hard but it's 695 00:21:13,440 --> 00:21:17,039 important to have a plan beforehand 696 00:21:14,940 --> 00:21:18,720 there's no shortage of really good even 697 00:21:17,039 --> 00:21:20,760 open source password managers out there 698 00:21:18,720 --> 00:21:21,960 even tools like GitHub and GitLab will 699 00:21:20,760 --> 00:21:24,179 provide you a lot of tools to try and 700 00:21:21,960 --> 00:21:26,580 make Secrets management easier use them 701 00:21:24,179 --> 00:21:28,500 even in small teams sign up for Bitwarden 702 00:21:26,580 --> 00:21:30,480 use GitLab Secrets whatever you 703 00:21:28,500 --> 00:21:31,919 want to do Ansible Vault is a nice easy 704 00:21:30,480 --> 00:21:33,299 one where as long as you can share the 705 00:21:31,919 --> 00:21:34,860 password you can dump as much as you 706 00:21:33,299 --> 00:21:36,179 want in there and that file can be 707 00:21:34,860 --> 00:21:38,220 public because it's all encrypted to 708 00:21:36,179 --> 00:21:40,140 that there's a lot of ways
to do it use 709 00:21:38,220 --> 00:21:43,380 them 710 00:21:40,140 --> 00:21:44,760 so that's planning mostly 711 00:21:43,380 --> 00:21:46,740 it's all about actually dealing with 712 00:21:44,760 --> 00:21:47,940 incidents there's two halves of that 713 00:21:46,740 --> 00:21:49,559 which is finding out what happened 714 00:21:47,940 --> 00:21:52,860 finding out oh hang on that doesn't seem 715 00:21:49,559 --> 00:21:54,539 good to oh no this is real bad 716 00:21:52,860 --> 00:21:55,740 there's there's a lot of scenarios here 717 00:21:54,539 --> 00:21:57,419 and this is one where I'm going to have 718 00:21:55,740 --> 00:21:58,799 to be fairly high level and you need to 719 00:21:57,419 --> 00:22:01,559 use the threat modeling we were talking 720 00:21:58,799 --> 00:22:02,760 about earlier to adapt to your project 721 00:22:01,559 --> 00:22:03,720 and the risks that you're trying to 722 00:22:02,760 --> 00:22:05,760 prevent 723 00:22:03,720 --> 00:22:07,380 so if we look first at detection you 724 00:22:05,760 --> 00:22:09,360 need to know there's a fire before you 725 00:22:07,380 --> 00:22:11,340 can put it out and there's only so that 726 00:22:09,360 --> 00:22:12,900 only works yeah the classic scenario if 727 00:22:11,340 --> 00:22:14,520 you'll be able to smell the smoke no 728 00:22:12,900 --> 00:22:16,260 github's got the smoke you're at home 729 00:22:14,520 --> 00:22:17,640 and it's a great time you need to be 730 00:22:16,260 --> 00:22:19,980 able to detect when something's happened 731 00:22:17,640 --> 00:22:21,900 to your project 732 00:22:19,980 --> 00:22:23,520 now there's plenty of static analysis 733 00:22:21,900 --> 00:22:25,140 tooling to find problems in your code 734 00:22:23,520 --> 00:22:27,840 there's ways to improve the security of 735 00:22:25,140 --> 00:22:29,340 your specific implementation 736 00:22:27,840 --> 00:22:31,020 while it's very satisfying to have a 737 00:22:29,340 --> 00:22:32,400 readme absolutely chock full of badges 
738 00:22:31,020 --> 00:22:34,500 covering all the infinite variations of 739 00:22:32,400 --> 00:22:36,179 coverage tools test Suites you know 740 00:22:34,500 --> 00:22:37,799 browser compatibility testing that sort 741 00:22:36,179 --> 00:22:39,900 of thing you need to applying the same 742 00:22:37,799 --> 00:22:41,640 level of rigor to everything else about 743 00:22:39,900 --> 00:22:43,380 your project your GitHub actions 744 00:22:41,640 --> 00:22:45,659 pipelines should be validated just as 745 00:22:43,380 --> 00:22:47,220 much as your actual code is every one of 746 00:22:45,659 --> 00:22:49,500 your configuration files you implement 747 00:22:47,220 --> 00:22:50,640 even test ones and examples should be 748 00:22:49,500 --> 00:22:52,799 running through linters so that you 749 00:22:50,640 --> 00:22:54,179 don't for example push your AWS API keys 750 00:22:52,799 --> 00:22:55,260 to GitHub are you spotting a recurring 751 00:22:54,179 --> 00:22:57,360 theme yet 752 00:22:55,260 --> 00:22:58,620 there's just as many potential problems 753 00:22:57,360 --> 00:23:00,179 in your project infrastructure as they 754 00:22:58,620 --> 00:23:01,320 might be in your code so while static 755 00:23:00,179 --> 00:23:03,240 analysis tools are very easy to 756 00:23:01,320 --> 00:23:04,500 implement this stuff is a lot harder 757 00:23:03,240 --> 00:23:05,760 because you need to tailor it to your 758 00:23:04,500 --> 00:23:07,200 project 759 00:23:05,760 --> 00:23:10,500 sometimes it's also very easy to forget 760 00:23:07,200 --> 00:23:12,539 the smallest unit of risk which is your 761 00:23:10,500 --> 00:23:13,620 account your project can have the 762 00:23:12,539 --> 00:23:15,720 greatest thing on the planet but if your 763 00:23:13,620 --> 00:23:17,640 GitHub account has a terrible password a 764 00:23:15,720 --> 00:23:18,840 no two Factor who cares they're just 765 00:23:17,640 --> 00:23:20,700 going to log in as you and turn off all 766 00:23:18,840 --> 
00:23:21,960 that good stuff so your accounts are 767 00:23:20,700 --> 00:23:24,480 just as important as the project 768 00:23:21,960 --> 00:23:26,460 infrastructure so use two-factor use 769 00:23:24,480 --> 00:23:28,140 YubiKeys use WebAuthn there's a lot 770 00:23:26,460 --> 00:23:29,220 of ways you can do to actually improve 771 00:23:28,140 --> 00:23:31,260 your security viewer account that 772 00:23:29,220 --> 00:23:32,760 prevents also reduces the likelihood of 773 00:23:31,260 --> 00:23:34,799 someone getting into the project through 774 00:23:32,760 --> 00:23:36,480 you add a bonus you can gloat over 775 00:23:34,799 --> 00:23:38,280 whichever of your fellow maintainers did 776 00:23:36,480 --> 00:23:40,380 get popped that your account's fine they 777 00:23:38,280 --> 00:23:42,240 were the problem get get it get their 778 00:23:40,380 --> 00:23:44,220 [ __ ] together one of the simplest things 779 00:23:42,240 --> 00:23:46,140 you can use for this is emails that 780 00:23:44,220 --> 00:23:48,240 every platform will send you so many 781 00:23:46,140 --> 00:23:49,620 emails so many emails and it's very 782 00:23:48,240 --> 00:23:51,299 tempting to just have a rule that says 783 00:23:49,620 --> 00:23:53,159 does it come from GitHub send it to 784 00:23:51,299 --> 00:23:54,360 Archive because I don't care you don't 785 00:23:53,159 --> 00:23:56,520 want to do that you want to actually sit 786 00:23:54,360 --> 00:23:58,080 down and set up which of these alerts do 787 00:23:56,520 --> 00:23:59,580 I care about turn on the ones you do 788 00:23:58,080 --> 00:24:01,679 turn off the ones you don't and then 789 00:23:59,580 --> 00:24:03,299 actually read the emails because they 790 00:24:01,679 --> 00:24:05,100 will tell you important things your 791 00:24:03,299 --> 00:24:07,440 Dependabot summaries you're probably 792 00:24:05,100 --> 00:24:08,700 just archiving you get a lot of them but 793 00:24:07,440 --> 00:24:10,020 finding out that there's a critical
794 00:24:08,700 --> 00:24:11,400 vulnerability in your project is a lot 795 00:24:10,020 --> 00:24:14,039 more important than finding out that 796 00:24:11,400 --> 00:24:15,419 leftpad got updated again as a lot of 797 00:24:14,039 --> 00:24:17,400 very gray area in there and you need to 798 00:24:15,419 --> 00:24:18,539 make sure that you can find the things 799 00:24:17,400 --> 00:24:20,580 that matter 800 00:24:18,539 --> 00:24:21,659 so again identify the key risks I was 801 00:24:20,580 --> 00:24:23,340 talking about earlier that you need to 802 00:24:21,659 --> 00:24:24,900 match that to your project we can't tell 803 00:24:23,340 --> 00:24:25,799 you what the answer is there use what 804 00:24:24,900 --> 00:24:27,539 the platform offers whether that's 805 00:24:25,799 --> 00:24:28,620 emails or a lot of platforms will have 806 00:24:27,539 --> 00:24:30,539 their own apps that can do push 807 00:24:28,620 --> 00:24:32,700 notifications all those sorts of things 808 00:24:30,539 --> 00:24:34,980 whatever it is you're watching you want 809 00:24:32,700 --> 00:24:36,600 to find out about it as fast as possible 810 00:24:34,980 --> 00:24:38,700 make it hard to undo this one's 811 00:24:36,600 --> 00:24:39,840 important because it's not always of a 812 00:24:38,700 --> 00:24:40,980 huge importance to you know small 813 00:24:39,840 --> 00:24:42,840 projects with small number of 814 00:24:40,980 --> 00:24:44,340 maintainers working on some code but if 815 00:24:42,840 --> 00:24:46,080 your alerts can be bypassed by someone 816 00:24:44,340 --> 00:24:48,360 who's really trying to they're not going 817 00:24:46,080 --> 00:24:50,460 to be much help so again if your GitHub 818 00:24:48,360 --> 00:24:51,960 account gets popped they can just go in 819 00:24:50,460 --> 00:24:54,059 and turn off all those alerts you'll 820 00:24:51,960 --> 00:24:55,320 spend a lot of effort putting in and you 821 00:24:54,059 --> 00:24:57,000 need to be prepared for that scenario 822 
00:24:55,320 --> 00:24:59,460 and it's where we'll come back later to 823 00:24:57,000 --> 00:25:01,140 logging but things like alerting on if 824 00:24:59,460 --> 00:25:02,580 there's no alerts for a while that can 825 00:25:01,140 --> 00:25:03,419 sometimes be a sign of problems of Their 826 00:25:02,580 --> 00:25:05,159 Own 827 00:25:03,419 --> 00:25:06,539 so you need to watch what matters and 828 00:25:05,159 --> 00:25:07,620 across the entire team particularly if 829 00:25:06,539 --> 00:25:09,720 you have other maintainers on the 830 00:25:07,620 --> 00:25:12,299 project 831 00:25:09,720 --> 00:25:14,520 remember too it's very easy to shadow IT 832 00:25:12,299 --> 00:25:16,320 yourself and immediate presumption is 833 00:25:14,520 --> 00:25:17,580 probably oh I don't I'm you know three 834 00:25:16,320 --> 00:25:19,559 maintainers I'm not worried about shadow 835 00:25:17,580 --> 00:25:22,080 IT it's very easy to shadow IT 836 00:25:19,559 --> 00:25:23,820 yourself because you'll have set 837 00:25:22,080 --> 00:25:25,260 something up two years ago at night 838 00:25:23,820 --> 00:25:27,179 because you're worried about something 839 00:25:25,260 --> 00:25:28,799 and you just installed a few packages 840 00:25:27,179 --> 00:25:30,240 and I'll look now it runs did you 841 00:25:28,799 --> 00:25:31,980 document that because I'm guessing you 842 00:25:30,240 --> 00:25:34,320 probably didn't I never do and you've 843 00:25:31,980 --> 00:25:36,240 just shadow IT yourself and those will 844 00:25:34,320 --> 00:25:37,200 come back to haunt you in very real 845 00:25:36,240 --> 00:25:39,059 terms 846 00:25:37,200 --> 00:25:41,159 it's obviously much more of a risk and 847 00:25:39,059 --> 00:25:44,120 larger projects and organizations but 848 00:25:41,159 --> 00:25:46,559 keep it in mind and on that same vein 849 00:25:44,120 --> 00:25:48,600 you want the safe process to be simple 850 00:25:46,559 --> 00:25:49,919 because otherwise whether it's you or 851
00:25:48,600 --> 00:25:51,299 another maintainer you'll do it the 852 00:25:49,919 --> 00:25:52,559 unsafe way and you'll probably pay for 853 00:25:51,299 --> 00:25:54,179 that later 854 00:25:52,559 --> 00:25:56,039 it's an example even a project with a 855 00:25:54,179 --> 00:25:57,720 handful of maintainers who owns the 856 00:25:56,039 --> 00:26:00,000 domains for your project 857 00:25:57,720 --> 00:26:02,460 have a DOT IO or whatever else very cool 858 00:26:00,000 --> 00:26:04,500 catchy short domain name whose account 859 00:26:02,460 --> 00:26:06,120 is that on and is that account well 860 00:26:04,500 --> 00:26:07,440 protected because if it's not someone's 861 00:26:06,120 --> 00:26:09,240 going to redirect your Project's 862 00:26:07,440 --> 00:26:11,760 excellent nice little Hugo built 863 00:26:09,240 --> 00:26:13,080 docs site to malware and now all of your 864 00:26:11,760 --> 00:26:14,640 users are getting served malware every 865 00:26:13,080 --> 00:26:16,620 time they open your docs site that's 866 00:26:14,640 --> 00:26:19,140 probably not what you want because it's 867 00:26:16,620 --> 00:26:20,580 not being properly managed so created a 868 00:26:19,140 --> 00:26:22,380 teams account with whatever registry I 869 00:26:20,580 --> 00:26:23,880 use put the password in that Secrets 870 00:26:22,380 --> 00:26:26,220 management you definitely have set up 871 00:26:23,880 --> 00:26:28,500 and you're already a long way to being 872 00:26:26,220 --> 00:26:30,779 able to avoid a lot of those scenarios 873 00:26:28,500 --> 00:26:32,039 so and likewise for maintainers prepare 874 00:26:30,779 --> 00:26:34,020 for the scenario where maintainers out 875 00:26:32,039 --> 00:26:36,299 if you're dealing with a problem with 876 00:26:34,020 --> 00:26:38,159 your domain name and the only maintainer 877 00:26:36,299 --> 00:26:39,840 who has the red has the login to the 878 00:26:38,159 --> 00:26:40,980 registry is on holiday for the next 879 00:26:39,840 -->
00:26:42,659 three weeks 880 00:26:40,980 --> 00:26:44,460 do you have a plan for that scenario 881 00:26:42,659 --> 00:26:45,960 because a lot of teams won't and that 882 00:26:44,460 --> 00:26:46,980 can make things very difficult to deal 883 00:26:45,960 --> 00:26:48,299 with 884 00:26:46,980 --> 00:26:50,640 particularly when you get to the 885 00:26:48,299 --> 00:26:53,279 incident response stage I.E you've got 886 00:26:50,640 --> 00:26:55,559 alerts that say that's not good what are 887 00:26:53,279 --> 00:26:57,419 you going to do now because a lot of 888 00:26:55,559 --> 00:27:00,179 teams it can be very easy you'll be like 889 00:26:57,419 --> 00:27:02,460 oh I'm sure it won't happen it might 890 00:27:00,179 --> 00:27:04,799 and a lot of teams including ours where 891 00:27:02,460 --> 00:27:07,440 I thought yeah I work in a full-scale 892 00:27:04,799 --> 00:27:09,120 full size team of incredibly capable 893 00:27:07,440 --> 00:27:10,620 security engineers and we still can't 894 00:27:09,120 --> 00:27:12,539 catch everything not in a million years 895 00:27:10,620 --> 00:27:14,640 so we get very good at cleaning up 896 00:27:12,539 --> 00:27:16,559 afterwards you guys want to also be as 897 00:27:14,640 --> 00:27:17,760 good as you can at that process 898 00:27:16,559 --> 00:27:18,840 we talked earlier about making sure 899 00:27:17,760 --> 00:27:20,400 you're getting alerts for important 900 00:27:18,840 --> 00:27:23,100 events here's where that's important 901 00:27:20,400 --> 00:27:24,960 because that alert the time it takes for 902 00:27:23,100 --> 00:27:28,080 you to get that alert find out what it 903 00:27:24,960 --> 00:27:30,240 means action it and clean up after it is 904 00:27:28,080 --> 00:27:32,159 crucial the shorter that time window the 905 00:27:30,240 --> 00:27:33,779 better because speed is absolutely key 906 00:27:32,159 --> 00:27:35,580 you need to know the moment something 907 00:27:33,779 --> 00:27:37,799 happens and be able to very 
quickly 908 00:27:35,580 --> 00:27:39,600 identify is that a problem and what's 909 00:27:37,799 --> 00:27:41,159 the problem because if you can't your 910 00:27:39,600 --> 00:27:43,140 attacker's just free to do whatever they 911 00:27:41,159 --> 00:27:45,360 want to do in the first place 912 00:27:43,140 --> 00:27:47,340 attackers will have automation to use 913 00:27:45,360 --> 00:27:48,900 the cloud as an example if you don't 914 00:27:47,340 --> 00:27:52,020 think attackers are using terraform to 915 00:27:48,900 --> 00:27:54,240 deploy stuff to pop to AWS accounts have 916 00:27:52,020 --> 00:27:55,919 I got bad news for you there's a lot of 917 00:27:54,240 --> 00:27:57,120 terraform out there you need to be not 918 00:27:55,919 --> 00:27:58,740 just automating things but automating 919 00:27:57,120 --> 00:27:59,640 things better than your the attackers 920 00:27:58,740 --> 00:28:01,500 will be 921 00:27:59,640 --> 00:28:03,120 we all love over engineering things over 922 00:28:01,500 --> 00:28:04,980 engineering things is great more things 923 00:28:03,120 --> 00:28:06,419 to over engineer right here automate 924 00:28:04,980 --> 00:28:08,520 stuff 925 00:28:06,419 --> 00:28:10,380 log everything logging everything is 926 00:28:08,520 --> 00:28:11,520 absolutely crucial for reasons we'll get 927 00:28:10,380 --> 00:28:12,539 back to as well because you need to be 928 00:28:11,520 --> 00:28:14,580 able to not just tell when something 929 00:28:12,539 --> 00:28:15,900 happened but what happened and the 930 00:28:14,580 --> 00:28:17,880 faster you can piece together exactly 931 00:28:15,900 --> 00:28:19,860 what they did and in what order the 932 00:28:17,880 --> 00:28:21,539 faster you can undo that so the more you 933 00:28:19,860 --> 00:28:23,460 can piece together and the quicker you 934 00:28:21,539 --> 00:28:25,620 get a holistic view of that the faster 935 00:28:23,460 --> 00:28:27,720 you can undo damage from a potential 936 00:28:25,620 --> 
00:28:29,760 attacker 937 00:28:27,720 --> 00:28:31,200 Don't Panic though it's very easy to go 938 00:28:29,760 --> 00:28:32,700 this is the first time I've had to deal 939 00:28:31,200 --> 00:28:35,159 with security incident and someone's 940 00:28:32,700 --> 00:28:37,080 just changed our docs site to serve 941 00:28:35,159 --> 00:28:38,460 crypto miners to unsuspecting browsers 942 00:28:37,080 --> 00:28:40,200 oh God what do I do I'm just going to 943 00:28:38,460 --> 00:28:41,640 turn off the server no when the 944 00:28:40,200 --> 00:28:43,080 proverbials hit the fan you want to be 945 00:28:41,640 --> 00:28:45,480 turning off the fan not tearing it out 946 00:28:43,080 --> 00:28:47,039 of the ceiling and it's important to 947 00:28:45,480 --> 00:28:49,020 respond as quickly as you can but 948 00:28:47,039 --> 00:28:50,640 without panicking and that is part of 949 00:28:49,020 --> 00:28:52,980 why again the preparation phase is so 950 00:28:50,640 --> 00:28:55,799 important if you have documentation or 951 00:28:52,980 --> 00:28:57,840 processes on what to do when X you can 952 00:28:55,799 --> 00:29:00,240 just follow that thing followed quickly 953 00:28:57,840 --> 00:29:01,860 but just follow the guide it reduces the 954 00:29:00,240 --> 00:29:03,539 chance of a mistake you make making 955 00:29:01,860 --> 00:29:05,400 things worse that one also actually 956 00:29:03,539 --> 00:29:07,740 applies to vulnerabilities how many 957 00:29:05,400 --> 00:29:09,419 times did it take to fix Log4j too many 958 00:29:07,740 --> 00:29:10,740 because it's very easy to go oh God we 959 00:29:09,419 --> 00:29:12,720 need to fix something and introduce more 960 00:29:10,740 --> 00:29:15,120 bugs likewise things like backporting 961 00:29:12,720 --> 00:29:17,039 backporting is hard because you can 962 00:29:15,120 --> 00:29:18,960 bring new bugs with you when you cherry 963 00:29:17,039 --> 00:29:21,299 pick future commits there's a lot of 964 00:29:18,960 -->
00:29:22,980 problems there same applies to incident 965 00:29:21,299 --> 00:29:25,500 response that you want to be trying to 966 00:29:22,980 --> 00:29:27,120 fix the problem without adding more 967 00:29:25,500 --> 00:29:29,039 one of the big ones that is easy to 968 00:29:27,120 --> 00:29:30,539 forget for non-security people is to 969 00:29:29,039 --> 00:29:31,740 preserve what you can because you won't 970 00:29:30,539 --> 00:29:32,940 be able to learn anything from an 971 00:29:31,740 --> 00:29:34,860 incident if you don't have any evidence 972 00:29:32,940 --> 00:29:36,720 of what happened so to use the example 973 00:29:34,860 --> 00:29:38,220 of AWS if someone's in your AWS account 974 00:29:36,720 --> 00:29:40,140 spinning up crypto miners in every 975 00:29:38,220 --> 00:29:42,120 region they have available 976 00:29:40,140 --> 00:29:43,440 stop those instances don't terminate 977 00:29:42,120 --> 00:29:45,360 them because you terminate them they're 978 00:29:43,440 --> 00:29:46,919 gone if you've rotated the keys and you 979 00:29:45,360 --> 00:29:48,480 terminate the instances you have no idea 980 00:29:46,919 --> 00:29:49,799 how they got in it's probably going to 981 00:29:48,480 --> 00:29:51,299 happen again in two weeks because you 982 00:29:49,799 --> 00:29:53,100 won't have known what happened if you 983 00:29:51,299 --> 00:29:54,419 stop those instances you can get a 984 00:29:53,100 --> 00:29:56,220 snapshot of the disk have a look 985 00:29:54,419 --> 00:29:57,960 sometimes it's very simple look at the 986 00:29:56,220 --> 00:30:00,419 disk look at bash history and oh look I 987 00:29:57,960 --> 00:30:01,919 had a terrible root password on SSH sure 988 00:30:00,419 --> 00:30:03,480 sometimes it's quite difficult and 989 00:30:01,919 --> 00:30:05,399 that's when you go find someone who's 990 00:30:03,480 --> 00:30:06,720 into security and has a lot of free time 991 00:30:05,399 --> 00:30:08,640 for some reason to help you with 992 00:30:06,720 
--> 00:30:10,020 forensics to find out what actually 993 00:30:08,640 --> 00:30:12,059 happened 994 00:30:10,020 --> 00:30:13,860 because you do want to know what 995 00:30:12,059 --> 00:30:15,840 happened we'll get to that the next one 996 00:30:13,860 --> 00:30:17,039 the other one which is a very Niche case 997 00:30:15,840 --> 00:30:20,640 but particularly important for really 998 00:30:17,039 --> 00:30:22,380 big projects plan for a hostile attacker 999 00:30:20,640 --> 00:30:24,120 year to use the AWS example if you've 1000 00:30:22,380 --> 00:30:27,419 pushed your AWS API keys to GitHub and 1001 00:30:24,120 --> 00:30:30,000 someone's in your AWS okay 1002 00:30:27,419 --> 00:30:31,320 they're going to be really 1003 00:30:30,000 --> 00:30:32,640 really and you might go in and go ah 1004 00:30:31,320 --> 00:30:34,020 I've got them now and rotate that 1005 00:30:32,640 --> 00:30:35,940 credential you've got them did you 1006 00:30:34,020 --> 00:30:37,260 rotate the three new keys they made in 1007 00:30:35,940 --> 00:30:39,059 three different regions one of which 1008 00:30:37,260 --> 00:30:40,380 with a different name possibly not 1009 00:30:39,059 --> 00:30:42,480 you're now going to have to go in and 1010 00:30:40,380 --> 00:30:44,039 undo each of those in order because if 1011 00:30:42,480 --> 00:30:45,539 you leave even one there too long they 1012 00:30:44,039 --> 00:30:47,399 use that key to generate more keys 1013 00:30:45,539 --> 00:30:49,500 likewise there's a lot of other weird 1014 00:30:47,399 --> 00:30:52,140 junk you can do create a new instance 1015 00:30:49,500 --> 00:30:53,340 with an attached IAM role now unless 1016 00:30:52,140 --> 00:30:55,200 you've also turned off that instance 1017 00:30:53,340 --> 00:30:55,860 they still have IAM access to your 1018 00:30:55,200 --> 00:30:57,600 account 1019 00:30:55,860 --> 00:30:59,340 the scenario where you have an actual 1020 00:30:57,600 --> 00:31:00,779 active hostile attacker is not something
1021 00:30:59,340 --> 00:31:02,580 most projects are going to be dealing 1022 00:31:00,779 --> 00:31:04,799 with but if you think your project might 1023 00:31:02,580 --> 00:31:06,360 plan for it and that's where that 1024 00:31:04,799 --> 00:31:07,799 process is writing down the process 1025 00:31:06,360 --> 00:31:09,960 becomes very important because things 1026 00:31:07,799 --> 00:31:11,220 like order of operations is crucial you 1027 00:31:09,960 --> 00:31:14,539 need to be able to kick someone out and 1028 00:31:11,220 --> 00:31:14,539 have them actually stay out 1029 00:31:14,820 --> 00:31:19,740 which comes back to prevention how do we 1030 00:31:17,279 --> 00:31:22,460 learn from having made some terrible 1031 00:31:19,740 --> 00:31:22,460 terrible mistakes 1032 00:31:22,799 --> 00:31:26,159 you need to know how it happened that's 1033 00:31:24,840 --> 00:31:27,120 looking at where things like forensics 1034 00:31:26,159 --> 00:31:28,799 that you're not always going to need 1035 00:31:27,120 --> 00:31:31,559 forensics sometimes it's going to be oh 1036 00:31:28,799 --> 00:31:33,539 that's my AWS key in our readme that's 1037 00:31:31,559 --> 00:31:36,360 probably why sometimes it'll be really 1038 00:31:33,539 --> 00:31:38,039 complicated like there's examples of for 1039 00:31:36,360 --> 00:31:39,720 example generating passwords that happen 1040 00:31:38,039 --> 00:31:41,700 to be the same as default passwords 1041 00:31:39,720 --> 00:31:43,799 that's very unlucky but could happen 1042 00:31:41,700 --> 00:31:45,000 there's lots of things that you need to 1043 00:31:43,799 --> 00:31:45,840 be able to know how it happened if 1044 00:31:45,000 --> 00:31:48,360 you're going to stop it from happening 1045 00:31:45,840 --> 00:31:50,220 again the second much more important 1046 00:31:48,360 --> 00:31:51,480 part how can you stop it from happening 1047 00:31:50,220 --> 00:31:52,980 again 1048 00:31:51,480 --> 00:31:54,840 to use the example of if you've push 1049 
00:31:52,980 --> 00:31:56,399 your AWS keys to GitHub how do you stop 1050 00:31:54,840 --> 00:31:58,380 yourself doing that things like 1051 00:31:56,399 --> 00:32:00,480 gitleaks is an excellent way to and we'll 1052 00:31:58,380 --> 00:32:02,760 cover that of 1053 00:32:00,480 --> 00:32:04,380 what do you need to know to stop it from 1054 00:32:02,760 --> 00:32:05,820 happening again and not necessarily the 1055 00:32:04,380 --> 00:32:08,039 exact same one you don't want to set up 1056 00:32:05,820 --> 00:32:10,320 a rule to a pre-commit hook to say don't 1057 00:32:08,039 --> 00:32:12,600 push this string you need to say how do 1058 00:32:10,320 --> 00:32:13,919 I stop pushing keys to GitHub maybe I 1059 00:32:12,600 --> 00:32:15,539 could start using Ansible, Bitwarden 1060 00:32:13,919 --> 00:32:16,980 or whatever else likewise for 1061 00:32:15,539 --> 00:32:18,360 infrastructure 1062 00:32:16,980 --> 00:32:20,760 if I've got automatic automatic 1063 00:32:18,360 --> 00:32:22,620 pipelines running how do I stop not just 1064 00:32:20,760 --> 00:32:24,659 this attacker don't Blacklist the user 1065 00:32:22,620 --> 00:32:26,100 but change how the build pipeline runs 1066 00:32:24,659 --> 00:32:27,240 to maybe not expose so much valuable 1067 00:32:26,100 --> 00:32:29,760 information 1068 00:32:27,240 --> 00:32:32,460 and the last one is limiting impact no 1069 00:32:29,760 --> 00:32:33,960 prevention is perfect again I work in a 1070 00:32:32,460 --> 00:32:35,760 massive team full of incredibly capable 1071 00:32:33,960 --> 00:32:37,679 security people and we can't stop it 1072 00:32:35,760 --> 00:32:39,179 happening Optus couldn't Medicare could 1073 00:32:37,679 --> 00:32:41,279 Medibank couldn't but that's its own 1074 00:32:39,179 --> 00:32:43,740 problem and 1075 00:32:41,279 --> 00:32:45,480 you want to be able to limit how bad the 1076 00:32:43,740 --> 00:32:47,159 impact is just as much as you want to be 1077 00:32:45,480 --> 00:32:48,720 able to
stop it happening if you can't 1078 00:32:47,159 --> 00:32:50,580 stop someone getting into your AWS 1079 00:32:48,720 --> 00:32:53,279 account it would be good if you have 1080 00:32:50,580 --> 00:32:55,679 really restrictive cost caps on there if 1081 00:32:53,279 --> 00:32:57,659 you're if you need to run GitHub actions 1082 00:32:55,679 --> 00:32:59,700 on every single commit from a third 1083 00:32:57,659 --> 00:33:02,159 party untrusted contributor that's great 1084 00:32:59,700 --> 00:33:03,779 maybe don't include all of your API keys 1085 00:33:02,159 --> 00:33:05,039 with every build pipeline because you 1086 00:33:03,779 --> 00:33:07,020 don't want them to have access to those 1087 00:33:05,039 --> 00:33:08,880 things no prevention is perfect but 1088 00:33:07,020 --> 00:33:12,419 limiting impact will make it a lot 1089 00:33:08,880 --> 00:33:15,080 easier on you and your team to stop the 1090 00:33:12,419 --> 00:33:15,080 worst happening 1091 00:33:15,539 --> 00:33:19,080 summary of that is prevention is still 1092 00:33:17,279 --> 00:33:21,360 better you want to catch things before 1093 00:33:19,080 --> 00:33:24,480 they happen as much as possible and even 1094 00:33:21,360 --> 00:33:26,820 better is stop the actual root class of 1095 00:33:24,480 --> 00:33:28,740 the problem so to prevent pushing API 1096 00:33:26,820 --> 00:33:31,620 keys to GitHub things like gitleaks if 1097 00:33:28,740 --> 00:33:33,539 any of you've anyone heard of gitleaks 1098 00:33:31,620 --> 00:33:35,640 one that's good gitleaks is an 1099 00:33:33,539 --> 00:33:37,320 excellent project that you can use to 1100 00:33:35,640 --> 00:33:38,640 set up as pre-commit hooks or you can 1101 00:33:37,320 --> 00:33:40,860 run it on your own infrastructure it's 1102 00:33:38,640 --> 00:33:43,019 very flexible and it will do things like 1103 00:33:40,860 --> 00:33:45,539 scan your git and it will tell you when 1104 00:33:43,019 --> 00:33:48,059 you push API keys and you can set up to
1105 00:33:45,539 --> 00:33:50,279 find a lot of things AWS keys if your 1106 00:33:48,059 --> 00:33:52,320 application has its own secret Keys you 1107 00:33:50,279 --> 00:33:54,240 know C values anything like that you can 1108 00:33:52,320 --> 00:33:55,500 set those up to say tell me before this 1109 00:33:54,240 --> 00:33:57,000 happens and there's a lot of different 1110 00:33:55,500 --> 00:33:58,320 ways of using gitleaks and it's not the 1111 00:33:57,000 --> 00:33:59,760 only one there's git-secrets and a few 1112 00:33:58,320 --> 00:34:01,380 others there's lots of ways of 1113 00:33:59,760 --> 00:34:02,760 preventing things happening before they 1114 00:34:01,380 --> 00:34:04,679 make it to the internet because remember 1115 00:34:02,760 --> 00:34:06,059 from way back at the start once it's on 1116 00:34:04,679 --> 00:34:07,500 the Internet it's gone you've lost it 1117 00:34:06,059 --> 00:34:09,899 it's it's all over it's in someone 1118 00:34:07,500 --> 00:34:11,040 else's hands so catching things first is 1119 00:34:09,899 --> 00:34:13,260 always much better 1120 00:34:11,040 --> 00:34:15,000 that also comes back to things like 1121 00:34:13,260 --> 00:34:16,379 guidance and documentation if you don't 1122 00:34:15,000 --> 00:34:18,119 have developer guides and contribution 1123 00:34:16,379 --> 00:34:20,220 guides a there's a bunch of docs people 1124 00:34:18,119 --> 00:34:22,200 in this room who are coming for you and 1125 00:34:20,220 --> 00:34:23,580 you should this is a good example to get 1126 00:34:22,200 --> 00:34:24,960 those that if you have contribution 1127 00:34:23,580 --> 00:34:26,580 guides and developer guides explaining 1128 00:34:24,960 --> 00:34:28,919 how to set up the tooling properly and 1129 00:34:26,580 --> 00:34:30,480 in a safe way a your developer is going 1130 00:34:28,919 --> 00:34:31,679 to be much much happier just being able 1131 00:34:30,480 --> 00:34:33,960 to follow three steps in a markdown 1132 00:34:31,679 -->
00:34:35,940 document than just YOLOing it and 1133 00:34:33,960 --> 00:34:38,520 hoping they set things up right 1134 00:34:35,940 --> 00:34:39,839 added bonus you can say you're going to 1135 00:34:38,520 --> 00:34:43,080 need this pre-commit hook to make sure 1136 00:34:39,839 --> 00:34:44,820 you don't commit your own AWS keys 1137 00:34:43,080 --> 00:34:47,220 make security part of the overall 1138 00:34:44,820 --> 00:34:48,480 project process as I'm saying you've 1139 00:34:47,220 --> 00:34:49,800 probably already automated a lot of 1140 00:34:48,480 --> 00:34:53,099 things sometimes it's something as 1141 00:34:49,800 --> 00:34:54,599 simple as having a small amount of build 1142 00:34:53,099 --> 00:34:55,919 pipeline running sometimes it's really 1143 00:34:54,599 --> 00:34:57,720 complicated stuff being able to deploy 1144 00:34:55,919 --> 00:35:00,720 entire environments from GitHub or from 1145 00:34:57,720 --> 00:35:02,339 GitLab maybe running Jenkins for reasons 1146 00:35:00,720 --> 00:35:03,960 I'm not going to ask you there's a lot 1147 00:35:02,339 --> 00:35:05,640 of scenarios where you might have a lot 1148 00:35:03,960 --> 00:35:08,400 of automation running make those 1149 00:35:05,640 --> 00:35:10,980 automations a secure the automations and 1150 00:35:08,400 --> 00:35:12,900 make sure that the processes that you're 1151 00:35:10,980 --> 00:35:15,000 automating are secure processes because 1152 00:35:12,900 --> 00:35:16,380 the only thing worse than an automated 1153 00:35:15,000 --> 00:35:18,359 system being taken over is an automated 1154 00:35:16,380 --> 00:35:20,160 system introducing something if you have 1155 00:35:18,359 --> 00:35:23,339 automated systems that just deploy code 1156 00:35:20,160 --> 00:35:25,020 with zero user interaction the odds of 1157 00:35:23,339 --> 00:35:26,220 it deploying a vulnerability are quite 1158 00:35:25,020 --> 00:35:28,380 High 1159 00:35:26,220 --> 00:35:30,480 now there are middle grounds with that
1160 00:35:28,380 --> 00:35:32,579 where there can be too much automation 1161 00:35:30,480 --> 00:35:34,260 if you automate so that it just like the 1162 00:35:32,579 --> 00:35:36,300 entire release process is zero human 1163 00:35:34,260 --> 00:35:38,160 interaction then if someone manages to 1164 00:35:36,300 --> 00:35:40,260 sneak in a vulnerability you have no 1165 00:35:38,160 --> 00:35:41,880 chance to catch it and that can be bad 1166 00:35:40,260 --> 00:35:42,839 and that's a really a threat modeling 1167 00:35:41,880 --> 00:35:44,460 thing of is that something you're 1168 00:35:42,839 --> 00:35:45,960 worried about maybe you have a 1169 00:35:44,460 --> 00:35:47,339 completely automated process with one 1170 00:35:45,960 --> 00:35:48,839 step in the middle it requires an actual 1171 00:35:47,339 --> 00:35:50,339 human to say you know that looks good 1172 00:35:48,839 --> 00:35:52,200 there's plenty of those available for 1173 00:35:50,339 --> 00:35:53,579 GitHub or gitlab things like that or if 1174 00:35:52,200 --> 00:35:55,079 you're dealing with a larger team have 1175 00:35:53,579 --> 00:35:56,820 that as part of your process that one 1176 00:35:55,079 --> 00:35:58,200 person doesn't do the release one person 1177 00:35:56,820 --> 00:36:00,599 does most of the release and a second 1178 00:35:58,200 --> 00:36:02,880 person checks so you can over automate 1179 00:36:00,599 --> 00:36:05,520 but automation's still better than not 1180 00:36:02,880 --> 00:36:07,140 some solutions just aren't technical I 1181 00:36:05,520 --> 00:36:08,760 am a very technical person but I still 1182 00:36:07,140 --> 00:36:10,500 have to spend a lot of my days telling 1183 00:36:08,760 --> 00:36:12,300 people to stop making bad decisions 1184 00:36:10,500 --> 00:36:13,560 because at the end of the day we're all 1185 00:36:12,300 --> 00:36:15,180 fleshy humans at the end of the keyboard 1186 00:36:13,560 --> 00:36:16,800 and we're the ones making the mistakes 1187 00:36:15,180 
--> 00:36:18,060 sometimes we'll make the same mistake 1188 00:36:16,800 --> 00:36:18,900 over and over again and that's where you 1189 00:36:18,060 --> 00:36:21,060 have to break out the Technical 1190 00:36:18,900 --> 00:36:22,980 Solutions sometimes it's someone using 1191 00:36:21,060 --> 00:36:24,359 the technical things exactly right but 1192 00:36:22,980 --> 00:36:26,460 differently to how you thought they 1193 00:36:24,359 --> 00:36:28,500 would and that's a case where you've got 1194 00:36:26,460 --> 00:36:29,940 to stop and think do I teach people how 1195 00:36:28,500 --> 00:36:31,320 to do it the way I thought or do I 1196 00:36:29,940 --> 00:36:33,359 prepare my project for someone doing 1197 00:36:31,320 --> 00:36:34,560 things differently to how I do summer 1198 00:36:33,359 --> 00:36:36,540 Solutions aren't going to be technical 1199 00:36:34,560 --> 00:36:38,099 but I suspect a lot of people who are 1200 00:36:36,540 --> 00:36:39,420 working on open source are looking for 1201 00:36:38,099 --> 00:36:41,099 Technical Solutions wherever they can 1202 00:36:39,420 --> 00:36:42,720 the hammer and nail problem strikes 1203 00:36:41,099 --> 00:36:44,160 again sometimes you're just going to 1204 00:36:42,720 --> 00:36:45,240 have to deal with the fact that humans 1205 00:36:44,160 --> 00:36:47,420 are the ones interacting with your 1206 00:36:45,240 --> 00:36:47,420 project 1207 00:36:47,460 --> 00:36:50,280 so 1208 00:36:49,079 --> 00:36:51,359 what have we learned theoretically 1209 00:36:50,280 --> 00:36:52,320 hopefully 1210 00:36:51,359 --> 00:36:53,460 something here it is a lot more than 1211 00:36:52,320 --> 00:36:54,540 just your code preventing 1212 00:36:53,460 --> 00:36:56,040 vulnerabilities from making it into your 1213 00:36:54,540 --> 00:36:58,320 code is very important but it's not the 1214 00:36:56,040 --> 00:37:00,060 only thing planning ahead will 100 pay 1215 00:36:58,320 --> 00:37:02,220 off no matter how much you think this is 1216 
00:37:00,060 --> 00:37:04,500 a bunch of wasted effort it might be and 1217 00:37:02,220 --> 00:37:06,660 that is the best case scenario the ideal 1218 00:37:04,500 --> 00:37:09,119 world is you spent hours and hours 1219 00:37:06,660 --> 00:37:10,920 crafting an Immaculate security response 1220 00:37:09,119 --> 00:37:13,200 process and if you never have to use it 1221 00:37:10,920 --> 00:37:14,700 hell yes win because take it from me 1222 00:37:13,200 --> 00:37:16,079 it's much worse when you do have to use 1223 00:37:14,700 --> 00:37:18,240 it 1224 00:37:16,079 --> 00:37:19,619 document everything automate what you 1225 00:37:18,240 --> 00:37:21,180 can it's where we go back to there's 1226 00:37:19,619 --> 00:37:23,640 limits to automation but document 1227 00:37:21,180 --> 00:37:25,380 everything as much as possible not just 1228 00:37:23,640 --> 00:37:27,240 so that you reduce the chance of 1229 00:37:25,380 --> 00:37:29,220 mistakes but so that you have documented 1230 00:37:27,240 --> 00:37:31,380 process for fixing mistakes 1231 00:37:29,220 --> 00:37:33,180 use tooling and processes to reduce your 1232 00:37:31,380 --> 00:37:34,920 risks things like build pipelines are 1233 00:37:33,180 --> 00:37:36,000 very good for not introducing bugs use 1234 00:37:34,920 --> 00:37:37,560 them to also not introduce 1235 00:37:36,000 --> 00:37:40,020 vulnerabilities or introduce 1236 00:37:37,560 --> 00:37:41,700 misconfigurations you need to be able to 1237 00:37:40,020 --> 00:37:43,680 use things like gitleaks or git-secrets 1238 00:37:41,700 --> 00:37:45,359 to try and minimize how often you're 1239 00:37:43,680 --> 00:37:47,220 leaking Secrets or leaking information 1240 00:37:45,359 --> 00:37:49,200 that turns out shouldn't be on the 1241 00:37:47,220 --> 00:37:50,640 internet there's a lot of situations 1242 00:37:49,200 --> 00:37:52,500 there that you need to adapt to your 1243 00:37:50,640 --> 00:37:53,700 project and if anything I should have 1244 00:37:52,500
--> 00:37:54,900 put one at the top there the number one 1245 00:37:53,700 --> 00:37:57,119 is make sure it matches your project 1246 00:37:54,900 --> 00:37:58,740 there'll be no shortage of think pieces 1247 00:37:57,119 --> 00:38:01,079 online about here's the steps you should 1248 00:37:58,740 --> 00:38:03,240 take to secure your project I'm doing 1249 00:38:01,079 --> 00:38:05,579 one of those live right now you need to 1250 00:38:03,240 --> 00:38:06,839 match all of these guidance to what your 1251 00:38:05,579 --> 00:38:09,000 project needs and the threats you're 1252 00:38:06,839 --> 00:38:10,680 likely to be facing don't push your API 1253 00:38:09,000 --> 00:38:12,000 keys to GitHub I don't know how many 1254 00:38:10,680 --> 00:38:14,240 times I have to say this but apparently 1255 00:38:12,000 --> 00:38:14,240 more 1256 00:38:16,579 --> 00:38:20,700 everyone's laughing going ah I'm not 1257 00:38:18,540 --> 00:38:21,900 going to do that yes you are one of you 1258 00:38:20,700 --> 00:38:24,020 is going to 1259 00:38:21,900 --> 00:38:26,700 don't don't open SSH to the internet 1260 00:38:24,020 --> 00:38:27,960 common mistake but worth pointing out 1261 00:38:26,700 --> 00:38:29,460 but particularly in the era of public 1262 00:38:27,960 --> 00:38:30,780 Cloud it's pretty easy to think of an 1263 00:38:29,460 --> 00:38:32,579 instance in Euros Euro account as oh 1264 00:38:30,780 --> 00:38:34,320 yeah that's just mine if it's got an 1265 00:38:32,579 --> 00:38:37,079 internet connection it's on the internet 1266 00:38:34,320 --> 00:38:38,760 if it's got SSH maybe don't enable root 1267 00:38:37,079 --> 00:38:40,859 like to start with and if you really 1268 00:38:38,760 --> 00:38:43,200 need root do not have a password and 1269 00:38:40,859 --> 00:38:44,520 really do not have a bad password yes 1270 00:38:43,200 --> 00:38:45,540 like when you're thinking of it's still 1271 00:38:44,520 --> 00:38:46,920 bad 1272 00:38:45,540 --> 00:38:48,720 but there's a
lot of things you can do 1273 00:38:46,920 --> 00:38:51,480 to just cover off the low hanging fruit 1274 00:38:48,720 --> 00:38:54,240 very very quickly 1275 00:38:51,480 --> 00:38:56,400 that was very rapid 1276 00:38:54,240 --> 00:38:58,020 photo if there's a lot of it sounds like 1277 00:38:56,400 --> 00:39:00,300 a lot of effort for not a lot of work 1278 00:38:58,020 --> 00:39:02,160 but again take me it's better to do the 1279 00:39:00,300 --> 00:39:03,780 work and not have to use it than to have 1280 00:39:02,160 --> 00:39:05,940 not done the work and be flailing around 1281 00:39:03,780 --> 00:39:07,000 in the aftermath going oh the mistakes 1282 00:39:05,940 --> 00:39:10,120 we have made 1283 00:39:07,000 --> 00:39:13,330 [Music] 1284 00:39:10,120 --> 00:39:13,330 [Applause] 1285 00:39:14,900 --> 00:39:19,740 I think we have a couple of minutes 1286 00:39:17,500 --> 00:39:20,700 [Applause] 1287 00:39:19,740 --> 00:39:23,520 we've got a couple minutes for questions 1288 00:39:20,700 --> 00:39:24,960 yep we've got six minutes we've got any 1289 00:39:23,520 --> 00:39:28,050 questions I'll bring the mic around 1290 00:39:24,960 --> 00:39:28,050 [Music] 1291 00:39:30,060 --> 00:39:38,280 good day thank you for that excuse me 1292 00:39:34,320 --> 00:39:41,579 um feels like one of the ways that we 1293 00:39:38,280 --> 00:39:42,780 need to improve our Securities by 1294 00:39:41,579 --> 00:39:45,960 practicing 1295 00:39:42,780 --> 00:39:48,980 these kinds of responses how can 1296 00:39:45,960 --> 00:39:53,040 developers practice 1297 00:39:48,980 --> 00:39:54,780 yeah right it's hard the to use the 1298 00:39:53,040 --> 00:39:56,460 example that we would use an actual 1299 00:39:54,780 --> 00:39:58,619 response team it's a very common tactic 1300 00:39:56,460 --> 00:40:01,560 to actually have tabletop exercises 1301 00:39:58,619 --> 00:40:03,240 where we'll sit down and run through you 1302 00:40:01,560 --> 00:40:05,220 know it's like any other tabletop 1303 
00:40:03,240 --> 00:40:07,140 scenario someone says X has happened 1304 00:40:05,220 --> 00:40:08,940 what do you do okay now why has happened 1305 00:40:07,140 --> 00:40:10,020 what do you do so and so forth and 1306 00:40:08,940 --> 00:40:11,640 sometimes that's really complicated 1307 00:40:10,020 --> 00:40:13,020 setting up lab environments and testing 1308 00:40:11,640 --> 00:40:15,060 out how it works and having to discover 1309 00:40:13,020 --> 00:40:16,800 things you go but sometimes it's just 1310 00:40:15,060 --> 00:40:19,200 sitting down and going oh I don't do X 1311 00:40:16,800 --> 00:40:22,140 all right you found y all right I go do 1312 00:40:19,200 --> 00:40:23,520 Zed that can be hard particularly if no 1313 00:40:22,140 --> 00:40:24,720 one involved in the project has a lot of 1314 00:40:23,520 --> 00:40:26,579 security experience to be able to 1315 00:40:24,720 --> 00:40:28,680 formulate those scenarios but there are 1316 00:40:26,579 --> 00:40:29,940 a lot of Guides Online for running those 1317 00:40:28,680 --> 00:40:31,980 they're particularly good if you're 1318 00:40:29,940 --> 00:40:33,720 working in a team if it's small scale 1319 00:40:31,980 --> 00:40:35,339 ones one of the easiest ones I can 1320 00:40:33,720 --> 00:40:37,020 probably recommend is just reading all 1321 00:40:35,339 --> 00:40:38,520 the postmortems you get from incidents 1322 00:40:37,020 --> 00:40:40,079 that when companies have an incident 1323 00:40:38,520 --> 00:40:41,820 they'll publish this is what happened 1324 00:40:40,079 --> 00:40:44,040 and they'll have big timelines of we 1325 00:40:41,820 --> 00:40:45,540 responded with X Y and Z or correction 1326 00:40:44,040 --> 00:40:47,880 they should be publishing those things 1327 00:40:45,540 --> 00:40:49,500 because it helps increase trust but just 1328 00:40:47,880 --> 00:40:51,540 as crucial you can read those to find 1329 00:40:49,500 --> 00:40:52,859 out what they did and get an idea you 1330 00:40:51,540 --> 
00:40:55,200 know to use some even some of the 1331 00:40:52,859 --> 00:40:57,300 highest profile ones the first thing 1332 00:40:55,200 --> 00:40:59,160 that happens is someone leaked a key or 1333 00:40:57,300 --> 00:41:01,140 someone had a bad password and you can 1334 00:40:59,160 --> 00:41:03,540 follow their timeline of okay they did 1335 00:41:01,140 --> 00:41:04,619 this how would I do that they did that 1336 00:41:03,540 --> 00:41:07,859 okay I'm never going to have that 1337 00:41:04,619 --> 00:41:09,359 scenario cool who cares what if it was X 1338 00:41:07,859 --> 00:41:10,320 so I think if you've got a larger team 1339 00:41:09,359 --> 00:41:11,700 and you really want to get into it 1340 00:41:10,320 --> 00:41:13,680 tabletop's a really valuable exercise 1341 00:41:11,700 --> 00:41:15,000 for smaller teams probably the easiest 1342 00:41:13,680 --> 00:41:16,980 low commitment one I can recommend is 1343 00:41:15,000 --> 00:41:19,820 just really going to some detail on some 1344 00:41:16,980 --> 00:41:19,820 of those post-mortems 1345 00:41:25,050 --> 00:41:28,300 [Music] 1346 00:41:30,079 --> 00:41:34,859 dynamically allocated as a lot of Home 1347 00:41:32,820 --> 00:41:37,500 setups do 1348 00:41:34,859 --> 00:41:39,540 um so what would you do in terms of SSH 1349 00:41:37,500 --> 00:41:40,560 you said don't open it up to the 1350 00:41:39,540 --> 00:41:42,060 Internet 1351 00:41:40,560 --> 00:41:42,900 so yeah there's a couple of options 1352 00:41:42,060 --> 00:41:44,460 there 1353 00:41:42,900 --> 00:41:46,560 um there are some software solutions 1354 00:41:44,460 --> 00:41:47,640 that if you that I I won't say get into 1355 00:41:46,560 --> 00:41:48,960 if you don't already know them because 1356 00:41:47,640 --> 00:41:50,820 they're a fairly advisable learning 1357 00:41:48,960 --> 00:41:52,920 curve but things like cloudflare tunnels 1358 00:41:50,820 --> 00:41:54,300 or other L2 mesh technology can be quite 1359 00:41:52,920 --> 00:41:56,400 
useful because you can install that 1360 00:41:54,300 --> 00:41:58,320 agent then close it down as far as that 1361 00:41:56,400 --> 00:41:59,880 that's concerned and it's you know 1362 00:41:58,320 --> 00:42:01,800 without getting into too much complexity 1363 00:41:59,880 --> 00:42:04,200 it's essentially being VPN'd into that 1364 00:42:01,800 --> 00:42:05,640 host so that's one effect the other one 1365 00:42:04,200 --> 00:42:07,260 that's a very low-tech solution but 1366 00:42:05,640 --> 00:42:09,300 honestly not the worst is just every 1367 00:42:07,260 --> 00:42:11,520 time your IP changes go change your AWS 1368 00:42:09,300 --> 00:42:13,440 Security Group rules you know I'm also 1369 00:42:11,520 --> 00:42:15,060 on a dynamic IP but my IP only changes 1370 00:42:13,440 --> 00:42:16,859 probably at most once a couple every 1371 00:42:15,060 --> 00:42:18,480 couple of weeks I just go update those 1372 00:42:16,859 --> 00:42:19,920 Security Group rules 1373 00:42:18,480 --> 00:42:21,960 um the other one being that there is a 1374 00:42:19,920 --> 00:42:24,720 little bit of obscurity don't put on in 1375 00:42:21,960 --> 00:42:27,119 Port 22 don't open Root because the vast 1376 00:42:24,720 --> 00:42:28,560 majority of probe attempts are on 22 to 1377 00:42:27,119 --> 00:42:31,079 root if you have a different 1378 00:42:28,560 --> 00:42:32,280 administrative user you've anyone who's 1379 00:42:31,079 --> 00:42:34,260 looked at fail2ban logs will have 1380 00:42:32,280 --> 00:42:36,240 seen that an administrative user with a 1381 00:42:34,260 --> 00:42:38,160 name other than admin or root is 1382 00:42:36,240 --> 00:42:39,839 probably not getting tried very often so 1383 00:42:38,160 --> 00:42:41,579 those probably the easy ones is see if 1384 00:42:39,839 --> 00:42:43,200 there's another method activity just 1385 00:42:41,579 --> 00:42:44,280 update your firewall rules when it 1386 00:42:43,200 --> 00:42:47,760 changes 1387 00:42:44,280 --> 00:42:49,560
chat and a little bit of obscurity 1388 00:42:47,760 --> 00:42:53,180 probably got time for one more anyone 1389 00:42:49,560 --> 00:42:53,180 else in fraserhead one down here 1390 00:42:56,579 --> 00:43:04,560 how can we test the logging and 1391 00:43:00,839 --> 00:43:06,119 monitoring and alerting yeah that one's 1392 00:43:04,560 --> 00:43:07,680 tricky as well 1393 00:43:06,119 --> 00:43:08,880 um one of the things I'll call out with 1394 00:43:07,680 --> 00:43:10,680 this specifically like being able to 1395 00:43:08,880 --> 00:43:12,540 tell when something doesn't happen is 1396 00:43:10,680 --> 00:43:14,099 what we would refer to as canaries if 1397 00:43:12,540 --> 00:43:16,200 you have if you're monitoring the logs 1398 00:43:14,099 --> 00:43:17,400 for a system make sure through whatever 1399 00:43:16,200 --> 00:43:18,780 method there's a lot of different ways 1400 00:43:17,400 --> 00:43:21,060 of doing it that you get a consistent 1401 00:43:18,780 --> 00:43:22,680 log event sometimes it's a heartbeat or 1402 00:43:21,060 --> 00:43:24,900 a canary or whatever that just sends a 1403 00:43:22,680 --> 00:43:26,280 single log line that says alive once 1404 00:43:24,900 --> 00:43:27,599 every four hours whatever then you can 1405 00:43:26,280 --> 00:43:29,160 alert that it's been more than four 1406 00:43:27,599 --> 00:43:31,020 hours we haven't got one that's a 1407 00:43:29,160 --> 00:43:32,160 problem for being able to pick up actual 1408 00:43:31,020 --> 00:43:34,859 Badness 1409 00:43:32,160 --> 00:43:36,300 it's a lot of it is just having to trust 1410 00:43:34,859 --> 00:43:37,740 your work some of it is if you have 1411 00:43:36,300 --> 00:43:39,900 enough evidence you can basically replay 1412 00:43:37,740 --> 00:43:41,220 the attack if you're if you have enough 1413 00:43:39,900 --> 00:43:43,500 evidence from an attack to say okay 1414 00:43:41,220 --> 00:43:46,200 someone used an API key to issue these 1415 00:43:43,500 --> 00:43:47,700 S3 calls 
and then did X 1416 00:43:46,200 --> 00:43:51,119 get one of your developers to do that 1417 00:43:47,700 --> 00:43:52,380 just say use your API key do these steps 1418 00:43:51,119 --> 00:43:54,119 and hopefully you'll get a bunch of 1419 00:43:52,380 --> 00:43:56,760 alerts show up 1420 00:43:54,119 --> 00:43:58,020 um there's it's hard to just give the 1421 00:43:56,760 --> 00:43:59,460 universal answer for how do we test 1422 00:43:58,020 --> 00:44:01,140 logging and alerting but the short 1423 00:43:59,460 --> 00:44:02,520 version is probably make sure you're 1424 00:44:01,140 --> 00:44:03,960 actually getting the logs and have a way 1425 00:44:02,520 --> 00:44:06,660 of finding out when you are or are not 1426 00:44:03,960 --> 00:44:08,160 getting them and as much as you can try 1427 00:44:06,660 --> 00:44:09,480 to do the thing that you're supposed to 1428 00:44:08,160 --> 00:44:10,920 pick up and make sure you actually pick 1429 00:44:09,480 --> 00:44:12,780 up on it 1430 00:44:10,920 --> 00:44:15,000 we do have another one back there if we 1431 00:44:12,780 --> 00:44:16,800 have time yeah there we go 1432 00:44:15,000 --> 00:44:20,000 time for one more 1433 00:44:16,800 --> 00:44:20,000 it wasn't circuitry 1434 00:44:21,839 --> 00:44:25,800 something I noticed a lot with cloud 1435 00:44:23,460 --> 00:44:27,599 services and other SaaSes is that audit 1436 00:44:25,800 --> 00:44:29,640 logs are usually behind some sort of 1437 00:44:27,599 --> 00:44:33,020 enterprise paywall as an open source 1438 00:44:29,640 --> 00:44:35,819 project that perhaps you know wants to 1439 00:44:33,020 --> 00:44:37,920 make sure that all of us don't have a 1440 00:44:35,819 --> 00:44:39,540 various sector or something in them 1441 00:44:37,920 --> 00:44:41,579 is there 1442 00:44:39,540 --> 00:44:43,560 um any movement or something in terms of 1443 00:44:41,579 --> 00:44:45,180 getting the audit logs for products or 1444 00:44:43,560 --> 00:44:47,520 like 1445 00:44:45,180
--> 00:44:50,099 how do you do it when you knock on a 10 1446 00:44:47,520 --> 00:44:52,319 000 a year the Enterprise plan yeah so 1447 00:44:50,099 --> 00:44:53,579 that one's I thought it was I guess I 1448 00:44:52,319 --> 00:44:55,140 didn't know that I cut for time on that 1449 00:44:53,579 --> 00:44:56,579 basis that there is a problem with 1450 00:44:55,140 --> 00:44:58,380 logging which is yet where do you put 1451 00:44:56,579 --> 00:45:00,720 the logs that a lot of services will ask 1452 00:44:58,380 --> 00:45:02,940 to ask you a lot of money to run their 1453 00:45:00,720 --> 00:45:04,380 own audit logging situations but you also 1454 00:45:02,940 --> 00:45:06,119 can't really just say oh just run your 1455 00:45:04,380 --> 00:45:07,920 own ELK stack and secure that and put 1456 00:45:06,119 --> 00:45:10,500 all the logs there it'll be fine if you 1457 00:45:07,920 --> 00:45:11,640 can help go for that run run out run 1458 00:45:10,500 --> 00:45:13,020 Splunk whatever you want to use and 1459 00:45:11,640 --> 00:45:14,400 alert on that stuff but you don't always 1460 00:45:13,020 --> 00:45:15,780 want to have to do that in terms of 1461 00:45:14,400 --> 00:45:18,180 getting audit logs out of the platform 1462 00:45:15,780 --> 00:45:20,040 there's not a lot we can do there was a 1463 00:45:18,180 --> 00:45:22,200 talk earlier in the week on OCSF which 1464 00:45:20,040 --> 00:45:24,240 is an event standard that like for 1465 00:45:22,200 --> 00:45:26,040 example AWS can output CloudTrails in a 1466 00:45:24,240 --> 00:45:28,020 nice predictable schema that you can 1467 00:45:26,040 --> 00:45:29,099 then process with any number of things 1468 00:45:28,020 --> 00:45:30,480 like yeah you can set up with a log 1469 00:45:29,099 --> 00:45:32,520 stack you can also just run GitHub 1470 00:45:30,480 --> 00:45:35,119 actions on the outputs lots of other 1471 00:45:32,520 --> 00:45:37,680 things you can do 1472 00:45:35,119 --> 00:45:39,480 they have their own
stupid format with a 1473 00:45:37,680 --> 00:45:41,339 lot of extra detail you don't need a lot 1474 00:45:39,480 --> 00:45:42,960 of details you may want but aren't they 1475 00:45:41,339 --> 00:45:44,099 all those sorts of things the short 1476 00:45:42,960 --> 00:45:45,300 version which isn't very helpful answer 1477 00:45:44,099 --> 00:45:46,740 to your question is there isn't a 1478 00:45:45,300 --> 00:45:48,119 convenient answer 1479 00:45:46,740 --> 00:45:49,800 um and you will have to sort of adapt 1480 00:45:48,119 --> 00:45:51,839 how you get audit logs to what logs 1481 00:45:49,800 --> 00:45:53,339 you're looking for and what you have 1482 00:45:51,839 --> 00:45:55,619 available to you if you can run your own 1483 00:45:53,339 --> 00:45:56,940 stack and secure it do it there if you 1484 00:45:55,619 --> 00:45:59,520 can't you might have to Jank it up a bit 1485 00:45:56,940 --> 00:46:03,079 with CI jobs or scheduled jobs that sort 1486 00:45:59,520 --> 00:46:03,079 of thing is that answer roughly 1487 00:46:13,440 --> 00:46:16,800 okay yeah sorry so GitHub GitHub to use 1488 00:46:15,599 --> 00:46:18,060 GitHub's example its audit logs are 1489 00:46:16,800 --> 00:46:18,900 only available Enterprise plans yet 1490 00:46:18,060 --> 00:46:20,700 there's no solution for that 1491 00:46:18,900 --> 00:46:23,339 unfortunately that's just them being bad 1492 00:46:20,700 --> 00:46:24,560 people and those logs those those logs 1493 00:46:23,339 --> 00:46:27,000 are only available if you pay the money 1494 00:46:24,560 --> 00:46:28,680 we can't really solve that the best 1495 00:46:27,000 --> 00:46:30,119 thing I can give is that if you're in a 1496 00:46:28,680 --> 00:46:32,400 position where you can like if you are 1497 00:46:30,119 --> 00:46:34,319 doing open source at a company make them 1498 00:46:32,400 --> 00:46:36,060 pay for Enterprise because that's the 1499 00:46:34,319 --> 00:46:37,560 value add is whatever amount of money 1500 00:46:36,060 -->
00:46:39,300 you have to pay GitHub to get those logs 1501 00:46:37,560 --> 00:46:41,099 it's worth it for the thing you can 1502 00:46:39,300 --> 00:46:43,200 avoid from being able to process those 1503 00:46:41,099 --> 00:46:45,180 logs 1504 00:46:43,200 --> 00:46:46,740 anyone but unfortunately there's not 1505 00:46:45,180 --> 00:46:48,540 really I haven't seen any particularly 1506 00:46:46,740 --> 00:46:50,400 effective solutions to be able to get 1507 00:46:48,540 --> 00:46:52,380 logs from platforms that would otherwise 1508 00:46:50,400 --> 00:46:53,819 charge you for them best I can say is 1509 00:46:52,380 --> 00:46:55,740 you're kind of gonna have to pay them 1510 00:46:53,819 --> 00:46:56,940 sometimes or change vendor if that's an 1511 00:46:55,740 --> 00:46:59,040 option 1512 00:46:56,940 --> 00:47:00,300 thank you for that we'll have to wrap it 1513 00:46:59,040 --> 00:47:03,319 up there and thank you very much 1514 00:47:00,300 --> 00:47:03,319 Alistair thank you 1515 00:47:04,150 --> 00:47:08,269 [Applause]