
BSides Amman 2021 2nd Edition - Talks Day

BSides Amman · 2021 · 2:55:11 · 563 views · Published 2021-07
Style: Talk
About this talk
Welcome to Talks Day at BSides Amman 2021 2nd edition.

6:00 - 6:10 pm - Opening
6:15 - 7:00 pm - Practical Steps to Build a World Class AppSec Program - by Aladdin Almubayed
7:15 - 8:00 pm - Attacking Modern Environments Series: Attack Vectors on Terraform Environments - by Mazin Ahmed
8:15 - 9:00 pm - Building a reasonably Secure Home Lab - by Mohammad Al-Shami
9:00 - 9:15 pm - Closure
Transcript [en]

...are super important for forming a successful appsec program. We're going to talk about the fundamentals of forming an appsec program, and then what the actual practical, pragmatic steps to build the program are. I'm going to share, hopefully, if we have enough time, some metrics that will help you measure the success of your program, and then we're going to go to Q&A at the end. So a lot of us are attending this talk because we really want to learn how to spin up a good appsec program, but appsec, if you think about it, is a pretty complex space, right? It's very time consuming and it's resource intensive, and there is really no one framework that can give you all the information

that you need. But we know, as security practitioners, there are a lot of things that we want to get into, right? So as a security practitioner you actually have to deal with security reviews, you probably have to spin up some scanners, maybe there are some applications you need to do pen testing for, maybe there is a specific part of the organization where you have to evaluate some sort of encryption implementation, of course. And all that stuff, if you think about it, is really part of appsec, right? And that's what we basically can refer to as an appsec program, or the appsec definition, which is basically all these things together, right? So it's an umbrella term

that really refers to the process of finding and fixing and preventing security vulnerabilities at the application level as part of the SDL. If you're not familiar with SDL, it is basically the software development lifecycle: when you form the application or the software you have to go through these building steps. But as someone who is basically a security generalist, and a lot of us were security generalists, why do you need an appsec program? You go to your office and you start doing security reviews, you run some scans, so why do you actually need an appsec program? Well, according to a report from SAP, 84% of security incidents

happen at the application layer. That's a pretty huge number, making it the number one attack surface for attackers. And as you probably know, if you're running an application in production and somebody finds only one single one, and I'm talking about critical ones, like somebody found remote code execution, for example, on your production server, it's done, right? They can jeopardize the whole security of your application. And so it's super important for us to think about appsec as a holistic view of the security of your application, and remember there is no application security silver bullet, and I'm not going to give you that in this talk. Hopefully I'm going to be sharing my own experience and also give you some tips on how to

form a successful appsec program. And one thing to remember is that driving down the application risk, because really the end goal for all of us, even appsec or non-appsec, is really driving down the risk for your application or your organization, requires us to do both proactive and reactive processes. So the main goal of this talk is really to share perspective on how we can appropriately form this appsec program based on both proactive and reactive processes. A lot of people frequently misunderstand appsec, and they get confused sometimes on, like, where should I start, where should I begin, what things or frameworks should I be using? And as a result of that, as you can

see, they will actually try to do security and they don't deliver the appropriate results, so they deliver some sort of sub-par results, where they don't necessarily understand all the details of what could go wrong in the application or what could go wrong in the infrastructure itself. So one thing I want to emphasize in this talk is that there is really no one correct way to build an appsec program, and this is basically based on the experience that I had and also based on the understanding that every company has its own problems and its own security issues. And so forming an application security program all depends on how your

organization is structured and how your organization is doing or caring about security. Like, for example, Netflix doesn't have the concept of gates, we have the concept of guardrails, but some regulated organizations, like banks for example, have gates because that's part of their regulations. And so hopefully in this talk I'll really share my understanding and the lessons I learned working in the appsec field, and in the security field in general, at top companies in Silicon Valley, and hopefully this experience will be useful for people who actually want to dive deep into those lessons learned and apply them to the organization or the

security team, if you're running one. Some prior knowledge: I would say pretty much everyone should be familiar with this, but if not, this is the software development cycle I mentioned earlier, which basically means if you're developing software it has to go through planning, analysis and design, implementation, testing and maintenance, and we're going to mention this SDL process along the way. All right, so let's talk about the philosophy of modern appsec. I really like those terms of philosophy in modern appsec because it really gives us an understanding of what things will guide us through the process of forming a successful appsec program. So the first thing I mentioned is don't create gates but guardrails, and

developers have a lot of things to worry about, right? They have to worry about writing software, testing it, pushing it into production, building it, making sure it's built successfully and it's free of bugs, right? And maybe the last thing they have to worry about is security, although security is super important. So you don't want to really create gates along the way, and again it all depends on the organization, right? Some regulated organizations require you to create gates, but generally speaking the approach should really be to not create gates but guardrails, and this will ensure that your developers have the freedom to do the things that you

want while maintaining security. And this doesn't come by itself, it has to come with you as a security team being enablers and not gatekeepers. And when I say enablers, what I mean by that is you actually want to make sure that your developers have the necessary tools, and when I say tools I mean security tools, for them to do the things that you ask them to do, right? You can't just bring a problem without a solution. You can't just tell your developer, hey, can you go and fix this problem, without telling them how to fix it and maybe giving them the right tooling to fix it. So you always want to be an

enabler. Automation is key, I can't emphasize this enough. As a developer or as a security team, it's impossible to scale security by just hiring, and we're going to talk about that in more detail, but think about this: you're working in a startup or an organization which has hundreds, maybe thousands of microservices, and you can't just hire so many people to do this work. So try to automate as much as you can, and that's a really key philosophy thing. It is impossible for you to do security on day one or week one, it's just impractical, right? And you want to make sure that you're actually doing security improvements over time, and you can

measure that over time as well. So it's incremental security improvements over time, and really this gives you the understanding that growing security over time is a marathon, not a sprint. You can't just think about building one tool that will fix everything; you have to take a holistic approach to your organization. This is very important: you want to provide a consistent experience to your developers, and when I say consistent experience it's based on the tooling that you provide them. You don't want to confuse them with so many toolings, and also you don't want to give them so many different

security guidances, so make it consistent and developers will like to work with you more. And this brings us to the next one, which is think about this as a partnership with your developers, because when you're partnering with someone that means you're both equally working on achieving the actual goal, as opposed to just telling your developer, hey, can you, like, throwing a bunch of bugs at them and just telling them to fix all of that stuff. So partnering with them means you actually both work together to get to a proper security solution that will help you achieve your appsec goal. And last but not least is always shift left. I really like the idea of shift left, we're

going to talk about it in more detail in a little bit, but the shift left approach means you do security early in the process of the development lifecycle. So think about, like, scanning earlier, doing maybe some sort of IDE checking. So do security early and you will catch things early, so it's fixed early, before it goes out of the door. All right, so we talked about these philosophies, now let's talk about some guiding principles. Again, this is not an exhaustive list, but it should help you establish a baseline. So the first thing is don't ever squash every single bug, try killing bug classes. I really like the idea of

finding a solution that contributes massively to killing a lot of bugs, as opposed to just trying to find solutions that will fix single bugs. So if you think about some proper guiding principles, keep that in mind, and once you start working on forming appsec programs you'll see a lot of things; I'm not talking about low-hanging fruits, I'm talking about really specific bug classes you're going to see frequently. And so for you to be able to get rid of that you have to think about a solution that will try to kill the whole bug class. So instead of just having a band-aid on things,

really think about creating some sort of solution, or maybe building a library, that will contribute to killing all those bug classes. I'd like to advocate for immutable infrastructure and declarative CI. Immutable infrastructure means you have an infrastructure where all the changes are tracked and basically you have the same understanding, or the same replicas, of infrastructure across the globe, and you have a lot of differences; this way you know that all these instances have the same exact copy of the operating system and the libraries that are installed there. And declarative CI means you're basically tracking everything in version control, or source code

version control, and you're tracking all the changes so you can actually do checks there. Focus on rolling out paved roads, and when I say paved road I mean, really, as I mentioned earlier, you want to be enablers for your developers, so really help them create tooling that will make their life easier. For example, if you're telling them all the time, hey, can you implement this authentication, or can you add authorization to your application, if you can just give them the tooling it will make their life much easier and will also ensure that they all use the same tool across all the applications. You want to make security frictionless, and this is very important because

when you ask your developer to fix a specific security problem or implement a solution, you don't want them to spend a lot of time doing it; that is going to increase their cognitive load. So you want to make sure that the tooling that you're giving to them is smooth and easy to implement and doesn't take a lot of their time. You want to create consistent guidance between the appsec team and developers, and when I say guidance it's basically what the developers need to do in case they want to, for example, let's say, take their app onto the internet, or they want to connect their app to an infrastructure that talks to third parties or vendors.

So you want to make sure that you're always giving them consistent guidance, especially if you have different people in the appsec team giving different guidance; you don't want that to happen. And you want to also catch all low-hanging fruits, and those are usually the things that get people or companies breached, unfortunately. There is no really specific reference to this, but think about it: if you have a bunch of RCEs, remote code executions, on production, or SQL injection issues, think about that: there are a lot of script kiddies that can just run scanners on your infrastructure and find those, and you don't want that to happen, right? So try to catch all these low-

hanging fruits as soon as possible. And last but not least is really define what SDL means to the DevOps team. The reason I mention that is because working with DevOps teams sometimes tends to be more of, like, you tell them basically what to do, as opposed to partnering with them. So I really like the idea of partnering with even your DevOps team and defining what exactly you are trying to accomplish, and be reasonable about your security asks. All right, so we talked about the philosophy and guiding principles, let's spend a little bit of time here talking about the fundamentals of forming an appsec program. So from my own experience, fully integrating appsec into the SDL is

the major challenge, and you might think about two approaches here. One is I can just use vendor tooling and have them do all the work, which does work for a lot of companies, right? But not all the time does your vendor tooling actually have a smooth integration; it may require a lot of changes, and may require your DevOps team to make a lot of changes. The other thing, also, is you want to create some sort of mature development culture, right? So you don't want your organization to have so many different toolings, so many different languages, so many different frameworks; it makes it so much harder to do appsec. And so you want to define some sort of

requirements of what would be the paved road solution for a web application framework, for example, what would be the paved road solution for an authorization system. But let's talk about those fundamentals right now. For you to be able to actually form a successful appsec program there are a couple of things you want to keep in mind. The first thing is you want to know all your assets. They always say that you can't fix what you don't know, right? So knowing all the assets in the company will allow you to quickly understand, if something goes wrong, where else is this thing going wrong; if somebody finds a bug on one instance, where else can that issue be found?

And so you have a catalog of all your assets in one place, and we're going to talk about that as well. You want to determine your assets' risks: you want to know which are the riskiest assets, so you can focus more on those things as opposed to the less risky assets. And you want to understand what is in your code, and when I say what's in your code it's really about understanding what exactly is being supported, what frameworks, what libraries are being used, which third-party libraries are being pulled, etc. You want to use the right tools. You don't want to spend your time thinking about using 1,000 open source tools, right?

It's just not scalable, it's not maintainable, so you want to think about what is the right tool for my organization, what is the right tool for this particular part of the infrastructure. You want to also create security guidance, and security guidance is super important because you end up having so many conversations with so many people about the same thing, and so having one security guidance that you can share with all those people will help you tremendously. I've seen this from previous experience, where you talk to this team and they're doing something, and you talk to the other team and they're doing something similar, but they're using different security tooling or libraries, and so you have to kind of make it consistent for them.

You want to train your developers. A lot of people have different opinions on this, but really you want to train your developers, though you don't expect them to be security experts. And last but not least is embrace security self-service. Scaling appsec is a major challenge, as we mentioned in the beginning, and so you want to put a lot of time into thinking about how you can actually create some sort of self-service tooling that will help your developers, and self-service can be either, like, a library that they can use on their own, or it could be guidance where you're actually telling them what to do, so they can self-serve

without going back and asking the security team. Imagine you have a company with 2,000, 3,000, 10,000 developers and you have 100 people in the security team; it's just not going to scale. All right, so now we talked about philosophies, guidelines, and we touched base on the major fundamentals of forming appsec. Let's now talk about these steps, and again I want to emphasize that this is not the only way that you can do appsec; this is just a reference from my own experience, and of course a lot of people can do things differently, but this has shown a lot of success in major tech companies doing security or doing appsec.

So the first thing you want to do, as I mentioned, is you actually need to build an asset inventory. You want to know all the assets that exist in your organization; if you don't have an asset inventory it's a big problem. I really like this quote from Jeremiah Grossman, who's the founder of WhiteHat Security: these days the biggest appsec risks are websites that you don't know you own. It's actually 100% true. Imagine you are required to patch a problem, like for example a Struts vulnerability, and you want to know what applications are using this Struts version. If you don't have an asset inventory you have to go and reach out to all the

developers, and you might or might not get 100% coverage, but if you have 100% coverage in the asset inventory then you can just simply query, and the query will return all the assets, the applications, that are actually using this vulnerable Struts version, for example. And the nice thing about building an asset inventory is that you can use ETLs, and if you're not familiar with ETLs, it's extract, transform, load; it's basically a form of data loading and transformation. So basically if you have, like, DNS data and you want to put this data into the inventory, you create some sort of ETL that takes this data from your

DNS provider, maybe Route 53, and puts it into your asset inventory. Now if you have a DNS problem, or if you want to query what this app is being used for, then you can query this DNS information and get the data back. And you can also create some sort of graph database so you can build relationships between all these components. You want to identify risky assets, and this is very important because you want to focus on those, and you want to focus on creating solutions and paved roads and controls over all these risky assets. And so you can determine that based on the risk factors, for example: is this internet facing, does it actually talk to payment, does it

process payment? So those usually tend to be risky assets, because, as you probably know, like working for example at banks, banking is a regulated industry where they focus so much on payments infrastructure, and so those are always going to be risky assets, as opposed to just an application that shows news. You can look at something called the FAIR model, which is a pretty good framework; FAIR stands for Factor Analysis of Information Risk, and it really provides a model for you to understand and analyze and quantify cyber risk and operational risk in financial terms. So you can say if this app ever had a remote code execution it would cost the company, for example,
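The asset inventory and risk-factor ranking described above, as an added Python example that is not part of the talk or the speaker's own tooling. It runs a small extract/transform/load step over two constructed sources (a Route 53-style DNS export and per-app deployment metadata), loads them into one inventory, answers the "which apps run a vulnerable Struts version" query, and ranks assets by the risk factors mentioned (internet facing, handles payment). Every host name, IP, library version, the "fixed in 2.5.13" threshold and the risk weights are assumptions made for this example, not data from any real advisory or organization.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed source 1: a Route 53-style DNS export (not real records).
DNS_RECORDS = [
    {"name": "shop.example.com.", "type": "A", "value": "203.0.113.10"},
    {"name": "www.example.com.", "type": "CNAME", "value": "shop.example.com."},
    {"name": "pay.example.com.", "type": "A", "value": "203.0.113.11"},
    {"name": "news.example.com.", "type": "A", "value": "203.0.113.12"},
    {"name": "wiki.internal.example.com.", "type": "A", "value": "10.0.5.7"},
]

# Constructed source 2: per-app deployment metadata (what each app runs and does).
DEPLOYMENTS = [
    {"app": "shop", "host": "shop.example.com", "libs": {"struts": "2.5.12"}, "handles_payment": False},
    {"app": "pay", "host": "pay.example.com", "libs": {"struts": "2.5.31"}, "handles_payment": True},
    {"app": "news", "host": "news.example.com", "libs": {"spring": "5.3.8"}, "handles_payment": False},
    {"app": "wiki", "host": "wiki.internal.example.com", "libs": {"struts": "2.5.12"}, "handles_payment": False},
]

# RFC 1918 ranges: anything resolving here is treated as internal-only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed weights for the risk factors the talk lists (assumption, tune per org).
RISK_WEIGHTS = {"internet_facing": 3, "handles_payment": 5, "vulnerable_lib": 2}


@dataclass
class Asset:
    app: str
    host: str
    libs: dict
    handles_payment: bool
    internet_facing: bool = False
    aliases: list = field(default_factory=list)  # DNS names pointing at this host (the "graph" edges)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def etl(dns_records, deployments):
    """Extract both sources, transform (normalise names, derive exposure from DNS),
    load into one inventory keyed by app name."""
    a_records = {r["name"].rstrip("."): r["value"] for r in dns_records if r["type"] == "A"}
    cnames = {r["name"].rstrip("."): r["value"].rstrip(".") for r in dns_records if r["type"] == "CNAME"}
    inventory = {}
    for d in deployments:
        asset = Asset(d["app"], d["host"], dict(d["libs"]), d["handles_payment"])
        ip = a_records.get(asset.host)
        asset.internet_facing = ip is not None and not is_internal(ip)
        asset.aliases = sorted(alias for alias, target in cnames.items() if target == asset.host)
        inventory[asset.app] = asset
    return inventory


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def apps_using_vulnerable(inventory, lib, fixed_in):
    """Which apps run `lib` at a version older than `fixed_in`? (the Struts query from the talk)"""
    return sorted(a.app for a in inventory.values()
                  if lib in a.libs and version_tuple(a.libs[lib]) < version_tuple(fixed_in))


def risk_ranking(inventory, vulnerable_apps=()):
    """Score each asset from its risk factors; highest risk first, ties broken by name."""
    scores = {}
    for a in inventory.values():
        score = 0
        score += RISK_WEIGHTS["internet_facing"] if a.internet_facing else 0
        score += RISK_WEIGHTS["handles_payment"] if a.handles_payment else 0
        score += RISK_WEIGHTS["vulnerable_lib"] if a.app in vulnerable_apps else 0
        scores[a.app] = score
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    inv = etl(DNS_RECORDS, DEPLOYMENTS)
    vuln = apps_using_vulnerable(inv, "struts", "2.5.13")  # "2.5.13" is a made-up fixed version
    print("apps on a vulnerable struts:", vuln)
    for app, score in risk_ranking(inv, vuln):
        a = inv[app]
        print(f"{app:5} risk={score} internet_facing={a.internet_facing} aliases={a.aliases}")
```

In a real inventory the two sources would be pulled by scheduled jobs from the DNS provider and the deployment system, and the alias edges would go into a graph store so a "what else points at this host" question is one traversal; the ranking is what lets the appsec team decide where paved roads and controls go first.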

a million dollars, something like this. Shift left approach: we talked briefly about shift left, and you want to get all that stuff earlier in the development lifecycle, so think about having some sort of checks on the source code and on the developer's workstation. You can develop things like source code analysis and tests; Semgrep is a pretty neat tool that you can use to create some sort of checking on the code itself. You can use IDE plugins, so you can for example recommend to developers to use a specific library, and you can also use CLI scanners as part of the compilation process, especially if you're using C/C++; it's super important for you to catch those low-hanging, like, buffer overflow issues.

All right, next step: now you have dealt with the workstations and tried to basically integrate the shift left approach into security for the developers, now you have to kind of look at the infrastructure side of things. So if you're not familiar with CI/CD, it's continuous integration, continuous delivery infrastructure; it's basically a term that we refer to when we build an infrastructure that allows developers to push code to production without having to worry too much about the details of building and deploying. Things tend to get really hairy when we talk about CI/CD infrastructure because there are just a bunch of secrets lying around, usually, in those systems, and the

reason for that is because all these different components have to talk to each other, so they should form some sort of identity that requires maybe API tokens or some sort of secrets that need to talk. And I can't emphasize enough that this secrets thing should really just die and go away, and instead companies should form some sort of PKI system that uses mutual TLS. You want to make sure that there's least privilege. If you're running Jenkins, for example, you don't want all the developers to have access to the same Jenkins instances; this is pretty bad, even using Jenkins is pretty bad, but in general if you're using a CI system that

all developers have access to, that's a big problem. So you want to identify bot-based service accounts, and those bot-based service accounts are basically the accounts that get created for the machinery to talk to another service. So you identify those, and usually those have some sort of secrets, and you make sure that they get rotated. You want to make sure that there is secure pipeline configuration and monitoring and auditing, integrity of the build pipeline: you can do some sort of cryptographic checking to make sure that the integrity is not flawed. And last but not least is module signing, which basically means when you push a new artifact you want to make sure that this module

is signed, so you know it's actually coming from the right developers. Container security is very important, and the reason I mention container security is because a lot of modern organizations use containers and orchestration like Kubernetes, and those specific types of software require a lot of understanding of what could go wrong there. And so the things, for example, you have to look at from the appsec perspective are really: avoid, for example, privileged containers, because privileged containers allow you to escape from the actual container to the host, and if an attacker gets access there then they can compromise the host itself. You want to remove all the dangerous Linux capabilities. It's very important to

understand that when the container gets created it inherits some Linux capabilities, so you want to make sure that you don't have that. And you want to form some sort of container network traffic monitoring: if one container gets compromised you want to know what sort of suspicious traffic could originate from that container, so that you can detect it earlier. You want to actually secure the host itself, because the host is the infrastructure, the server that hosts all these containers, and so compromising that host means the attacker will compromise the whole internal infrastructure. And you want to scan for malicious containers; we've seen in the past people pushing stuff onto Docker Hub
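One way to turn the container guardrails above (no privileged containers, drop inherited Linux capabilities, don't share host namespaces) into an automated check, as an added Python example that is not from the talk or any Kubernetes project: it audits pod manifests, represented here as Python dicts shaped like parsed Kubernetes YAML, and returns findings for a constructed weak pod alongside a constructed hardened one. The pod names, image names, the set of capabilities treated as dangerous and the finding wording are assumptions made for this example.

```python
# Capabilities this check treats as dangerous in an ordinary workload (assumption; extend per org).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW", "DAC_READ_SEARCH"}

# Constructed manifest with the mistakes the talk warns about.
WEAK_POD = {
    "metadata": {"name": "build-agent"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "agent",
            "image": "example/agent:1.0",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]},
            },
        }],
    },
}

# Constructed manifest for the same workload with the guardrails applied.
HARDENED_POD = {
    "metadata": {"name": "build-agent"},
    "spec": {
        "containers": [{
            "name": "agent",
            "image": "example/agent:1.0",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod):
    """Return a list of human-readable findings for one pod manifest (empty means it passes)."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # Sharing a host namespace lets a container see or reach host processes/network directly.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: pod shares the host namespace ({flag}: true)")

    for container in spec.get("containers", []):
        cname = f"{name}/{container.get('name', '<unnamed>')}"
        sc = container.get("securityContext", {})

        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container (can escape to the host)")
        # Kubernetes defaults allowPrivilegeEscalation to true unless it is set explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")

        caps = sc.get("capabilities", {})
        added = set(caps.get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(f"{cname}: adds dangerous capabilities {sorted(added)}")
        # A container inherits a default capability set; dropping ALL removes it.
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: does not drop inherited capabilities (expected drop: [ALL])")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        result = audit_pod(pod)
        print(pod["metadata"]["name"], "->", result or "no findings")
```

Run as an admission check or a CI step over rendered manifests, this is the "scanner that detects the absence of the control" pattern: the hardened spec passes with no findings, and any pod that drifts from it gets a specific message rather than a generic failure.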

that contains malicious code. You want to develop tools that help the appsec team, so for example credentials are a very important thing to think about, so develop some tooling that will help developers know how to manage credentials, and not just only how, but, like, some sort of enforcement mechanism where you can tell developers this is the library you're going to use to store secrets, and then you're going to create scanners that will detect the absence of this control.
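The two points above about secrets, that CI/CD systems tend to have secrets lying around in them, and that once you give developers a sanctioned way to store secrets you should scan for the absence of that control, combined in one added Python example that is not from the talk. It scans constructed pipeline-config text for secret-looking keys assigned literal values, and separately reports whether the config uses the sanctioned secret-store mechanism at all. The config snippets, the token value, the key-name pattern and the markers treated as "uses the secret store" (`${{ secrets.NAME }}` references and a hypothetical `vault-client` command) are all assumptions made for this example.

```python
import re

# Constructed pipeline config with a literal token and password inline (the token is not real).
PIPELINE_CONFIG = """\
env:
  DEPLOY_TOKEN: "EXAMPLE-TOKEN-not-real-0123456789abcdef"
  DB_PASSWORD: hunter2
steps:
  - run: curl -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.internal.example/api
"""

# Constructed hardened config: values come from the secret store at run time, never from the file.
HARDENED_CONFIG = """\
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
steps:
  - run: vault-client read deploy/token
  - run: curl -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.internal.example/api
"""

# "key: value" lines whose key name suggests a credential (assumption: tune the word list per org).
SECRET_KEY = re.compile(r"^\s*([A-Z0-9_]*(?:TOKEN|PASSWORD|PASSWD|SECRET|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)\s*:\s*(.+)$")
# A value that is a reference to the secret store or an environment variable, not a literal.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}|\$\w+")
# Markers meaning "the sanctioned secret-store control is in use" (assumption for this example).
SECRET_STORE_MARKERS = ("${{ secrets.", "vault-client")


def scan_config(text):
    """Return (line number, key, message) for every credential-like key assigned a literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        if SECRET_REF.fullmatch(value):
            continue  # pulled from the secret store or environment at run time: fine
        findings.append((lineno, key, "literal secret value in pipeline config; move it to the secret store"))
    return findings


def missing_secret_store(text):
    """True when the config never references the sanctioned secret store (absence of the control)."""
    return not any(marker in text for marker in SECRET_STORE_MARKERS)


if __name__ == "__main__":
    for label, cfg in (("weak", PIPELINE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "findings:", scan_config(cfg))
        print(label, "secret store missing:", missing_secret_store(cfg))
```

The two checks fail differently on purpose: the first catches a secret that is already exposed in the repository, the second catches a pipeline that has not adopted the paved-road library or store yet, which is the signal the appsec team needs to go and offer the tooling.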

People tend to create a lot of tooling for appsec to scan the infrastructure, but they forget to secure their own infrastructure. So one of the key important things when you build an appsec infrastructure is really to make sure it's secure, make sure that you're doing all the hygiene of killing the tech debt, and make sure that all your configurations are secure. The last thing you want to end up with is having some attackers compromising your appsec infrastructure, so it's just a very important thing to keep in mind. You want to really leverage modern DevOps environments; this is not exhaustive, it's just examples of things you can use.

For example, automated pull requests: if you want to fix something, if you want to ask your developer to fix something, you could just send them a pull request to fix it, and that will make their life much, much easier. This is probably easier said than done, but just something to think about. You want to really emphasize and encourage developers to use infrastructure as code, and infrastructure as code refers to things like Terraform; HashiCorp Terraform is an example of these, where you can use it to deploy and make configuration changes, and it helps you because you can have all the stuff in one file, and so you can write security checks to go over specific things that might

cause a security problem. So you can easily do that, and you can ensure that everything is tracked in the source code repository. One of the main things you want to do as part of forming appsec is develop a vulnerability management program. The vulnerability management program is one of the key things, and sometimes this forms under appsec, some other companies form it under different teams, but the way modern orgs do it, they have vulnerability management under appsec. So think about all the stuff we mentioned: create an asset inventory, create some sort of repository of all the things that you want to know about, especially when it comes to OSS

stuff; it's very important for you to keep track of that, because imagine all these dependencies of libraries that get pulled when you build an application, and imagine one of them is just malicious. I gave a talk at Black Hat about that, so check out the talk on YouTube; it's about OSS, a practical approach to finding security issues at scale. Now the last thing is really try to measure and evaluate and prioritize your vulnerabilities. It's impossible to fix all the vulnerabilities, so you have to think about what are the most pressing issues that you need to get your developers to fix, and usually those affect the high-risk apps, and that's why you want to form

some sort of identification of what these risky assets in your organization would look like. I briefly mentioned this: check out my talk about dependency analysis and third-party libraries. This is a very important subject, you can't just ignore that, especially with modern agile development where you have thousands of developers building thousands and millions of different libraries that they pull into their applications; you need to have full visibility over that. Static and dynamic analysis: some companies prefer to use third-party tooling because this is a really hard problem to solve, and of course it's a hard problem to solve because there are a lot of false positives, basically. So SAST and DAST are the most common things people use to

find and identify anti-patterns or vulnerabilities in code. Static analysis looks at the actual code; dynamic analysis is doing some sort of behavior tracking, maybe at runtime when your application is running, and so it detects things as the application is running. There's a bunch of vendor tools; I can't recommend any vendor tools here because this is not an advertising talk, but check out some open source stuff as well. I really like Semgrep for, like, SAST stuff, because you can quickly write your own checks without having to think too much about how to do that. You want to have a bug bounty program. This started back in 2009 and 2010, and many big companies after

that started embracing this idea of bug bounty. If you're not familiar with bug bounty, it's basically: you're exchanging bugs for money with security researchers, and it encourages responsible disclosure. So if a researcher finds a bug in your organization they can report it to you, they're not allowed to talk about it, and then in exchange you actually give them a bounty reward. And it really saves you a lot of money, because you don't have to do a lot of pen testing, and also breaches are more expensive: if a company gets breached it's very, very expensive, so the total amount of money you're paying for researchers is not

comparable to how much you're going to pay for breaches and pen tests. Most companies actually have a bug bounty program; the most common platforms for bug bounty are HackerOne and Bugcrowd, and they actually do the first level of triaging. You want to create those toolings that you have so you can help your developers pave the road, and think about tooling that is commonly used across all the organization or infrastructure: like, you want to have an edge proxy, right? You can inject everything into that edge proxy from a tooling perspective: scanning, web application firewalls. You want to have really a paved road tool for authentication and authorization, because the last thing you want to do

is have too many authentication systems lying around, and maybe some of them are not secure enough. You want to create a security self-service, and as I said, scaling an appsec program is a major challenge, and so the thing that will allow you to scale appsec is really creating self-service that developers themselves can go and use to do the actual thing that you want them to do without having to refer back to you, and that can be in the form of guidance or tooling or some sort of a dashboard. Also, the nice thing about self-service is it actually identifies outliers in your infrastructure: when you actually provide this self-service, and developers reach out to you, that means

that specific guidance or service didn't meet their expectation, and so that means they are doing something unexpected, or they are derailing from the actual paved road. So now you can identify all these things in your infrastructure and adapt accordingly. You want to create an on-call schedule, and you know, somebody reports an issue on the Bugcrowd bug bounty or HackerOne in the middle of the night, you need someone to get into it, right? So you want to form some sort of distribution on the appsec team where the rotation can vary, right? Like, maybe you have five, or two or three members of the team, and every week you have one member

to do on call rotation and so that person is on call 24 hours seven days a week uh that doesn't mean they have to work seven days a week but they just have to keep their phone with them so in case something happened they can get paged um you want to actually create a champion program and i'll go super fast because we only have 10 minutes left um really security champion allows you to scale security as well those champions basically act as a voice of security and think about them as people who are interested in security but work with your developer work as a software engineer so you can nominate those and teach them security and of course

those people be the actual engineers who are interested in learning more about security um you know you want to connect with others doing security um this is you know by you know having you now joining this uh talk is basically sort of you accomplish that you connect with other people doing security um you want to build a strong relationship with developers i think we briefly mentioned that about partnership and so working um working with infosec is kind of inherently social activity so you know it it really like you wanna you wanna have a good relationship with developers and so you can get your asks delivered and also you can have a good healthy understanding from both sides on

when you discuss security problems uh least privilege eddie like this tool replicate developed by netflix the reason i like this tool is because it takes away permissions over time so um you run it and over time it keeps checking does this developer need this permission and it checks the logs and if not then it takes it away of course developers can return regain those permissions but you can achieve these privileges over time by default uh there are these are some existing frameworks for uh or maturity models for not necessarily absent but like very close to apsec that you can check out um now the question is like what type of people you want to hire for aptik

Of course, people who can write and read code. This is very important, because those AppSec members are going to spend a lot of time with developers discussing security issues and discussing code problems, so you want to hire people who can actually write and read code. And remember, hiring teams don't really scale, but as I said, automation and self-service do, so focus on those two key things. And of course hire people who can embrace the attacker's mindset, because you want those people to understand how specific attacks happen, so they can better understand how to develop more scanning or solutions for these problems. You want to train them, teach them how to

be effective at writing bug reports and documentation, otherwise your findings will be hard to sell; so you want to teach them how to do that. Check out these trainings, very useful trainings: SANS, Offensive Security and Black Hat. There's a workshop tomorrow, so make sure you attend that as well. Those are pretty good trainings if you really want to send your AppSec team and get them to up-level their security knowledge. You can have them attend conferences; the fact that you're here, that's one conference, but also check out those other conferences. A lot of these conferences are in the US, but remember, all these

conferences these days are streamed live, or the recordings are on YouTube. So what structure works well for modern AppSec? I would say there is no one answer. I really like this structure because it sort of forms into three separate categories: you want to have the operational stuff, and that's maybe taken care of by on-call; then you have the security partnership, and those are the people who are driving the holistic security improvements to drive down risk; and then you have the automation team, or AppSec engineering, and those are the people who are doing scanning and self-service and creating inventories and stuff like that. I really recommend you read "Scaling AppSec at Netflix" by

Astha Singhal. It's a pretty good blog post that talks in detail about these things. I'm going to go quickly into metrics, because we only have five minutes left. So you did all that stuff; now you want to know how well you are doing in terms of metrics, right? There are three primary kinds of metrics: technical, operational and executive. Before we even understand what metrics we are going to work with in our process, we need to understand the basic flow of working with the metrics. As you can see here, we must first discover and define what our metrics will be, and then the second phase would be

acquisition of data. A metric is only as good as the quality of your data. And finally there is the evaluation and understanding of the data. Some technical metrics you can look at are the number of bugs found over time, the severity and type of bugs you found, discovery methods, and time to remediate. Again, this presentation will be shared with the group, so if you haven't caught any of these quickly, just remember you're going to get a copy of the slides. You're going to collect those metrics using tools and calling APIs that will help you automate the collection of those metrics, so you can put them all in one dashboard.

The second one is the operational metrics. Those basically help the security org see patterns and weaknesses in the application security program, and they will also help you understand the risks and trends. Some operational metrics you can collect: visibility, for example how complete is your testing coverage; risks, which system has the highest number of vulnerabilities; and remediation and improvements. Executive metrics: how the application security program improved the security risk posture overall. Those will be important for your executive or leadership team, because they don't necessarily care about specific vulnerabilities and the details of your AppSec technical scanners; they just need to know those sorts of metrics. And remember that you actually need

to present problems and offer solutions; problems without solutions are problems nobody wants to deal with. I can't end this talk without talking about open source. Try to open source things; if you work on open source stuff, it helps the community and it helps you on your resume. Really check out this "Scaling AppSec at Netflix" post by Astha; it's a pretty good blog post. And last but not least is tl;dr sec, a weekly newsletter by Clint, my friend, that talks about AppSec stuff. You can check out this URL and sign up. Key takeaways: take the journey as a marathon, not a sprint;

try to automate everything; focus on security by design and killing bug classes; self-service and champion programs help you scale tremendously. And I think we have three minutes for questions. I'm not sure if we have any questions in the chat.

Thank you so much for the talk, it was really nice actually. I can't see many questions in the chat, but

how does it really work, all the talk about shift left and the security stuff? Because when we attend all the sessions, Netflix and big firms are always mentioned as an example of how security is very, very well centered in everything in the organization and application development. From experience, do you think that all that has been mentioned actually works in real life, or is it only theoretical? What do you think about that? Because we always use this example, even us, we use Netflix as an example, but does it really work?

Yeah, that's a good question. So

all the things I mentioned are actually not theoretical; they are actually 100% practical. If you think about companies like big firms, not necessarily Netflix but really big tech companies, keeping up with the developers and the code and the infrastructure is a major challenge, right? That's not a secret thing, it's a known thing. But everything I mentioned really boils down to how much of that stuff is going to help you reduce the risk overall. If you have a company where you want to implement a security or AppSec program, or even just have some security practitioners, those are the first steps for you to build a successful program. And

are those the only things? Of course not. We at Netflix do a lot of other things, right? This is just part of the infrastructure, or part of the puzzle. But if you think about it from an overall perspective, your end goal is really to reduce the risk, and it varies from company to company. Those things might not work for a regulated industry like banks, but they could work very well for startups, or for companies that really embrace the idea of having both security and developers partnering together to improve security overall. So I don't know if that answers your question.

Yes, it does. It works, yeah.

Absolutely, one hundred percent. Thank you. I have a question about that. Traditionally, in traditional AppSec programs, penetration testing used to be a gate, an essential stage before releasing the application to the next step, going live with the application. Now, how do you see penetration testing in modern AppSec? Is it still going to be a required step, or is it just a step for testing? Some say that traditional pentesting will die in the future and should not be there. What's your take on that?

Yeah, I think this is actually a great question. If you think about modern AppSec,

or modern infrastructures in general, there has been a lot of shift towards modern frameworks that have security by default, right? A lot of companies, for example, use Django, or they use the Spring framework, and usually those frameworks come with a lot of security built in, so it's unlikely that something could go wrong. So that's the first thing: there has been a lot of shift towards those frameworks. The second thing is there are a lot of companies doing bug bounty today, right? Although this happens after the application gets out of the gate, or out of the door,

you still have researchers finding those things in exchange for a reward. And if you think about pen testing, pen testing is not cheap, right? If you have to do pen tests for each individual app, it's probably going to cost you a lot of money, versus having a bug bounty program where you probably end up paying way less money over time, and they actually provide you with good quality reports. So the way I think about it is, if you're really doing shift left and using modern frameworks, I would say pentests can come only for the really high-risk assets, the assets where you can't jeopardize security, because if something happens

the impact of the risk is very high. So again, there's no right or wrong answer, but from my perspective pentesting is still a requirement; it all depends on your organization. If you're just doing agile development with no frameworks in mind, you're doing everything internally, you don't have any sort of shift-left approaches, and maybe you don't have a security team, then yeah, I would say a pen test is probably a requirement for you. But if you have a good security team, you're shifting left, you have a lot of scanners that detect the low-hanging fruit, and you have a good bug bounty program,

you just need pen tests for the high-risk assets.

Thank you, Aladdin. And I have a question from an attendee: what are the most recommended frameworks and standards to secure APIs?

Securing APIs, yes. So there are a lot of references on OWASP for securing APIs; you can check out the OWASP API Security recommendations. It all depends on how you're going to structure the API, whether it's a REST API, gRPC or something else, but typically the things that are really important for any API are: make sure that it's using TLS/HTTPS, make sure that it has some sort of authentication and also authorization, and if this API

requires that another service has to talk to this service, then make sure that you're creating some sort of mutual TLS connection. Of course there are a bunch of other things you can do, like the OWASP Top 10, to make sure that there's no XSS, there are no CSRF issues, there are no SSRF issues. So there are a lot of things that can be done on the API side, but those are the most common ones that we implement.

Yeah, maybe API management tools or platforms can also help you manage all the APIs in one platform and do some level of security there, so everything is just managed.

Yes, API management. I have another question:

I noticed there is a gap between developers and security engineers. Usually security engineers don't know development and developers don't know security, so this actually creates lots of problems in securing your application, making sure that, you know, in shifting left this is crucial actually. So how can we deal with that? Maybe there are cultural issues sometimes in the organization, like "it's not your business to get into my code" or "security is my business". I don't know, it's complicated.

Yeah, I totally agree with you actually. I think this is a very important thing to highlight. When I mentioned

the shift-left approach, you want to train your developers, right? You don't want them to be security experts, but you want to train them enough that they understand security. But all that stuff cannot be encompassed without having a partnership approach. The partnership approach is the key, right? Because, as you said, there is a disconnect between developers and the security engineers, because they don't necessarily have this partnership approach. If you have a partnership approach and you build a good relationship with your developers, then it comes naturally that your developers will listen to you, and they will actually not just listen to you but help you

improve security; they might have other ideas that will improve overall security for the company. So it's very important that both should work together, they should talk more, and they both should understand: developers should understand security, but you don't want them to be security experts. And of course give them the right tooling, enable them to have the right tooling to build security.

Yeah, perfect. Yes, we are wrapping up, but we have two questions. The first one from Nadim: how would one go about remediating an incomplete asset inventory and keeping gaps to a minimum in that regard? And the second question: do we need to have output encoding when using APIs to prevent

cross-site scripting, noting that APIs are used in web, mobile and TV apps?

Yes. So the first question is about the assets. This is a major challenge, and I think I briefly mentioned in the slides that you want to prioritize the things that you want to fix, right? You have an asset inventory, a bunch of bugs, a bunch of security issues; how would you go about that? I actually shared a lot of details in my Black Hat talk, but if you want just the TL;DR: try to create some sort of triaging mechanism. This triaging mechanism takes into consideration things like: what are the riskiest assets, what

are the riskiest issues affecting my app, meaning what is the CVSS score for those things, and is the application that is being impacted, is the security issue, actually one that can be compromised from outside, can it be affected by actual attackers from outside? So you have to create some sort of prioritization strategy that will help you remediate those. Again, you'll never be able to remediate everything; you just need to prioritize. So that's the first question. The second question is the output encoding. Yes, you need to do that, because actually in WebViews in iOS and Android you can still have XSS issues. I gave a presentation back in

2011 about having XSS in Android and iOS using WebViews. So yes, you still need to do output encoding, and also appropriately do sanitization on the input so you don't have to worry about this. But yes, output encoding is important for TV UIs and the mobile WebView stuff.

Okay, great. Awesome. Thank you so much, Aladdin; this was really a very insightful talk from you, and really coherent about that security, and we had a really interesting audience with us. We had pleasure having you with us; hope we will see you in Amman soon.

Yeah, thank you for having me, appreciate it.

Yes, we are so happy. Thank you so much. So guys, the next session with Mazin will start in five minutes. Let's just have a small break; we will remain online if you want to stay, we are still here, and Mazin will join us in a bit. We'll

talk about Terraform. Hi Mazin. Yes, so let's just give everyone a five-minute break. Yes, a few minutes, and also

okay

Okay, so we're back. Good evening everyone. Also, for everyone who wants to join, Mazin, we will make you a presenter now. All right.

We are very glad that you are with us today in this talk. You can start first, if you like, by introducing yourself, and also speaking in English or in Arabic as you like, but we have English-only speakers in the audience, I can see on the attendee list, so please, you can start. We are really happy to have you with us, and I'm sure you will cover a very interesting topic, a very hot topic about Terraform, and not only Terraform but attacking it, so it will be really interesting. It's also emerging in Jordan, so it would be very fruitful and thoughtful for you to

talk to us about it. Thank you so much, and please feel free to start.

Thank you very much. I'm really glad to be here. By the way, do you think we should have the session in English instead of Arabic? I thought to have it in Arabic.

As you like. I'm looking at the list, more than 50. No, we have English speakers, there are many.

Okay, it's fine; I think we can have it in English then.

Yes, yes. For all attendees, if anything is not clear, please let us know, and you can ask questions in the questions

tab or the chat; we will see it and we'll be following it for sure. Just one second.

So yeah, attacking Terraform environments. Thank you everyone for tuning in to today's talk. Today I have a really interesting topic to talk about: attacking Terraform, how we can approach a company that is using Terraform and how we can exploit Terraform instances in our favor. It will be a technical topic; I will cover everything related to Terraform, how we can exploit it and how we can use it in compromising the infrastructure of a company, with real-world examples and scenarios. I'm excited, so let's start. Before we start, a bit about me: I'm Mazin Ahmed. I'm an application security and offensive security engineer. I also founded FullHunt.io, the

next-generation continuous security platform for asset discovery and the attack surface, and I am also an occasional bug bounty hunter; I was acknowledged before by Facebook, Twitter, LinkedIn, Zoom and many more. I'm in love with cloud security, security automation, SecOps, but anything that is related to cloud is what I am really passionate about. So the agenda for today: first we start with the background of what Terraform is and how it works, just to get things started; then why we care about learning how to attack Terraform; then the attack vectors and scenarios that we're going to have today; then the recommendations of the talk; and then we wrap up with questions.

So what's infrastructure as code? Let's go back to the old days, when the cloud was relatively a new thing. Let's take AWS as an example; throughout this talk I will be talking about AWS as the main cloud provider, but this applies to every cloud provider. Back in the day, people would go to AWS and deploy, I don't know, a database instance or an EC2 instance or an S3 bucket or anything like that, and they would do this through the console: they would log in and then just follow the amazing dashboard that

AWS has, and then they would have their instance up and running. That's good. The problem is, as the company scales, this becomes tedious to manage, to secure, to review from different perspectives. If you have two or three assets, or five or 20, that wouldn't be a problem, but if you have a hundred or a thousand assets and you would like to review all of their configuration, audit their policies, continuously check them, and whenever something new is being deployed, you definitely want to have this checked. Well, if you are signing off paperwork, for example, like in the really old days where people were

doing this, you would like to have it in a more modernized way. So how this is being done today is using infrastructure as code. Let's take the same exact scenario of deploying to AWS: me, Mazin, I would like to deploy an EC2 instance. I would be writing Terraform code, or IaC code, that would say, hey, I would like to deploy this EC2 instance with this configuration, with this network security group, all of the things that they have, and then it would pass through review from the people who are responsible for that, the infrastructure team, the security team, etc., and then it would get a peer review,

and after that it would be able to be merged. Being able to write this in code gives you so many features. In the beginning it's definitely hard to establish, like the beginning of the program, let's say, for modernizing your cloud program, but as you go along with this it becomes really beneficial, because when you are writing your infrastructure resources as code, you can have this code archived and documented using something like git, for example, and then when you deploy it, or you push it into GitHub, for example, you have it in a PR and then you have people you can invite

to leave thoughts and comments and a typical code review. Then you would be able to get much more feedback, and of course better security, better infrastructure configuration. And not only that: if you can have it within the same git workflow, then you would be able to implement CI, so that it can do different security checks, different configuration checks, before even having someone actually review it. So CI is amazing, and having this with infrastructure as code is also amazing. So there is no real reason that I can say do not go with infrastructure as code; it's really cool, you should be doing this because of so many features that it brings. Of course, this is not a marketing

talk; I'm not going to talk about Terraform and how cool it will make your infrastructure. I'm just saying that infrastructure as code is really important today. So what's Terraform? Terraform is an open source infrastructure as code software tool that was developed by HashiCorp. It uses this language called HCL for writing configuration code, and then the deployment happens through Terraform, where you would be writing the entire configuration and then you would push it to Terraform, and Terraform would analyze the code and then execute it and apply it for you. And why am I talking about Terraform instead of all of the other IaC providers or orchestrators? Because Terraform today is the most

popular one on this planet. There is AWS CloudFormation, there is, I think, Pulumi, and many others, but Terraform is at the top of this list, and recently they have reached 100 million downloads, so you can imagine how big Terraform is in the cloud market today. The cool thing about Terraform, and the idea of using Terraform, is that it's cloud agnostic. It's not like AWS CloudFormation, where you are writing configurations specifically made for AWS; you can write Terraform code to deploy different resources in AWS, and the same code can deploy to Azure or GCP or any provider that you have in mind. While

this sounds amazing enough, imagine that Terraform is supporting more than a thousand providers, so you can write different IaC code to manage your entire infrastructure for almost every single provider that you would be using. I have seen instances where people are writing Terraform code to manage their GitHub repositories. It's going crazy.

So how does Terraform work? You have the practitioner, or the user, who would like to deploy something; they would be writing the code, and then this code will be pushed to something in Terraform called terraform plan. Terraform plan would analyze the code and tell you, hey, you have these changes that are happening: these things are being added and these things are being destroyed, FYI, would you like to continue? If you would like to continue, you use terraform apply, and then you have the same thing running again with an actual action of deploying the

resources, and boom, you have your resources up and running. While this sounds good, if you are trying to model this from a security perspective, you would see that the thing that you need to focus on is what is in this red circle here: the code that you write and that would be pushed to an instance of Terraform that is responsible for planning and applying the change. And this change, let's say Terraform would like to deploy something in AWS; this means that this instance has administrator access to this account or this provider. This means that if this server

has been compromised, or something bad happens to it, then you will be able to compromise the other account through this instance. So if this is controlling GCP, Azure, I don't know, Cloudflare for DNS, or whatever resource or provider that you're using it with, then probably if you compromise this you would be able to access the remaining ones. Amazing. So yeah, with great power comes great responsibility; this is the exact thing that you can say with Terraform. The Terraform controller has access to everything. How it works: when you are deploying things in Terraform, Terraform documents every single thing that you are deploying within your resources, and then it stores them into something

called the state file, and this state file would have configuration notes about everything. Then when you are deploying again, it will check the state file to see the delta and see what's been changed; if something has been changed here, then it will tell you about it, and then it will be added to the state file. It also stores the outputs for different things from the API calls, so you would find stuff here if you get the chance to access it. Like I said, what I'm saying is, if you have get-object access, for example an IAM policy rule, IAM access to the S3 bucket that is used for

storing the state files, this would maybe grant you access to access keys, database passwords, everything that could be interesting could be found there. So yeah, even after getting this, the IAM user that you would probably get would have an administrator access policy, because Terraform would ideally want this to deploy things to AWS. So if you get the key that is being used by Terraform, boom, you're in as an admin. Let me get some water here.

Yep. So this is the first thing to think about when you're attacking a company that has Terraform for their infrastructure as code: look for this S3 bucket that would have the state files that are being used within Terraform. When you find this, and you have access to that, this is game over. But state files are not only there; let's talk about state on Terraform Enterprise. So we have a typical environment where people are using the Terraform binary to do deployments, and then you have the other way of using Terraform Enterprise, where you have an enterprise level of doing deployments, and it's similar to Terraform Cloud, if anyone has used it, but this

one would allow you to host the entire thing within your infrastructure. You would deploy an instance, you would specify how you'd like to store your state files, and then you would grant it the different accesses that it would need to do the changes, and then boom. Okay, so here we talked about having it on S3, but with Terraform Enterprise you have other options: you can store it in a PostgreSQL, you can use an RDS and a mounted disk, or you can even have it in the same instance, and different ways. So if you get access to anything that is hosting these state files, this is totally good for you; you've reached

a great level; you probably are capable of compromising the entire infrastructure now. But if you did not reach that one on its own, and you were able to compromise the Terraform instance, then you compromise the infrastructure, because it has access to everything that is needed.

another thing that they have is every theme tip if you ever seen a control like if you ever compromise a tfe instance this is the best place for attack persistence the reason is no one really ever touches this after a successful deployment and regrets really happens because this is a production and sensitive environment and people would really want it to be up and running the entire time most of the updates are not as critical as the uh would take someone to go and update it so people typically ignore it if you compromise a terraform enterprise instance would be a great place to store your attack persistence oh by the way it come pre-installed with almost the

every single tool that you would need by default and yep and ah yeah of course definitely it has the latest uh database credentials because if someone is deploying something or changing something or rotating a key the key would still be stored in the state file so if someone really felt that something is bad happening you can go up to uh like the uh twitter from and deploy and rotate the key and then with that they receive the key probably it will be stored and perform again so yeah that would be cool if you do this and just send me a tweet about this or any red team engagement i mean of course and by the way uh so from enterprise

it's quite popular of the internet there are companies has have they're from enterprise explosive internet this is a bad practice you should never expose uh this instance to the internet you should have it on an isolated vpc where only authorized ips or authorized parties can access to it these are some filters that you can use to find ones hopefully your company he's not there within this uh list another thing if you let's say the first uh first two or first tricks don't really work with you you can think about abusing perform apis and how this one works is true from ap there from uh enterprise and telephone cloud i gives you an a full api that could allow you to do

all of the things that you would be doing while using Terraform Cloud or Enterprise, and this API could be used to review the state file. As already discussed, it's really important to have it saved in an instance and to mark it as a sensitive thing. So if it wasn't possible for you to compromise the database responsible for storing the state files, it's possible to ask Terraform Cloud or Terraform Enterprise to print it in plain text nicely, and it works; it's very fun. This would mostly contain sensitive data, as we talked about earlier. All right, and now let's jump into another fun vector that they have. This was initially documented by

Alex K. He is a security researcher that wrote about it on his blog, about Terraform plan RCE, and this seems to be some sort of a by-design issue with Terraform, but people weren't really talking about it. How it works is, like, if you use this attack in a real-world scenario and you have access to push code into a git repository, and then this git repository would be running CI on GitHub or on a different system, or in general the code that you have is being planned, then it's most likely that you would be able to get remote code execution within the Terraform instance that is

running the CI. Because how it works is: you can write a provider that would be able to execute code. By default, Terraform providers are, like, you can easily go and create a provider and then push it to the Terraform providers registry, and from there you would be able to import it externally. And then when you import this one and you download it and install it, and then you use it in the code or you call it, then it would be invoked. When this happens, you get an instant code execution. I don't know how Terraform is not really fixing this; I haven't really seen a way to fix it,

but this is an actual thing and it's really bad. So how it works is: a person that submits a PR can execute a payload and compromise the Terraform instance. And just to add this: since anyone is able to push code into the Terraform providers registry, maybe there are enough chances that someone is looking for that and it will get detected. Someone figured out that there is an API that is also provided by Terraform to execute external programs as Terraform code, and then it takes the output of that command into Terraform. Sounds like a very useful feature, but man, this is bad.

Why? Because someone can submit a PR with a file called point.tf with this code, and guess what: this command will be executed on the Terraform Enterprise instance, and it will not generate any errors because it's outputting a valid JSON. I personally tried it in different experiments and it was functioning in different places: it works on the CLI, it works at the Terraform Enterprise level, and there is no way to fix it. Okay, now we're reaching the end of the talk, and what should we do here? First, be careful. It's pretty difficult to maintain a secure Terraform environment. Terraform has done amazing work on the ground and the

developer toolkit that can be used for automating the deployments and managing your infrastructure. There are many things to do when it comes to the security. Oh well, this is not really a nice thing to have on livestream; I think I'll use myself

also long. But yeah, as I was saying, it's really hard to do that, to maintain a secure Terraform environment. Being careful is my recommendation here. Also, if you are storing your state files in S3, you can implement a bucket access policy that prevents other users from accessing any resource within this bucket other than this particular Terraform user that is managing the state file. This would be really useful: someone would be able to list out the bucket, but then when they go and try to retrieve this object, they would get a 403 or something, and you are safe for this phase. And maybe if you have

logging enabled, maybe you would get an alert that someone is trying to fetch this resource, and you can act upon that; maybe you're already compromised and someone is trying to pivot into your network to get better access. Just throwing ideas that could be useful here. Also, continuously update and review your TFE instance. It can be easily forgotten in the noise; no one is really going and looking in and checking how it is working unless it's down or something bad happens. In the typical cases nothing bad happens, no one logs in, and of course this is bad. You should continuously review it. And be careful in permitting people to

have write access on any branch of the Terraform repository. It can lead to a direct code execution and there is no way to patch it. And the problem here is, since there is no way to patch it, and at the same time companies typically give write access to everyone to write to non-protected branches, then what happens here is anyone within the company, on the typical setup, would be able to push code to the TFE server, and then they would get access to that server because of this vulnerability. How to fix it, this is something that is still not known how to do. Everyone in the cloud security community

is trying to brainstorm ideas and explore different ways until an official patch comes from Terraform. But in the meantime, yeah, hopefully all stays the same and secure anyway. Also, maintain the Terraform Enterprise instance in an isolated VPC. You don't want to have it being public on the internet, in the case that there is a zero-day that people are exploiting; you don't want people to mass-scan the internet and look up your Terraform Enterprise instances and then go and exploit yours. And yeah, this would be direct. Another thing is: state files are sensitive. They contain data that ranges

from database passwords to certificates and access keys, so you can treat them as sensitive data. And to add at the end, final thoughts:

Terraform is amazing. It runs several security features when implementing IaC within Terraform, but still, with great power comes great responsibility. Protect your Terraform environment, because things can go bad easily, and of course stay safe. Set up persistent monitoring, like FullHunt, to discover shadow IT, misconfigurations and mistakenly exposed services, like the Terraform instance that we talked about. And with that being said, thank you very much; let's start with the questions.

Thank you, Mazin. I personally have many questions to ask about that topic, starting from the recommendations. So do you think it's too early for big organizations or financial institutes to start using Terraform, considering the attack surface and

such? Is it too early for us, for example, to use it, or no, we can maintain a balance?

No, it's not. I don't think that it's too early for organizations, even if it's a sensitive organization like financial organizations, to use Terraform or infrastructure as code in general. The problem comes when the security team is not really putting a lot of focus on the infrastructure-as-code security; then these problems would come up. But in general, using Terraform is really helpful, because let's say that the other choices that you would have are to deploy things using the console or using the API, but how would you really manage this

within a company that deploys, let's say, 100 assets every month? You simply can't. So with Terraform, at least you would be able to run free checks on the CI before even the security team comes up and reviews it. You would be able to have different compliance and configuration checks done. There are tools that are readily available there, like, I don't know, tfsec, Checkov and Sentinel policies, a tool by HashiCorp. And if you implement this and implement a proper CI, then if the build is succeeding, you would be able to go and have a layer-two evaluation of the infrastructure change to see if there's

anything bad. But, like, the amount of helpful things that it brings is much more than the cons.

Okay, okay. Another question about the tools' supportability for Terraform and the clouds, in both ways. Terraform on GCP, is it different than Terraform on AWS? Is it different for F5 than Palo Alto or Cisco or any other? You know, there are so many factors when it comes to using an infrastructure-as-code tool.

Yep, you're right.

So what are the differences? Are you only focusing on AWS in the topic, or is it general?

So the cool thing about Terraform is that it would support, like, around more than a thousand providers. But the problem is, just because Terraform supports it doesn't mean that the tools would support that, and that's exactly the same point that you said.

So what you can do here is, you would go and check. For example, let's take an example like tfsec, a tool that I personally use; it has great support for AWS, for Azure, for GCP, I think Alibaba Cloud and Oracle Cloud, but I don't think that it is for other cloud providers. So if you have a cloud provider that you are using and you would like to implement compliance checks, you are better off using Sentinel policies. This product would allow you to write custom checks, or you can use something like Semgrep to do the same thing, an open-source alternative. And when you do this,

you'll be able to review the code for custom checks. Of course, this would require, like, manual work.

Yeah, I got many questions, Mazin, regarding the root cause, the main root cause of those remote code execution issues that you highlighted in your talk. Do you think that improper access management is the real pain, or the main pain, in an environment like Terraform? Or what do you think, if you want to analyze the root causes of such remote code execution vulnerabilities with this impact?

This particular remote code execution vulnerability, to be honest, I think this is the fault of Terraform. They should have support for whitelisted providers, to have providers whitelisted

or declared before execution, so that a person would say: hey, I would like to have a security check to check for these particular providers, AWS, Azure, GCP, and then if someone is calling something different, do not execute it, do not install it. But here Terraform is willingly going and downloading and installing and planning any code that is going to be provided. Imagine it as an interpreter, like a 500 or something like that: whatever code that you are importing, it will execute. But Terraform should have an option to whitelist the providers, and this is not there yet, and you cannot really patch it or prevent it in

a Terraform Enterprise, like, with the CI implementation. A temporary way is to parse the code first and then implement, like, a separate CI that would only execute if the code does not have providers that are not there, but then you would not benefit from all the enterprise features that you would get with Terraform Enterprise.

Are you aware of any security standard or hardening guides for a Terraform environment, or best practices that you can refer to?

Most of them are within the tools that are being used, like tfsec and Checkov. They already have security checks for Terraform, and these are

focusing on general things and also focusing on provider-specific things, mainly on the three top providers. If you started with these ones and you are doing well, probably you would be able to run the program in a better way, but this could be a good start.

Great. Any questions? Are there any questions from the audience? No, no, no. I can't say it again: a new topic in Jordan, people are still hesitant to participate.

Yeah, the cool thing is to try to bring it to the MENA region. Like, Terraform is used in the MENA region, but it's not as used as in the US, so it's cool to have it discussed.

So do you think it's on the rise, or it will not be implemented, it will not die? Because we can feel that there is a lot of resistance in our countries, Arab countries.

I think every new technology would have this

type of resistance, because humans do not like change. And Terraform is here and is going to stay for the long run. Like, with the amount of growth that happened in the past two years, there is no indicator that it will go away. The same thing goes for cloud: if you would like to use cloud, you have to put in security, and if you would like to implement security, you have to start with the basics. Infrastructure as code would be one of the basic things to start with. So yeah, it's going to stay; just people will try to adapt to it.

Yes, I think also there are a

lot of hybrid cloud setups, or hybrid and on-prem, and this is also one of the challenging points: having, for example, the cloud setup on Terraform and then going back to manual processes and console activities, activities through the console by infrastructure admins. So they would prefer to do it all the same way. I think this is also one of the points: not only native cloud applications or setups; we have a lot of hybrid. We're still in the transition phase.

Yeah, this one, I'm not sure; I haven't really implemented the on-prem infrastructure using Terraform before, so I'm not really sure about it. But, like, if you would like to go with

cloud, I think this is the best way, with Terraform. But for on-prem, I haven't even heard feedback before from others about, like, success cases with on-prem with Terraform.

For on-prem, people go more with Ansible.

Yes. Okay, I think that's it for us. Thank you, everyone, and hopefully this one will be recorded and I will try to post it on my channel.

Sure, thank you. After the event we will share each session on our YouTube channel. Thank you very much.

Yeah, thank you very much. Thank you so much.
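The S3 bucket access policy and logging that the speaker recommends for state files, written out as an added example in Terraform HCL (not the speaker's code). The role ARNs and bucket names are placeholders; everything else uses the standard AWS provider resources.

```hcl
# Added example, not from the talk: lock the Terraform state object in S3
# down to the Terraform principal, as the speaker recommends.
# All ARNs and bucket names below are placeholders.
variable "state_readers" {
  description = "Principals allowed to read state: the Terraform role plus one break-glass admin role"
  type        = list(string)
  default = [
    "arn:aws:iam::123456789012:role/terraform-deployer", # placeholder
    "arn:aws:iam::123456789012:role/break-glass-admin",  # placeholder
  ]
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-terraform-state" # placeholder
}

resource "aws_s3_bucket" "access_logs" {
  bucket = "example-org-s3-access-logs" # placeholder
}

data "aws_iam_policy_document" "tfstate" {
  # An explicit Deny wins over any IAM Allow, so other users in the account
  # can still list the bucket but receive a 403 when they fetch the state.
  statement {
    sid       = "DenyStateReadExceptTerraform"
    effect    = "Deny"
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    resources = ["${aws_s3_bucket.tfstate.arn}/*.tfstate"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # ArnNotEquals with several values denies unless the caller matches
    # none of them, so every listed role is exempt from the Deny.
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = var.state_readers
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = data.aws_iam_policy_document.tfstate.json
}

# Server access logging: each denied GetObject is recorded with a 403
# status, which is the signal to alert on (someone is fetching the state).
resource "aws_s3_bucket_logging" "tfstate" {
  bucket        = aws_s3_bucket.tfstate.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "tfstate-access/"
}
```

The log bucket additionally needs a bucket policy that lets the S3 logging service principal write to it, which is omitted here. Keep at least one break-glass principal in the exception list, since a Deny on `*` in a bucket policy also applies to the account's own administrators.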

Yeah, we'll take our break. Yeah, yes, yeah, we're coming back at 8:15. Now at 8... we can come back, if it's like at 8, with Mohammed regarding the last session.


I think we can start now. Mohammed, you're with us?


...to do testing, to experiment, to learn things, or a cloud. It will be beneficial for any security engineer who has never done automated scanning or automated testing, or protecting things, internally. Absolutely, it will help.

...databases, PHP stack, web services, caching, key-value stores...

Knowing is not understanding. There is a great difference between knowing and understanding: you can know a lot about something and not really understand it.

...0/24; ... network 192.168.1.0/24; ... networks router 172.16.1.0/...

...internet ... free services: Canadian Shield, ..., cleanbrowsing.org, ... features...

...192.168.0/24 ... thermostats...

...publicly accessible ... recommendations ... bootstrap the infrastructure ... must ... and IPs only accessible by the load balancer, and then the load...

...and still use one Wi-Fi SSID to connect to these devices belonging to these...

...static IP or DHCP on the network 192.168.0...

Access list: a tool for controlling what you expose from your network, important internally, and if you're smart... No, you can say a specific router model from an ISP in Jordan; within the search also on ....io we had this kind of router, ... management interface via default hard-coded credentials. If you expose your management interface externally ... this is very critical: you can access it, you can see what's the password.

...like the camera can only talk to specific ports. Well, you don't care about that in general.

...certificates, right, private keys. Can they still access your home ... access, build configuration remotely ... outside?

Would you recommend using Raspberry Pi clusters for VMware ESXi 6.5 projects and training? Would you recommend using Raspberry Pis?

However, it was a real pleasure to have you, and we'll still have another day tomorrow, tomorrow for the workshops only, for those registered to the workshops. Come on.
