logo
Dates

Author


Conferences

Tags

Sort by:  

Conference:  Black Hat Asia 2023
Authors: Maxine Holt, Marina Krotofil, Tara Seals, Fyodor Yarochkin, Stefano Zanero
2023-05-11

Artificial Intelligence (AI) has the potential to revolutionize cybersecurity by enhancing detection and response capabilities, automating routine tasks, and identifying threats that are invisible to humans. However, AI also poses significant risks, including the potential for attackers to use AI to develop more sophisticated attacks and evade detection. Panelist will explore how AI can be used to improve cybersecurity, the ethical considerations of using AI in security, and how to manage the risks associated with AI-powered security systems. Additionally, the panel will discuss the future of AI and cybersecurity and the role the InfoSec community and policymakers can have in shaping the development and use of AI in security.
Authors: Ionut-Maxim Margelatu, Larisa Andreea Danaila
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges of having separate workflows for infrastructure provisioning and application deployment and proposes a unified approach using Crossplane. The speaker also highlights the importance of putting everything in a single release.
  • Separate workflows for infrastructure provisioning and application deployment lead to inefficiency, higher risk of errors, longer feedback loop, and unmanageable complexity
  • A unified approach using Crossplane can increase iteration speed, quality, and time to market
  • Putting everything in a single release is crucial for continuous deployment pipeline and reducing cognitive load on developers
  • Examples of challenges include running post-deployment tests, making changes in configuration, and dealing with multiple repositories
Authors: Jimmy Mesta
2023-04-19

tldr - powered by Generative AI

The presentation discusses the importance of role-based access control (RBAC) in Kubernetes and the potential security risks associated with overly permissive RBAC configurations. It also highlights the need for fine-grained configuration and least privilege access.
  • RBAC is a collection of users, resources, and operations that are combined to give access to the resources needed
  • Fine-grained configuration is necessary to limit access to service accounts and humans
  • Least privilege access is important to ensure that only necessary access is granted
  • Audit logs can be used to craft better RBAC policies
  • Escalate, impersonate, and bind verbs are dangerous and should be monitored
  • Persistent volumes can be used to break out of the container context and access the underlying host
Authors: Spyros Gasteratos
2023-02-15

tldr - powered by Generative AI

The presentation introduces a free and open source Application Security Toolchain Framework that unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting. The framework is low to no code, platform-agnostic, and community-driven.
  • Automated security testing has brought an abundance of signal about codebases and infrastructure without much manual effort, but managing findings and triaging false positives is time-consuming and results in hiring more security experts.
  • The Application Security Toolchain Framework unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting to different sinks based on code ownership.
  • The framework is low to no code, platform-agnostic, and community-driven, with integrations for several scanners both under the OWASP umbrella and not.
  • The framework allows for scheduling tool execution against both code and infrastructure, aggregating results from different tools, enriching them using several processors, and consuming them with a multitude of visualization platforms.
  • The framework is demonstrated through a tool called Dracon, which unifies security tool execution and results management.
  • The community-driven aspect of the framework allows for integration with a wide range of security tools and provides an idea of which tools are more popular based on their integrations.
Authors: Aakash Shah
2022-11-18

Infrastructure-as-code adoption continues to grow as more organizations seek to automate deployments and better manage the complexity of their cloud applications. Increasingly, development teams are taking ownership of IaC for their application as the boundaries between the application and infrastructure layers continue to blur in the Cloud. Terraform (more accurately - Hashicrop Configuration Language (HCL)) is one of the most widely used infrastructure-as-code (IaC) languages at the forefront of this transformation with over 100M open-source downloads.There are a lot of public Terraform projects available to developers to quickly learn and build from. Terraform also offers modules - an abstraction that allows infrastructure developers to write modular and clean code, allowing them to accelerate development and better maintain this code. And there are many community-driven open-source Terraform modules available for developers to reference in their Terraform code to quickly design & deliver changes to infrastructure.As of today, there are over 90k public repositories on GitHub with Terraform (HCL) code and over 15k open-source terraform modules. As an infrastructure developer if you utilize a community Terraform module or build from an existing example, how can you be assured that your infrastructure design will meet your security needs? What steps do you need to take to ensure that your cloud-native deployment is both secure & compliant?We used automation to assess public Terraform repositories and modules across Github to identify the most common security gaps against industry best practices. We selected best practices based on Cloud Service Provider reference architectures, Cloud Security Alliance, CIS benchmarks and OWASP. To limit the scope, we focused on Terraform for AWS and Azure resources. In this talk, we will share results of this assessment and provide lessons learned. Since this is OWASP, we’ll present the top 10 classes of security issues we found. We will then discuss security best practices for using community Terraform modules and building your cloud architectures from public Terraform repositories.
Authors: Joshua Bregler, Corbin Moyer
2022-11-18

Make no mistake, secure development relies on automation. In a DevSecOps culture, having scalable, reliable tools and processes are the only way to make DevSecOps a reality. Creativity and technical chops are lauded for their ability to bring magic from the machines. However, is anyone in charge of making sure that your organization is automating the right things? How much attention is being paid towards supporting that automation across an Enterprise? The security is baked in, right? It may just be possible to focus so heavily on automation and tools that disparate teams lose sight of the bigger picture.This talk discusses the pitfall that many organizations trip into all too readily. By focusing forcefully or narrowly on automation, an organization can find itself creating technical debt, waste, and classically unsupportable support systems. We utilize two real-world case studies to clearly demonstrate classic automation problems and propose functional solutions. Audiences will come away with data-driven DevSecOps security management techniques as well as how to recognize and accept the trade-offs in a secure DevSecOps culture. This includes how to avoid creating new, unintended, invisible stove-pipe problems, drawing from our 25+ years of experience in the military and commercial spaces. Finally, we explore methods to find these opportunities, track meaningful metrics, and recognize when you’ve fallen over the edge.
Authors: Sarah Khalife, Grant Griffiths
2022-10-28

Automating cloud native app development and incorporating security through a transparent and consistent process is key in building any production level applications. On a daily basis, think about how often you build your application and scan for vulnerabilities in the code. This is mostly an afterthought and not always considered as the easy part of developing any applications. However, the recent vulnerability exploits reinforced the need for a secure development lifecycle. Simplifying and automating the process all in a single pull request makes it much easier for any cloud app developer to add security! This talk will cover how to leverage available open source tooling to build and test a cloud native application, run security scans across it, and package it for shipping. For automation, we will have a step-by-step demonstration on how to set it up all within a PR to provide consistency and push the containerized application to a Kubernetes environment.
Authors: Shatarupa Nandi
2022-10-26

tldr - powered by Generative AI

The presentation discusses how a platform operations team was able to manage over 30 clusters and several applications in production in a highly regulated environment using the Carvel tool chain by adopting the GitOps mindset.
  • The team faced challenges with complex deployment topologies and managing fine-grained access for development teams
  • They adopted the GitOps mindset by keeping configuration in a central git repository, relying on Carvel's package manager cap controller to create clusters, and using continuous reconciliation to prevent configuration drift
  • They bundled their applications configuration, Kubernetes manifests, and dependencies in a single immutable OCI artifact using a Carvel tool called image package
  • They used Carvel's yaml wrangling tool ytt to write overlays for third-party software
  • The platform operations team was able to enable the development team to provision new clusters with common software in a matter of minutes and keep these clusters upgraded
Authors: Kara Yimoyines
2022-10-25

tldr - powered by Generative AI

The presentation discusses the need for an actionable user interface to address the challenges of vulnerability data and CVEs in the security space.
  • Vulnerability data alone is not enough to secure software supply chain
  • An actionable user interface is needed to automate remediation and understand blast radius of CVEs
  • GUI can help prioritize work and alert when things go sideways
  • GUI should allow annotation of CVEs and weigh potential harm and risk to the business
  • GUI becomes the central location to collaborate and communicate with cross-functional teams
  • GUI should be extensible and interoperable with other tools solving adjacent problems
  • Building accessible tools that don't require exclusive use of the terminal is important
Authors: Hritik Vijay, Philippe Ombredanne
2022-06-22

tldr - powered by Generative AI

The presentation discusses the challenges of package and dependency management in software development and proposes solutions such as using package URLs and a universal versioning system.
  • The complexity of package and dependency management in software development makes it difficult to express boundaries between dependencies and automate the process.
  • Solutions proposed include providing installation prerequisites, using a single package manager, and using general-purpose package managers such as Spack, Conda, Nix, and Guix.
  • Package URLs can be used to name packages and a universal versioning system can be used to deal with version ranges.
  • The universal versioning system can accommodate different versioning schemes and express version ranges in a universal way.