Track: Building Security Infrastructure

Location: Plymouth - Royale, 6th fl.

The cost of building defensible infrastructure is many times greater than the cost of successfully attacking it. Unfortunately, the security community has historically not been particularly open about sharing core pieces of their non-business critical security infrastructure. This has led to the proliferation of different solutions to the exact same problems (e.g., secret distribution, service to service communications, logging, etc.), and the waste of an incredibly rare resource: good engineering time.

The goal of this track is to bring together a diverse mix of experts and enthusiasts from industry and academia, for a day of highly technical, engaging presentations, leading to the open sharing of new and fruitful ideas.

The security community must strive for higher degrees of solution sharing and reuse, improving its collective efficiency and fostering a more effective giveback to the ecosystem, by releasing, supporting, and publicly presenting solutions and the open-source software that implements them. Hopefully, this track will be a sizable contribution in this direction.

Track Host: Diogo Mónica

Security Lead @Docker

Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square, where he led the platform security team; holds BSc, MSc and PhD degrees in Computer Science; serves on the board of advisors of several security startups; and is a long-time IEEE Volunteer.

Track Host Interview

  • QCon: What's the focus of the things that you're doing today with Docker?
  • Diogo: Our major focus at Docker is to build security into the new platform that developers and ops people are adopting. The question that drives us is how can we add security to Docker in a way that is trivial for developers and operators to use. As more and more companies move to containers, are they going to have safer infrastructures? Our objective is for the answer to be a resounding "yes." We also aim to have all of these features be turned on by default—something that the security industry has not been great at doing for the past 25 years.

  • QCon: That fits perfectly into the motivation of the whole track.
  • Diogo: Exactly. In the majority of conferences that cover security, breaking is always the main attraction. Someone hacked a car; someone hacked a teapot; someone hacked a microwave. We consistently glorify breaking. But the reality is that finding problems is a lot easier than fixing them, or finding solutions for classes of issues. The goal for this track is to focus on the builders, the unsung heroes doing the hard task of keeping our infrastructures safe. In particular, I believe it’s really important to help builders understand what open-source tools are already out there—and that would help them do their jobs—ensuring the community does not keep continuously reinventing the wheel.

  • QCon: What do you want someone who comes to this track to walk away with?
  • Diogo: The main points I would love people to walk away with are: what are the best practices on SSH key management, at scale, in a production system; what are the best practices around microservice security, mutual TLS, secret distribution, and what open-source software out there people can use; ensure that security teams understand they need to apply the same testing best-practices developers have been using for years, and should start implementing regression testing for security vulnerabilities; and finally, what are the best practices around monitoring, and what open source software out there does the bulk of the work already.

BLESS: Better Security and Ops for SSH Access

How can using SSH certificates improve security and simplify operations for instance access at Netflix-scale? How can you smoothly transition existing infrastructure to use SSH Certificates? Netflix created and uses BLESS, an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys. In this talk, you will start by learning about BLESS in general: what it is, how it works, and how you can start using it. Next, we will explore the Netflix BLESS production architecture and how other companies have used BLESS in different ways.

From there, we will dig deeper together to discuss Netflix’s deployment and operational details, leveraging BLESS for security insight, and future plans for authorization improvements. The entire talk will be interactive with demos along the way.

Bryan Payne, Leads Product & Application Security @Netflix

Practical mTLS: Security Without the Headaches

Over the last few years, more and more system administrators and developers have become concerned about guaranteeing the authenticity, integrity, and confidentiality of their network communications. TLS has emerged as the solution recommended by security practitioners for all these problems. Let's Encrypt makes it easy to get a lock icon on a web browser, but in many cases public certificate authorities are inappropriate for private and internal uses. How can you mutually authenticate and secure communication between the services internal to your own infrastructure?

Unfortunately, setting up and maintaining the necessary Public Key Infrastructure that allows applications to communicate via mutual TLS is operationally challenging, contributing to the slow adoption of these security best practices.

Enter Docker Swarm, a container orchestrator that significantly simplifies the operational complexities around issuance, renewal and distribution of TLS certificates for your nodes. This talk discusses in detail the implementation challenges of Swarm, how we greatly reduced the overhead necessary to manage an infrastructure that makes use of TLS certificates, and how we've added features, such as transparent root key rotation, that reduce the risk of key compromise and significantly increase the usability of Public Key Infrastructure.

Ying Li, Security Engineer @Docker

Addressing Security Regression By Unit Testing

Regression in codebases is a significant problem, and a proportionally significant amount of effort has already been spent addressing it. Regression is a similarly large problem in the realm of security, yet de facto standards and approaches for addressing the issue remain absent. Even when security programs have the proper staff, tooling, and budgets, they commonly struggle with ensuring that security holes remain fixed after they are initially patched. This talk will explore the application of a regression solution commonly employed in software development, unit testing, to fighting security regression. We will cover unit testing solutions that are integrated into tested codebases as well as solutions that can test deployed codebases from a blackbox standpoint. Our talk will be aided by the release of an open-source software project built specifically to demonstrate how these practices can be employed in real-world scenarios, with reusable core testing functionality that can be integrated into existing Python projects. Through this talk we hope the audience will leave with an understanding of the role that regression plays in security and how unit testing can be used as a tool to address security regression in both in-house codebases and untrusted third-party software.

Christopher Grayson, Founder and Principal Engineer @WebSightIO

Doorman - An Osquery Fleet Manager

Osquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure using standard SQL-based statements. But how? Organizations deploying osquery will need to engineer various solutions to accomplish this seemingly simple task. Enter Doorman. This simple Python/Flask-based web interface allows you to manage your entire osquery deployment, from baseline configurations and ad-hoc queries, to log collection and alerting. In this talk, we'll give a brief demonstration of osquery and its capabilities and why we set upon using osquery as an endpoint security solution. We'll describe our threat model along with the design and architecture decisions that went into Doorman. Lastly, we'll discuss how we use Doorman and osquery to provide visibility into our infrastructure.

Marcin Wielgoszewski, Security Engineer

Trusting Mobile Clients with Remote Attestation

Everyone knows that in client-server systems, you can't trust the client. However, remote attestation gives us a way to change this. As Square provides financial services on unmanaged mobile devices, building more visibility into the client's runtime environment helps us fight fraud and offer unique features. In this talk I'll describe the systems we've developed to verify that our app is unmodified and running in a secure environment.

Naive client-side tampering checks are relatively easy to circumvent, since attackers can modify both the application and the OS. To counter this, we use a server-driven system that dynamically interrogates the client software. I'll discuss how we manage a rules system with hundreds of interdependent modules, build robust anomaly detection models without having any data from attackers, and support millions of devices running thousands of firmware versions. Our system has parallels with intrusion detection, hardware tamper detection, and systems combating spam, fraud, and abuse.

Janek Klawe, Security Engineer @Square
