LASCON 2014 has ended
Rugged DevOps Track
Thursday, October 23

10:00am CDT

Understanding and Implementing Rugged
Let's address the plague of complacency that is infecting organizations and individuals in our industry. We cannot evolve without understanding and implementing the new paradigm that is Rugged. Rugged is a call for all software professionals to commit to quality and excellence in everything we do, to commit to an intensely collaborative and transparent approach to teamwork for the benefit of our customers, our end users, and our stakeholders. Anything less than excellent is just failure in disguise.

I will step through the ever-growing list of Rugged attributes one by one and give specific, pragmatic examples of how to embrace the Rugged approach in our everyday lives, both personal and professional. This presentation will call people out for being lazy and unprofessional. Too many of us are complacent and creating work that is half-baked and, in doing so, creating more work for ourselves and others. It's time to step up or step aside!

Speakers

Lance Vaughn

CTO, Total Control Financial, Inc.
Lance Vaughn is the Founder/CEO of CabForward, a web and mobile development company, and President of the LoneStarRuby Foundation, a nonprofit with a mission of building a stronger software development community. He graduated from Purdue University in 1993 with a major in Information...


Thursday October 23, 2014 10:00am - 10:45am CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/

11:00am CDT

Be Mean to Your Code - Rugged Development & You
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application. 

This talk brings some advice/tools of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system. You will learn pragmatic approaches and tooling that will affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away and you will also be armed with rugged anti-patterns to help you identify what to change.

Speakers

Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web...

James Wickett

Sr. Security Engineer, Verica
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and...


Thursday October 23, 2014 11:00am - 11:45am CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/

12:00pm CDT

Threat Modeling for Linux Containers (LXC), Docker and the Cloud
Traditional threat modeling has used data flow diagrams to model the software or system in question. How well does that methodology work for complex and interconnected systems? During 3 years of threat modeling work at Rackspace, the authors have found the limitations of data flow diagrams and other threat modeling methodologies when conducting threat models of OpenStack, Linux Containers, Docker and other recent cloud technologies. In this presentation, the authors review the lessons learned and demonstrate how to interconnect the multiple systems which make up a typical OpenStack deployment into something useful for the developers, operations, security team and more.

Speakers

Thursday October 23, 2014 12:00pm - 12:45pm CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/

1:00pm CDT

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don't work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.

A new concept of Test Driven Security, which is loosely based on the tenets of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. It's time to embrace the change and say "Challenge Accepted".

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Thursday October 23, 2014 1:00pm - 1:45pm CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/

3:00pm CDT

DevOops, I did it again
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps, as well as their stories of what happens when these tools are used insecurely and when the tools themselves are insecure.

Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is brand new research to bring awareness to those responsible for securing a DevOps environment.

Speakers

Chris Gates

Sr. Offensive Security Manager, Robinhood
Chris Gates is a graduate of the United States Military Academy and Army Veteran. He is a well-known Information Security professional and has spoken at over 50 security conferences around the world. He is also a spiritual fitness coach and energy healer. "Hey I'm Chris. I'm...

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...


Thursday October 23, 2014 3:00pm - 3:45pm CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/

3:00pm CDT

In AppSec, Fast Is Everything
Software development has been transformed by practices like Continuous Integration and Continuous Integration, while application security has remained trapped in expert-based waterfall mode by slow tools and slow processes. In this talk, Jeff will show you how you can evolve into a fast “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE.  Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

Speakers

Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Thursday October 23, 2014 3:00pm - 3:45pm CDT
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

4:00pm CDT

Is this your pipe? Hijacking the build pipeline
As developers of the web, we rely on tools to automate building code, running tests, and even deploying services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often people leak public cloud credentials and what happens when they do, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets and how to turn their Jenkins into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via their continuous deployment.


Speakers

Greg Anderson

Founder, Infinitiv


Thursday October 23, 2014 4:00pm - 4:45pm CDT
Pecan Room Norris Conference Center, http://lascon.org/venue/