We have 2 hours. Let's fix the bug quickly and come back right away ...
Cybersecurity today is needed everywhere, from access control (whatever form it takes) and trade secrets to PR and communications in times of crisis. IT has penetrated deeply and critically into the business, and new technologies are becoming easier to create, deploy and use. New tools gravitate towards a low entry threshold (who still remembers FreeBSD jails? Or classic LXC? And now we have Docker). Previously, the information security problem was users with low computer literacy; now it is a MongoDB instance, say, with its ports exposed to the Internet, or production environments with weak passwords and reuse of vulnerable code, that become the headache and can bring the business to a halt.
To protect privacy and keep personal data from leaking, systems should be designed and developed Secure by Design, so that security is not compromised while the code is being written. But how do you get the Secure part when the Design is done by another department using the trendiest, and not always proven, technologies?
For information security to stop being a painful topic, it must become a culture rather than a rush to put out fires. Information security is the cornerstone from which the balance between business speed, secure development and risk begins (and with which it ends). Balance, because all processes within the company depend on each other: development, operations, testing, security and business processes are all parts of one system. On the one hand, overtightened security screws and implementation without understanding the information security standards can result in a non-working product, a delayed release, a service outage, irritated developers, and even incidents in the environments themselves. On the other hand, when a developer does not know how an attacker can use his code, he may end up causing a data leak, a server compromise, or service failures under DDoS attacks.
In addition, for technical specialists, understanding the basics of cybersecurity yields expert, practice-won knowledge that the market values, for example:
- The programmer learns the nuances of security in order to write code with them in mind, rather than bolting them on later;
- The tester learns how to look for a specific kind of bug: security vulnerabilities;
- The system administrator learns how to recognize a compromised server, or how to protect it if it has been hacked;
- The monitoring specialist learns how to recognize an incident (he already does this, but only for IT incidents).
You can instill cybersecurity on your own, without departments and bosses. As in life, it requires common sense and an understanding of when a password and a watchdog antivirus are enough, and when you need seven different locks, a retinal scanner and a perimeter with barbed wire. On the other hand, sitting through a security course and reading two standards is not enough. For a deep understanding of how all this can be used, you need to test vulnerabilities with your own hands and see the loopholes in the code yourself: understanding and uncovering the weaknesses in your protection and access control comes with practice.
We have a training ground for you!
To keep security checks from becoming very expensive, the program committee has prepared a special block of talks and master classes on information security at DevOps Live 2020. There, experts will explain and discuss how to develop an IT security culture, looking at it from three sides: business, infrastructure and service (developers, testers, security staff). You can also try it hands-on there.
Fundamentally, there is no difference between ISOC processes and infrastructure monitoring, between IT operations and information security operations, or between IT testing and security testing, and we will show it. There will be plenty of practice and working tools, and the speakers will answer questions, including why "the security people showed up and want something strange". At the master classes and Q&A sessions, participants will learn how to embed security into already running processes at a new level and without pain, what common mistakes are made in operations, how hackers "break" the system, and what to do about it afterwards.
The DevSecOps topic is quite young for DevOpsConf, so we have planned the information security activities to be as accessible as possible for participants who are not deeply immersed in cybersecurity. Practical talks from the best experts in the industry, who have been speaking at security conferences for several years, will be for everyone: both those who are only starting to think about security and those who have already taken their first steps in this direction.
The introductory talk from Lev Paley will address an important question: is cybersecurity a brake on or a driver of change in project delivery? Lev will explain how to integrate security into new projects relatively painlessly and share his experience in understanding the IT security needs of your company. The talk will be useful to people who interact with business units in one way or another, and will help find a reasonable balance between the speed and the security of new services and technologies.
The program will also include a powerful workshop, the "Cyber Polygon" master class by Luka Safonov, where participants will try to hack the training ground, and Luka will clearly show how to recognize certain types of attacks from the infrastructure point of view, which systems can be used for that, how to track the chain of an attack and what can be done about it.
While demonstrating the attacks, Luka will comment on and explain how to detect intrusion, tampering with network traffic and privilege escalation, and how to prevent the takeover of the infrastructure and the exfiltration of data beyond the perimeter.
Within 2 hours, he will show how vulnerabilities of a certain class are looked for, what is visible at that moment in the logs of the network monitoring systems, what events are recorded in them, and what you need to look at. At each step, Luka will explain what the configuration problems were, how to fix them, how to react quickly to block access, and what else to check in order to understand the attackers' methods.
And for those who want to dive deeper into the methods and tools used to carry out attacks, Roman Romanov, CEO of PentestIT, will deliver a talk entitled "We will test it, do not hesitate". In it, Roman will cover the tools that attackers use, methods of securing and bypassing popular defenses, and the most common mistakes that system administrators and developers make when operating systems in production.
As you can see, there will be little theory (although there will be a "helicopter view" of the general principles for approaching security tasks), and master classes, workshops, meetups, round tables and blitz talks make up a large part of the conference. Information security activities will be spread evenly throughout the conference. See, choose, participate: program, tickets, atmosphere.