Learn, hack!

URL

https://media.blackhat.com/bh-us-12/Briefings/Mortman/BH_US_12_Mortman_Defense_RESTs_Slides.pdf

File name

BH_US_12_Mortman_Defense_RESTs_Slides.pdf

File size

415.6 KB

MD5

596660d1853bdad975e657bda28c910e

SHA1

d1c94a82e70e61cbb9a189536a8ed82d8d651c97

Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors, they don't even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop to name but a few. The key is to centralize management, automate and test. Testing is especially key, like Jeremiah says "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows, Save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces that dedicated security tools are a must. Leverage APIs (and protect API endpoints), be evidence driven. Counter intuitively, deploy more often, with smaller change sets. Prepare for fail and fail fast but recover faster. Not just theory, will include real examples with real code including open protocols like netconf and open source software like dasein-cloud. There will be no discussion of APT, DevOps vs NoOps, BYOD or Cloud Security concerns, there will however be baked goods.