The Defense RESTs: Automation and APIs for Improving Security

Presented at Black Hat USA 2012, July 25, 2012, 11:45 a.m. (60 minutes)

Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors; they don't even need to be commercial. You need tools like Chef and Puppet, Jenkins, Logstash + Elasticsearch and Splunk, or even Hadoop, to name but a few. The key is to centralize management, automate and test. Testing is especially key; like Jeremiah says, "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows. Save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces where dedicated security tools are a must. Leverage APIs (and protect API endpoints), and be evidence driven. Counterintuitively, deploy more often, with smaller change sets. Prepare for fail and fail fast, but recover faster. This is not just theory: the talk will include real examples with real code, including open protocols like NETCONF and open source software like dasein-cloud. There will be no discussion of APT, DevOps vs NoOps, BYOD or Cloud Security concerns; there will, however, be baked goods.
