Securing Apps in the Open-By-Default Cloud

Presented at Black Hat USA 2019, Aug. 8, 2019, 3:50 p.m. (50 minutes)

Services created in cloud environments like GCP or AWS are open to the internet by default. This is a problem that compounds in a workplace where developers are empowered to create new microservices faster than a security team can review them. Even if all of these services could be reviewed before launch, it is infeasible for security teams to track and review all security-impacting code changes, often leading to improper auth controls and exposed services.

We present a generalizable solution which automatically enforces auth controls for all services throughout their development lifecycle. Our solution is designed to require minimal operational overhead for the development and security teams and holds no opinions about the project's development process, allowing development teams to maintain their autonomy.


Presenters:

  • Michael Wozniak - Technical Lead for Infrastructure Security, Snap Inc
    Michael Wozniak is Technical Lead for Infrastructure Security at Snap Inc. He has led the security efforts to expand into multiple cloud providers, including migrating to a service mesh architecture. He also has experience working on several open source cryptocurrency projects.
  • Winston Howes - Technical Lead for Application Security, Snap Inc
    Winston Howes is Technical Lead for Application Security at Snap Inc. An expert in web security, he has led the vision for Snap's web security efforts. Outside of Snap he has interests in voting security and is an accomplished magician.
