Dylan, Frenchie & the Chamber of Secrets (Red Teaming in Zero Trust: No Malware Needed)

Presented at Kawaiicon 2 (2022) Rescheduled, July 1, 2022, 11:15 a.m. (30 minutes)

In a zero trust network it's becoming harder to attack endpoints and move through traditional networks, so let's look at the new frontier: cloud and SaaS. We'll walk through some examples of attacking a company where the initial foothold is via leaked secrets in Slack or Pastebin. From that first SaaS service, we'll show off jumping to other SaaS services recursively, until eventually the whole farm is compromised. At the heart of all this are API keys and credentials scattered throughout your collaboration tools and engineering tools. We'll also cover practical ways to remediate the issues we discover, such as setting up secrets management tools at scale, and pragmatic factors that play a vital role, such as least privilege with regard to who has access to which secrets, what those secrets have access to, and how long those secrets live. Finally, we'll discuss some quick, easy defensive wins such as data retention policies and canaries.

Not a Harry Potter Fanfic, but pretty damn close.


Presenters:

  • Dylan Ayrey as Dylan
    Dylan Ayrey - Co-Founder @ Truffle Security Co: Dylan Ayrey is a Security Engineer. He has been heavily involved in the open source community for a few years, authoring tools like TruffleHog, and recently he has been doing his best to bring security practices into the cloud/DevSecOps world. He had the opportunity to speak at Kiwicon 2018 on red teaming with JavaScript in browsers.
  • Frenchie
    Sam "Frenchie" Stewart - Staff Infrastructure Security Engineer @ Brex: Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall. Originally from Batmania, by way of San Secuestro, he is currently a COVID Refugee living in Queenstown, Niuzlind. Previous roles include: KawaiiCon Self Driving Car Prototype #1. 🤖 🚗 skynet prevention squad, Infrastructure Security Engineering Manager at Cruise. Shipped https://github.com/cruise-automation/k-rail and can often be found tinkering with cloud, cluster & container security things (anything starting with the letter C).
