Security Sessions Aplenty at ATO 2020


Sonatype is sponsoring and making the Security track possible

We haven't always hosted security sessions at All Things Open. We only started about 4 years ago - and we're happy we did.

The importance of security can't be overstated in open source, or in technology overall really, and we feel the sessions and speakers in 2020 will bring a lot of value to attendees.

*Please note at least two more sessions will be added to the Security track in the next 1-2 weeks*

The speakers and topics to be featured will include:

So Happy Together: Making the Promise of DevSecOps a Reality

Alyssa Miller, Application Security Advocate, Snyk

It may be hard to believe, but it’s been over a decade since DevOps was introduced. It wasn’t long after that the concept of DevSecOps began to emerge as security practitioners attempted to keep application security practices engaged in software delivery. However, recent studies show that even in organizations that have adopted a DevSecOps model, security is still often viewed as a bottleneck. This can undermine the promise of DevSecOps to deliver a culture of shared responsibility for security.

Hacker, former developer, and application security advocate Alyssa Miller dives into the key issues that keep security shut out of the DevOps Pipeline. She’ll provide insights from her recent research into the state of DevSecOps and Open Source Security and share evidence that indicates organizations are still failing to mature their processes and achieve the ideal shared responsibility culture.

Through her analysis, Alyssa identifies tangible, practical actions that security practitioners can take to successfully enable security practices within the pipeline. Alyssa will demonstrate what steps can be taken to create accountability between Development, Security, and Operations disciplines. Finally, Alyssa delivers a forward-looking viewpoint for what lies beyond DevSecOps, and how this culture can be extended to include the broader business.

If You Give a Hacker a Cookie

Shaun Lamb, Principal Security Application Architect, SAS Institute

If you give a hacker a cookie… He’s going to inspect the cookie with a tool like OWASP ZAP. When he’s found a persistent session cookie, he might notice the SameSite or HttpOnly attributes are missing. So he will probably run a dynamic security scan using ZAP to find a cross-site scripting vulnerability on a page that uses the vulnerable cookie. When the scanner finds a reflected XSS, he’ll want to execute a session hijacking attack to steal the sensitive information in the persistent cookie. He might send phishing emails containing the vulnerable URL which would execute JavaScript in the user’s browser and send sensitive information back to the hacker. He might get carried away and brag about his exploit on social media, thus damaging the reputation of the company. He’ll post the YouTube video of his exploit and stand back to look at it. While looking at YouTube he’ll end up watching a funny video of a cat falling asleep while drinking milk, which will remind him that he’s thirsty. So… he’ll want a glass of milk. And chances are while he drinks a glass of milk, he’s going to want a cookie to go with it.

This session will cover:

  • An introduction to OIDC, OAuth and JWTs in the context of a microservices-based architecture
  • A comparison of a traditional cookie-based authentication approach vs a modern JWT-based design
  • Open source OWASP tools such as the API Security Guide, Cheat Sheets, and testing tools
  • Role of an API Gateway when using cloud-based Identity Providers

5 Pillars of Security Success

Eric Hart, TLCP Senior Principal Engineer

A common challenge in organizations is how to keep the topic of security at the forefront but not blow CAPEX or OPEX budgets. Compounded with the industry-wide shortage of cybersecurity talent in the workforce, there is little left to wonder why the increased burden of security keeps moving faster than most can keep up. In this talk I will highlight 5 Pillars for implementing a self-sustaining security education model within any organization that will:

  • Convince the C-Suite the investment in talent is worth the effort
  • Make the CISO your trusted ally
  • Build a sustainable and repeatable framework that is product agnostic
  • Recharge and motivate developers to do more and reward them for the effort

Sudo for defense: How can new or lesser-known features help you?

Peter Czanik, Open Source Evangelist, One Identity

Sudo has supported fine-tuned permissions and in-depth logging for many years, even though system administrators often know it only as the “prefix” to use before entering a command requiring root privileges. Recent versions provide even more tools to operate and secure your systems. You can collect session recordings centrally. You can now also extend sudo using Python code to, for example, further restrict authorization, terminate sessions, and alert on suspicious activity.

Learning or guessing a user’s password is relatively easy. That is why attackers know sudo as an easy stepping-stone to administrator access. Earlier versions of sudo already provided in-depth logging in order to spot suspicious activity. Version 1.9 puts even more tools into the hands of administrators and security teams. You can collect session recordings centrally. Plugin support was already available in 1.8, but starting with 1.9 you can also extend sudo using Python code.

This talk gives you an introduction to lesser-known features of sudo and then focuses on new possibilities for system administrators available with version 1.9.

Using sudo does not make much sense without proper logging and alerting. There are three major possibilities:

  • syslog: all events are logged to syslog. For additional security, collect sudo logs centrally, so a malicious user cannot delete them easily.
  • e-mail: sudo can send email alerts on different kinds of failures.
  • debug: in-depth logging of subsystems, mostly useful for developers

Session recording is a fourth possibility. The terminal output can be saved in a file and played back. You can play back what happened, even if the user started up an interactive shell.

Starting with version 1.9, you can collect session recordings centrally. This has many advantages: it is convenient, more available, and provides additional security.

You can also extend sudo in Python. This gives you even more possibilities on the defense side. Using Python code, you can easily query external applications for information. For example, only allow a session if there is an open ticket for it, or when the given sysadmin is on duty according to the HR database.

Python also provides many possibilities to detect suspicious activities. A new API provides you with full access to sudo logs, with even more data than the traditional sudo logs provide, so you can analyze log messages in real-time within sudo. You can also analyze IO logs from Python, including user input and terminal output. This way it is easy to detect suspicious content on the screen, like file names appearing on-screen from a directory which the user was never supposed to access. With a few additional tricks, you can also detect what the user is typing and analyze command lines. You can alert on suspicious activity or even terminate sessions.
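As an added example (not code from the talk or from the sudo project): a sudo 1.9 Python IO plugin that does what the paragraph above describes, scanning terminal output line by line and terminating the session as soon as a path under a forbidden directory appears on screen. The forbidden locations, the path regular expression and the offline stand-in for the `sudo` module are assumptions for this example; the method names and `sudo.RC` return codes follow sudo's Python plugin API.

```python
import re

try:
    import sudo  # real module; only exists inside sudo's embedded Python (python_plugin.so)
except ImportError:
    # Stand-in with the same names so the logic can be unit-tested outside sudo
    # (an assumption for offline testing, not the real sudo API).
    class _RC:
        ACCEPT, REJECT = 1, 0

    class _Plugin:
        def __init__(self, **kwargs):
            for key, value in kwargs.items():
                setattr(self, key, value)

    class sudo:  # type: ignore[no-redef]
        RC, Plugin, log_info = _RC, _Plugin, staticmethod(print)

PATH_RE = re.compile(r"/[\w./-]+")  # absolute-path-looking tokens in terminal output


def find_forbidden(text, forbidden_dirs):
    """Return path tokens in text that equal or lie under a forbidden directory."""
    hits = []
    for tok in PATH_RE.findall(text):
        for d in (d.rstrip("/") for d in forbidden_dirs):
            if tok == d or tok.startswith(d + "/"):
                hits.append(tok)
                break
    return hits


class SudoIOPlugin(sudo.Plugin):
    # Constructed policy for the example: locations this user must never read.
    forbidden_dirs = ("/root/.ssh", "/etc/shadow")

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self._tail = ""  # unfinished line carried over between tty chunks

    def open(self, argv, command_info):
        self._tail = ""
        return sudo.RC.ACCEPT

    def log_ttyout(self, buf):
        # Output arrives in arbitrary chunks: scan complete lines, keep the rest for next call.
        *lines, self._tail = (self._tail + buf).split("\n")
        hits = find_forbidden("\n".join(lines), self.forbidden_dirs)
        if hits:
            sudo.log_info("forbidden path on screen, terminating session: " + ", ".join(hits))
            return sudo.RC.REJECT  # REJECT from log_ttyout makes sudo terminate the command
        return sudo.RC.ACCEPT
```

Inside sudo the plugin is registered in sudo.conf with a line of the form `Plugin python_io python_plugin.so ModulePath=/path/to/forbidden_paths.py ClassName=SudoIOPlugin` (path is a placeholder).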

As you can see, sudo has several lesser-known features that can make access management and monitoring easier.

How to 2FA-enable Open Source Applications

Michael Schwartz, Founder/CEO, Gluu

Everyone knows passwords are terrible for security. But rolling out two-factor authentication (2FA) is tricky. Not only do you need to update applications to use 2FA, but you need to consider what happens if an end-user loses their credential. If you love open source tools like WordPress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice, a 2FA solution is now within your grasp. And you are not limited to just OTP or SMS. You can integrate support for FIDO tokens, mobile push notifications, or even popular SaaS services, like Duo Security.

In this workshop, you'll learn:

  1. Which 2FA technologies can be used without paying a license;
  2. How to enable users to enroll and delete 2FA credentials;
  3. How to configure open source applications to act as a federated relying party, delegating authentication to a central service;
  4. How custom applications can act as a federated relying party.

Be sure to register today to attend both days of All Things Open 2020. For the first time ever there is a FREE option, courtesy of our Presenting Sponsors.