While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company that puts the same effort into testing the security of their cloud. We have to understand what new threats and risks appeared with the cloud and how we should change our attitude to testing cloud security. The goal of my presentation is to show how a security assessment of cloud infrastructure differs from testing environments built on classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I'm going to show the whole kill chain, starting by presenting cloud-applicable reconnaissance techniques. Then I'll attack the web application server hosted on an EC2 instance to access its metadata. Using the assigned role, I'll access another AWS EC2 instance to escalate privileges to administrator and then present how to hide fingerprints in the CloudTrail service. Finally, I'll demonstrate various techniques for silently exfiltrating data from an AWS environment and setting up persistent access, and describe other potential cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services, and each step of the kill chain will be presented in the form of an interactive, live demo. Using the presented attacks as examples, I'll show how to use the AWS exploitation framework Pacu and other handy scripts.
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points: - Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets. - An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools. - Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions. - AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
This session is focused on diving into the AWS IAM policy categories to understand the differences, learn how the policy evaluation logic works, and go over some best practices. We will then walk through how to use permission boundaries to truly delegate administration in AWS.
How to centrally view and manage security alerts and automate compliance checks.
You must have encountered the following image when using Screaming Frog. Many websites do not have these parameters when crawled by Screaming Frog. One of the most important issues for search engines is security.
Securing your web applications can be a daunting task, as attackers find different ways to exploit your web application or impact your availability. In this webinar (Level 300), we will share AWS Lambda scripts that you can use to automate security with AWS WAF (web application firewall) and write dynamic rules that can prevent HTTP floods, protect against bad-behaving IPs, and maintain IP reputation lists. You can also learn how Brazilian retailer, Magazine Luiza, leveraged AWS WAF and Lambda to protect its site and guaranteed an operationally smooth Black Friday. Objectives: • Learn how to use AWS WAF and Lambda together to automate security responses. • Get the Lambda scripts and CloudFormation templates that prevent HTTP floods, automatically block bad-behaving IPs, bad-behaving bots, and allow you to import and maintain publicly available IP reputation lists. • Gain an understanding of strategies for protecting your web applications using AWS WAF, CloudFront, and Lambda. Who Should Attend: IT Managers, Security Engineers, DevOps Engineers, Developers, Solution Architects, and Web Site Administrators
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.
Get an overview of HashiCorp's Vault concepts. Learn how to start a Vault server. Learn how to use the Vault's postgresql backend. See an overview of the Vault's SSH backend integration. This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/
This presentation is about pentesting AEM web applications. It was presented at the PHDays security conference.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to source repositories, discuss SSH access and necessary SDKs, and more.
This webinar covers cloud security fundamentals across AWS, Azure, and GCP. It begins with introductions and an overview of the course, which includes cloud security 101, best practices for each cloud provider, and a discussion of current threats. The presentation covers topics such as the shared responsibility model, cloud security risks and governance models, identity and access management, data security, and techniques for mitigating risks in the cloud. It emphasizes the importance of a data-centric approach to security and controlling access according to the principles of least privilege and separation of duties.
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
This document discusses encryption options when using AWS, focusing on the AWS Key Management Service (KMS). KMS allows users to simplify the creation, control, rotation and use of encryption keys in AWS services like S3, EBS, RDS, Redshift and others. It addresses key storage, access and usage considerations. KMS uses symmetric AES-256 encryption for data keys and allows granular IAM control over who can create, enable/disable, use and audit keys. The presentation demonstrates how to create and use customer master keys in KMS and integrate encryption with S3 and EBS volumes.
The document provides information about an AWS workshop on Amazon EC2 and Amazon VPC including: - The agenda covers Amazon EC2, S3, EBS from 9:30-10:30am and Amazon VPC from 10:45-11:15am with a lab building a VPC and deploying a web server from 11:15-12:15pm. - The introduction section gives logistics for connecting to WiFi and downloading the lab guide and signing up for an AWS account. - Amazon EC2 allows launching virtual server instances with options to choose the operating system, configure storage and networking, and scale capacity up or down as needed.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following four vulnerabilities: Injection, Sensitive Data Exposure, Cross-Site Scripting, and Insufficient Logging and Monitoring.
The document discusses various AWS services for monitoring, logging, and security. It provides examples of AWS CloudTrail logs and best practices for CloudTrail such as enabling in all regions, log file validation, encryption, and integration with CloudWatch Logs. It also summarizes VPC flow logs, CloudWatch metrics and logs, and tools for automating compliance like Config rules, CloudWatch events, and Inspector.
Learning Objectives: - How to safely generate a number of Amazon GuardDuty findings - How to analyze Amazon GuardDuty findings - How to think about remediation of threats
Nowadays it is common practice to carry out periodic security tests of the local network, but company owners rarely decide to run similar tests of their cloud environments. We need to understand the new threats and risks that have appeared along with cloud services, and how we should change our approach to testing them. The aim of my presentation is to show the necessity of testing the cloud environment and how much it differs from testing an environment based on classic architecture. In the form of a demo, I will present an example attack on a company using AWS services. Exploiting a vulnerability in a web application, and then a series of minor oversights in the AWS configuration, I will show how a potential attacker can step by step take over the AWS administrator role and then delete all evidence of their activity.
This document discusses security issues related to Amazon Web Services (AWS). It begins with an introduction to cloud technology and AWS terms. It then discusses specific issues like unintended access to AWS Simple Storage Service (S3) buckets and exposure of access keys. The document warns that old vulnerabilities can take on new life in the cloud. It provides examples of security incidents and demonstrates security reference scanning and exposure of metadata. The document concludes by recommending ways to restrict access and data, audit policies, whitelist IPs, use multi-factor authentication, and monitor AWS usage and costs. Contact information is provided for any questions.
This document provides an overview of a presentation about AWS security best practices. It discusses several methods for hardening an AWS environment including: not using the root account, removing root access keys, auditing IAM policies, enabling multi-factor authentication, implementing a strong password policy, and restricting API access with MFA. It also covers ways to monitor an AWS environment for anomalies using CloudTrail, SNS, Config, and CloudWatch. Specific examples are given around setting up billing alerts with CloudWatch and SNS.
Information security guidance and strategies for securing cloud infrastructure in Amazon Web Services, presented by risk3sixty LLC and Afonza, Atlanta-based cyber risk management firms.
AWS's access model provides powerful opportunities for controlling who has what level of access to which resources. But with this awesome power comes awesome complexity. The inevitable shortcuts mean that a one-line bug could wipe out all your EC2 resources instead of the intended targeted few. In this talk, we'll quickly review the key aspects of IAM and discuss some strategies for keeping cloud resources safe from friendly fire. Presented at Austin DevOps July 2019
This document summarizes a presentation about security automation improvements that can be made using Amazon CloudWatch Events and AWS Config Rules. It discusses five examples of automation: automatic CloudTrail remediation, CloudFormation template auditing, AWS CIS Foundation Framework account assessment, auto MFA for IAM users, and automatic isolation of "tainted" servers. Code examples and demonstrations are provided for each automation example. Other security automation tools and resources are also listed.
The landscape of IT and data security has changed vastly since the advent of the cloud. Savvy technology leaders know that they must have visibility and control over their environment to fully leverage their cloud investments. Tools like IAM give teams indispensable means to proactively manage and protect their cloud environment. Join CloudCheckr CEO Aaron Newman to learn tips for effective and secure cloud deployments that you can implement today, including: • How to address requirements of the AWS Shared Responsibility Model • Why anticipating internal and external threats is crucial for mitigating security risks in the cloud • An IAM overview and how it helps ensure secure and compliant deployments • Features and policies, as well as how to apply them to users and groups • Advice for leveraging IAM roles to mitigate potential security risks • Best practices for using IAM to configure user permissions, and other important considerations. This session is brought to you by AWS Summit Chicago sponsor, CloudCheckr.
The document discusses various security risks and best practices for securing applications and data in the AWS cloud using a DevOps model. It covers topics like data breaches, weak identity and access management, insecure APIs, system vulnerabilities, account hijacking, and malicious insiders. For each risk, it provides examples of real security incidents and recommendations like implementing least privilege access with IAM, using services like AWS KMS and Secrets Manager for credential storage, enabling MFA, monitoring with GuardDuty and Inspector, and segmenting access. The overall message is that security must be automated, monitored, and built into DevOps workflows from the start when developing in AWS.
If your business runs entirely on AWS, your AWS account is one of your most critical assets. Just as you might run an intrusion detection system in your on-premises network, you should monitor activity in your AWS account to detect abnormal behavior. This session walks you through leveraging unique capabilities in AWS that you can use to detect and respond to changes in your environment.
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
The document discusses various penetration testing techniques including: 1. Using OSINT techniques like disabling content security policies to scrape invite links from a site. 2. Checking domains with services like VirusTotal to see their categorization and reputation over time. 3. Using Azure domain fronting to hide command and control domains from network defenders. 4. Enumerating Active Directory with tools like Bloodhound to find high privilege accounts and exploit delegation.
Only a year ago we launched AWS IoT, and at re:Invent we showed how AWS IoT makes it easy to secure millions of connected devices. However, we have learned from our customers that a number of unique security challenges for the Internet of Things (IoT) exist.
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more! Delivered at JokerConf on October 28, 2021 at 11am MDT: https://jokerconf.com/en/talks/lock-that-sh*t-down-auth-security-patterns-for-apps-apis-and-infra/
Securing platforms like Kubernetes can be challenging. Luckily there are tools to create insights into potential security threats. Get an introduction into the world of Security Information Event Monitoring (SIEM) and how to make OpenSearch your favorite solution for Security Analytics. You get familiar with the technology and concepts behind this powerful platform. Talk includes hands-on demo to get a grasp of provided functionality.
This document provides an overview of digital forensics and security in the cloud. It discusses common attacks such as access key compromise and misconfigured services. It also outlines an incident response workflow and tools that can be used to acquire evidence from AWS resources like EC2 instances, S3 buckets, and RDS databases. Finally, it discusses hardening strategies like using immutable infrastructure and auditing tools like Prowler to assess security configurations.
SpringOne 2021 Session Title: Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra Speakers: Brian Demers, Developer Advocate at Okta; Matt Raible, Java Web Developer at Okta
Ken Johnson, CTO of nVisium, discusses harnessing existing AWS functionality to strengthen your organization’s AWS infrastructure against real-world attacks.
A talk I gave at the Leeds AWS Meetup (01/11/2017) exploring how Sky Betting and Gaming manage secure access to AWS in an ever-increasing threat environment.