Overview
Syllabus
Intro
Security fundamentals
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
OWASP (Open Web Application Security Project): find good, trusted, peer-reviewed sources
Consistent, planned authentication
Storage, quality, length, lifecycle: the keys to token success
Validation required: every header, every field, every format, every method
Service decomposition
Scaling and resource exhaustion
Orchestration layer attacks
Features that scare me:
1. Impersonation
2. Investigation mode
3. Demo accounts on production
4. SSL interception and analysis
5. Many password sins
The golden rule: never assume a security vendor is better at secure development than you are
Identity and access
Principle of least privilege: the lowest set of permissions and accesses required to do your job
Roles vs. fine-grained permissions
Immutable architectures matter in microservice security
Auditable host configurations are a good thing, but you might not be the right person to audit them
Avoids configuration creep, including those changes made by an attacker
Choose the right tools for the job you are doing
Not all technologies have mature libraries, frameworks, and documentation
Detection
Poorly managed logs are a simple way to create denial of service attacks
Taught by
NDC Conferences