Christo Goosen is a Dev and DevOps engineer by day. Long-time interest in security, and studying an Infosec MSc next year. Luckily, as DevOps I get to put some of that interest into practice as a defender. OWASP Cape Town chapter leader and tinkerer of tech. “To err is human, to automate it is DevOps”.
Talk: # TODO: “Secure(r) Cloud Development”
So everyone has heard that Cloud computing is another term for not your computers. Despite this, we put a lot of trust in the fact that startups don’t have the technical prowess to secure an environment on the level AWS, AppEngine or Azure can achieve. Open source software, audits, investors and the community hold these companies accountable, but sometimes we miss one last avenue of defence: the problem between the keyboard and the Cloud. Deploying code, infrastructure, data etc. on cloud systems needs to cover the wild west of the internet. Can you claim that your infrastructure is secure when the developers could introduce vulnerabilities with free rein on Cloud services? Often a startup gets up and running with every developer having admin access to Cloud services, but is this sustainable?
This talk will describe research in this area (such as the implementation by Coinbase), as well as my own experience working at <insert Company here> (focused around AWS) and using free and open source tools to lock down our development workflows. This talk will cover VPNs, pfSense, Cloud services (Google App Engine, AWS, Azure, etc.), CI, etc. This talk is aimed at developers, DevOps, data scientists, security professionals and any other professional working with or due to work with Cloud services.
This talk will take you through existing tech and tools available now to strengthen your security instead of leaving # TODO everywhere in your security.
Takeaways from this talk:
- Security can equal more freedom to developers
- CI can turn DevOps into DevSecOps
- pfSense is awesome
- VPNs are great, not a pain
- Enable vs disable dev toolset
- Secrets management