Well, last Thursday and Friday I went to LASCON, our local Austin application security convention! It started back in 2010; here are the videos from previous years (the 2017 talks were all recorded and should show up there sometime soon). Some years I get a lot out of LASCON and some I don't; this one was a good one and I took lots and lots of notes! Here they are in mildly edited form for your edification. Here's the full schedule; obviously I could only go to a subset of all the great content myself.

Then the first track talk I went to was on Security for DevOps, by Shannon Lietz, DevSecOps Leader at Intuit. She's a leader in this space and I've seen her before at many DevOps conferences.

- Give security defects to your devs, but characterize adversary interest so they can prioritize.
- Reduce waste in providing info to devs.
- 70-80% of bad guys return within 7 days, but 20% wait 30 days, until your logs roll.
- Learn development-ese to communicate with devs; don't make them learn your lingo.
- She likes to use the kill chain metaphor for intrusion and the MITRE severity definitions, but convert those into "letter grades" for normal people to understand!
- Read the Google BeyondCorp white papers for the newfangled security model.

By Mike McCabe and Brian Henderson of Stratum Security (/stratumsecurity), this was a great talk that reminded me of Paul Hammond's seminal Infrastructure for Startups talk from Velocity.

- Vendors, please get to one tool per phase; it's just too much.
- So you are getting started and don't have a lot of spare time or money: what is the highest-leverage way to ensure product security?
- They are building security SaaS products (sold one off already, now making XFIL) and doing security consulting. If we get hacked, no one wants our product.
- The usual startup challenges: small group of devs, short timelines, new tech, AWS, secrets.
- Make use of available tools: linters, SCA tools, fuzzing. Not covering host security, office security, or incident response here.
- They use AWS, Codeship and Docker (benefits: dev like in prod, run tools locally, test locally). JavaScript and Go; no more Rust (too bleeding edge). Lack of security tooling for the new stuff.
- Need to not slow down CI, so they want tooling that will advise and not block the build.
- ESLint with the detect-unsafe-regex and detect-child-process rules (from eslint-plugin-security). High false positives; you have to tweak your rules.
- Fuzzing: go-fuzz, based on AFL, sends random data at a function; use it on custom network protocols.
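To make the fuzzing point concrete, here is an added example of the shape a go-fuzz harness takes for a custom network protocol. This is not code from the talk or from Stratum; the wire format (a made-up 6-byte header plus payload), the `Parse`/`Encode` functions, and the offline `smokeFuzz` driver are all constructed for this illustration. The `Fuzz(data []byte) int` signature and its return-value convention are go-fuzz's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// Hypothetical custom wire format, constructed for this example:
//
//	magic   2 bytes  'S' 'M'
//	version 1 byte   must be 1
//	type    1 byte
//	length  2 bytes  big-endian payload length (capped at maxPayload)
//	payload length bytes
type Message struct {
	Type    byte
	Payload []byte
}

const (
	headerLen  = 6
	maxPayload = 4096
)

var (
	ErrShort     = errors.New("message truncated")
	ErrBadHeader = errors.New("bad magic or version")
	ErrTooLong   = errors.New("payload length exceeds limit")
)

// Parse decodes one message. Every length is checked before it is used as an
// index; the second ErrShort check is exactly the kind of missing bounds check
// that a fuzzer surfaces as an index-out-of-range panic.
func Parse(data []byte) (Message, error) {
	if len(data) < headerLen {
		return Message{}, ErrShort
	}
	if data[0] != 'S' || data[1] != 'M' || data[2] != 1 {
		return Message{}, ErrBadHeader
	}
	n := int(binary.BigEndian.Uint16(data[4:6]))
	if n > maxPayload {
		return Message{}, ErrTooLong
	}
	if len(data) < headerLen+n {
		return Message{}, ErrShort
	}
	payload := append([]byte(nil), data[headerLen:headerLen+n]...)
	return Message{Type: data[3], Payload: payload}, nil
}

// Encode is the inverse of Parse; the harness uses it for a round-trip check.
func Encode(m Message) []byte {
	buf := make([]byte, headerLen+len(m.Payload))
	buf[0], buf[1], buf[2], buf[3] = 'S', 'M', 1, m.Type
	binary.BigEndian.PutUint16(buf[4:6], uint16(len(m.Payload)))
	copy(buf[headerLen:], m.Payload)
	return buf
}

// Fuzz is the go-fuzz entry point (github.com/dvyukov/go-fuzz): the driver
// calls it with mutated inputs and reports any panic as a crasher. Returning 1
// marks the input as interesting for the corpus, 0 as uninteresting.
func Fuzz(data []byte) int {
	m, err := Parse(data)
	if err != nil {
		return 0
	}
	// Property check beyond "does not crash": parse -> encode -> parse is stable.
	again, err := Parse(Encode(m))
	if err != nil || again.Type != m.Type || string(again.Payload) != string(m.Payload) {
		panic(fmt.Sprintf("round-trip mismatch for input %x", data))
	}
	return 1
}

// smokeFuzz imitates the driver offline: it mutates a one-message seed corpus
// (bit flips and truncation, as AFL-style mutators do), calls Fuzz, and counts
// panics as crashes. Deterministic for a given seed, so it can run in CI.
func smokeFuzz(seed int64, iterations int) (parsed, crashes int) {
	rng := rand.New(rand.NewSource(seed))
	corpus := Encode(Message{Type: 7, Payload: []byte("hello")})
	for i := 0; i < iterations; i++ {
		input := append([]byte(nil), corpus...)
		for k := rng.Intn(3) + 1; k > 0; k-- {
			input[rng.Intn(len(input))] ^= byte(1 << rng.Intn(8))
		}
		if rng.Intn(4) == 0 {
			input = input[:rng.Intn(len(input)+1)]
		}
		func() {
			defer func() {
				if r := recover(); r != nil {
					crashes++
				}
			}()
			parsed += Fuzz(input)
		}()
	}
	return parsed, crashes
}

func main() {
	parsed, crashes := smokeFuzz(1, 10000)
	fmt.Printf("parsed=%d crashes=%d\n", parsed, crashes)
}
```

With the real tool you build the instrumented binary with `go-fuzz-build` and run `go-fuzz` with `-bin` and `-workdir` pointing at it, letting coverage guide the mutations; the offline loop above only shows the harness contract (return 1/0, panic on a violated property) and is a cheap advisory check that fits the "advise, don't block the build" stance from the talk.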