Automate all the security!
An experience report on...
- Automating security
- By a small company
- Dealing with big companies
- Talking about what we've used
- More and better automation is available
We Got Pop
We manage visual entertainment (TV, film, streaming) production so you don't have to, including the security audits
Outlaw King, Netflix, Key Casting
![](https://s3.amazonaws.com/media-p.slid.es/uploads/126362/images/6318319/outlaw-king.jpg)
Shift left
Embedding security into the development process so you don't have to think about security while developing
Basic strategy
- Security is a team goal
- Use the community
- Stay with the herd
- Use a service
- Externalise the concern
Secure your tools
- MFA
- Use federated login
- Spend time sorting permissions
- Shared password managers (1Password)
Our core tools
- Probely
- Buildkite
- Ghost Inspector
- GitHub
- Probot
- Dependabot
- Sentry
- Terraform
- AWS
AWS
- Intrusion Detection
- CloudTrail
- CloudWatch
- GuardDuty
- Patching
- Managed Policies
- ECS/ECR
- RDS
- Linux AMI
URL Photo Op
- https://buildkite.com
- https://probely.com
- https://sentry.io
- https://ghostinspector.com
Tools we're exploring
- ScoutSuite
- Bandit
- Snyk Docker testing
- FaaS
Tools we'd like to be exploring
- GitHub
- Actions
- Package management
- Logging dashboards and visualisation
- JavaScript static analysis
Other talks at FullStack
- Security in NodeJS, Forbes Lindesay
- Sam Bellen's authentication talks
- All the world's a staging server, Heidi Waterhouse
- Building systems with Terraform and NodeJS workshop
Shout out
https://tinyletter.com/cyberweekly
Thank you
Questions?
@rrees
https://wheretofind.me/@rrees
on most social media platforms
We Got POP
https://github.com/wegotpop
https://dev.to/wegotpop
Automate all the security! (FullStack 2019)
By Robert Rees