Automate all the security!
An experience report on...
- Automating security
- By a small company
- Dealing with big companies
- Talking about what we've used
- More and better automation is available
We Got Pop
We manage visual entertainment (TV, film, streaming) production so you don't have to, including the security audits
Outlaw King, Netflix, Key Casting
Shift left
Embedding security into the development process so you don't have to think about security while developing
Basic strategy
- Security is a team goal
- Use the community
- Stay with the herd
- Use a service
- Externalise the concern
Secure your tools
- MFA
- Use federated login
- Spend time sorting permissions
- Shared password managers (1Password)
Our core tools
- Probely
- Buildkite
- Ghost Inspector
- GitHub
- Probot
- Dependabot
- Sentry
- Terraform
- AWS
AWS
- Intrusion Detection
- CloudTrail
- CloudWatch
- GuardDuty
- Patching
- Managed Policies
- ECS/ECR
- RDS
- Linux AMI
URL Photo Op
- https://buildkite.com
- https://probely.com
- https://sentry.io
- https://ghostinspector.com
Tools we're exploring
- ScoutSuite
- Bandit
- Snyk Docker testing
- FaaS
Tools we'd like to be exploring
- GitHub
- Actions
- Package management
- Logging dashboards and visualisation
- JavaScript static analysis
Other talks at FullStack
- Security in NodeJS, Forbes Lindesay
- Sam Bellen's authentication talks
- All the world's a staging server, Heidi Waterhouse
- Building systems with Terraform and NodeJS workshop
Shout out
https://tinyletter.com/cyberweekly
Thank you
Questions?
@rrees
https://wheretofind.me/@rrees
on most social media platforms
We Got POP
https://github.com/wegotpop
https://dev.to/wegotpop
Automate all the security! (FullStack 2019)
By Robert Rees