Automate all the security!

An experience report on...

  • Automating security
  • By a small company
  • Dealing with big companies
  • Talking about what we've used
  • More better automation is available

We Got Pop

We manage visual entertainment (TV, film, streaming) production so you don't have to, including the security audits

Outlaw King, Netflix, Key Casting

Shift left

Embedding security into the development process so you don't have to think about security while developing

Basic strategy

  • Security is a team goal
  • Use the community
    • Stay with the herd
  • Use a service
    • Externalise the concern

Secure your tools

  • MFA
  • Use federated login
  • Spend time sorting permissions
  • Shared password managers (1Password)

Our core tools

  • Probely
  • Buildkite
  • Ghost Inspector
  • Github
    • Probot
    • Dependabot
  • Sentry
  • Terraform
  • AWS

AWS

  • Intrusion Detection
    • Cloudtrail
    • Cloudwatch
    • GuardDuty
  • Patching
    • Managed Policies
    • ECS/ECR
    • RDS
    • Linux AMI

URL Photo Op

  • https://buildkite.com
  • https://probley.com
  • https://sentry.io
  • https://ghostinspector.com

Tools we're exploring

  • ScoutSuite
  • Bandit
  • Synk Docker testing
  • FaaS

Tools we'd like to be exploring

  • Github
    • Actions
    • Package management
  • Logging dashboards and visualisation
  • Javascript static analysis

Other talks at FullStack

  • Security in NodeJS, Forbes Lindesay
  • Sam Bellen's authentication talks
  • All the world's a staging server, Heidi Waterhouse
  • Building systems with Terraform and NodeJS workshop

Shout out

https://tinyletter.com/cyberweekly

Thank you

Questions?

@rrees

https://wheretofind.me/@rrees

on most social media platforms

We Got POP

https://github.com/wegotpop

https://dev.to/wegotpop