Track: Building Security Infrastructure

Location: Plymouth - Royale, 6th fl.

Day of week: Tuesday

The cost of building defensible infrastructure is many times greater than the cost of successfully attacking it. Unfortunately, the security community has historically not been particularly open about sharing core pieces of their non-business critical security infrastructure. This has led to the proliferation of different solutions to the exact same problems (e.g., secret distribution, service to service communications, logging, etc.), and the waste of an incredibly rare resource: good engineering time.

The goal of this track is to bring together a diverse mix of experts and enthusiasts from industry and academia, for a day of highly technical, engaging presentations, leading to the open sharing of new and fruitful ideas.

The security community must strive for higher degrees of solution sharing and reuse, improving its collective efficiency and fostering a more effective giveback to the ecosystem, by releasing, supporting, and publicly presenting solutions and the open-source software that implements them. Hopefully, this track will be a sizable contribution in this direction.

Track Host:
Diogo Monica
Security Lead @Docker

Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square where he led the platform security team, has a BSc, MSc and PhD degrees in Computer Science, serves on the board of advisors of several security startups, and is a long-time IEEE Volunteer.

Trackhost Interview

QCon: What's the focus of the things that you're doing today with Docker?

Diogo: Our major focus at Docker is to build security into the new platform that developers and ops people are adopting. The question that drives us is how can we add security to Docker in a way that is trivial for developers and operators to use. As more and more companies move to containers, are they going to have safer infrastructures? Our objective is for the answer to be a resounding "yes." We also aim to have all of these features be turned on by default— something that the security industry has not been great at doing for the past 25 years.

QCon: That fits perfectly into the motivation of the whole track.

Diogo: Exactly. In the majority of conferences that cover security, breaking is always the main attraction. Someone hacked a car; someone hacked a teapot; someone hacked a microwave. We consistently glorify breaking. But the reality is that finding problems is a lot easier than fixing them, or finding solutions for classes of issues. The goal for this track is to focus on the builders, the unsung heroes doing the hard task of keeping our infrastructures safe. In particular, I believe it’s really important to help builders understand what open-source tools are already out there—and that would help them do their jobs—ensuring the community does not keep continuously reinventing the wheel.

QCon: What do you want someone who comes to this track to walk away with?

Diogo: The main points I would love people to walk away with are: what are the best practices on SSH key management, at scale, in a production system; what are the best practices around microservice security, mutual TLS, secret distribution, and what open-source software out there people can use; ensure that security teams understand they need to apply the same testing best-practices developers have been using for years, and should start implementing regression testing for security vulnerabilities; and finally, what are the best practices around monitoring, and what open source software out there does the bulk of the work already.

10:35am - 11:25am

by Ying Li
Security Engineer @Docker

Over the last few years, more and more system administrators and developers have become concerned about guaranteeing the authenticity, integrity, and confidentiality of their network communications. TLS has emerged as the solution recommended by security practitioners for all these problems. Let's Encrypt makes it easy to get a lock icon on a web browser, but in many cases public certificate authorities are inappropriate for private and internal uses. How can you mutually authenticate and...

11:50am - 12:40pm

Open Space
1:40pm - 2:30pm

by Christopher Grayson
Founder and Principal Engineer @WebSightIO

Regression in codebases is a significant problem that proportionally significant amounts of effort have already been spent addressing. Regression is a similarly large problem in the realm of security, yet de-facto standards and approaches for addressing the issue remain absent. Even when security programs have the proper staff, tooling, and budgets, they commonly struggle with ensuring that security holes remain fixed after they are initially patched. This talk will explore the application...

2:55pm - 3:45pm

by Bryan Payne
Leads Product & Application Security @Netflix

How can using SSH certificates improve security and simplify operations for instance access at Netflix-scale? How can you smoothly transition existing infrastructure to use SSH Certificates? Netflix created and uses BLESS, an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys. In this talk, you will start by learning about BLESS in general: what it is, how it works, and how you can start using it. Next, we will explore the Netflix BLESS...

4:10pm - 5:00pm

by Marcin Wielgoszewski
Security Engineer

Osquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure using standard SQL-based statements. But how? Organizations deploying osquery will need to engineer various solutions to accomplish this seemingly simple task. Enter Doorman. This simple Python/Flask-based web interface allows you to manage your entire osquery deployment, from baseline configurations and ad-hoc queries, to log collection and alerting. In this talk, we'll give a brief demonstration...

5:25pm - 6:15pm

by Janek Klawe
Security Engineer @Square

Everyone knows that in client-server systems, you can't trust the client. However, remote attestation gives us a way to change this. As Square provides financial services on unmanaged mobile devices, building more visibility into the client's runtime environment helps us fight fraud and offer unique features. In this talk I'll describe the systems we've developed to verify that our app is unmodified and running in a secure environment.

Naive client-side tampering checks are relatively...


Monday, 26 June

Tuesday, 27 June

Wednesday, 28 June