Level: Technical

Abstract:

There’s a lot of things to get right in order to have a Kubernetes environment your developers can use. Let’s try and figure out how they will do that, which tools they will use, and how will those tools impact your organization from a security perspective. In this talk, we’ll cover parts of Kubernetes attack surface from a development standpoint, tools your developers might want to use when interacting with Kubernetes clusters, and the overall impact making your clusters a part of your organization’s development workflow might have on your security posture.

Full description:

The Kubernetes ecosystem is broad, which in turn gives us an interesting and broad attack surface. We start off with a short introduction about Kubernetes and the state of Kubernetes security (in broad strokes). From there, we move into the motivation for this talk; one particular area in Kubernetes security that is not often looked at are the applications that developers use in order to improve their development experience. We will explore the “why” behind this motivation of bringing third-party tools into the development process and take a critical look at such applications.

We will look at the security evaluation process for bringing in new tools/applications into your Kubernetes environment. How should you choose what is brought into your environment, and what should that decision making process/guidelines look like from a security perspective? How much freedom do (or should) the developers really have? Where’s the thin line between productivity and opening an entirely new layer of attack surface? What is the current state of security of the commonly used tooling? How can we help developers in choosing a reasonable security baseline when evaluating software? How can we improve processes so that such software is brought in and security vetted at a company level?

Bios:

Igor Vuk is a system administrator with a soft spot for Python, SELinux and Kubernetes. He thinks that software-defined things are the bee’s knees.

Tonimir Kišasondi juggles his time between running a consultancy and making and breaking new shiny stuff. He loves appsec, go, coffee and secure software/hardware.

Level: Low Tech

Abstract:

Ever wonder what incident management is like when an embassy gets hacked, by ISIS? Come on a journey of surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity, city wide security lock down, all while >400 dignitary’s lives dangle in the negotiation crossfire.

Join Chris, the lead investigator and resolver on a super-secret squirrel adventure against ISIS & Turkish Intel in The Hague, The Netherlands. Discussing the 2014 Saudi Arabian embassy hack. Whoever said STEM was boring made it boring! Solve the crime and save lives with key takeaways from a real life cyber terrorism investigation. No classified information will be shared, some terrorists were harmed in the making of this talk.

Bio:

Chris Kubecka is the founder and CEO of HypaSec offering nation-state incident management, training in IT, IOT, ICS SCADA and expert advisory services to governments. Prior to HypaSec, she headed the Information Protection Group and international intelligence for the Aramco family. Re-establishing international business operations, helping to stabilize the oil market and implementing digital security after the company suffered from the world’s most devastating Shamoon cyberwarfare attacks which wiped out 85% of computer systems and over 35,000 Windows systems which deeply affected the countries of Saudi Arabia, Qatar and Bahrain. At Unisys, she helped halt the July 2009 second wave cyberwarfare attacks against South Korea during her time advising the company’s flagship customers Danone and Lloyds TSB. A USAF veteran, serving her country both as a military aviator and handling command and control systems for Space Command. Beginning her computer career at the age of five coding but was restricted from using computer systems from the age of ten until eighteen after hacking into the DOJ. Chris combines highly technical skills, ethical hacking, OSINT, strategy, leadership and governance expertise. Presenting at Europol, Interpol, national police, EU/NATO cyberwarfare exercises, DefCon, Black Hat, United Nations, Oxford, Cambridge, OWASP and BSides globally. Author of several technical, engineering and management courses and books Down the Rabbit Hole An OSINT Journey, Hack the World with OSINT and her upcoming book Hack the Galaxy with OSINT.

Blog: https://hypasec.com