We are excited to have Dan, who works in the security team at Atlassian, coming all the way from Sydney to talk to us about the honey tokens project called SpaceCrab! We are also privileged to have Richard from SEEK enlighten us on his secrets-in-source-code scanning project to wrap up the evening :)
If you are developing products within a cloud environment, you know it's a complex, ever-changing landscape. This brings with it the challenge of keeping up with best-in-class security-as-code controls to keep these environments hardened, especially as development teams take ownership of operational concerns by transitioning to secure DevOps methodologies.
Food and drinks will be provided. Please RSVP if you can make it.
- Pizza - 6:00pm - 6:30pm
- Talks - 6:30pm - 7:30pm
- Networking - 7:30pm till 8:30pm
Honey tokens are a defense-in-depth operational control that can be used to trick hackers into falling for well-placed "bait" (e.g. fake AWS keys). They are great for detecting breaches and tipping off your on-call defenders to potential system compromises, but they're only as good as their coverage (and their camouflage).
At Atlassian, we built project SpaceCrab to help you build better traps, with tastier-looking bait! Dan will also explain the chaos that ensues when you post hundreds of AWS access keys onto the public internet... He also has stickers.
Dan is a Security Intelligence Analyst at Atlassian, an upright citizen and a meddler. His greatest fears are public speaking and writing bios ... mistakes have been made.
We all know secrets should not live in source code, but how do you verify that your team is not committing secrets to their source control system? Pfft, you say, we would never!!! Well, do you know if they have been accidentally added, then deleted, but still live in the repository's git history? And how would you do this at scale, across gigabytes of source code stored in a cloud service?
At SEEK, we hacked together a few well-known scanning tools and also added a feature to take a known-secret list, to come up with what we think is a fair compromise between detecting all the secrets and reducing the false positive rate. It's still a work in progress, but we have some decent results, so thought sharing is caring, etc, etc :)
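A scanner in the spirit of the approach described above (pattern matching plus a known-secret list, run over the full git history rather than just the working tree), written here as an added example; it is not SEEK's code nor that of any of the scanning tools referred to. The AWS key id regex, the hashing of the known list, and the sample log are my assumptions.

```python
import hashlib
import re

# AWS access key id shape: AKIA/ASIA prefix plus 16 upper-case alphanumerics.
PATTERNS = {"aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")}

def known_secret_hashes(secrets):
    """Keep the known-secret list as SHA-256 digests, never as plaintext."""
    return {hashlib.sha256(s.encode()).hexdigest() for s in secrets}

def scan_history_text(log_text, known_hashes=frozenset()):
    """Scan `git log -p --all` output. Every added ('+') line of every commit is
    checked, so a secret that was committed and later deleted is still found."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            content = line[1:]
            for name, pat in PATTERNS.items():
                for m in pat.finditer(content):
                    findings.append((commit, path, name, m.group(0)))
            # Exact hits against the known list carry no false-positive risk.
            for token in re.findall(r"[A-Za-z0-9/+=_\-]{8,}", content):
                if hashlib.sha256(token.encode()).hexdigest() in known_hashes:
                    findings.append((commit, path, "known_secret", token))
    return findings

# Constructed sample history (newest first, as git prints it): commit 1111... added
# a config with an AWS key id (the AWS documentation example) and a made-up shared
# password; commit 2222... deleted the file again.
SAMPLE_LOG = """commit 2222222222222222222222222222222222222222
--- a/config.py
+++ /dev/null
@@ -1,2 +0,0 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-DB_PASSWORD = "constructed-shared-pw-1"
commit 1111111111111111111111111111111111111111
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "constructed-shared-pw-1"
"""

def demo():
    """Scan the sample: two hits from commit 1111..., none from the deleting commit."""
    return scan_history_text(SAMPLE_LOG, known_secret_hashes(["constructed-shared-pw-1"]))
```

For a real clone, feed the output of `git log -p --all` to scan_history_text; the `-` lines of the deleting commit are ignored on purpose, since the `+` lines of the earlier commit already carry the secret.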
Richard began his technology career in product development, and has recently ventured into application security. He has a passion for architecting and building security related solutions.
If you are locked out or having issues finding the place, email, Slack or tweet us and we will guide you :)
- Julian (julian [dot] berton [at] owasp [dot] org)
- OWASP Slack - https://owasp.herokuapp.com/ (@jberton)
- Twitter - https://twitter.com/OWASPMelbourne