DevSecCon Asia 2017 Arun N: Securing chatops
Transcript of DevSecCon Asia 2017 Arun N: Securing chatops
Page 1
Join the conversation #devseccon
Extending and securing Chat-Ops
Arun N
Page 2
Introduction
• Arun Narayanaswamy
• 14 years in Dev & Ops
• Worked at large enterprises including Fortune 1
• Entrepreneur, Student, Photographer and Traveler…
• Disclaimer: “The opinions expressed, software references and any content in this presentation are solely mine and they do not represent my employer.”
Page 3
How many of you use Chat @ Work?
techcrunch.com
Page 4
ChatOps Architecture – How does it work?
© http://nordicapis.com
Page 5
Chat Apps – Big Players!
• Instant messaging on steroids
• Your ‘whatsapp’ for business!
• Collaboration
• Integrated workspace - Text, audio, video
• All alerting and messaging in one place
• Share, Search & Integrate
• Chat-ops!
• Fun
Page 6
Bots– Big Players!
• Hubot
• errbot.io
• lita.io
• operable.io
Page 7
Hubot – Why?
• CoffeeScript on Node.js
• Active development - GitHub
• Easy integration with third-party APIs
• Deployable on Heroku, AWS
• Works with Slack and HipChat (and more)
• What’s chat without Hubot?
Page 8
Typical CD Workflow
• Revolves around the orchestrator
• Data needs to be consolidated into Splunk/ELK/Jenkins etc.
• Now better with:
• Containers
• New-gen monitoring
Page 9
CI-CD – Data Flow / Bot Interactions / Chat Notifications (diagram)
HipChat / Hubot - Workflow
Page 10
Risk
Potential Loopholes (With and without ChatOps)
Page 11
Potential Loopholes : Focus today!
Page 12
Plugging in the loopholes
2FA
• Hardware Tokens
• Software Tokens
Roles
• Custom Code
• Hubot Auth
2FA
Multiple Rooms
AWS IAM Policies
Page 13
Plugging in the loopholes : Hardware keys
Page 14
Plugging in the loopholes : Hardware keys
• Demo
[ https://devseccon.hipchat.com/chat ][ https://id.heroku.com/login ][ https://www.yubico.com ]
Page 15
Plugging in the loopholes : Soft keys
Page 16
Plugging in the loopholes : Roles
Page 17
Plugging in the loopholes : Rooms
• Restricted Channels
• Private Channels
• Different Instance of Chat System
• 2FA on Chat system itself
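As an added example (not code from the talk or from the Hubot project), here is how the Roles/Hubot Auth slide and the Rooms slide above can be enforced together in a single Hubot listener middleware: a command runs only if the caller holds a required role and is speaking in an allowed room. It assumes hubot-auth's `robot.auth.hasRole(user, role)`, Hubot 2's `(context, next, done)` middleware signature, and listener option keys `roles` and `rooms`, which are a convention chosen here rather than part of Hubot.

```javascript
// Added example, not from the talk: one Hubot listener middleware that
// refuses a command unless the caller holds a required hubot-auth role
// AND is speaking in an allowed room (a restricted channel).
// Assumptions: robot.auth.hasRole(user, role) from hubot-auth; Hubot 2's
// (context, next, done) middleware; the listener option keys `roles` and
// `rooms` are a convention chosen here, not part of Hubot itself.

// Pure decision logic, separate from Hubot so it can be tested offline.
function authorizeListener(auth, envelope, options) {
  const roles = options.roles || [];
  const rooms = options.rooms || [];
  // Room restriction: the command may only be triggered from listed rooms.
  if (rooms.length > 0 && !rooms.includes(envelope.room)) {
    return { allowed: false, reason: `not allowed in room ${envelope.room}` };
  }
  // Role restriction: the caller needs at least one of the listed roles.
  if (roles.length > 0 && !roles.some((r) => auth.hasRole(envelope.user, r))) {
    return { allowed: false, reason: `requires one of: ${roles.join(', ')}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed stand-in for robot.auth: an in-memory role map keyed by user name.
function makeAuth(rolesByUser) {
  return { hasRole: (user, role) => (rolesByUser[user.name] || []).includes(role) };
}

// Hubot wiring: Hubot loads this as a script; it is inert when run outside Hubot.
function hubotScript(robot) {
  robot.listenerMiddleware((context, next, done) => {
    const opts = context.listener.options || {};
    const envelope = context.response.envelope;
    const verdict = authorizeListener(robot.auth, envelope, opts);
    if (verdict.allowed) return next(done);
    // Deny, tell the caller why, and leave an audit trail in the bot log.
    context.response.reply(`Refused: ${verdict.reason}`);
    robot.logger.warning(`denied '${opts.id}' for ${envelope.user.name} in ${envelope.room}`);
    return done();
  });
  // Guarded command: deploys only by 'deployer' role members, only in #ops-prod.
  robot.respond(/deploy (\S+)/i, { id: 'deploy', roles: ['deployer'], rooms: ['ops-prod'] },
    (res) => res.reply(`deploying ${res.match[1]}`));
}

if (typeof module !== 'undefined') {
  module.exports = hubotScript;
  module.exports.authorizeListener = authorizeListener;
  module.exports.makeAuth = makeAuth;
}
```

Denials are replied to and logged rather than silently dropped, so an attempt to run a privileged command from the wrong room or without the role shows up in the bot's log for review.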
Page 18
Plugging in the loopholes : IAM (AWS)
• Policies on what each system can run
• Better control on AWS/Heroku where the bots run
Page 19
Summary
© http://nordicapis.com
Page 20
Join the conversation #devseccon
Thank you!
linkedin.com/in/arun-n