This month, in addition to the several dozen technical talks and trainings our researchers will offer at our internal conferences, NCC CON US and NCC CON Europe, two NCC Group researchers will also be presenting work publicly:
- Clint Gibler, “DevSecOps State of the Union v2.0,” presented at AppSec Cali (Santa Monica, CA – January 22-24 2020)
- Mark Manning, “Command and KubeCTL: Real-World Kubernetes Security for Pentesters,” presented at Shmoocon (Washington, DC – January 31-February 2 2020)
You can preview each of the talk abstracts below. We hope to see you there!
DevSecOps State of the Union v2.0
Clint Gibler, NCC Group
AppSec Cali, Santa Monica, CA
Friday January 24 2019
There have been hundreds of blog posts and conference talks about DevSecOps and scaling security. As a busy security engineer, it can be difficult to stay on top of or even be aware of relevant research.
Don’t worry, I’ve put in the time for you.
This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts and conference talks over the past few years, and combine them with knowledge gained from in-person discussions with AppSec engineers at a number of companies with mature security teams.
- Principles, mindsets, and methodologies of highly effective AppSec teams
- High value engineering projects that can prevent classes of bugs
- Security metrics and creating a data-driven security program
- Valuable security primitives to invest in, upon which high leverage initiatives can be built
- How and where to integrate security automation into the CI/CD process in a high signal, low noise way
- Useful open source tools
You’ll leave this talk with an understanding of the current state of the art in DevSecOps, links to tools you can use, resources where you can dive into specific topics of interest, and most importantly, an actionable path forward for taking your security program to the next level.
Command and KubeCTL: Real-World Kubernetes Security for Pentesters
Mark Manning, NCC Group
Shmoocon – Washington, DC
January 31 – February 2 2020
Kubernetes is a security challenge that many organizations need to take on, and we as pentesters, developers, security practitioners, and the technically curious need to adapt to these challenges. In this talk we will look at tactics, techniques, and tools to assess and exploit Kubernetes clusters. We will demonstrate how to intercept service mesh traffic, evade runtime syscall filters, exploit custom sidecars, and chain attacks that go from compromising a build environment to exploiting production applications. We’ll cover real-world attack paths and provide practical advice and guidance, using the experience of conducting hundreds of reviews of containerized environments while running NCC Group’s container research group.