Cobalt Crowdsourced Application Pentest


Snippets from RSA: Part 2

Caroline Wong
Apr 24, 2018

Last week during RSA Conference, I reached out to a few speakers to learn more about what they are up to and hear about their RSA talks.

  1. James Routh, Aetna
  2. Kolby Allen, Zipwhip

Here’s what they had to say about their jobs, their favorite and least favorite things about their work, and their advice for DevOps engineers.

What is your current role at Zipwhip and what do you like best about it?

I am currently a DevOps engineer with our Operations teams. We are a small team that is responsible for the core infrastructure (servers, clusters, dbs) and also managing our build and deployment tools. The team is great to be on because of the varied amount of work we get to do. Our projects range from building and learning Kubernetes, to simple troubleshooting of Jenkins builds. Every day is something new and different, which keeps things interesting.

What are the key takeaways from your talk at RSA this year?

The talk focused on AWS and some of their native security tools and methodologies. The biggest things I hope people take away from it were the following:

1) From the attack perspective — read-only accounts can get a lot of information and can be used to do a lot of things within your account.

2) Minimize access. If you are not able to minimize access, then minimize the access each role has and then leverage multiple roles.

3) Leverage MFA where you can.

4) Turn on all AWS logging and monitor it so that you can learn what is really happening in your account.
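As an added illustration of takeaways 2 through 4 (not code from the talk or from Zipwhip), the following Terraform fragment defines a role that can only be assumed with MFA, a permissions policy scoped to one bucket instead of a blanket read-only policy, and a multi-region CloudTrail trail. The account id, bucket names and role name are placeholders, and the trail's log bucket with its bucket policy is assumed to already exist.

```hcl
# Added example: least-privilege role gated by MFA plus account-wide logging.
# Account id and bucket names below are placeholders, not real resources.

locals {
  account_id = "111122223333"            # placeholder account id
  log_bucket = "example-cloudtrail-logs" # placeholder, assumed to exist
}

# Takeaways 2 and 3: a narrowly scoped role whose trust policy demands MFA,
# so a leaked long-lived credential alone cannot assume it.
resource "aws_iam_role" "deploy_reader" {
  name = "deploy-reader"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
      Action    = "sts:AssumeRole"
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}

# Only the actions and resources this role's job needs; a managed
# ReadOnlyAccess policy would expose far more of the account.
resource "aws_iam_role_policy" "deploy_reader" {
  name = "deploy-reader"
  role = aws_iam_role.deploy_reader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-deploy-artifacts",   # placeholder bucket
        "arn:aws:s3:::example-deploy-artifacts/*",
      ]
    }]
  })
}

# Takeaway 4: record every region and global services (IAM, STS) with
# log file validation so tampering with delivered logs is detectable.
resource "aws_cloudtrail" "all_regions" {
  name                          = "all-regions"
  s3_bucket_name                = local.log_bucket
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
}
```

Separate roles for separate jobs (one for deploy artifacts, another for cluster operations, and so on) follow the same pattern, which is what the "leverage multiple roles" advice amounts to in practice.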

What would you say are your favorite and least favorite things about integrating Security into DevOps?

Favorite — The ability to provide secure and automated environments. It can prove challenging but is worth it once you figure out how to do it. I love challenging myself to see how I can integrate it more into how I do things.

Least Favorite — Sometimes it can be really hard to do from a technical perspective, and also getting buy-in from execs and other teams. Sometimes fighting for your security beliefs can prove to be exhausting and at times discouraging.

What advice would you give to DevOps engineers who are interested in learning more about security?

I would tell them to focus on automation. Automation is a key to security in the DevOps methodology. Once you can build & control servers you can then start integrating more tools. Once you have mastered that, I would start reviewing all the tools on the market and see how they can best help you obtain your security requirements.