As we move towards architectures designed to cope with changing requirements, and eternal services that go live and iterate, how can we manage change in a secure way? How can we possibly build secure systems in this environment?
Secrets come in many shapes and sizes: database API keys, database passwords, private keys. Distributing and managing these secrets is usually an afterthought. It's hard to get right, and can be very expensive if you get it wrong. In this session, we'll look at the core operations and properties that make up a good secret management system, and how these principles can be implemented.
When a user opens Facebook, he wants to post a picture. When she logs into her bank, she wants to see her balance. Security is not front of mind, and if it gets in their way, they’re likely to look for a shortcut or simply walk away. And yet, we consistently push security decisions to users. This talk will discuss how to build experiences that are actually secure, and yet not alienate users.
The Docker container technology has received criticism from security researchers, especially regarding the isolation of containers and the provenance of images. In this talk I'll explain the main concerns around container security and offer some best practices and guidance for addressing them.