Behind Closed Doors: Managing Passwords in a Dangerous World

*
Accepted Session
Short Form
Intermediate
Scheduled: Thursday, June 23, 2016 from 1:30 – 2:15pm in B202/203

Excerpt

A modern application has a lot of passwords and keys floating around. Encryption keys, database passwords, and API credentials; often typed in to text files and forgotten. Fortunately a new wave of tools are emerging to help manage, update, and audit these secrets. Come learn how to avoid being the next TechCrunch headline.

Description

Secrets come in many forms, passwords, keys, tokens. All crucial for the operation of an application, but each dangerous in its own way. In the past, many of us have pasted those secrets in to a text file and moved on, but in a world of config automation and ephemeral microservices these patterns are leaving our data at greater risk than ever before.

New tools, products, and libraries are being released all the time to try to cope with this massive rise in threats, both new and old-but-ignored. This talk will cover the major types of secrets in a normal web application, how to model their security properties, what tools are best for each situation, and how to use them with major web frameworks.

Tags

security, infosec

Speaking experience

You can find recordings of my last few years of talks at https://coderanger.net/talks/ including OSB 2015 (which was awesome btw :)

Speaker

Leave a private comment to organizers about this proposal