DevConf.CZ 2019 has ended


Security / IdM
Friday, January 25
 

1:00pm CET

Automated hardening of systems your way.
So you are a sysadmin responsible for a server, and you have to be sure that the system is hardened in some particular, maybe non-standard, way. Then meet your new best friend: the ComplianceAsCode project.
It features checks and hardening snippets in Ansible, Bash and SCAP-compliant formats, so you can use automation both to determine the system's state and to keep the system hardened. Discover the smart way of system hardening and learn how to leverage the project:
  • Extend it - write your custom rules,
  • tailor existing rules to exactly suit your needs,
  • compose rules into your security profiles that you can use to audit your system against, and
  • test your custom content for robustness.
For the best interactive experience, bring a laptop with:
  • these packages installed: git, Ansible, OpenSCAP, and Python with the pytest, jinja2 and PyYAML packages;
  • the ComplianceAsCode/content repository cloned (or updated to its current master branch);
  • the ComplianceAsCode/demo repository cloned. Check out its README for useful tips and tricks for the workshop!
  • a libvirt-managed Fedora VM whose root account accepts your passphrase-less SSH key (this is needed only to run the tests).
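The four workshop steps above (extend, tailor, compose, test) correspond to a handful of files in the content repository. The script below is an added example, not code from the workshop or from the ComplianceAsCode project: it scaffolds a hypothetical rule (site_issue_banner) with its variable, Bash and Ansible remediations and two test scenarios, plus a profile that selects the rule with a tailored value, in the directory layout the repository used in early 2019 (linux_os/guide/..., <product>/profiles/...). The rule, variable and profile names are made up; the build and test-suite invocations in the trailing comment are the usual ones of that time and should be checked against the repository's developer guide before use.

```sh
#!/bin/sh
# Added example; not code from the workshop or the ComplianceAsCode project.
# Scaffolds a hypothetical rule, its variable, Bash/Ansible remediations, test
# scenarios and a profile in the early-2019 layout of the content repository.
set -eu

RULE_ID="site_issue_banner"        # hypothetical rule id
VAR_ID="var_site_banner_text"      # hypothetical variable id
GROUP="linux_os/guide/system/accounts/accounts-banners"

scaffold_rule() {                  # $1 = path of a content repository checkout
    d="$1/$GROUP/$RULE_ID"
    mkdir -p "$d/bash" "$d/ansible" "$d/tests"

    cat > "$d/rule.yml" <<EOF
documentation_complete: true

title: 'Site login banner is present in /etc/issue'

description: |-
    <tt>/etc/issue</tt> must contain the banner text selected by <tt>$VAR_ID</tt>.

rationale: |-
    The banner states the acceptable-use terms before anyone authenticates.

severity: medium

ocil_clause: 'the banner text is missing from /etc/issue'

ocil: |-
    Check the banner with: <pre>grep -F 'banner text' /etc/issue</pre>
EOF
    # The check itself (OVAL) would go in $d/oval/shared.xml; omitted here.

    cat > "$1/$GROUP/$VAR_ID.var" <<EOF
documentation_complete: true

title: 'Site banner text'

description: 'Text that must appear in /etc/issue.'

type: string

operator: equals

interactive: false

options:
    default: 'Authorized use only.'
    site_text: 'Property of Example Corp. Authorized use only.'
EOF

    # Bash fix; "populate" is the content macro that injects the XCCDF value.
    cat > "$d/bash/shared.sh" <<EOF
# platform = multi_platform_all
populate $VAR_ID
grep -qF -- "\$$VAR_ID" /etc/issue || printf '%s\n' "\$$VAR_ID" >> /etc/issue
EOF

    cat > "$d/ansible/shared.yml" <<EOF
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var $VAR_ID)

- name: Ensure the site banner is present in /etc/issue
  lineinfile:
    path: /etc/issue
    line: "{{ $VAR_ID }}"
    create: yes
EOF

    # Test scenarios: *.pass.sh must scan as pass, *.fail.sh as fail.
    printf '#!/bin/bash\necho "Authorized use only." > /etc/issue\n' > "$d/tests/present.pass.sh"
    printf '#!/bin/bash\n: > /etc/issue\n' > "$d/tests/missing.fail.sh"
}

scaffold_profile() {               # $1 = repo checkout, $2 = product, e.g. rhel7
    mkdir -p "$1/$2/profiles"
    cat > "$1/$2/profiles/site.profile" <<EOF
documentation_complete: true

title: 'Site hardening profile'

description: 'Rules this site requires, with tailored values.'

selections:
    - $RULE_ID
    - $VAR_ID=site_text
    - accounts_tmout
EOF
}

# Build and test, run inside the repository (the test suite needs the VM
# described above); the profile id is derived from the file name:
#   ./build_product rhel7
#   oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_site \
#       --report report.html build/ssg-rhel7-ds.xml
#   python3 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm \
#       --datastream build/ssg-rhel7-ds.xml site_issue_banner

if [ "${1:-}" = "--into" ] && [ -n "${2:-}" ]; then
    scaffold_rule "$2"
    scaffold_profile "$2" rhel7
fi
```

Run it as `sh scaffold.sh --into /path/to/content` and build. Two practical notes: the test suite runs the .pass.sh/.fail.sh scripts as root inside the VM over that passphrase-less key, so generate a dedicated key for a throwaway VM rather than reusing a personal one; and a rule without an OVAL check builds fine but scans as "notchecked", so add the check before relying on the profile for auditing.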

Speakers

Watson Sato

Software Engineer, Red Hat, Inc.
Watson Sato is a Software Engineer at Red Hat, Inc. working on the OpenSCAP project. He is involved in the development of the OpenSCAP scanner and the ComplianceAsCode content.

Matěj Týč

Software Engineer, Red Hat


Friday January 25, 2019 1:00pm - 2:50pm CET
Workshop - A113
 
Saturday, January 26
 

9:00am CET

Enterprise Linux crypto story
This session will go through the core crypto components of Red Hat Enterprise Linux, from the kernel to OpenSSL, go briefly through the requirements set for such components, and explain how their security is evaluated through certifications and other means.

Speakers

Anderson Sasaki

Software Engineer, Red Hat



Saturday January 26, 2019 9:00am - 9:25am CET
E105

9:30am CET

Why you shouldn't write crypto functions yourself
Writing cryptographic functions is not hard; you do not even need to understand the math behind the cryptographic primitive you want to implement to be able to construct a set of functions that correctly encrypts and decrypts.
So why do cryptographers keep saying you should not implement your own crypto?
In this talk we'll show practical examples that explain why implementing a mathematical function correctly is only the easy part of the job, and where the devil in the detail lies. We'll also show how even well-thought-through implementations can sometimes be attacked, and how they evolve over time.

A general understanding of how modern CPUs work is useful for following the more technical parts. Knowledge of a programming language is highly recommended.

Speakers

Simo Sorce

Senior Principal Software Engineer, Red Hat
I work in the RHEL Crypto Team, I like Security related topics.



Saturday January 26, 2019 9:30am - 9:55am CET
E105

10:00am CET

Russian GOST cryptography in and near OpenSSL
National cryptography has to be supported in various applications. The presentation describes the history, current state and future of Russian GOST support in OpenSSL and OpenSSL-based applications.

Russian GOST support in OpenSSL is divided between modifications of OpenSSL itself and the engine (https://github.com/gost-engine/engine) implementing the low-level cryptographic primitives. The presentation describes the edge cases of using externally provided algorithms, the problems of supporting national specifics in OpenSSL, and adapting applications and standards to support national cryptography.

The presentation covers the history of the universal API for asymmetric cryptography in OpenSSL and offers some ideas about possible API development to make it more flexible.



Saturday January 26, 2019 10:00am - 10:50am CET
E105

11:00am CET

Overview of the NIST Post-Quantum Algorithms
This session will give a high-level overview of the various NIST post-quantum algorithms: 1) why they are needed, 2) how the families of the various algorithms work, 3) what the broad characteristics of those families are, 4) which algorithms are in those families, 5) how some of the one-offs work, 6) where to go to play with the algorithms, 7) what the next steps in the competition are.

Speakers

Bob Relyea

Principal Programmer, Red Hat; OASIS PKCS #11 co-chair
Bob Relyea is a principal programmer at Red Hat working on the Network Security Services (NSS) library. Bob is also the co-chair of the OASIS PKCS #11 technical committee, having worked with PKCS #11 and its integration into NSS since 1995.



Saturday January 26, 2019 11:00am - 11:25am CET
E105

11:30am CET

TLS 1.3: what developers should know about the API
Major crypto libraries have adopted TLS 1.3 since its final publication last August. Those libraries are carefully designed so that applications can switch to the new protocol with minimal code modification. However, as TLS 1.3 also brings new features, such as post-handshake authentication and 0-RTT, applications need to use new APIs to take full advantage of the protocol.

In this presentation, we will go through the new API functions added for TLS 1.3 in multiple crypto libraries, see the pros and cons of their design choices, and discuss best practice in using those new functions.

Speakers

Daiki Ueno

Engineer, Red Hat


Slides: tls13 (pdf)

Saturday January 26, 2019 11:30am - 11:55am CET
E105

12:00pm CET

Applications of TPM 2.0
Now that a complete TPM 2.0 infrastructure has been delivered in Linux, the focus is moving to building applications that benefit from TPM security. This session will cover the initial application of the TPM in NBDE and explore other applications that can be built with the TPM. Topics include protecting secrets with the TPM, measurement of the system and using system information to seal secrets, Trusted Boot, TPM signing of software patches and protection of edge systems. We will also address the use of trusted processing enclaves and complete system protection using the TPM together with trusted processing enclaves. Bonus topic: TPM-secured blockchains!
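The NBDE case mentioned above is the one most people meet first, so here is what "sealing a secret to system measurements" looks like in practice. This is an added example, not code from the talk, Clevis or tpm2-tools: it seals a secret with the Clevis tpm2 pin bound to PCR 7 (the Secure Boot state), binds a LUKS volume the same way, which is how NBDE uses the TPM on RHEL and Fedora, and reads back the PCR values the policy is tied to. It assumes a TPM 2.0 with clevis, clevis-luks and tpm2-tools installed; the device path is a placeholder, and only pcr_ids_of runs without a TPM.

```sh
#!/bin/sh
# Added example; not code from the talk, Clevis or tpm2-tools. Seals a secret
# and a LUKS keyslot to PCR 7 with the Clevis tpm2 pin. Needs a TPM 2.0 and
# root; nothing below runs unless you call the functions.
set -eu

# Bind to PCR 7 only: survives kernel updates, breaks if the Secure Boot
# state or signing keys change. Adding PCRs 0 and 4 also pins firmware and
# bootloader code, at the price of re-binding after firmware updates.
TPM_PIN_CFG='{"pcr_bank":"sha256","pcr_ids":"7"}'

pcr_ids_of() {                 # $1 = pin config JSON; prints the pcr_ids string
    printf '%s\n' "$1" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p'
}

seal_secret() {                # $1 = plaintext file, $2 = output JWE (safe to keep on disk)
    clevis encrypt tpm2 "$TPM_PIN_CFG" < "$1" > "$2"
}

unseal_secret() {              # $1 = JWE; fails if the selected PCRs no longer match
    clevis decrypt < "$1"
}

bind_luks() {                  # $1 = LUKS device, e.g. /dev/sda2 (placeholder)
    clevis luks bind -d "$1" tpm2 "$TPM_PIN_CFG"   # adds a keyslot the TPM can unlock
    clevis luks list -d "$1"
    # Root filesystem: rebuild the initramfs so dracut unlocks it at boot;
    # other volumes: the askpass unit unlocks them after the root switch.
    dracut -f
    systemctl enable clevis-luks-askpass.path
}

show_pcrs() {
    tpm2_pcrread "sha256:0,4,7"  # tpm2-tools 4.x; 3.x spelled it tpm2_pcrlist -L sha256:0,4,7
}
```

The passphrase keyslot stays in place, so the volume is still recoverable if the PCRs change; keep it. Binding to PCR 7 alone means any Secure-Boot-signed OS booted on the same machine can unseal the keyslot, so for anything beyond opportunistic disk protection bind more PCRs or combine the tpm2 pin with a Tang server through the sss pin.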

Speakers

Javier Martinez Canillas

Software Engineer, Red Hat
Javier is a Software Engineer in the Desktop Hardware Enablement team at Red Hat, working on the Fedora and RHEL bootloader stack.

Russell Doty

Technology Product Manager, Red Hat
Russell Doty is a Technology Product Manager at Red Hat focusing on the requirements of Internet of Things (IoT), High Performance Computing, and AI/ML - all with a strong focus on security.



Saturday January 26, 2019 12:00pm - 12:50pm CET
E105

1:00pm CET

Minting and collecting SWID tags
What software is installed on machine X?

With new ways of distributing software like container images or web applications in various formats, trusted packaging tools and formats like rpm, deb or pacman no longer provide a complete answer to this simple question. That in turn makes it harder to scan for vulnerabilities, or prevents even basic software accounting.

We will look at SWID, the 2015 standard (ISO/IEC 19770-2) for software identification that might bring a solution. We will explore the schema, some SWID tags, tools and content, and share preliminary results of the quest for best practices for turning the standard into a useful mechanism for admins, security personnel and software maintainers. Think about examples of convoluted deployments and come to find out whether SWID can bring some order to the chaos.

Speakers

Jan Pazdziora

Sr. Principal Software Engineer, Red Hat
As a member of Security Engineering Special Projects group, Jan focuses on making security features seamlessly consumable by admins and users. Lately he's been working with software identities and SWID.



Saturday January 26, 2019 1:00pm - 1:25pm CET
E105

1:30pm CET

First steps into security engineering
Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It is also humans and communication skills.

Attendees of my DevConf.CZ 2018 talk and DevConf.IN keynote have asked me how to get started. Let me introduce you to the diverse areas of infosec and point you to books, online courses, talks and other resources to get you started.

Speakers

Christian Heimes

Principal Software Engineer, Red Hat
Christian is a long time Python developer from Hamburg/Germany and contributor to several Open Source projects such as the CPython interpreter. In the past years he has helped to keep Python secure, for example as member of the Python security response te



Saturday January 26, 2019 1:30pm - 1:55pm CET
E105

2:00pm CET

Migrating a Linux environment to IDM
As you would expect, Red Hat IT manages lots of Linux systems. This talk will discuss how we are slowly and methodically migrating them from classical LDAP and MIT Kerberos information and authentication backends to IdM and SSSD.

Benefits of the move will be shared and so will some of the lessons learned.

Speakers

Dustin Minnich

Principal Systems Administrator, Red Hat
Been in IT for over a decade. Currently work for the Identity and Access Management IT team at Red Hat as a Principal Systems Administrator. RHCA certified. Strong believer in open source technologies and methodologies. Privacy and freedom of speech advocate. In my free time I enjoy... Read More →



Saturday January 26, 2019 2:00pm - 2:25pm CET
E105

2:30pm CET

Finding vulnerabilities using VMaaS
Looking for a simple way to find vulnerable packages installed on your RHEL/Fedora systems? Vulnerability Metadata as a Service (VMaaS) is an API microservice that can fulfil this need.

VMaaS works as a repository and CVE metadata aggregator and serves this metadata through a stateless HTTP API. The microservice can be deployed with docker-compose or into an OpenShift environment. There is also a public deployment hosted by Red Hat.

This talk will summarize the current state of the service and present a thin client tool that obtains vulnerabilities from the API.
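What a thin client has to do is small: collect the installed package set, wrap it in the JSON body the service expects, and post it. The script below is an added example, not code from the talk or from the VMaaS project: it builds that body from `rpm -qa` output and sends it to the updates endpoint, and separately looks up individual CVEs. The endpoint paths (/api/v1/updates, /api/v1/cves) and field names (package_list, cve_list) are taken from the VMaaS API as published in its repository at the time and should be checked against the deployment you use; VMAAS_URL is a placeholder. Only to_json_list runs offline.

```sh
#!/bin/sh
# Added example; not code from the talk or the VMaaS project. Builds the JSON
# bodies VMaaS takes and posts them with curl. VMAAS_URL is a placeholder;
# endpoint paths and field names follow the VMaaS API of early 2019.
set -eu

VMAAS_URL="${VMAAS_URL:-http://localhost:8080}"

to_json_list() {               # $1 = field name; stdin: one item per line -> {"<field>":[...]}
    awk -v f="$1" 'BEGIN { printf "{\"%s\":[", f }
                   NF    { printf "%s\"%s\"", (n++ ? "," : ""), $1 }
                   END   { print "]}" }'
}

post_json() {                  # $1 = API path; stdin: JSON body; stdout: JSON reply
    curl -sS -X POST -H 'Content-Type: application/json' --data @- "$VMAAS_URL$1"
}

query_updates() {              # updates/errata for everything installed on this host
    # rpm -qa prints name-version-release.arch; if the service wants the epoch
    # too, use: rpm -qa --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n'
    rpm -qa | to_json_list package_list | post_json /api/v1/updates
}

query_cves() {                 # $@ = CVE ids, e.g. CVE-2018-1000001
    printf '%s\n' "$@" | to_json_list cve_list | post_json /api/v1/cves
}
```

Pipe `query_updates` into jq to reduce the reply to what matters; in the API of the time the reply was keyed by the package strings you sent under update_list, each listing available_updates with the newer package, its erratum and the repository it comes from. Note what the answer means: "an update with a security erratum exists in a repository the service knows about", not "this host is exploitable", so also pass the repositories actually enabled on the host (the API took a repository_list for that) or you will be chasing updates you cannot install.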

Speakers


Saturday January 26, 2019 2:30pm - 2:55pm CET
E105

3:00pm CET

USBGuard
In this session you will be presented with USBGuard functionality, both CLI and GUI.

You will get:

* overall understanding of the concept
* knowledge to configure the service
* CLI how to
* rules structure explanation
* explanation of GUI applet
* hands-on experience

There will be slides presented to lead us through the steps and real examples will be shown.
You are encouraged to bring your laptop and any kind of USB device (mouse, flash stick, yubikey, ...) to try to set it up on your own.
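If you want to arrive with a rule set to try, the script below is an added example, not code from the talk or from the USBGuard project. write_rules emits a deny-by-default policy that allows hubs, keyboards and mice only when they expose nothing else, allows one specific security key pinned to its ids, serial and descriptor hash, and rejects mass storage; write_daemon_conf emits the matching daemon settings; install_policy lists the root-only steps to apply them and is not run by the script. The vendor/product ids, serial and hash are made up for illustration.

```sh
#!/bin/sh
# Added example; not code from the talk or the USBGuard project. Device ids,
# serial and hash below are made up. install_policy needs root and is not run.
set -eu

write_rules() {                   # $1 = output path (normally /etc/usbguard/rules.conf)
    cat > "$1" <<'EOF'
# First matching rule wins; a device matching no rule gets ImplicitPolicyTarget.
# with-interface lists class:subclass:protocol triples; '*' is a wildcard.
#   equals  - the device's interface set is exactly this set
#   all-of  - the set contains at least all of these
#   one-of  - the set contains at least one of these
#   none-of - the set contains none of these

# Hubs that expose nothing but hub interfaces.
allow with-interface equals { 09:00:* }

# A keyboard, a mouse, or a keyboard+mouse combo, and nothing else. "equals"
# matters here: with "one-of" a device that adds a HID interface next to a
# storage or network interface would be allowed too.
allow with-interface equals { 03:01:01 }
allow with-interface equals { 03:01:02 }
allow with-interface equals { 03:01:01 03:01:02 }

# One specific security key, pinned to ids, serial and descriptor hash
# (made-up values; copy real ones from 'usbguard list-devices').
allow id 1050:0407 serial "EXAMPLE1" hash "made-up-base64-hash=" with-interface all-of { 03:01:01 0b:00:00 }

# Mass storage: reject = deauthorize and remove from the bus (block only deauthorizes).
reject with-interface one-of { 08:*:* }
EOF
}

write_daemon_conf() {             # $1 = output path (normally /etc/usbguard/usbguard-daemon.conf)
    cat > "$1" <<'EOF'
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
IPCAllowedGroups=wheel
EOF
}

count_targets() {                 # $1 = rules file, $2 = allow | block | reject
    grep -c "^$2 " "$1" || :      # grep -c exits 1 on zero matches; still prints 0
}

install_policy() {                # root only; not executed by this script
    write_rules /etc/usbguard/rules.conf
    write_daemon_conf /etc/usbguard/usbguard-daemon.conf
    chmod 0600 /etc/usbguard/rules.conf
    systemctl enable --now usbguard
    usbguard list-devices         # "<id>: <target> id ... hash ..." for every present device
    usbguard list-rules
    # Alternatives: 'usbguard generate-policy > /etc/usbguard/rules.conf' snapshots
    # the present devices as allow rules; 'usbguard allow-device -p <id>' allows a
    # blocked device and appends a permanent rule for it.
}
```

Before enabling the daemon on a machine you are sitting at, check with `usbguard list-devices` that your own keyboard matches an allow rule: with PresentDevicePolicy=apply-policy and an implicit block, a keyboard that also exposes a vendor-specific interface (common on gaming and some laptop keyboards) is blocked the moment the service starts. Set PresentDevicePolicy=keep for the first run if in doubt.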

Speakers

Dalibor Pospisil

quality engineer, Red Hat



Saturday January 26, 2019 3:00pm - 3:25pm CET
E105

3:30pm CET

System-wide crypto policies what and why
System-wide crypto policies are a fairly new thing in Fedora. In this talk I will introduce them and show the reasons why system-wide crypto policies are needed.
Then we will look at them in more detail: which policy levels are currently provided, which core crypto components follow the policy, and how the policies are implemented.
I will also provide an overview of what is in the works and what the future plans for the system-wide crypto policies feature are.
Attendees of the talk should have some basic knowledge of cryptographic algorithms and secure protocols from the user's point of view.
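For the "how the policies are implemented" part, the moving pieces are a one-line config file, a generator, and per-library back-end files that the libraries include. The script below is an added example, not code from the talk or from the crypto-policies project: it shows where the active policy is recorded, where the generated back-end files land and how OpenSSL and sshd are wired to them, how to switch policy and ask two libraries what they now accept, and how a single service opts out. Paths are the Fedora/RHEL 8 ones of early 2019; only active_policy runs without the tools, and --set needs root.

```sh
#!/bin/sh
# Added example; not code from the talk or the crypto-policies project.
# Paths are the Fedora/RHEL 8 ones; only active_policy is pure.
set -eu

CP_CONFIG=/etc/crypto-policies/config          # holds the active policy name
CP_BACKENDS=/etc/crypto-policies/back-ends     # generated by update-crypto-policies

active_policy() {        # $1 = config file (default $CP_CONFIG); prints DEFAULT, FUTURE, ...
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        "${1:-$CP_CONFIG}" | head -n 1
}

show_wiring() {
    update-crypto-policies --show
    ls "$CP_BACKENDS"                               # opensslcnf.config gnutls.config openssh*.config ...
    grep -n 'crypto-policies' /etc/pki/tls/openssl.cnf   # OpenSSL .include's opensslcnf.config
    grep -n 'CRYPTO_POLICY' /etc/sysconfig/sshd           # sshd sources opensshserver.config
}

set_and_verify() {       # $1 = LEGACY | DEFAULT | FUTURE | FIPS (FIPS additionally needs fips-mode-setup)
    update-crypto-policies --set "$1"   # regenerates $CP_BACKENDS/*; restart services afterwards
    openssl ciphers -v 'PROFILE=SYSTEM' # what OpenSSL now negotiates under the policy
    gnutls-cli --priority @SYSTEM --list   # the same question to GnuTLS
}

sshd_opt_out_status() {
    # A non-empty CRYPTO_POLICY= line in /etc/sysconfig/sshd makes sshd ignore
    # the system policy; an opted-out service is invisible to --set, so track it.
    grep -n '^#*CRYPTO_POLICY=' /etc/sysconfig/sshd
}
```

Two things bite in practice: a changed policy only takes effect in processes started after the change, so restart long-running daemons (or reboot), and a service that has opted out keeps its own cipher list for good, so grep for the opt-out when auditing rather than trusting `--show`.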

Speakers

Tomáš Mráz

Principal Software Engineer, Red Hat
Tomáš Mráz is a long-time developer and package maintainer of security-related software in Fedora and Red Hat Enterprise Linux; he also participates in the upstream OpenSSL community as a member of the OpenSSL committers team.



Saturday January 26, 2019 3:30pm - 3:55pm CET
E105

4:00pm CET

Using SELinux with container runtimes
This talk will explain how SELinux works with containers. We will show how to enable and disable SELinux for multiple container runtimes and define the default types. The two default types for running containers are container_t, a fully confined domain that cannot use host files at all unless they are relabeled, and spc_t, the type containers run with when SELinux separation is disabled for the container (--privileged mode). Writing custom policy for each container that needs additional access would be very difficult and require a container policy writer. Lukas built a new standalone tool, udica, for generating SELinux policy profiles for containers based on automatically inspecting those containers. Come and see how easily you can create your own policy for a container!
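To see the three situations the abstract describes on your own machine, the script below is an added example, not code from the talk or from the udica project. show_labels prints the label a container process actually runs under in the default, label=disable and --privileged cases; generate_policy and run_confined are the udica workflow for a third, custom type. It needs root, podman, udica and the SELinux userspace, the container name "web" and the nginx image are illustrative, and only expected_type runs without them; nothing else runs unless called.

```sh
#!/bin/sh
# Added example; not code from the talk or the udica project. Needs root,
# podman, udica and SELinux userspace; only expected_type is pure.
set -eu

expected_type() {             # $1 = default | disable | privileged | <udica policy name>
    case "$1" in
        default)            echo container_t ;;     # confined; host files need container_file_t
        disable|privileged) echo spc_t ;;           # super privileged container: unconfined
        *)                  echo "$1.process" ;;    # udica names the process type <name>.process
    esac
}

show_labels() {
    podman run --rm fedora cat /proc/self/attr/current                        # ...:container_t:s0:cX,cY
    podman run --rm --security-opt label=disable fedora cat /proc/self/attr/current   # ...:spc_t:s0
    podman run --rm --privileged fedora cat /proc/self/attr/current           # ...:spc_t:s0
}

generate_policy() {           # $1 = policy/container name, $2 = image
    # udica reads the inspect JSON (mounts, published ports) and chooses which
    # templates to combine; it prints the exact semodule line to load them.
    podman run -d --name "$1" -p 8080:80 "$2"
    podman inspect "$1" > "$1.json"
    udica -j "$1.json" "$1"                                   # writes ./$1.cil
    # For a container with a published port and no special mounts udica asks for:
    semodule -i "$1.cil" /usr/share/udica/templates/base_container.cil \
                         /usr/share/udica/templates/net_container.cil
    podman rm -f "$1"
}

run_confined() {              # $1 = policy/container name, $2 = image
    t=$(expected_type "$1")
    podman run -d --name "$1" -p 8080:80 --security-opt label=type:"$t" "$2"
    ps -eZ | grep "$t"                                        # nginx now runs as <name>.process
    ausearch -m AVC -ts recent | grep "$t" || true            # denials left to tune
}
```

The point of the custom type is that it is tighter than spc_t and wider than container_t only where the inspect data justifies it (the published port, a bind mount); if the container later needs something else you will see it as an AVC denial under the new type rather than as a silent success under spc_t.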

Speakers

Lukas Vrabec

Senior Software engineer & SELinux technology evangelist, Red Hat
Lukas Vrabec is a Senior Software engineer & SELinux technology evangelist at Red Hat. He is part of Security Controls team working on SELinux projects focusing especially on security policies. Lukas is author of udica, the tool for generating custom SELinux profiles for containers... Read More →

Daniel Walsh

Senior Distinguished Engineer, Red Hat, Inc.
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Consulting Engineer at Red Hat. He joined Red Hat in August 2001. Dan has led the Red Hat Container Engineering team since August 2013, but has been working on container tec



Saturday January 26, 2019 4:00pm - 4:50pm CET
E105

5:00pm CET

Common Criteria Demystified
What do you feel when you hear the term "Common Criteria"? Do you perceive it as something complex and scary? It doesn't need to be. After attending this talk, you will have a clear picture of what Common Criteria is, when, why and how it is used, why it matters, and what your role as a developer is in the process of acquiring Common Criteria certification. Equipped with this knowledge, you will better appreciate all that goes into Common Criteria and how it makes products more secure.

Speakers

Steven Grubb

Security Architect, Red Hat
Steve Grubb is a Senior Principal Engineer whose role in Red Hat Engineering is as a Security Architect with a focus on security certifications (such as Common Criteria, SCAP and FIPS 140) and configuration guidance (such as the DISA STIG, USGCB and the CIS RHEL Benchmark). He also... Read More →

Mark Thacker

Principal Technical Product Manager, Red Hat
All about open source security, compliance, multi-level security, encryption with a heavy emphasis on what's actually usable.



Saturday January 26, 2019 5:00pm - 5:25pm CET
E105
 
Sunday, January 27
 

9:00am CET

Scale Your Auditing Events
The Linux audit daemon is responsible for writing audit records to disk, which you can then query with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original audit rule configuration but shipping the events to a central location where you can easily visualize all of them. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what you can do to discover changes, events and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine auditd events with security-relevant logs.
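The rules are the part that does not change when you move from ausearch to Auditbeat, so they are worth getting right first. The script below is an added example, not code from the talk or from Elastic: write_audit_rules covers the cases the abstract names (binaries, configuration files, and a policy violation in the form of a logged-in user's session executing something as root or changing security labels); write_auditbeat_config reuses those rules unchanged and adds file integrity monitoring; summarize_keys is a small awk pass over raw audit records, the kind of per-key count a dashboard shows, run here over constructed sample records so it works offline. Paths are the usual Fedora/RHEL ones, the Elasticsearch host is a placeholder, and nothing touches the system unless you call it.

```sh
#!/bin/sh
# Added example; not code from the talk or from Elastic. Sample records below
# are constructed; the Elasticsearch host is a placeholder.
set -eu

write_audit_rules() {          # $1 = e.g. /etc/audit/rules.d/hardening.rules (then: augenrules --load)
    cat > "$1" <<'EOF'
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d -p wa -k privilege
-w /usr/bin -p wa -k binaries
-w /usr/sbin -p wa -k binaries
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root_exec
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -F auid>=1000 -F auid!=unset -k label_change
EOF
}

write_auditbeat_config() {     # $1 = e.g. /etc/auditbeat/auditbeat.yml, $2 = rules file from above
    cat > "$1" <<EOF
auditbeat.modules:
- module: auditd
  # Same rule syntax as auditd. Only one process may own the audit socket, so
  # either stop auditd or set socket_type: multicast (kernel 3.16+).
  audit_rule_files: [ '$2' ]
- module: file_integrity
  paths: [/bin, /usr/bin, /sbin, /usr/sbin, /etc]
  hash_types: [sha256]
output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # placeholder
EOF
}

summarize_keys() {             # stdin: raw records (e.g. ausearch --raw); stdout: "<key> <count>"
    awk '/^type=SYSCALL/ && match($0, /key="[^"]*"/) {
             n[substr($0, RSTART + 5, RLENGTH - 6)]++      # strip key=" and the closing quote
         }
         END { for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# Constructed sample: two edits of /etc/passwd and one write under /usr/bin,
# all from login session 3 of auid 1000 after becoming root.
SAMPLE='type=SYSCALL msg=audit(1548500000.123:4001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=80241 a3=1b6 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
type=PATH msg=audit(1548500000.123:4001): item=1 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1548500100.456:4007): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f80 a2=241 a3=1ed items=2 ppid=2001 pid=2041 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="binaries"
type=SYSCALL msg=audit(1548500200.789:4012): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0 a2=80241 a3=1b6 items=2 ppid=2001 pid=2050 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"'

# On a live system:  ausearch -k identity -ts today --raw | summarize_keys
```

The `-k` keys are what make the records usable downstream: ausearch filters on them, aureport summarises on them, and in Auditbeat they arrive as a field you can facet a dashboard on, so pick keys that name the policy you are enforcing (identity, privilege, binaries) rather than the file watched. The auid filters matter as well: without `auid>=1000 -F auid!=unset` the execve rule also logs every root-owned daemon and cron job, and the interesting events drown.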

Speakers

Philipp Krenn

Developer Advocate, Elastic
Philipp lives to demo interesting technology. Having worked as a web, infrastructure, and database engineer for over ten years, Philipp is now a developer advocate and community team lead in EMEA at Elastic — the company behind the Elastic Stack consisting of Elasticsearch, Kibana... Read More →


Slides: Auditd (pdf)

Sunday January 27, 2019 9:00am - 9:50am CET
E112

10:00am CET

Public Sector: Stories to Getting Started
Hear how open source is changing and affecting governments and institutions across the world. In this talk, we will go beyond stories with how open source is impacting governments and institutions to what is required of open source projects. Some code samples will be provided to show how to meet some of the basic requirements that governments have to be able to use open source software.

Speakers

Gabriel Alford

Member of the Technical Staff, Office of the Chief Technologist, Red Hat Public Sector, Red Hat
Gabriel Alford is a Member of the Technical Staff, Office of the Chief Technologist in Red Hat's Public Sector where he focuses on developing security automation technologies and security standards. He is also one of the upstream maintainers of the ComplianceAsCode and OpenControl... Read More →

Shawn Wells

Chief Security Strategist, U.S. Public Sector, Red Hat



Sunday January 27, 2019 10:00am - 10:25am CET
E112

12:00pm CET

Red Hat Enterprise Linux Security Technologies Lab
In this lab, you'll learn about the built-in security technologies in Red Hat Enterprise Linux. Specifically, you will do a series of hands-on lab exercises on: OpenSCAP, SELinux, Network Bound Disk Encryption, USBGuard, IPsec to encrypt all host-to-host communication within an enterprise network, audit, Advanced Intrusion Detection Environment (AIDE), Red Hat Identity Management, GNU Privacy Guard (GPG), and firewalld to dynamically manage firewall rules. Finally, you will make multiple configuration changes to your systems across different versions of Red Hat Enterprise Linux running in your environment, in an automated fashion using Red Hat Ansible Automation and the System Roles feature.

If you want to participate in this hands-on lab, please be sure to bring a laptop to the event with a SSH client and web browser (Firefox with plugins disabled recommended).

Speakers

Lucy Kerner

Global Security Technical Strategist and Evangelist, Red Hat
Lucy Huh Kerner is currently the Global Security Technical Evangelist and Strategist at Red Hat and helps drive thought leadership and the global go-to-market strategy for Security across the entire Red Hat portfolio. In addition, she helps create and deliver security related technical... Read More →

Daniel Kopeček

Software Engineer, Red Hat, Inc.

Lukas Vrabec

Senior Software engineer & SELinux technology evangelist, Red Hat
Lukas Vrabec is a Senior Software engineer & SELinux technology evangelist at Red Hat. He is part of Security Controls team working on SELinux projects focusing especially on security policies. Lukas is author of udica, the tool for generating custom SELinux profiles for containers... Read More →


Sunday January 27, 2019 12:00pm - 1:50pm CET
A112