Markerbench

Perspectives on technology, security, and current events.

about me

I’m Andrew Jaquith, a Wall St Managing Director. Previously, I was CTO of SilverSky, and a former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.

topics

applications · big data · books · dev ops · humor · metrics · research · security · vendor-bashing · visualization

Metricon X — Opening Remarks

posted in metricon

This is the nominal text of Andy Jaquith’s opening remarks for Metricon X, delivered on March 21, 2019. It has been lightly edited for clarity and a few identities have been slightly disguised.

Welcome

I appreciate everybody coming today. It’s a great turnout for a conference that we rather deliberately did not advertise. If you’re here, it’s because you wanted to be here. You’ve self-selected.

The theme of the conference is “plus ça change…,” the second half of which is “plus c’est la même chose.” Colloquially: “the more things change, the more they stay the same.” So what we’re really here to talk about are the constants and the change. But because I suspect that we will have ample time to reheat some of the old chestnuts (the constants), I’d like to offer a few remarks on the changes — that is, notable happenings in the world of security metrics over the last 12 years.

The Twenty-Year War on Cybercrime

posted in big data, risk, security

This is the text of a speech I delivered at the Gartner Group Security and Risk Management Summit in June 2015. I originally wrote the speech for Sir Roger Carr, the Chairman of BAE Systems, to use at one of his public appearances. But it was too good not to re-use for myself as BAE Applied Intelligence’s strategy lead. I felt no shame in doing so, seeing that I’d written it…

Introduction

Good afternoon. Thank you for coming. It is a privilege to speak with you today. I’ve been asked to speak to you about digital crime: its rise, its significance, and what can be done about it.

But I also know that I am the last thing between you and beer, so I will keep this talk as short and sweet as I can.

The DevOps Security Handbook: Building Security in With Chef, Part III

posted in DevOps, security

Introduction

This is the third in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server using the popular DevOps automation tool Chef. The server will be suitable for serving static content such as that generated by OctoPress. Each post explores a new aspect of Chef.

If you read the first and second posts in this series, you learned how to set up the Chef workstation and server; created webserver and base roles; created a test environment and a virtual machine; and built a partially hardened server called tester.local. This server has a minimized Apache configuration, and a restricted OpenSSH configuration.

In this post, I will demonstrate one of the most challenging aspects of any server automation project: copying sensitive keying materials, such as SSL private keys, to server nodes. Although SSL certificates themselves are not sensitive, certificate private keys are. In order to use Chef to truly “build security in,” these materials must be securely conveyed from the Chef server to the target server nodes. To do this, you will use Chef’s encrypted data bag feature and an add-on feature called chef-vault. You will create a custom cookbook recipe that performs all of the necessary decryption and file-creation actions on the target node. At the end of this post, you will possess a repeatable, reliable and secure method for conveying SSL keying materials or other secrets to target nodes.

The DevOps Security Handbook: Building Security in With Chef, Part II

posted in DevOps, security

Introduction

This is the second in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server using the popular DevOps automation tool Chef. The server built in this series will be suitable for serving static content. Readers of this blog know that I am a fan of static blogging tools like Octopress, which I use to generate this website.

If you read the first post in this series, you learned how to set up the Chef workstation and server account. You created an Apache server role and a test environment; set up a virtual machine; and built your first node. In this post, I will show you how to create a new role called base that includes security enhancements to OpenSSH. You will also fine-tune Apache to remove non-essential modules.

The DevOps Security Handbook: Building Security in With Chef, Part I

posted in DevOps, security

Introduction

This is the first in a series of posts about Chef, an infrastructure automation platform. The goal of this series is to describe how to build a reasonably secure Apache web server. By using Chef, we can quickly and efficiently build identical web servers with assurance that they will work the same way, every time, and have the security properties we want.