Securing ChatOps - DevSecCon Asia 2017 - Arun N

Post on 15-Apr-2017


Transcript

Join the conversation #devseccon

Extending and securing Chat-Ops

Arun N

Introduction

• Arun Narayanaswamy
• 14 years in Dev & Ops
• Worked at large enterprises including Fortune 1
• Entrepreneur, Student, Photographer and Traveler…

• Disclaimer: “The opinions expressed, software references and any content in this presentation are solely mine and they do not represent my employer.”

How many of you use Chat @ Work?

techcrunch.com

ChatOps Architecture – How does it work?

© http://nordicapis.com

Chat Apps – Big Players!

• Instant messaging on steroids
• Your ‘whatsapp’ for business!
• Collaboration
• Integrated workspace - Text, audio, video
• All alerting and messaging in one place
• Share, Search & Integrate
• Chat-ops!
• Fun

Bots– Big Players!

• Hubot

errbot.io

lita.io

operable.io

Hubot – Why?

• Based on CoffeeScript and Node.js
• Actively developed on GitHub
• Easy integration with third-party APIs
• Deployable on Heroku, AWS
• Works with Slack and HipChat (and more)

• What’s chat without Hubot?

Typical CD Workflow

• Revolves around the orchestrator
• Data needs to be consolidated into Splunk/ELK/Jenkins etc.
• Now better with containers and new-gen monitoring

CI-CD – Data Flow (diagram: bot interactions, chat notifications)

HipChat / Hubot - Workflow

Risk

Potential Loopholes (With and without ChatOps)

Potential Loopholes : Focus today!

Plugging in the loopholes

• 2FA: Hardware Tokens, Software Tokens
• Roles: Custom Code, Hubot Auth

(Covered in turn: 2FA, Multiple Rooms, AWS IAM Policies)

Plugging in the loopholes : Hardware keys

Plugging in the loopholes : Soft keys

Plugging in the loopholes : Roles

Plugging in the loopholes : Rooms

• Restricted Channels
• Private Channels
• Different Instance of Chat System
• 2FA on Chat system itself
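As an added example (not code from the slides), a Hubot script in JavaScript that applies the Roles and Rooms controls above: a deploy command is honoured only in a restricted channel and only for callers holding a hubot-auth role. The room name, the role name and the `authorizeDeploy`/`makeFakeRobot` helpers are assumptions for illustration; the stand-in robot only mimics `robot.respond` and hubot-auth's `robot.auth.hasRole`.

```javascript
// Constructed for this example: the one channel where deploys may be issued,
// and the hubot-auth role a caller must hold. Neither name comes from the talk.
const ALLOWED_ROOMS = new Set(["#ops-deploy"]);
const REQUIRED_ROLE = "deployer";
// Pure decision function (assumed helper), kept separate from the chat
// plumbing so it can be unit-tested. Fails closed if hubot-auth is missing.
function authorizeDeploy(robot, user, room) {
  if (!ALLOWED_ROOMS.has(room)) {
    return { allowed: false, reason: `deploy is not accepted in ${room}` };
  }
  if (!robot.auth || !robot.auth.hasRole(user, REQUIRED_ROLE)) {
    return { allowed: false, reason: `${user.name} lacks the ${REQUIRED_ROLE} role` };
  }
  return { allowed: true, reason: "ok" };
}

// The Hubot script: a real deployment would `module.exports = deployScript`.
function deployScript(robot) {
  robot.respond(/deploy (\S+)/i, (res) => {
    const { user, room } = res.envelope;
    const target = res.match[1];
    const decision = authorizeDeploy(robot, user, room);
    // Log every attempt, refused or not, so misuse is visible in the bot logs.
    robot.logger.info(`deploy ${target} by ${user.name} in ${room}: ${decision.reason}`);
    if (!decision.allowed) return res.reply(`Refused: ${decision.reason}`);
    res.reply(`Deploying ${target}...`); // the real orchestrator call goes here
  });
}

// Assumed stand-in for a Hubot robot with hubot-auth loaded, so the script can
// be exercised offline. It matches the bare command text (no bot name prefix).
function makeFakeRobot(rolesByUser) {
  const handlers = [];
  const robot = {
    logger: { info: () => {} },
    auth: { hasRole: (user, role) => (rolesByUser[user.name] || []).includes(role) },
    respond: (re, cb) => handlers.push({ re, cb }),
    // Deliver a message from `user` in `room`; returns the bot's replies.
    send: (text, user, room) => {
      const replies = [];
      for (const h of handlers) {
        const m = text.match(h.re);
        if (m) h.cb({ match: m, envelope: { user, room }, reply: (t) => replies.push(t) });
      }
      return replies;
    },
  };
  deployScript(robot);
  return robot;
}
```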

Plugging in the loopholes : IAM (AWS)

• Policies on what each system can run
• Better control on AWS/Heroku where the bots run

Summary

© http://nordicapis.com


Thank you!

linkedin.com/in/arun-n
