Join the conversation #devseccon
Extending and securing Chat-Ops
Arun N
Introduction
• Arun Narayanaswamy
• 14 years in Dev & Ops
• Worked at large enterprises including Fortune 1
• Entrepreneur, Student, Photographer and Traveler…
• Disclaimer: “The opinions expressed, software references and any content in this presentation are solely mine and they do not represent my employer.”
How many of you use Chat @ Work?
techcrunch.com
ChatOps Architecture – How does it work?
© http://nordicapis.com
Chat Apps – Big Players!
• Instant messaging on steroids
• Your ‘whatsapp’ for business!
• Collaboration
• Integrated workspace - Text, audio, video
• All alerting and messaging in one place
• Share, Search & Integrate
• Chat-ops!
• Fun
Bots – Big Players!
• Hubot
• errbot.io
• lita.io
• operable.io
Hubot – Why?
• Written in CoffeeScript, runs on Node.js
• Active development on GitHub
• Easy integration with third-party APIs
• Deployable on Heroku, AWS
• Works with Slack and HipChat (and more)
• What’s chat without Hubot?
Typical CD Workflow
• Revolves around the orchestrator
• Data needs to be consolidated into Splunk/ELK/Jenkins etc.
• Now better with:
• Containers
• New-gen monitoring
CI-CD – Data Flow (figure: Bot Interactions, Chat Notifications)
HipChat / Hubot - Workflow
Risk
Potential Loopholes (With and without ChatOps)
Potential Loopholes : Focus today!
Plugging in the loopholes
2FA
• Hardware Tokens
• Software Tokens
Roles
• Custom Code
• Hubot Auth
Loopholes plugged today: 2FA, Multiple Rooms, AWS IAM Policies
Plugging in the loopholes : Hardware keys
• Demo
[ https://devseccon.hipchat.com/chat ][ https://id.heroku.com/login ][ https://www.yubico.com ]
Plugging in the loopholes : Soft keys
Plugging in the loopholes : Roles
Plugging in the loopholes : Rooms
• Restricted Channels
• Private Channels
• Different instance of chat system
• 2FA on the chat system itself
Plugging in the loopholes : IAM (AWS)
• Policies on what each system can run
• Better control on AWS/Heroku where the bots run
Summary
© http://nordicapis.com
Thank you!
linkedin.com/in/arun-n