DevSecOpsDays Austin 2019
This past December I got the chance to attend and participate in DevSecOpsDays Austin 2019. It was had an incredible line up of speakers that I really look up to. Before we even got to the first morning break we heard from Andrew Clay Shafer, Shannon Lietz, Kat Sweet and Matt Tesauro. In the afternoon it didn’t stop with tons more awesome speakers.
The organizers James Wickett, Ernest Mueller, and Karthik Gaekwad and all of the volunteers did a tremendous job and put on an excellent show.
In the afternoon I got to talk about using Shodan in the Pipeline, a little side project I have been working on:
@ablythe talking @shodanhq at #devsecopsdaysaustin pic.twitter.com/dBpHDrAXPN
— James Wickett (@wickett) December 16, 2019
Over the last few years I have done several talks on Shodan. Because I believe that the bad guys know how to use this tool, so I should help to teach my friends how to protect their assets and their companies assets. In the talk I try to build off of other things I heard at the conference about making sure you prioritize which CVE’s you work on. These CVE’s are the ones that are advertised to the world that you have. These are the type that get you on the list of emails of people that have interacted with the a Nigerian Prince email scam. Having CVE’s on this list is not a good look.
For this talk I open sourced a very simple pipeline on Gitlab at https://gitlab.com/aaronblythe/shodan_pipeline
In this project you would go to the only merge request to see how it works: https://gitlab.com/aaronblythe/shodan_pipeline/-/merge_requests/1
The Merge Request has a pipeline attached to it: https://gitlab.com/aaronblythe/shodan_pipeline/pipelines/102176632
Each of the jobs have output that should be easy to read to show the failure.
I did this work in about 2x2 hour sessions and tried to keep the best notes I could here:
- https://gitlab.com/aaronblythe/shodan_pipeline/blob/e1106bf402aa5518842d248e97eccba636160e57/RESEARCH_SHODAN_CLI.md
- https://gitlab.com/aaronblythe/shodan_pipeline/blob/e1106bf402aa5518842d248e97eccba636160e57/RESEARCH_GITLABCI_YAML.md
Please reach out if you have any questions. What is here is pretty rudimentary. I would love to see someone build on this and for the number of CVE’s for you and your company or city go down.
Any please reach out if you think one of my Shodan talks would be good for your user groups, your conference or your company.
People had some nice things to say about the talk in Austin:
Now this is some deep @shodanhq content that I love hearing. @ablythe dropping some knowledge that I'm definitely going to check out... #devsecopsdaysaustin pic.twitter.com/Oic7ao7yxv
— DJ Schleen, ⬡ Dev{x}Ops Advocate (@djschleen) December 16, 2019
“GitLab is my tool of choice” - @ablythe 🙌🏼 Great presenters at #devsecopsdaysaustin. Learning a lot about Shodan from Aaron Blythe. pic.twitter.com/TSgpfH4vRM
— Brandon Brooks 🇯🇵🦝🐶 (@bbm0n) December 16, 2019
#DevSecOpsDaysAustin @ablythe: Remember: Use this for positive purposes. Do the right thing. (Also, don't forget there's honeypots out there)
— Laura 👩🏽💻🧶 (@nimbinatus) December 16, 2019
#DevSecOpsDaysAustin @ablythe: Thanks for the talk!
— Laura 👩🏽💻🧶 (@nimbinatus) December 16, 2019