Steven Danneman

About Me

Steven in Macao

        I'm currently working as a Security Engineer at Security Innovation in Seattle, WA, making application software more secure through targeted penetration testing. Previously, I led the team responsible for all authentication and identity services development within the OneFS operating system in the Isilon Storage Division of EMC. I received my B.S. in Computer Science from the University of Washington.

        In the time that's left over I enjoy cinema, traveling, and reading non-fiction.

Writings

A list of writings not directly on my blog.

Automating TLS Configuration Verification - September, 2017
        Instructions for testing the TLS configuration of open source relational database management systems.

Presentations

Automating TLS Configuration Verification on the Back-End of the Web Application Stack - AppSec USA 2017
        Best practices for HTTPS deployment have been steadily improving over the past decade. TLS usage on web servers has been steadily increasing, and there are now dozens of tools (O-Saft being the most popular) available to test the correctness of a front-end web server's TLS configuration. All good news. But what about the other services and protocols used in a web application stack? What about the connection between the web application server and its backing data store? This talk looks at the current TLS capabilities of popular web application data stores (MySQL, PostgreSQL, and MongoDB), covering both the most recent and the most widely deployed versions. We'll discuss best practices for defining TLS configuration within these data stores, which differ somewhat from those for HTTPS, and improvements the presenter has made to tooling to help verify correct server-side TLS configuration.
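As an added illustration, not part of the talk or of the presenter's tooling: the reason a front-end HTTPS scanner cannot simply be pointed at a database port is that PostgreSQL and MySQL both negotiate TLS inside their own wire protocols before the first TLS record is ever sent (MongoDB, by contrast, runs plain TLS on the socket from the first byte). The Python below, written for this page, builds the PostgreSQL SSLRequest and decodes the server's one-byte reply, parses the capability flags of a MySQL HandshakeV10 greeting to see whether CLIENT_SSL is offered, and includes a live PostgreSQL probe (pg_probe) that is not exercised offline. The MySQL greeting is a constructed fixture, not a capture, and all function names are this example's own.

```python
"""Pre-TLS handshake steps of two database wire protocols (offline fixtures)."""
import socket
import ssl
import struct
from typing import Optional

# --- PostgreSQL -------------------------------------------------------------
# The client opens a plaintext TCP connection and sends an 8-byte SSLRequest:
# Int32 length (8) followed by the request code 80877103 ((1234 << 16) | 5679).
# The server replies with a single byte, 'S' (TLS may start now) or 'N' (stay in
# plaintext). A scanner that opens with a TLS ClientHello never gets this far.
PG_SSLREQUEST = struct.pack("!ii", 8, 80877103)


def pg_classify_ssl_response(first_byte: bytes) -> str:
    """Map the server's one-byte SSLRequest reply to a verdict."""
    if first_byte == b"S":
        return "tls"
    if first_byte == b"N":
        return "plaintext"      # a require-TLS policy must abort here
    return "unsupported"        # e.g. an ErrorResponse from a very old server


def pg_probe(host: str, port: int = 5432, cafile: Optional[str] = None) -> dict:
    """Live probe (needs network, not run offline): SSLRequest, then verified TLS."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(PG_SSLREQUEST)
        verdict = pg_classify_ssl_response(sock.recv(1))
        if verdict != "tls":
            return {"verdict": verdict}
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"verdict": verdict, "version": tls.version(), "cipher": tls.cipher()[0]}


# --- MySQL ------------------------------------------------------------------
# Here the *server* speaks first: its HandshakeV10 greeting carries capability
# flags, and CLIENT_SSL says whether it accepts a TLS upgrade. The client then
# sends a short SSLRequest packet and only afterwards the TLS ClientHello.
CLIENT_SSL = 0x00000800


def mysql_server_capabilities(packet: bytes) -> int:
    """Extract the 32-bit capability flags from a HandshakeV10 packet (header included).

    Layout after the 4-byte header (3-byte little-endian length + sequence id):
      u8 protocol version (0x0a), NUL-terminated server version, u32 connection id,
      8 bytes auth-plugin-data-part-1, u8 filler, u16 capabilities (low half),
      u8 charset, u16 status flags, u16 capabilities (high half), ...
    """
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or body[0:1] != b"\x0a":
        raise ValueError("not a HandshakeV10 packet")
    pos = body.index(b"\x00", 1) + 1          # skip protocol version and server version
    pos += 4 + 8 + 1                          # connection id, auth data part 1, filler
    cap_low = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                          # capabilities low, charset, status flags
    cap_high = struct.unpack_from("<H", body, pos)[0]
    return (cap_high << 16) | cap_low


def mysql_server_offers_tls(packet: bytes) -> bool:
    return bool(mysql_server_capabilities(packet) & CLIENT_SSL)


def build_mysql_handshake(version: bytes, capabilities: int) -> bytes:
    """Constructed HandshakeV10 fixture (not a real capture) for offline testing."""
    body = (
        b"\x0a" + version + b"\x00"
        + struct.pack("<I", 42)                    # connection id
        + b"12345678"                              # auth-plugin-data-part-1
        + b"\x00"                                  # filler
        + struct.pack("<H", capabilities & 0xFFFF)
        + b"\x21"                                  # charset utf8_general_ci
        + struct.pack("<H", 0x0002)                # SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", capabilities >> 16)
        + b"\x15"                                  # auth plugin data length (21)
        + b"\x00" * 10                             # reserved
        + b"901234567890\x00"                      # auth-plugin-data-part-2
        + b"mysql_native_password\x00"             # auth plugin name
    )
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    print(PG_SSLREQUEST.hex())
    print(mysql_server_offers_tls(build_mysql_handshake(b"8.0.31", 0xC00FFFFF)))
    print(mysql_server_offers_tls(build_mysql_handshake(b"5.7.33", 0xC00FF7FF)))
```

An 'N' from PostgreSQL or a greeting without CLIENT_SSL should be a hard failure wherever the policy is TLS-required. Note that 'S' or CLIENT_SSL only proves the server is willing to negotiate TLS; which certificate chain it presents, and what the client library actually verifies (libpq's sslmode=verify-full versus the weaker require, for instance), still have to be checked separately.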
Identity Mapping in the OneFS Clustered File System - SDC 2012
        Building a NAS appliance that seamlessly provides both the SMB and NFS file sharing protocols requires supporting the authentication and access control semantics of both Windows and Unix. In such a unified file system, a requirement for identity mapping arises between the authentication and authorization steps. ID mapping is a distinct third step that equates security identifiers from the two domains in order to produce an authenticated ID that can be used in access control checks. This talk covers the design and implementation of the Isilon OneFS identity mapping system.
Adding Role Based Access Controls onto a Unix Storage Platform - SDC 2011
        The traditional Unix authorization model defines an all-powerful root user who can perform any system task, modify any file, and change any system configuration. This simple model creates several fundamental problems for a storage platform. The root user, whether maliciously or accidentally, can cause catastrophic data loss, and can also view and undetectably modify the contents of any file, so whoever holds that account must be an extremely trusted individual. Solving these problems requires partitioning the traditional root administrative rights among many different users and limiting, within the file system, any one user's ability to view and modify all files. This can be accomplished with Role Based Access Control.
A Comparison Between the Samba 3 and Likewise Lwiod SMB File Servers - SDC 2010, SambaXP 2010
        The Samba 3 smbd file server is the most widely deployed open source SMB server in the world. Lwiod is an open source SMB file server developed by Likewise Software. Both provide Windows file sharing functionality on Unix operating systems. In this presentation I compare and contrast the overall architecture and feature sets of these two servers from both an administrator's and a developer's perspective. Viewers should gain an understanding of the primary benefits and drawbacks of each implementation.
Permissions Mapping in the Isilon OneFS File System - SDC 2009
        A few authorization domains are in wide use today: POSIX mode bits and CIFS/NFSv4 Access Control Lists. Creating a file system that intelligently maps between these different sets of file permissions is tricky. I explain how Isilon accomplishes this in its OneFS operating system. By mapping ACLs from one authorization domain to the other, our clustered file server provides one unified permissions model for CIFS, NFSv3, and NFSv4 clients.
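The following Python is an added example for this page and is not OneFS's mapping or any code from the talk. It shows the simplest case of why the mapping is tricky: POSIX consults exactly one class (owner, else group, else other), whereas an NFSv4 ACL is evaluated first-match per permission bit and the everyone@ principal also matches the owner and group members, so a mode like 064 (owner has nothing, group has rw) only round-trips if an explicit deny for owner@ precedes the group@ allow. The mapping uses the generic owner@/group@/everyone@ approach; it ignores setuid/setgid/sticky bits, named users and groups, and inheritance flags, and the evaluator checks it against plain POSIX semantics for every mode.

```python
"""Generic POSIX mode bits -> NFSv4-style ACL mapping, with a first-match evaluator."""
from dataclasses import dataclass
import stat

READ, WRITE, EXEC = "r", "w", "x"
OWNER, GROUP, EVERYONE = "owner@", "group@", "everyone@"   # NFSv4 special principals


@dataclass(frozen=True)
class Ace:
    kind: str             # "allow" or "deny"
    who: str              # OWNER, GROUP or EVERYONE
    perms: frozenset      # subset of {READ, WRITE, EXEC}

    def __str__(self) -> str:
        return f"{self.kind[0].upper()}:{self.who}:{''.join(sorted(self.perms))}"


def _class_perms(mode: int, r: int, w: int, x: int) -> frozenset:
    return frozenset(p for p, bit in ((READ, r), (WRITE, w), (EXEC, x)) if mode & bit)


def mode_to_acl(mode: int) -> list:
    """Translate POSIX mode bits into an ACE list with identical access decisions.

    POSIX picks one class and ignores the rest. NFSv4 ACLs are first-match per
    permission bit, and everyone@ also matches the owner and group members, so
    any right a later ACE grants that a narrower class lacks must be denied first.
    """
    owner = _class_perms(mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    group = _class_perms(mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    other = _class_perms(mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    acl = []
    if (group | other) - owner:
        acl.append(Ace("deny", OWNER, (group | other) - owner))
    acl.append(Ace("allow", OWNER, owner))
    if other - group:
        acl.append(Ace("deny", GROUP, other - group))
    acl.append(Ace("allow", GROUP, group))
    acl.append(Ace("allow", EVERYONE, other))
    return acl


def nfs4_check(acl: list, principals: set, want: set) -> bool:
    """First-match evaluation: each bit is decided by the first matching ACE that
    mentions it; bits no matching ACE mentions are denied."""
    decided = {}
    for ace in acl:
        if ace.who in principals:
            for p in ace.perms:
                decided.setdefault(p, ace.kind == "allow")
    return all(decided.get(p, False) for p in want)


def posix_check(mode: int, is_owner: bool, in_group: bool, want: set) -> bool:
    """Reference semantics of a plain POSIX mode check."""
    if is_owner:
        cls = _class_perms(mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif in_group:
        cls = _class_perms(mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        cls = _class_perms(mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return want <= cls


def equivalent(mode: int) -> bool:
    """True if the ACL and the mode agree for every requester class and every right."""
    acl = mode_to_acl(mode)
    cases = [  # (is_owner, in_group, matching NFSv4 principals)
        (True, True, {OWNER, GROUP, EVERYONE}),
        (True, False, {OWNER, EVERYONE}),
        (False, True, {GROUP, EVERYONE}),
        (False, False, {EVERYONE}),
    ]
    return all(
        nfs4_check(acl, who, {p}) == posix_check(mode, o, g, {p})
        for o, g, who in cases for p in (READ, WRITE, EXEC)
    )


if __name__ == "__main__":
    for mode in (0o750, 0o064):
        print(oct(mode), [str(a) for a in mode_to_acl(mode)], equivalent(mode))
```

The reverse direction, ACL to mode bits, is where information is lost: an ACL with named-user entries or deny ACEs in unusual positions has no exact mode, so a file system that must present both views has to decide which one is authoritative and what the other side sees.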
Improvements in Samba to Take Advantage of OneFS - SambaXP 2009
        The Samba networking stack provides a modular framework for file system developers to optimally integrate their features with those expected from the SMB protocol. This presentation discusses how Isilon used this VFS framework to expose the NTFS-equivalent functionality of OneFS to its Windows clients.
Using Samba with a Commercial Clustered Filesystem - CIFS Workshop 2007
        An overview of Isilon's distributed file system design and SMB networking stack utilizing Samba.