adversity: good for software

Report

Tags:

Post on 19-Oct-2014

2.759 Views

Category:

Technology

0 Downloads

Preview:

Click to see full reader

DESCRIPTION

Adversity is a fact of software security–bad things happen both intentionally and accidentally. In the InfoSec field there is a growing undercurrent of belief that we need to build code that is Rugged meaning code that is survivable, long-lasting and persistent in the face of adversity. When paired with DevOps the Rugged Software movement really begins to hit a nerve. The pairing, aptly called Rugged DevOps is where security becomes an asset to the organization and no longer a drag on innovation.

TRANSCRIPT

Adversity: Good for Software

@wickett

• Cloud Ops Team Lead, @NIGlobal

• Tags: Rugged DevOps, OWASP, Cloud, Ruby

• Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com

• Founder of LASCON (http://lascon.org)

• Security certs: CISSP, GWAPT, CCSK, ...

• t: @wickett | e: james@wickett.me

http://lascon.org
http://lascon.org

Adversity requires Rugged solutions

Adversity

Real or perceived negative actions and events that prohibit normal function and operation.

People Involved

• Developers

• Operations

• Security

• Business

• Regular customers

• Evil customers

• Hackers

Adversity Actors

• Malicious intent, targeted

• Malicious intent, random

• Neutral intent, targeted

• Neutral intent, random

• No intent, random

Ruggedization Theory

Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

Adversity fueled innovation

• NASA in Space

• Military hard drives

• ATMs in Europe

"Secondly, our network got a lot stronger as a result of the LulzSec

attacks." -Surviving Lulz: Behind the Scenes of

LulzSec @SXSW 2012

“The phone isn't going to kill you if use it, but a

car... well, we don't want code to crash

your car.” -Auto Meets Mobile: Building In-Vehicle Apps

@SXSW 2012

Software needs to face adversity head on

Software needs to be rugged to succeed

Current Software

Rugged Software

Current Software

Rugged Software

Current Software

Rugged Software

The Internets is Mean

• Latency

• Distribution

• Anonymity

• Varied protocols

• People

Measuring Rugged

Rugged Software Manifesto

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Security vs. Rugged

• Absence of Events

• Cost

• Negative

• FUD

• Toxic

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

Ruggedization Theory

Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

No Pain, No Gain

Rugged-ities• Maintainability

• Availability

• Survivability

• Defensibility

• Security

• Longevity

• Portability

• Reliability

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

People, Process, Tech

It’s not our problem anymore

Why do you see the speck that is in your brother’s eye, but do not notice the log that is in your own eye?

- Jesus

source: Gene Kim, “When IT says No @SXSW 2012”

solution = devops

Security sees...

• They feel they are the constant givers of unheeded advice

• Business decisions made w/o worry of risk

• Irrelevancy in the organization

• They are the bearer of bad news

• Even their tribe ignores them

• Inequitable distribution of labor

the devops model is broken incomplete

rugged by design devops by culture

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

http://drbl.in/bgwy
http://drbl.in/bgwy

Rugged DevOps

• repeatable – no manual errors

• reliable - tested integration APIs

• reviewable – model in source control

• rapid – fast to build, provision, deploy

• resilient – automated reconfiguration to swap servers (throw away infrastructure)

Rugged AppliedGoal: Cloud Firewalls

• Make every service/node/instance a DMZ

• Cloud environment

• 3-tier web architecture

• Facilitate automated provisioning

Web

DB

Middle Tier

WebWeb

Middle Tier

LDAP

Firewall

Firewall

Firewall

DMZ 1

DMZ 2

DMZ 3

Traditional (non-cloud) 3-Tier Web Architecture

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

DMZ x3

DMZ x2

DMZ x3

Rugged Cloud Architecturefirewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

BenefitsRepeatableVerifiable

Prod/Dev/Test MatchingControlledAutomated

and it grows to look something like this...

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

Rugged Benefits

• Control and traffic whitelisting

• Config Management

• Reproducible and Automated

• Data can’t traverse environments accidentally

• Dev and Test Tier accurate

Rugged DevOpsNext Steps

• Build a Rugged DevOps team: Dev, Ops, Security

• Implement a chaos monkey

• Track security flaws or bugs in the same bug tracking system for development

• Automate, track results, repeat

• Join the RDO movement!

Want to help me?

• Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)

• Open Source Project: Gauntlet on github at github.com/wickett/gauntlet

• I need contributors and reviewers!

• Contact me: @wickett

Join Rugged DevOps!

• Twitter: @ruggeddevops

• Get involved in the movement

• http://join.ruggeddevops.org

http://join.ruggeddevops.org
http://join.ruggeddevops.org

top related

overcoming adversity
Spiritual
erp software why its good
Technology
evidence of good character: living honorably and …...
Documents
practices of good software architects
Technology
community adversity and resilience:
Documents
strength in adversity
Documents
models of software evolution good
Documents
triumph in adversity!
Documents
the entrepreneur in adversity
Business
overcoming adversity: bold perspectives on mental health...
Documents
good software “consumes” less energy
Technology
persevere in adversity: perceived religious discrimination...
Documents
what makes a good software architect?€¦ · good software...
Documents
adversity: accepting change !
Documents
virtues of good (parallel) software
Documents
handling adversity
Spiritual
sweet adversity - teachershub.com.au€¦ · sweet...
Documents
simposium 2014 leading through adversity kit welchlin ...
Documents
triumph over adversity
Documents
dealing with adversity
Documents