adversity: good for software
Posted on 19-Oct-2014
Adversity: Good for Software
@wickett
• Cloud Ops Team Lead, @NIGlobal
• Tags: Rugged DevOps, OWASP, Cloud, Ruby
• Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com
• Founder of LASCON (http://lascon.org)
• Security certs: CISSP, GWAPT, CCSK, ...
• t: @wickett | e: james@wickett.me
Adversity requires Rugged solutions
Adversity
Real or perceived negative actions and events that prohibit normal function and operation.
People Involved
• Developers
• Operations
• Security
• Business
• Regular customers
• Evil customers
• Hackers
Adversity Actors
• Malicious intent, targeted
• Malicious intent, random
• Neutral intent, targeted
• Neutral intent, random
• No intent, random
Ruggedization Theory
Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
Adversity fueled innovation
• NASA in Space
• Military hard drives
• ATMs in Europe
"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
"The phone isn't going to kill you if you use it, but a car... well, we don't want code to crash your car." - Auto Meets Mobile: Building In-Vehicle Apps @SXSW 2012
Software needs to face adversity head on
Software needs to be rugged to succeed
Current Software
Rugged Software
The Internets is Mean
• Latency
• Distribution
• Anonymity
• Varied protocols
• People
Measuring Rugged
Rugged Software Manifesto
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Security vs. Rugged
Security:
• Absence of events
• Cost
• Negative
• FUD
• Toxic
Rugged:
• Verification of quality
• Benefit
• Positive
• Known values
• Affirming
Ruggedization Theory
Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
No Pain, No Gain
Rugged-ities
• Maintainability
• Availability
• Survivability
• Defensibility
• Security
• Longevity
• Portability
• Reliability
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
People, Process, Tech
It’s not our problem anymore
Why do you see the speck that is in your brother’s eye, but do not notice the log that is in your own eye?
- Jesus
source: Gene Kim, “When IT says No @SXSW 2012”
solution = devops
Security sees...
• They feel they are the constant givers of unheeded advice
• Business decisions made w/o worry of risk
• Irrelevancy in the organization
• They are the bearer of bad news
• Even their tribe ignores them
• Inequitable distribution of labor
the devops model is not broken, but incomplete
rugged by design, devops by culture
Rugged DevOps
• repeatable - no manual errors
• reliable - tested integration APIs
• reviewable - model in source control
• rapid - fast to build, provision, deploy
• resilient - automated reconfiguration to swap servers (throw-away infrastructure)
Rugged Applied
Goal: Cloud Firewalls
• Make every service/node/instance a DMZ
• Cloud environment
• 3-tier web architecture
• Facilitate automated provisioning
[Diagram: Traditional (non-cloud) 3-Tier Web Architecture. Web servers, Middle Tier, DB and LDAP sit behind three shared firewalls, grouped into DMZ 1, DMZ 2 and DMZ 3.]
[Diagram: Rugged Cloud Architecture. Every Web, Middle Tier, DB and LDAP node carries its own firewall, so the number of DMZs scales with the number of nodes (DMZ x3, DMZ x2, DMZ x3) instead of being fixed at three.]
Benefits
• Repeatable
• Verifiable
• Prod/Dev/Test matching
• Controlled
• Automated
and it grows to look something like this...
[Diagram: the same per-node firewall pattern repeated across many Web, Middle Tier, DB and LDAP nodes as the environment scales out.]
Rugged Benefits
• Control and traffic whitelisting
• Config Management
• Reproducible and Automated
• Data can’t traverse environments accidentally
• Dev and Test Tier accurate
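The "Goal: Cloud Firewalls" and "Rugged Benefits" slides describe the pattern without showing how the per-node rule sets get produced. The following Ruby script is an added example, not code from the talk or from the Gauntlet project: it takes a declarative model of tiers and permitted flows and generates a default-deny inbound allowlist for each node, so every node is its own DMZ, the same generator serves prod and test (so traffic cannot cross environments), and the output is reproducible from source control. Host names, ports, the inventory and the iptables-like rule format are all constructed for the example.

```ruby
# Added example (not from the talk): per-node allowlist firewall rules
# generated from a declarative tier model. Every node defaults to deny,
# and only flows listed in FLOWS, within one environment, are opened.
#
# Inventory, host names, ports and the rule format are constructed for
# this example; host names stand in for addresses in the rules.

# Constructed inventory: environment => tier => hosts.
INVENTORY = {
  'prod' => {
    'web'    => %w[web-1 web-2],
    'middle' => %w[mid-1 mid-2],
    'db'     => %w[db-1],
    'ldap'   => %w[ldap-1],
  },
  'test' => {
    'web'    => %w[test-web-1],
    'middle' => %w[test-mid-1],
    'db'     => %w[test-db-1],
    'ldap'   => %w[test-ldap-1],
  },
}.freeze

# Permitted tier-to-tier flows; anything not listed is dropped.
# :internet is the only source that lives outside the inventory.
FLOWS = [
  { from: :internet, to: 'web',    port: 443 },
  { from: 'web',     to: 'middle', port: 8080 },
  { from: 'middle',  to: 'db',     port: 5432 },
  { from: 'middle',  to: 'ldap',   port: 636 },
].freeze

# Return [environment, tier] for a host, or nil if it is not inventoried.
def locate(host)
  INVENTORY.each do |env, tiers|
    tiers.each do |tier, hosts|
      return [env, tier] if hosts.include?(host)
    end
  end
  nil
end

# A connection is allowed only when both ends are in the same environment
# (data cannot traverse prod/test accidentally) and the tier pair plus
# port appears in FLOWS. Unknown hosts are denied.
def allowed?(src, dst, port)
  dst_env, dst_tier = locate(dst)
  return false if dst_env.nil?
  if src == :internet
    src_tier = :internet
  else
    src_env, src_tier = locate(src)
    return false if src_env != dst_env # covers unknown src (nil) too
  end
  FLOWS.any? { |f| f[:from] == src_tier && f[:to] == dst_tier && f[:port] == port }
end

# Render the inbound rule set for one node: default DROP, keep established
# sessions, then one ACCEPT per permitted source host and port.
def rules_for(host)
  env, tier = locate(host)
  raise ArgumentError, "unknown host #{host}" if env.nil?
  rules = ['-P INPUT DROP',
           '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT']
  FLOWS.select { |f| f[:to] == tier }.each do |f|
    sources = f[:from] == :internet ? ['0.0.0.0/0'] : INVENTORY[env][f[:from]]
    sources.each do |src|
      rules << "-A INPUT -s #{src} -p tcp --dport #{f[:port]} -j ACCEPT"
    end
  end
  rules
end

# Generate the rule set for every node in an environment; running this
# for 'prod' and 'test' yields structurally identical, reviewable output.
def ruleset_for_env(env)
  INVENTORY.fetch(env).values.flatten.to_h { |host| [host, rules_for(host)] }
end

if __FILE__ == $PROGRAM_NAME
  ruleset_for_env('prod').each do |host, rules|
    puts "# #{host}"
    puts rules
  end
end
```

Because the model is the single source of truth, a change such as opening a new port is a one-line diff in FLOWS that a reviewer can read, and a direct web-to-DB connection is refused by allowed? even though both hosts are in the same environment, which is the property that makes each node its own DMZ.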
Rugged DevOps
Next Steps
• Build a Rugged DevOps team: Dev, Ops, Security
• Implement a chaos monkey
• Track security flaws and bugs in the same bug tracking system as development bugs
• Automate, track results, repeat
• Join the RDO movement!
Want to help me?
• Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)
• Open Source Project: Gauntlet on github at github.com/wickett/gauntlet
• I need contributors and reviewers!
• Contact me: @wickett
Join Rugged DevOps!
• Twitter: @ruggeddevops
• Get involved in the movement
• http://join.ruggeddevops.org