Rugged DevOps: Bridging Security and DevOps
Posted on 19-Oct-2014
Description: Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.
Transcript
Rugged DevOps: Bridging Security and DevOps
@wickett, Cloud Ops Team Lead, @NIGlobal
CISSP, GWAPT, CCSK, GSEC, GCFW
ruggeddevops.org
@LASCONATX
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Security vs. Rugged
• Absence of events vs. Verification of quality
• Cost vs. Benefit
• Negative vs. Positive
• FUD vs. Known values
• Toxic vs. Affirming
Rugged-ities
• Maintainability
• Availability
• Survivability
• Defensibility
• Security
• Longevity
• Portability
• Reliability
Ruggedization Theory
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
Cloud Firewalls and DMZ (aka Security Groups)
[Slide diagram: Web x3, Middle Tier x2, DB and LDAP, each tier in its own DMZ (DMZ x3, DMZ x2, DMZ x2) with a firewall in front of it]
Rugged Benefits
• Control and traffic whitelisting
• Config management
• Reproducible, automated and source controlled
• No accidental data traversal across products or dev/test/prod tiers
• Dev and Test identical to Prod tier
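The tiered security-group layout and the benefits listed above translate directly into checkable properties. The following is an added example (not code from the slides): a whitelist-only ingress model for the Web -> Middle Tier -> DB / LDAP layout, a check that no rule lets traffic skip a tier or reach the data tier straight from a network, and a check that dev, test and prod stay identical apart from per-environment variables. The tier names, ports and CIDRs are assumptions chosen for illustration.

```python
"""Tiered cloud security groups as code, with the checks the
"Rugged Benefits" imply: explicit whitelisting, no accidental traversal
across tiers, and dev/test identical to prod.

Added example; tier names, ports and CIDRs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    # source is "tier:<name>" (a security-group reference inside the same
    # environment), "var:<name>" (a CIDR that legitimately differs per
    # environment) or a literal CIDR
    source: str


@dataclass
class Environment:
    name: str
    variables: Dict[str, str]            # var name -> CIDR for this environment
    tiers: Dict[str, FrozenSet[Rule]]    # tier -> ingress whitelist; everything else is denied


# Adjacency taken from the slide's diagram: web -> middle -> db / ldap.
ALLOWED_EDGES = {("web", "middle"), ("middle", "db"), ("middle", "ldap")}
DATA_TIERS = {"db", "ldap"}   # never reachable directly from a CIDR

# One source-controlled template is instantiated for every environment,
# so dev and test cannot differ from prod except through the variables.
TEMPLATE: Dict[str, FrozenSet[Rule]] = {
    "web":    frozenset({Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "var:admin")}),
    "middle": frozenset({Rule("tcp", 8080, "tier:web"), Rule("tcp", 22, "var:admin")}),
    "db":     frozenset({Rule("tcp", 5432, "tier:middle")}),
    "ldap":   frozenset({Rule("tcp", 636, "tier:middle")}),
}


def build_environment(name: str, admin_cidr: str) -> Environment:
    """Instantiate the template; only the admin CIDR varies per environment."""
    return Environment(name, {"admin": admin_cidr}, dict(TEMPLATE))


def resolve(env: Environment, rule: Rule) -> str:
    """Turn a var: reference into the concrete CIDR for this environment."""
    if rule.source.startswith("var:"):
        return env.variables[rule.source[len("var:"):]]
    return rule.source


def find_traversal_violations(env: Environment) -> List[Tuple[str, int, str]]:
    """Rules that would let traffic cross tiers in a way the layout forbids."""
    bad = []
    for tier, rules in env.tiers.items():
        for rule in rules:
            src = resolve(env, rule)
            if src.startswith("tier:"):
                if (src[len("tier:"):], tier) not in ALLOWED_EDGES:
                    bad.append((tier, rule.port, src))      # skips a tier
            elif tier in DATA_TIERS:
                bad.append((tier, rule.port, src))          # a network reaching DB/LDAP directly
    return sorted(bad)


def find_parity_drift(envs: Dict[str, Environment], baseline: str = "prod") -> List[Tuple[str, str]]:
    """(environment, tier) pairs whose whitelist differs from the baseline's."""
    base = envs[baseline].tiers
    drift = []
    for name, env in envs.items():
        for tier in sorted(set(base) | set(env.tiers)):
            if base.get(tier) != env.tiers.get(tier):
                drift.append((name, tier))
    return drift


if __name__ == "__main__":
    envs = {n: build_environment(n, c) for n, c in
            [("dev", "10.10.0.0/16"), ("test", "10.20.0.0/16"), ("prod", "10.30.0.0/16")]}
    print("violations:", {n: find_traversal_violations(e) for n, e in envs.items()})
    print("drift:", find_parity_drift(envs))
    # Simulate a manual console change in prod: the DB port opened to the world.
    envs["prod"].tiers["db"] = envs["prod"].tiers["db"] | {Rule("tcp", 5432, "0.0.0.0/0")}
    print("after manual change:", find_traversal_violations(envs["prod"]), find_parity_drift(envs))
```

Because every environment is built from the same template, the parity check only fires when someone edits a live security group outside source control, which is exactly the "reproducible, automated and source controlled" property the slide asks for.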
"It's not our problem anymore"
source: Gene Kim, "When IT Says No" @SXSW 2012
Security sees...
• They give advice that goes unheeded
• Business decisions made w/o regard of risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
Rugged DevOps
• repeatable – no manual steps
• reliable – no DoS here
• reviewable – aka audit
• rapid – fast to build, deploy, restore
• resilient – automated reconfiguration
• reduced – limited attack surface
#occupy_stage
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
The Philosophy of Rugged DevOps
& Principles of Behavior Driven Development
Introducing Gauntlet
gauntlet, n. an attack from all sides
an always-attacking environment for developers
with attacks written in easy-to-read language
accessible to everyone involved in dev, ops, security, ...
[Slide diagram: Your web app in the middle, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and You]
Put your code through the Gauntlet
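What "attacks written in easy-to-read language" looks like as a build step, as an added example that is neither the slides' code nor the tool the talk introduces: each check pairs a plain-language statement of the expected, known result with the function that evaluates it, and the build fails if any check fails. The nmap grepable (-oG) output and the HTTP response are constructed inline so it runs offline; the hostname, ports and header values are assumptions.

```python
"""A minimal gauntlet: readable checks that run against every build.

Added example. The scanner output and HTTP response are constructed;
the hostname, ports and header values are assumptions.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed nmap -oG style output for the web tier host.
SCAN_OUTPUT = """\
# Nmap 6.01 scan initiated as: nmap -oG - -F web01.example.internal
Host: 10.0.1.10 (web01.example.internal)\tStatus: Up
Host: 10.0.1.10 (web01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
# Nmap done -- 1 IP address (1 host up) scanned in 1.23 seconds
"""

# Constructed raw HTTP response from the same host.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_open_ports(grepable: str) -> Dict[str, Set[Tuple[int, str]]]:
    """host -> {(port, protocol)} for every port nmap reported as open."""
    result: Dict[str, Set[Tuple[int, str]]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        open_ports = result.setdefault(host, set())
        for entry in line.split("Ports:", 1)[1].split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
    return result


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """(lower-cased name, value) pairs from the response head, status line excluded."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


EXPECTED_WEB_PORTS = {(22, "tcp"), (80, "tcp"), (443, "tcp")}


def only_expected_ports_open() -> bool:
    return parse_open_ports(SCAN_OUTPUT)["10.0.1.10"] == EXPECTED_WEB_PORTS


def server_header_hides_version() -> bool:
    values = [v for n, v in parse_headers(HTTP_RESPONSE) if n == "server"]
    return all("/" not in v for v in values)


def session_cookies_are_httponly() -> bool:
    cookies = [v for n, v in parse_headers(HTTP_RESPONSE) if n == "set-cookie"]
    return all("httponly" in c.lower() for c in cookies)


# The gauntlet itself: one readable sentence per check, so anyone in
# dev, ops or security can read what the build is expected to survive.
GAUNTLET: List[Tuple[str, Callable[[], bool]]] = [
    ("Only ports 22, 80 and 443 are open on the web tier", only_expected_ports_open),
    ("The Server header does not reveal a version", server_header_hides_version),
    ("Every session cookie is marked HttpOnly", session_cookies_are_httponly),
]


def run_gauntlet() -> Dict[str, bool]:
    """Map each sentence to its pass/fail result."""
    return {sentence: check() for sentence, check in GAUNTLET}


if __name__ == "__main__":
    results = run_gauntlet()
    for sentence, ok in results.items():
        print(("PASS " if ok else "FAIL ") + sentence)
    raise SystemExit(0 if all(results.values()) else 1)   # fail the build on any FAIL
```

With the constructed data the port and cookie checks pass and the Server header check fails, which is the point: the version string is a known value the build can be held to, not a vague worry, and the failure reads the same to a developer as to the security team.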
Join Us
• #occupy_stage on Rugged DevOps
• join the email list: join.ruggeddevops.org
• twitter: @ruggeddevops
• Gauntlet? Ping me on twitter (@wickett)