Rugged DevOps Bridging Security and DevOps

Posted on 19-Oct-2014


DESCRIPTION

Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.

TRANSCRIPT

Page 1: Rugged DevOps: Bridging Security and DevOps

Rugged DevOps: Bridging Security and DevOps

Page 2: Rugged DevOps: Bridging Security and DevOps

@wickett, Cloud Ops Team Lead, @NIGlobal

CISSP, GWAPT, CCSK, GSEC, GCFW

[email protected]

ruggeddevops.org

@LASCONATX

Page 3: Rugged DevOps: Bridging Security and DevOps

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Page 4: Rugged DevOps: Bridging Security and DevOps

Security vs. Rugged

Security:

• Absence of Events

• Cost

• Negative

• FUD

• Toxic

Rugged:

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

Page 5: Rugged DevOps: Bridging Security and DevOps

Rugged-ities

• Maintainability

• Availability

• Survivability

• Defensibility

• Security

• Longevity

• Portability

• Reliability

Page 6: Rugged DevOps: Bridging Security and DevOps

Ruggedization Theory

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

Page 7: Rugged DevOps: Bridging Security and DevOps

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012

Page 8: Rugged DevOps: Bridging Security and DevOps

Cloud Firewalls and DMZ (aka Security Groups)

[Diagram: a Web tier (x3), a Middle Tier (x2), DB and LDAP, each separated by firewalls, with the segments between them labelled DMZ x3, DMZ x2 and DMZ x2]

Page 9: Rugged DevOps: Bridging Security and DevOps

Rugged Benefits

• Control and traffic whitelisting

• Config management

• Reproducible, automated and source controlled

• No accidental data traversal across products or dev/test/prod tiers

• Dev and Test identical to Prod tier
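The benefits listed on this slide follow from keeping security-group rules as data in source control, where they can be checked on every change. The Ruby below is an added example, not the talk's or any project's code: the product name, tier names, rule shape and the "<product>-<tier>-<role>" naming convention for symbolic sources are assumptions, and the rule sets are constructed sample data that includes two deliberate drifts in the dev tier so the checks have something to report.

```ruby
# Added example (not from the talk): security-group rules kept as data in
# source control, with three checks that capture the slide's "rugged benefits":
# every tier matches prod, no rule lets traffic cross a product or tier
# boundary, and nothing but the public web port is open to the world.
require 'set'

# Constructed sample: one product ("shop"), three tiers, same shape of rules.
# A source is either a CIDR or a symbolic "<product>-<tier>-<role>" group name
# (naming convention assumed for this example).
PRODUCT = 'shop'
SECURITY_GROUPS = {
  'prod' => {
    'web'    => [{ port: 443,  proto: 'tcp', from: '0.0.0.0/0' }],
    'middle' => [{ port: 8080, proto: 'tcp', from: 'shop-prod-web' }],
    'db'     => [{ port: 5432, proto: 'tcp', from: 'shop-prod-middle' }],
  },
  'test' => {
    'web'    => [{ port: 443,  proto: 'tcp', from: '0.0.0.0/0' }],
    'middle' => [{ port: 8080, proto: 'tcp', from: 'shop-test-web' }],
    'db'     => [{ port: 5432, proto: 'tcp', from: 'shop-test-middle' }],
  },
  'dev' => {
    'web'    => [{ port: 443,  proto: 'tcp', from: '0.0.0.0/0' },
                 { port: 22,   proto: 'tcp', from: '0.0.0.0/0' }],        # drift: ssh open to the world
    'middle' => [{ port: 8080, proto: 'tcp', from: 'shop-dev-web' }],
    'db'     => [{ port: 5432, proto: 'tcp', from: 'billing-dev-middle' }], # drift: source in another product
  },
}

# Normalise a rule so tiers can be compared: a symbolic source loses its
# product/tier prefix, leaving only the role the traffic comes from.
def normalize_rule(rule)
  from = rule[:from]
  from = from.sub(/\A[\w-]+?-(?:prod|test|dev)-/, '') unless from.include?('/')
  [rule[:port], rule[:proto], from]
end

# Names of tiers whose rule set differs from the reference tier (prod).
def tiers_differing_from(groups, reference = 'prod')
  ref = groups[reference].transform_values { |rules| rules.map { |r| normalize_rule(r) }.to_set }
  groups.reject { |tier, _| tier == reference }.select do |_, roles|
    roles.transform_values { |rules| rules.map { |r| normalize_rule(r) }.to_set } != ref
  end.keys
end

# Rules whose symbolic source belongs to a different product or tier than the
# group itself: the "accidental data traversal" the slide warns about.
def cross_tier_rules(groups, product)
  groups.flat_map do |tier, roles|
    roles.flat_map do |role, rules|
      rules.reject { |r| r[:from].include?('/') }
           .reject { |r| r[:from].start_with?("#{product}-#{tier}-") }
           .map { |r| "#{tier}/#{role}: #{r[:proto]}/#{r[:port]} from #{r[:from]}" }
    end
  end
end

# Rules that expose anything other than the allowed public ports to 0.0.0.0/0.
def world_exposed_rules(groups, allowed_public_ports = [443])
  groups.flat_map do |tier, roles|
    roles.flat_map do |role, rules|
      rules.select { |r| r[:from] == '0.0.0.0/0' && !allowed_public_ports.include?(r[:port]) }
           .map { |r| "#{tier}/#{role}: #{r[:proto]}/#{r[:port]} open to 0.0.0.0/0" }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "tiers drifting from prod: #{tiers_differing_from(SECURITY_GROUPS).inspect}"
  puts cross_tier_rules(SECURITY_GROUPS, PRODUCT)
  puts world_exposed_rules(SECURITY_GROUPS)
end
```

Run as a pre-merge check on the file that holds the rules, it reports the dev tier as drifting from prod, the db rule that points at another product, and the ssh port left open to the world; a clean rule set returns empty lists from all three functions.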

Page 10: Rugged DevOps: Bridging Security and DevOps

It’s not our problem anymore

Page 11: Rugged DevOps: Bridging Security and DevOps

source: Gene Kim, “When IT says No @SXSW 2012”

Page 12: Rugged DevOps: Bridging Security and DevOps

Security sees...

• They give advice that goes unheeded

• Business decisions made w/o regard of risk

• Irrelevancy in the organization

• Constant bearer of bad news

• Feels ignored by their peers (you know, those devops guys)

• Inequitable distribution of labor

Page 13: Rugged DevOps: Bridging Security and DevOps

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

Page 14: Rugged DevOps: Bridging Security and DevOps

Rugged DevOps

• repeatable - no manual steps

• reliable - no DoS here

• reviewable - aka audit

• rapid - fast to build, deploy, restore

• resilient - automated reconfiguration

• reduced - limited attack surface

Page 15: Rugged DevOps: Bridging Security and DevOps

#occupy_stage

Page 16: Rugged DevOps: Bridging Security and DevOps

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

Page 17: Rugged DevOps: Bridging Security and DevOps

The Philosophy of Rugged DevOps

& Principles of Behavior Driven Development

Page 18: Rugged DevOps: Bridging Security and DevOps

Introducing Gauntlet

gauntlet, n. an attack from all sides

an always-attacking environment for developers

with attacks written in easy-to-read language

accessible to everyone involved in dev, ops, security, ...

Page 19: Rugged DevOps: Bridging Security and DevOps

[Diagram: your web app at the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]

Put your code through the Gauntlet

Page 20: Rugged DevOps: Bridging Security and DevOps

Join Us

• #occupy_stage on Rugged DevOps

• join the email list join.ruggeddevops.org

• twitter: @ruggeddevops

• Gauntlet? Ping me on twitter (@wickett)