survival isn’t mandatory - blue sky elearnisc)2 esymposium...survival isn’t mandatory ....
TRANSCRIPT
Survival Isn’t Mandatory
Challenges and Opportunities of DevOps
Joshua Corman @joshcorman
– CTO, Sonatype • Former Director of Security Intelligence [Akamai] • Former Research Director, Enterprise Security [The 451 Group] • Former Principal Security Strategist [IBM ISS]
– Industry:
• Co-Founder of “I am The Cavalry” www.iamthecavalry.org • Co-Founder of “Rugged Software” www.ruggedsoftware.org • ISC2 ASAC Board Member • Faculty with CMU Heinz and IANS • BLOG: www.cognitivedissidents.com
– Things I’ve been researching:
• SW Supply Chains • DevOps • Security Intelligence • Chaotic Actors • Espionage • Security Metrics
Joshua Corman @joshcorman
Acknowledgement: Gene Kim
“It is not necessary to change. Survival isn’t
mandatory”
Countermeasures
Situational Awareness
Operational Excellence
Defensible Infrastructure
Life Rights CritInfr IP PII CCN
Counter- measures
Situational Awareness
Operational Excellence
Defensible Infrastructure
REPLACEABILITY
Dependence
10 11/20/2014
CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM SEIMENS * CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM SEIMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM SEIMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
As of today, internet scans by MassScan reveal 300,000 of original
600,000 remain unpatched or unpatchable
11 10/23/2013 @joshcorman #DOES14
In Our Bodies In Our Homes
In Our Infrastructure In Our Cars
•The
The Cavalry isn’t coming… It falls to us
Problem Statement Our society is adopting connected technology faster than we are able to secure it.
Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own
Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected
Home Public
Infrastructure
I Am The Cavalry
Connections and Ongoing Collaborations
5-Star Capabilities Safety by Design – Anticipate failure and plan mitigation Third-Party Collaboration – Engage willing allies Evidence Capture – Observe and learn from failure Security Updates – Respond quickly to issues discovered Segmentation & Isolation – Prevent cascading failure
Addressing Automotive Cyber Systems
Automotive Engineers
Security Researchers
Policy Makers
Insurance Analysts
Accident Investigators
Standards Organizations
https://www.iamthecavalry.org/auto/5star/
5-Star Framework
Choices
Ignore
Wait for
Prepare for
Introduce DevOps
What is DevOps?
Continuous Deployment
A cult?
Ostensibly…
A Singular Opportunity
Source: John Allspaw
Source: John Allspaw
Source: Theo Schlossnagle
Source: John Jenkins, Amazon.com
http://puppetlabs.com/2013-state-of-devops-infographic
http://puppetlabs.com/2013-state-of-devops-infographic
http://puppetlabs.com/2013-state-of-devops-infographic
http://puppetlabs.com/2013-state-of-devops-infographic
“Smaller batch sizes; more frequent deploys.”
The Phoenix Project
“The Three Ways”
1) Systems Thinking
2) Amplify Feedback Loops
3) Culture of Continuous Experimentation & Learning
Amplification
Tackling Technical Debt
Instrumented
Orchestrated
Automated
Anti-Complexity! Complexity is the enemy of Security AND Stability
Fail Fast! Iterate!
Break Things Early And Often
“Do painful things more frequently, so you can make it less painful… We don’t get pushback from Dev, because they know it makes rollouts smoother.” -- Adrian Cockcroft, Architect, Netflix
“The best way to avoid failure is to fail constantly”
Chaos Monkey
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed,
and for longer than it was ever intended.
www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/
SECURITY
COST INHIBITOR
Source: Wendy Nather (at the time, a CISO)
1) Systems Thinking
Rugged by Role
Executives CIO/CTO
Security “Analysts”
Architects
Developers
Testers
Program Managers
CIO Architect Developer QA
Linkage and Efficiency
2) Amplify Feedback Loops
3) Culture Of Continual Experimentation And Learning
Countermeasures
Situational Awareness
Operational Excellence
Defensible Infrastructure
Rugged DevOps Success
Vertical: Financial
Business: Money management firm
Implemented Rugged DevOps to quicken the change cycle and tighten the security
Results: Increased from quarterly change cycle, to daily changes, 46 average a month.
Reduced failed changes from 17% to 4%
Reduced IT audit exceptions to zero
Rugged DevOps Success
Gauntlt James Wickett, Mani Tadayon
Brakeman Justin Collins, Neil Matatall, Alex Smolen
AppSecUSA 2012 LASCON Edition
Rugged DevOps Track
AppSecUSA 2013 Denver
DevOps Track
DevOps Enterprise Summit October, 2014
Singular Opportunity They are waiting for us with open arms…
Boundary Spanners
Choices
Ignore
Wait for
Prepare for
Introduce DevOps
“It is not necessary to change. Survival isn’t
mandatory”
Dr. Deming
Joshua Corman [Knowledge Seeker | Zombie Killer]
Twitter: @joshcorman
BLOG: http://blog.cognitivedissidents.com
The Phoenix Project