DevOps for Defenders: Ruggedizing the Pipeline

DevOps for Defenders in the Enterprise


James [email protected]

Austin, TX

Rugged Dev Podcast

Gauntlt Core Team

DevOps Days Austin Organizer

DevOps Days Global Organizer

My Journey

Clouding since 2008 and DevOpsing since 2010!

Led National Instruments R&D Cloud Ops team

IoT and Cloud products at Mentor Graphics

Working at Signal Sciences Corp

We’re making AppSec effective and practical

signalsciences.com

Conclusions

We optimize for the perceived probable

Agile, DevOps and Continuous Delivery practices have approached this problem in different ways

InfoSec is behind but has a chance to add value

Integrating into the build pipeline wins

Humans optimize for the probable

We optimize for the probable: Happy Path Engineering

We optimize for the possible: Over Engineering

We optimize for the perceived probable

How do we perceive what is probable?

How do we know anything?

The Epistemological Problem of Software Development

We attempt to solve it by gathering data, or by rhetoric

Approaches to solving the perceived-probable problem

Arc 1: Agile

Agile discovered we don’t know what we are building

Solution: release features to customers rapidly

Just Ship It!

“Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.”

- Dan North, 2009

Agile Summary

Rapid Iterations Win

Agile eventually births DevOps

Arc 2: DevOps

Agile Infrastructure

@littleidea @patrickdebois at Velocity 2009

http://itrevolution.com/the-history-of-devops/

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

First DevOps Days, Ghent 2009

@patrickdebois

DevOps is a community movement

http://dev2ops.org/blog/2010/2/22/what-is-devops.html

DevOps realized that Ops doesn't know what Devs know, and vice versa

DevOps is an epistemological breakthrough: joining disparate people around a common problem

Culture

Traditional Dev : Ops ratio is 10 : 1

“That the word #devops gets reduced to technology is a manifestation of how badly we need a cultural shift”

- @patrickdebois

http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

Culture is the most important aspect to DevOps succeeding in the enterprise

What we value determines our culture

Culture affects: mutual understanding, shared language, openness, visualization, tooling

http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf

The 2014 State of DevOps Report describes itself as the first scientific study of the relationship between organizational performance, IT performance and DevOps practices. Its findings:

Firms with high-performing IT organizations were twice as likely to exceed their profitability, market share and productivity goals.

DevOps practices improve IT performance.

Organizational culture is one of the strongest predictors of both IT performance and overall performance of the organization.

Job satisfaction is the No. 1 predictor of organizational performance.

Culture, Automation, Measurement, Sharing (the CAMS model, from @botchagalupe and @damonedwards)

Antipattern: rebrand your ops team as the "devops team"

Culture Influencers

Decrease time from development to release

Blameless post-mortems

Reward failure and place a high emphasis on testing

Unite different disciplines (like dev + ops) to solve problems

http://www.slideshare.net/wickett/the-devops-way-of-delivering-results-in-the-enterprise

Automation

Antipattern: manual configuration of the production environment

Beware of the "DevOps Software Solution" (DevOps is a practice, not a product)

Seek automation to increase repeatability

A sample of the automation tool space:

Configuration management and orchestration: Chef, Puppet, Ansible, CFEngine, Rundeck, MCollective

CI and testing: Jenkins, Travis, Kitchen, Cucumber, Gauntlt, ServerSpec

Environments: Vagrant, Docker

Decrease barriers to Deploy

Measurement

Old way: CPU, memory, average load

New way: metrics mapped to things you actually care about: business metrics, event correlation, usage-based monitoring

Sharing

Dashboards for all to see (a cultural adjustment)

Deploy bot

Arc 3: Continuous Delivery

DevOps, Deming style!

Manufacturing wisdom of the '50s and '60s: Goldratt, Deming, Toyota

Black Belts, Six Sigma, Kanban, Lean

Batch size of 1

Old Way

Changes break stuff, so limit them and batch them all together: change control windows, roll backs

New Way

Delivery of one change at a time reduces outages, increases performance, and limits technical debt

Anyone can deploy… and you must deploy your own stuff

Continuous Delivery is not merely how often you deliver but how little you can deliver at a time

The Next Arc: Security (Rugged)

“… those stupid developers”

- Security person

“Security prefers a system powered off and unplugged”

- Developer

Cultural unrest with security in an organization

Differing priorities

Compliance Driven Culture: PCI, SOX, …

“[risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work”

Ratio problem: Devs : Ops : Security is 100 : 10 : 1

Security tools are run out-of-band

Security tools are confusing, and when they are done they give you this lovely gem (a report, not a failing build)

The tide is changing

Resiliency Engineering: Netflix famously released Chaos Monkey

Rugged

The Rugged Manifesto

I am rugged and, more importantly, my code is rugged.

I recognize that software has become a foundation of our modern world.

I recognize the awesome responsibility that comes with this foundational role.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.

I recognize these things – and I choose to be rugged.

I am rugged because I refuse to be a source of vulnerability or weakness.

I am rugged because I assure my code will support its mission.

I am rugged because my code can face these challenges and persist in spite of them.

I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

Dev / Ops / Sec

Join forces

The Society of Rugged Developers

ruggeddev.org

Rugged Journey

Quality

Transparency

Value Creation

Culture infusion

#RuggedDevOps

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

http://videos.2012.appsecusa.org/video/54250716

http://www.youtube.com/watch?v=jQblKuMuS0Y

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations

http://vimeo.com/75930344

Try this at home

Add security tooling to the delivery pipeline… to influence Culture, Automation, Measurement and Sharing

Security Testing

Static Code Analysis

Dynamic Testing

Virus Scanning

Code Signing Checks

Business logic/flow testing

Wouldn’t it be great if we could automate our security tests…


Enter Gauntlt

gauntlt.org

Gauntlt Philosophy

Gauntlt comes with pre-canned steps that hook security testing tools

Gauntlt does not install tools

Gauntlt can be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr: a failed attack exits non-zero, so the build fails instead of producing a report nobody reads

MIT Open Source License

Security + Cucumber = Gauntlt

Attack logic: Given / When / Then

Who uses Gauntlt?

Attack adapters: arachni, nmap, sqlmap, sslyze, dirb, garmr, generic

Attack types: sqli, xss, fuzzing, forceful browsing, info leaks, heartbleed
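To make the Given / When / Then attack logic and the adapter list above concrete, here is an added Gauntlt attack file written for this page; it is not one of the Gauntlt project's own example files. It assumes nmap and curl are installed on the CI host, uses example.com as a placeholder target in the profile table (the `<hostname>` placeholder is filled from that table), and the expected open ports and header checks are assumptions about a hypothetical service under test, not findings from the deck.

```gherkin
Feature: Pipeline gate for the web tier of example.com
  Two attacks that run on every build: a port-exposure check with nmap
  and a header-leak check with curl via the generic adapter.
  example.com is a placeholder for the host under test.

  Background:
    Given "nmap" is installed
    And "curl" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Only the expected ports are reachable
    # -F scans the 100 most common ports; fast enough for a CI step
    When I launch a "nmap" attack with:
      """
      nmap -F <hostname>
      """
    # assumed: 443 must be open, admin/database ports must not be
    Then the output should match /443.tcp\s+open/
    And the output should not match /22.tcp\s+open/
    And the output should not match /3306.tcp\s+open/

  Scenario: The web server does not leak software versions in headers
    # -s silences progress output, -I fetches headers only
    When I launch a "generic" attack with:
      """
      curl -sI https://<hostname>/
      """
    Then the output should contain "HTTP/"
    # a Server header carrying a version number (e.g. nginx/1.2) is an info leak
    And the output should not match /Server:.*\d\.\d/
    And the output should not contain "X-Powered-By"
```

Save it as `web.attack` and run `gauntlt web.attack` from the pipeline's test step. Each When step runs the tool, each Then step asserts on its stdout, and any failing scenario makes gauntlt exit non-zero, which is the exit-status point above: the build fails, instead of a report being filed somewhere out-of-band.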

TL;DR: Gauntlt automates security tools

TL;DR: Gauntlt facilitates collaboration

More on Gauntlt

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• Twitter > @gauntlt

• IRC > #gauntlt on freenode

• Issue tracking > http://github.com/gauntlt/gauntlt

Free Gauntlt book: request a copy at [email protected]

Caveat emptor: under development!

Valid until Dec 3rd

Try this at home

Fully functioning attacking pipeline

Fork this repo

https://github.com/secure-pipeline/rails-travis-example

Go through the labs in ./velocity

Conclusions

We optimize for the perceived probable

Agile, DevOps and Continuous Delivery practices have approached this problem in different ways

InfoSec is behind but has a chance to add value

Integrating into the build pipeline wins