Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.
Rugged DevOps: Bridging Security and DevOps
@wickett, Cloud Ops Team Lead, @NIGlobal
CISSP, GWAPT, CCSK, GSEC, GCFW
ruggeddevops.org
@LASCONATX
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Security vs. Rugged
Security:
• Absence of events
• Cost
• Negative
• FUD
• Toxic
Rugged:
• Verification of quality
• Benefit
• Positive
• Known values
• Affirming
Rugged-ities
• Maintainability
• Availability
• Survivability
• Defensibility
• Security
• Longevity
• Portability
• Reliability
Ruggedization Theory
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
Cloud Firewalls and DMZ (aka Security Groups)
[Diagram: firewalls implemented as security groups separating DMZ tiers: Web (x3), Middle Tier (x2), and a data tier with DB and LDAP (x2)]
Rugged Benefits
• Control and traffic whitelisting
• Config management
• Reproducible, automated and source controlled
• No accidental data traversal across products or dev/test/prod tiers
• Dev and Test identical to Prod tier
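The "Rugged Benefits" above (whitelisted flows, source-controlled config, no accidental traversal across products or dev/test/prod) can be made checkable. The following is an added example, not code from the talk or from NI; the group naming scheme `env-product-tier`, the ports, and the whitelisted flows are all assumptions made for the illustration.

```python
# Added example: a source-controlled tier whitelist for the security-group DMZ
# layout on the previous slide, plus a check that flags any proposed rule that
# is not a whitelisted tier-to-tier flow or that crosses an env/product boundary.

# Whitelisted flows between tiers (assumed ports; "internet" is a pseudo-tier).
ALLOWED_FLOWS = {
    ("internet", "web", 443),
    ("web", "middle", 8080),
    ("middle", "db", 5432),
    ("middle", "ldap", 636),
}

def parse_group(name):
    """'prod-shop-web' -> ('prod', 'shop', 'web'); 'internet' is special."""
    if name == "internet":
        return ("any", "any", "internet")
    env, product, tier = name.split("-")
    return env, product, tier

def render_rules(env, product):
    """Generate the rules for one env/product from the single whitelist, so
    dev, test and prod come out identical apart from the group prefix."""
    def name(tier):
        return "internet" if tier == "internet" else f"{env}-{product}-{tier}"
    return sorted((name(s), name(d), port) for s, d, port in ALLOWED_FLOWS)

def check_rules(rules):
    """Return (src, dst, port, reason) for every rule that should be rejected."""
    problems = []
    for src, dst, port in rules:
        s_env, s_prod, s_tier = parse_group(src)
        d_env, d_prod, d_tier = parse_group(dst)
        if s_tier != "internet" and (s_env != d_env or s_prod != d_prod):
            problems.append((src, dst, port, "crosses environment or product boundary"))
        elif (s_tier, d_tier, port) not in ALLOWED_FLOWS:
            problems.append((src, dst, port, "flow not in whitelist"))
    return problems

# Constructed sample: a proposed rule set with three mistakes in it.
PROPOSED_RULES = [
    ("internet", "prod-shop-web", 443),
    ("prod-shop-web", "prod-shop-middle", 8080),
    ("prod-shop-web", "prod-shop-db", 5432),          # web straight to the DB
    ("dev-shop-middle", "prod-shop-db", 5432),        # dev reaching prod data
    ("prod-shop-middle", "prod-billing-ldap", 636),   # crosses into another product
]

if __name__ == "__main__":
    for problem in check_rules(PROPOSED_RULES):
        print(problem)
```

Running the check in the build pipeline turns "no accidental data traversal" from a review comment into a failing build.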
It’s not our problem anymore
source: Gene Kim, "When IT says No" @SXSW 2012
Security sees...
• Their advice goes unheeded
• Business decisions are made without regard to risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
Rugged DevOps
• repeatable - no manual steps
• reliable - no DoS here
• reviewable - aka audit
• rapid - fast to build, deploy, restore
• resilient - automated reconfiguration
• reduced - limited attack surface
#occupy_stage
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
The Philosophy of Rugged DevOps
& Principles of Behavior Driven Development
Introducing Gauntlet
gauntlet, n. an attack from all sides
an always-attacking environment for developers
with attacks written in easy-to-read language
accessible to everyone involved in dev, ops, security, ...
[Diagram: your web app at the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]
Put your code through the Gauntlet
Join Us
• #occupy_stage on Rugged DevOps
• join the email list join.ruggeddevops.org
• twitter: @ruggeddevops
• Gauntlet? Ping me on twitter (@wickett)