Embed Size (px)
Citation preview
DevOps for the
James [email protected]
Austin, TX
Work at Signal Sciences
Rugged Dev Podcast
Gauntlt Core Team
LASCON Founder and Organizer
DevOps Days Austin and Global Organizer
in honor of SkyMall
If you find yourself in
Austin, stop by!
Austin OWASP (last Tuesday of the month)
LASCON Oct 22-23
ConclusionsIt is easy to get discouraged in our industry, but there is hope!
Agile, DevOps and Continuous Delivery practices have an impact for AppSec / InfoSec
InfoSec is behind but has a unique opportunity to add value
Conclusions continued
Integrating into the build pipeline and operational tooling wins
Unit and Integration tests are not enough, we need testing that focuses on attack tooling
you == “person you once knew at
a previous company”
Do you feel unable to cause positive change in
your organization?
Is security ever left out of important engineering
decisions?
Have you ever reported a serious internal vulnerability only to see it open 6 months or more later?
Why we are here
Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony,Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony, Sony
Humans optimize for the probable
We optimize for the probable
Unit Testing
Integration Testing
Happy Path Engineering
We optimize for the possible
Over Engineering
Stress and load testing
We optimize for the perceived probable
How do we perceive what is probable?
Epistemological Problem of Software Development
We attempt to solve it by gathering data or
rhetoric
3 approaches to solve the Epistemological Problem of Software Development
Arc 1: Agile
Agile side-steps the problem
Agile says we don’t know what we are building
Solution: release features to customers rapidly
Just Ship It!
Behavior Driven Dev
Behavior Driven Development is a second-generation, outside–in, pull-based,
multiple-stakeholder, multiple-scale, high-automation, agile methodology. It
describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
Dan North , 2009
Amplify the
feedback loop
TLDR;
Rapid Iterations Win
Agile is our guiding
light
We don't sell software like we used to
Software as a Service
The last 15 years have brought a complete
change in our delivery cadence, distribution, and
revenue models
DevOps is the application of Agile
methodology to system administration
- The Practice of Cloud System Administration Book
Arc 2: DevOps
Agile Infrastructure
@littleidea @patrickdebois at Velocity 2009
http://itrevolution.com/the-history-of-devops/
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
First DevOps Days, Ghent 2009
@patrickdebois
The opposite of DevOps is despair - Gene Kim
DevOps is the operationalism of the world
- Theo Schlossnagle
DevOps is a community movement
http://dev2ops.org/blog/2010/2/22/what-is-devops.html
DevOps realized that Ops doesn't know what
Devs know and vice versa
DevOps is an epistemological
breakthrough joining disparate people around
a common problem
DevOps is an inclusive movement that
codifies a culture - Adam Jacobs
Dev : Ops 10 : 1
Traditional Dev to Ops Ratio
“That the word #devops gets reduced to technology is a manifestation of how badly we need a cultural shift”
- @patrickdebois
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
Culture is the most important aspect to DevOps succeeding in the enterprise
What we value
determines our culture
Mutual Understanding Shared Language
Openness Visualization
Tooling
DevOps is the inevitable result of needing to do
efficient operations in a [distributed computing and
cloud] environment. - Tom Limoncelli
DevOps is not a technological problem. DevOps is a business
problem. - Damon Edwards
http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
the first scientific study of the relationship between organizational performance, IT performance and
DevOps practices
DevOps practices improve IT performance
Culture Automation
Measurement Sharing
@botchagalupe @damonedwards
Culture InfluencersDecrease time from development to release
Blameless post-mortems
Reward failure and have a high emphasis on testing
Unite different disciplines (like dev + ops) to solve problems
http://www.slideshare.net/wickett/the-devops-way-of-delivering-results-in-the-enterprise
Antipattern: Rebrand your ops team to
devops team
Automation
Seek automation to increase repeatability
Chef, Puppet, Ansible, CfEngine Rundeck, Mcollective
Jenkins, Travis, Kitchen Cucumber, Gauntlt, ServerSpec
Vagrant, Docker
A Sample of the Automation toolspace
Antipattern: Manual config of
production environment
Beware of the
DevOps Software Solution
Measurement
Business Metrics Event Correlation
Usage based monitoring
Sharing
Dashboards for all Deploy Bot
Arc 3: Continuous
Delivery
Continuous Delivery is not merely how often
you deliver but how little you can deliver at a time
Batch size of 1
Old Way
Changes break stuff, so limit them and batch
them all together
New Way
Delivery of one change at a time reduces outages, increases performance,
and limits technical debt
You must deploy your stuff
Never Pass Defects to the Next Step
The Practice of Cloud System Administration
Increase the Flow of Work
The Practice of Cloud System Administration
Let the bots troll the users for the lolz.
Allocate time to enhance the build, test and deploy
system
The Practice of Cloud System Administration
Reduce code latency and increase code velocity
The Next Arc: SecurityRugged
“… those stupid developers”
- Security person
“Security prefers a system powered off and unplugged”
- Developer
Cultural unrest with security in an organization
Compliance Driven Culture: PCI, SOX, …
“[risk assessment] introduces a dangerous fallacy: that
structured inadequacy is almost as good as adequacy and that underfunded security efforts
plus risk management are about as good as properly funded
security work”
Ratio Problem Devs : Ops : Security
100 : 10 : 1
Security Tools are run out-of-band
Security tools are confusing
and when they are done they give you this lovely gem
The tide is changing
Resiliency Engineering
Netflix famously released chaos
monkey
Rugged
The Rugged Manifesto (excerpts)
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this
foundational role.
I am rugged because my code can face these challenges and
persist in spite of them.
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
Rugged Journey
Quality
Transparency
Value Creation
Culture infusion
http://videos.2012.appsecusa.org/video/54250716
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectationshttp://vimeo.com/75930344
Security Tooling to Delivery Pipeline
…to influence Culture, Automation, Measurement
and Sharing
Security Testing
Static Code Analysis
Dynamic Testing
Virus Scanning
Code Signing Checks
Business logic/flow testing
Wouldn’t it be great if we could automate our
security tests
http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg
You could say things like…
The login page on my application should not be
vulnerable to SQL injection
The search page should not be vulnerable to XSS
Our app should not have a backdoor in it
Enter Gauntlt
Integration tests meet Dynamic App Security
Testing
Gauntlt PhilosophyGauntlt comes with pre-canned steps that hook security testing and attack tooling
Gauntlt functions as part of the CI/CD pipeline
Gauntlt is a good citizen of exit status and stdout/stderr
Gauntlt does not install tools
MIT Open Source License
Security + Cucumber = Gauntlt
Attack Logic
GIVENWHENTHEN
Who uses Gauntlt?
CabForward
arachni nmap
sqlmap sslyze dirb
garmr generic
sqli xss
fuzzing forceful browsing
info leaks heartbleed
…
TLDR;
Gauntlt automates attack tooling
TLDR;
Gauntlt facilitates collaboration
more on gauntlt
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki• Twitter > @gauntlt• IRC > #gauntlt on freenode• Issue tracking > http://github.com/gauntlt/gauntlt
Try this at home
Fully functioning attacking pipeline
Fork this repo
https://github.com/secure-pipeline/rails-travis-example
labs in ./velocity
./velocity/lab_2/.travis.yml
./Gemfile
./velocity/lab_2/.travis.yml
./Rakefile
./test/attacks/xss.attack
./test/attacks/xss.attack
./test/attacks/backdoors.attack
./test/attacks/sql_injection.attack
Gauntlt Next steps
Gauntlt currently doesn't install attack tooling, we are working on a gauntlt docker container to change that
Integrate into Kali distro
but wait, there is more…
+----------------------------------+--------+-----------------------------------------+ | Alert | Risk | URL | +----------------------------------+--------+-----------------------------------------+ | Cross Site Scripting (Reflected) | High | http://localhost:3000/forgot_password | +----------------------------------+--------+-----------------------------------------+
ConclusionsIt is easy to get discouraged in our industry, but there is hope!
Agile, DevOps and Continuous Delivery practices have an impact for AppSec / InfoSec
InfoSec is behind but has a unique opportunity to add value
Conclusions continued
Integrating into the build pipeline and operational tooling wins
Unit and Integration tests are not enough, we need testing that focuses on attack tooling
