Rugged DevOps: Bridging Security and DevOps


DESCRIPTION

Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.

Text of Rugged DevOps: Bridging Security and DevOps

Rugged DevOps: Bridging Security and DevOps

@wickett, Cloud Ops Team Lead, @NIGlobal

CISSP, GWAPT, CCSK, GSEC, GCFW

james@wickett.me

ruggeddevops.org

@LASCONATX

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Security vs. Rugged

Security                 Rugged
Absence of events        Verification of quality
Cost                     Benefit
Negative                 Positive
FUD                      Known values
Toxic                    Affirming

Rugged-ities: Maintainability, Availability, Survivability, Defensibility, Security, Longevity, Portability, Reliability

Ruggedization Theory

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012

Cloud Firewalls and DMZ (aka Security Groups)

[Diagram: a tiered layout with firewalls between tiers: three Web nodes, two Middle Tier nodes, then DB and LDAP; the tiers are grouped into DMZs labelled DMZ x3, DMZ x2 and DMZ x2]

Rugged Benefits

Control and traffic whitelisting

Config management: reproducible, automated and source controlled

No accidental data traversal across products or dev/test/prod tiers

Dev and Test identical to Prod tier

It's not our problem anymore

source: Gene Kim, When IT says No @SXSW 2012

Security sees...

They give advice that goes unheeded

Business decisions made w/o regard of risk

Irrelevancy in the organization

Constant bearer of bad news

Feels ignored by their peers (you know, those devops guys)

Inequitable distribution of labor

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

Rugged DevOps

repeatable - no manual steps

reliable - no DoS here

reviewable - aka audit

rapid - fast to build, deploy, restore

resilient - automated reconfiguration

reduced - limited attack surface

#occupy_stage

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry

The Philosophy of Rugged DevOps

& Principles of Behavior Driven Development

Introducing Gauntlet

gauntlet, n. an attack from all sides

an always-attacking environment for developers

with attacks written in easy-to-read language

accessible to everyone involved in dev, ops, security, ...

[Diagram: Your web app in the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and You]

Put your code through the Gauntlet
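The point of the Gauntlet slides is that a security check reads as plain language, so developers, ops and security can all write and review one. As an added example, not the Gauntlet project's own DSL or code, the Python below runs a small feature file written in Given/When/Then style against a canned HTTP response: each step is matched by a regular expression to a check, and failing steps are collected so a build can be stopped. The step grammar, the feature text and the response are assumptions constructed for the example.

```python
"""A minimal plain-language check runner in the spirit of the Gauntlet slides.
Constructed example: step grammar, feature text and the canned response are
assumptions, not the Gauntlet project's own DSL."""

import re
from typing import Optional

# Constructed response, standing in for what a request to the app would return.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
        "Server": "Apache/2.2.22",   # version banner that one step below objects to
    },
}

# Step patterns, tried in order; each maps readable text to a boolean check.
STEP_TABLE = [
    (r'^the header "([^"]+)" should be "([^"]*)"$',
     lambda resp, name, value: resp["headers"].get(name) == value),
    (r'^the header "([^"]+)" should be present$',
     lambda resp, name: name in resp["headers"]),
    (r'^the header "([^"]+)" should not be present$',
     lambda resp, name: name not in resp["headers"]),
    (r'^the status should be (\d+)$',
     lambda resp, code: resp["status"] == int(code)),
]

KEYWORDS = ("Given ", "When ", "Then ", "And ", "But ")


def strip_keyword(line: str) -> Optional[str]:
    """Return the step body if the line is a step; Feature:/Scenario: lines give None."""
    text = line.strip()
    for kw in KEYWORDS:
        if text.startswith(kw):
            return text[len(kw):].strip()
    return None


def run_step(step: str, response: dict) -> bool:
    """Find the first matching step definition and evaluate it."""
    for pattern, check in STEP_TABLE:
        m = re.match(pattern, step)
        if m:
            return bool(check(response, *m.groups()))
    # An unknown step is a defect in the feature file, not a passing check.
    raise ValueError(f"no step definition matches: {step!r}")


def run_feature(feature_text: str, response: dict) -> list:
    """Run every step in the feature; return (step, passed) pairs in order."""
    results = []
    for line in feature_text.splitlines():
        step = strip_keyword(line)
        if step is not None:
            results.append((step, run_step(step, response)))
    return results


def failures(results: list) -> list:
    return [step for step, ok in results if not ok]


# Constructed feature text: the kind of check a team would keep next to its code.
FEATURE = """\
Feature: baseline hardening checks run on every build
  Scenario: the app answers and hides what it runs on
    Then the status should be 200
    And the header "X-Frame-Options" should be "DENY"
    And the header "Strict-Transport-Security" should be present
    And the header "Server" should not be present
"""

if __name__ == "__main__":
    outcome = run_feature(FEATURE, SAMPLE_RESPONSE)
    for step, ok in outcome:
        print(("PASS " if ok else "FAIL ") + step)
    raise SystemExit(1 if failures(outcome) else 0)
```

Against the constructed response, the status and X-Frame-Options steps pass while the missing Strict-Transport-Security header and the exposed Server banner fail, so the script exits non-zero. Swapping the canned dictionary for a real request, or a step that wraps one of the scanners on the slide, keeps the feature file readable to everyone while the check runs on every deploy.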

Join Us

#occupy_stage on Rugged DevOps

join the email list: join.ruggeddevops.org

twitter: @ruggeddevops

Gauntlet? Ping me on twitter (@wickett)