Rugged DevOps: Bridging Security and DevOps



Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.


Rugged DevOps
Bridging Security and DevOps

@wickett, Cloud Ops Team Lead, @NIGlobal



I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Security vs. Rugged

Security               Rugged
Absence of events      Verification of quality
Cost                   Benefit
Negative               Positive
FUD                    Known values
Toxic                  Affirming

Rugged-ities: Maintainability, Availability, Survivability, Defensibility, Security, Longevity, Portability, Reliability

Ruggedization Theory

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012





Cloud Firewalls and DMZ (aka Security Groups)

[Diagram: firewalls in front of DMZ tiers (DMZ x3, DMZ x2, DMZ x2) and middle tiers]


Rugged Benefits

Control and traffic whitelisting
Config management: reproducible, automated and source controlled
No accidental data traversal across products or dev/test/prod tiers
Dev and Test identical to Prod tier

It's not our problem anymore

source: Gene Kim, When IT says No @SXSW 2012

Security sees...

They give advice that goes unheeded
Business decisions made without regard to risk
Irrelevancy in the organization
Constant bearer of bad news
Feels ignored by their peers (you know, those devops guys)
Inequitable distribution of labor


source: Jessica Allen,

Rugged DevOps

repeatable - no manual steps
reliable - no DoS here
reviewable - aka audit
rapid - fast to build, deploy, restore
resilient - automated reconfiguration
reduced - limited attack surface


If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry

The Philosophy of Rugged DevOps

& Principles of Behavior Driven Development

Introducing Gauntlet

gauntlet, n. an attack from all sides

an always-attacking environment for developers

with attacks written in easy-to-read language

accessible to everyone involved in dev, ops, security, ...

[Diagram: your web app in the centre, surrounded by attacks such as dirbuster and custom attacks]

Put your code through the Gauntlet
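As an added illustration of the "attacks written in easy-to-read language" idea (not from the original slides): a Gherkin scenario in the style of gauntlt, the later name of the Gauntlet project. The step wording follows the later gauntlt project, and the hostname, port and headers checked are assumptions for this example.

```gherkin
# Assumed for this example: the app under test listens on http://localhost:8080
Feature: Web app response headers are hardened
  Scenario: A plain curl probe sees the defences we expect
    Given "curl" is installed
    And the following profile:
      | name     | value                 |
      | hostname | http://localhost:8080 |
    When I launch a "curl" attack with:
      """
      curl -sI <hostname>/
      """
    # Expectations readable by dev, ops and security alike
    Then the output should contain:
      """
      X-Frame-Options
      """
    And the output should not contain:
      """
      X-Powered-By
      """
```

In the later gauntlt project such files carry the .attack extension and a failed expectation fails the build, which is what makes the environment "always attacking".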

Join Us

#occupy_stage on Rugged DevOps
Join the email list
Twitter: @ruggeddevops
Gauntlet? Ping me on Twitter (@wickett)