Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.
Rugged DevOps: Bridging Security and DevOps
@wickett, Cloud Ops Team Lead, @NIGlobal
CISSP, GWAPT, CCSK, GSEC, GCFW
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Security vs. Rugged
  Security: Absence of events / Cost / Negative / FUD / Toxic
  Rugged:   Verification of quality / Benefit / Positive / Known values / Affirming

Rugged-ities: Maintainability, Availability, Survivability, Defensibility, Security, Longevity, Portability, Reliability
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
"Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
(diagram: Middle Tier)
Cloud Firewalls and DMZ (aka Security Groups)
  - Control and traffic whitelisting
  - Config management: reproducible, automated and source controlled
  - No accidental data traversal across products or
  - Dev and Test identical to Prod tier
It's not our problem anymore
source: Gene Kim, When IT says No @SXSW 2012
  - They give advice that goes unheeded
  - Business decisions made w/o regard of risk
  - Irrelevancy in the organization
  - Constant bearer of bad news
  - Feels ignored by their peers (you know, those devops guys)
Inequitable distribution of labor
source: Jessica Allen, http://drbl.in/bgwy
  - repeatable: no manual steps
  - reliable: no DoS here
  - reviewable: aka audit
  - rapid: fast to build, deploy, restore
  - resilient: automated reconfiguration
  - reduced: limited attack surface
"If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea."
- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry
The Philosophy of Rugged DevOps & Principles of Behavior Driven Development
Introducing Gauntlet
gauntlet, n. an attack from all sides
an always-attacking environment for developers
with attacks written in easy-to-read language
accessible to everyone involved in dev, ops, security, ...
Your web app
Put your code through the Gauntlet
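The security-groups slide (whitelisted traffic, source-controlled config, Dev and Test identical to Prod), the "R"s of rugged (repeatable, reviewable, reduced attack surface) and the Gauntlet idea of attacks written in readable language all come together in one small runner. This is an added example, not gauntlt's own code or step syntax and not from the talk: security expectations are written as plain English "Then" lines and evaluated against constructed, source-controlled security-group data. Every tier, group name, port and CIDR below is constructed for illustration, and the "dev" tier deliberately carries a drifted rule so a failure shows up.

```python
"""Readable-attack runner over constructed security-group data.
Added example in the spirit of the Gauntlet slides; not gauntlt's code
and not its syntax. All names, ports and CIDRs are constructed."""
import re

# Constructed per-tier security-group rules: (protocol, port, source).
# "sg:<name>" means traffic is only accepted from another group, the
# whitelisting style the Cloud Firewalls / DMZ slide describes.
SECURITY_GROUPS = {
    "prod": {
        "web":    [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
        "middle": [("tcp", 8080, "sg:web")],
        "db":     [("tcp", 5432, "sg:middle")],
    },
    "test": {
        "web":    [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
        "middle": [("tcp", 8080, "sg:web")],
        "db":     [("tcp", 5432, "sg:middle")],
    },
    "dev": {  # constructed drift: the DB was opened to the world "temporarily"
        "web":    [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
        "middle": [("tcp", 8080, "sg:web")],
        "db":     [("tcp", 5432, "sg:middle"), ("tcp", 5432, "0.0.0.0/0")],
    },
}

# A constructed attack spec in plain English. Anyone in dev, ops or
# security can read it and argue about it in review.
ATTACK = """
Attack: the database tier must never be reachable from the internet
  Then only port 443 is open to the world on "web"
  Then "db" accepts traffic only from "sg:middle"
  Then this tier is identical to tier "prod"
"""


def world_exposed_ports(rules):
    """Ports a group accepts from 0.0.0.0/0 (the attack surface that matters)."""
    return sorted(port for _, port, src in rules if src == "0.0.0.0/0")


def sources_into(rules):
    """Set of sources a group accepts traffic from."""
    return {src for _, _, src in rules}


# Step definitions: a regex over the English sentence and a check that
# returns (passed, detail). Each check gets the whole tier map, the tier
# under test, and the regex captures.
def _only_world_port(tiers, tier, port, name):
    exposed = world_exposed_ports(tiers[tier][name])
    return exposed == [int(port)], f"world-exposed ports on {name}: {exposed}"


def _only_source(tiers, tier, name, src):
    srcs = sources_into(tiers[tier][name])
    return srcs == {src}, f"sources allowed into {name}: {sorted(srcs)}"


def _tier_identical(tiers, tier, other):
    same = tiers[tier] == tiers[other]
    return same, "identical" if same else f"{tier} rules differ from {other}"


STEPS = [
    (r'only port (\d+) is open to the world on "(\w+)"', _only_world_port),
    (r'"(\w+)" accepts traffic only from "([\w:./]+)"', _only_source),
    (r'this tier is identical to tier "(\w+)"', _tier_identical),
]


def run_attack(spec, tier, tiers=SECURITY_GROUPS):
    """Evaluate every 'Then' line of a spec against one tier.
    Returns (step, passed, detail) tuples. A step with no definition is
    recorded as a failure, so a typo cannot silently pass."""
    results = []
    for raw in spec.splitlines():
        line = raw.strip()
        if not line.startswith("Then "):
            continue
        step = line[len("Then "):]
        for pattern, check in STEPS:
            match = re.fullmatch(pattern, step)
            if match:
                passed, detail = check(tiers, tier, *match.groups())
                results.append((step, passed, detail))
                break
        else:
            results.append((step, False, "no matching step definition"))
    return results


def failures(results):
    """Just the failed steps, for a CI gate or a review comment."""
    return [(step, detail) for step, passed, detail in results if not passed]


if __name__ == "__main__":
    for tier_name in SECURITY_GROUPS:
        for step, passed, detail in run_attack(ATTACK, tier_name):
            print(f"[{tier_name}] {'PASS' if passed else 'FAIL'} {step} ({detail})")
```

Running this against "prod" and "test" produces no failures; "dev" fails both the database-source step and the tier-parity step, which is exactly the kind of drift the "Dev and Test identical to Prod" slide warns about. Because the spec is plain text in the same repository as the rules, it is repeatable (no manual steps), reviewable (it is an audit you can diff), and keeps the attack surface reduced by failing the build the moment a world-open rule appears.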
#occupy_stage on Rugged DevOps
  - join the email list: join.ruggeddevops.org
  - twitter: @ruggeddevops
  - Gauntlet? Ping me on twitter (@wickett)