Rugged Dev: Building Reliability and Security Into Software
Presented at InnoTech Austin on October 20, 2011. For details on InnoTech, visit www.innotechconferences.com

Presentation Transcript

  • The Rugged Way in the Cloud – Building Reliability and Security Into Software • James Wickett • james.wickett@owasp.org 1
  • 2
  • @wickett • Operations and Security for software delivered on the cloud • National Instruments, R&D • Certs: CISSP, GSEC, GCFW, CCSK • Tags: OWASP, Cloud, DevOps, Ruby • Blogger at theagileadmin.com • I do stuff for LASCON (http://lascon.org) • Twitter: @wickett 3
  • Cloud @ NI • We built a DevOps team to rapidly deliver new SaaS products and product functionality using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element. With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay. 4
  • National Instruments • 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010 • Hardware and software for data acquisition, embedded design, instrument control, and test • LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields 5
  • From toys to black holes 6
  • NI’s Cloud Products • LabVIEW Web UI Builder • FPGA Compile Cloud • more to come... 7
  • ni.com/uibuilder 8
  • 9
  • 10
  • FPGA Compile Cloud • LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex • Implemented on Amazon - EC2, Java/Linux, C#/.NET/Windows, and LabVIEW FPGA • Also an on premise product, the “Compile Farm” 11
  • Using the FPGA Compile Cloud 12
  • Building Rugged In 13
  • Am I healthy? 14
  • Am I healthy? • Latest and greatest research • Justification to insurance companies • Measurement and testing as available • Point in time snapshot 15
  • Am I secure? 16
  • Am I secure? • Latest and greatest vulnerabilities • Justification of budget for tools • Measurement and testing as available • Point in time snapshot 17
  • People, Process, Tech 18
  • It’s not our problem anymore 19
  • If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea - Antoine Jean-Baptiste Marie Roger de Saint Exupéry 20
  • Twitter Survey • What is one word that you would use to describe ‘IT Security’ people? 21
  • unicorns paranoid prepared Tenacious HAWT! smart masochistic demented jaded smart sisyphean omnium-gatherum facebored passionate weird drunk compassionate 22
  • Us vs. Them • Security professionals often degrade developers • Developers don’t get security people • There is interest across the aisle, but often ruined by negative language 23
  • Why do you see the speck that is in your brother's eye, but do not notice the log that is in your own eye? - Jesus 24
  • Adverse conditions need Rugged solutions 25
  • Adversity fueled innovation • NASA in Space • Military hard drives • ATMs in Europe 26
  • Chip and PIN ATM 27
  • The Internets is Mean • Latency • Distribution • Anonymity • Varied protocols • People 28
  • Systems are complex • “How Complex Systems Fail” • Failure at multiple layers • Synonyms in other industries • Defense in Depth 29
  • Software needs to meet adversity 30
  • Intro to Rugged by analogy 31
  • Current Software 32
  • Rugged Software 33
  • Current Software 34
  • Rugged Software 35
  • Current Software 36
  • Rugged Software 37
  • Current Software 38
  • Rugged Software 39
  • Current Software 40
  • Rugged Software 41
  • Current Software 42
  • Rugged Software 43
  • 44
  • Rugged Software Manifesto 45
  • I am rugged... and more importantly, my code is rugged. 46
  • I recognize that software has become a foundation of our modern world. 47
  • I recognize the awesome responsibility that comes with this foundational role. 48
  • I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. 49
  • I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. 50
  • I recognize these things - and I choose to be rugged. 51
  • I am rugged because I refuse to be a source of vulnerability or weakness. 52
  • I am rugged because I assure my code will support its mission. 53
  • I am rugged because my code can face these challenges and persist in spite of them. 54
  • I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge. 55
  • Rugged-ities • Availability • Survivability • Defensibility • Security • Longevity • Portability 56
  • Security vs. Rugged • Absence of Events vs. Verification of quality • Cost vs. Benefit • Negative vs. Positive • FUD vs. Known values • Toxic vs. Affirming 57
  • Rugged Survival Guide • Defensible Infrastructure • Operational Discipline • Situational Awareness • Countermeasures • On YouTube: “PCI Zombies” 58
  • Security as a Feature • SaaF is possible, but hard for most products • Tough to measure • Hiding among other features 59
  • Rugged as a Feature • RaaF addresses customer felt needs • Values that people covet • Buyers want it 60
  • Qualities of Rugged Software • Availability - Speed and performance • Longevity, Long-standing, persistent - Time • Scalable, Portable • Maintainable and Defensible - Topology Map • Resilient in the face of failures • Reliable - Time, Load 61
  • Measuring Ruggedness • Physical: Heat, Cold, Friction, Time, Quantity of use, Type of use • Software: Concurrency, Transactions, Speed, Serial Load, Input handling, Entropy, Lines of Code 62
  • Measuring Frameworks • Measured by lack of incidents and quantifying risk and vulns • OWASP / CVE tracking • Common Vuln Scoring System (CVSS) • Mitre Common Weakness Enumeration (CWE) • Common Weakness Scoring System (CWSS) 63
  • Supply and ______ 64
  • Marketing Possibilities • Positive: Rugged Rating System • 3rd party verification of Ruggedness • Self Attestation • Negative: warning signs • Buyers Bill of Rights 65
  • Measuring Rugged 66
  • 3rd Party Warnings 67
  • Self Attestation 68
  • Implicit vs. Explicit 69
  • Explicit Requirements • Customers Demand • 20% Use Cases • Most Vocal • Failure results in loss of customers but not all customers 70
  • Implicit Requirements • Customers Assume • 80% of use cases • Unsaid and Unspoken • Most basic and expected features • Failure results in a loss of most customers 71
  • Is Security Explicit or Implicit? 72
  • Is Rugged Explicit or Implicit? 73
  • 74
  • Rugged Implementations 75
  • build a rugged team 76
  • People and Process • Sit near the developers... DevOpsSec • Track security flaws or bugs in the same bug tracking system • Train to automate • Involve team with vendors • Measurement over time and clear communication 77
  • OPSEC Framework • Know your system and people • Make security better in small steps • Add layers of security without overcompensating • Use a weekly, iteration-based approach to security 78
  • 79
  • Programmable Infrastructure Environment 80
  • Configuration Management • Infrastructure as Code (IaC) • Model driven deployment • Version control everything • PIE (Programmable Infrastructure Environment) • Know Your Environment if you want to make it defensible 81
  • What is PIE? • a framework to define, provision, monitor, and control cloud-based systems • written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) • takes an XML-based model from source control and creates a full running system • to define, provision, monitor, and control cloud-based systems 82
  • PIE ingredients • model driven automation • infrastructure as code • DevOps • dynamic scaling • agility • security in the model 83
  • 84
  • The Model • XML descriptions of the system as ‘specs’ • system (top level) • environment (instance of a system) • role (“tier” within a system) • image (specific base box config) • service (specific software or application) • commands (for various levels) • templates (files to be parsed) 85
  • 86
  • 87
  • The Registry • uses Apache ZooKeeper (part of Hadoop project) • the registry contains information about the running system • specific addressing scheme: • /fcc/test1/external-services/2/tomcat • [/<system>/<environment>/<role>/<instance>/<service>] 88
      pie registry.register /fcc/test1/external-services/2
      pie registry.bind /fcc/test1
      pie registry.list /fcc/test1
  • Control • create, terminate, start, stop instances using the AWS API • enforce scaling policy • execute remote commands 89
      pie control.create /fcc/test1/external-services/2
      pie control.stop /fcc/test1/external-services/2
      pie control.enforce /fcc/test1
      pie control.remote.service.restart /fcc/test1/external-services/2/external-tomcat
      pie control.remote.execute /fcc/test1/external-services/2 -i exe[0]="ls -l /etc/init.d"
  • Provisioning • deploy services and apps • two-phase for fast deploys • update config files and parse templates 90
      pie provision.deploy.stage /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
      pie provision.deploy.run /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
      pie provision.remote.updateConfig /fcc/test1
  • Monitoring • integrated with third party SaaS monitoring provider Cloudkick • systems register with Cloudkick as they come online and immediately have appropriate monitors applied based on tags set from the model 91
  • 92
  • Logging • logging in the cloud using Splunk • logging agents are deployed in the model and they are given the config from registry and the model as they come online 93
  • Rugged Results • repeatable – no manual errors • reviewable – model in source control • rapid – bring up, install, configure, and test dozens of systems in a morning • resilient – automated reconfiguration to swap servers (throw away infrastructure) • rugged by design 94
  • build the new DMZ 95
  • What’s a DMZ? • Demilitarized Zone • Physical and logical divisions between assets • Military history • Control what goes in and what goes out 96
  • Control your environment • Make every service a DMZ • Cloud environment • 3-tier web architecture • Allow automated provisioning 97
  • Traditional 3-Tier Web Architecture [diagram: Firewall, then Web, Web, Web (DMZ 1); Firewall, then Middle Tier, Middle Tier (DMZ 2); Firewall, then DB, LDAP (DMZ 3)] 98
  • Rugged Architecture [diagram: a firewall in front of every instance: Web, Web, Web (DMZ x3); Middle Tier, Middle Tier (DMZ x2); DB, LDAP (DMZ x3)] 99
  • [diagram: the per-instance firewall stack (Web, Middle Tier, DB, LDAP) shown three times, labelled: Repeatable • Verifiable • Prod/Dev/Test Matching • Controlled • Automated] 100
  • [diagram: the same per-instance firewall stack repeated nine times] 101
  • Rugged 3-Tier Architecture Benefits • Control • Config Management • Reproducible and Automated • Data can’t traverse environments accidentally • Dev and Test Tier accurate 102
  • OWASP Secure Coding Quick Reference Guide • Checklist format that can be added into your sprints • Helps development team find common security flaws • Topics include: Input Validation, Output Encoding, Auth, Session Management, Memory Management, ... • http://bit.ly/OWASPQuickRef 103
  • Rugged Next Steps • Use Rugged language • Know your systems • Automate, track results, repeat • Begin weekly OPSEC in your org • Attend LASCON (http://lascon.org) 104
  • Rugged Resources 105
  • https://groups.google.com/a/owasp.org/group/rugged-software 106
  • Recommended Reading 107
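
Added example, not part of the presentation and not PIE code: a sketch of the "make every service a DMZ" idea from slides 97-102, keyed on the registry addressing scheme from slide 88. The role names, ports, policy table and rule format are assumptions made for illustration; the slides do not show PIE's real model.

```python
import re
from collections import defaultdict

# Instance address layout from slide 88: /<system>/<environment>/<role>/<instance>
ADDRESS = re.compile(r"/([\w-]+)/([\w-]+)/([\w-]+)/(\d+)")

# Assumed policy (not from PIE): role -> (listening port, only role allowed in).
# None means the tier is internet-facing.
POLICY = {"web": (443, None), "middle-tier": (8080, "web"), "db": (5432, "middle-tier")}

# Constructed sample registry contents: two environments of one system.
SAMPLE = [
    "/fcc/test1/web/1", "/fcc/test1/web/2", "/fcc/test1/middle-tier/1",
    "/fcc/test1/db/1", "/fcc/prod/web/1", "/fcc/prod/middle-tier/1", "/fcc/prod/db/1",
]

def parse_address(path):
    """Split a registry address into (system, environment, role, instance)."""
    m = ADDRESS.fullmatch(path)
    if m is None:
        raise ValueError(f"not a registry instance address: {path!r}")
    system, env, role, instance = m.groups()
    if role not in POLICY:
        raise ValueError(f"no firewall policy for role {role!r}")
    return system, env, role, int(instance)

def build_rules(addresses):
    """Give every instance its own ingress rule: a firewall per box, not per tier."""
    members = defaultdict(list)  # (system, env, role) -> instance addresses
    for path in addresses:
        system, env, role, _ = parse_address(path)
        members[(system, env, role)].append(path)
    rules = {}
    for (system, env, role), paths in members.items():
        port, upstream = POLICY[role]
        # Sources are resolved inside the same environment only, so a test
        # instance is never allowed through a production firewall.
        sources = (["0.0.0.0/0"] if upstream is None
                   else sorted(members.get((system, env, upstream), [])))
        for path in paths:
            rules[path] = {"port": port, "allow_from": sources}
    return rules

def cross_environment_rules(rules):
    """Audit: list instances that accept traffic from another environment."""
    def env_of(path):
        return tuple(path.split("/")[1:3])
    return [dst for dst, rule in rules.items() for src in rule["allow_from"]
            if src.startswith("/") and env_of(src) != env_of(dst)]

if __name__ == "__main__":
    for dst, rule in sorted(build_rules(SAMPLE).items()):
        print(dst, rule)
```

Because the rules are derived from the same addresses for every environment, dev, test and prod get matching firewall layouts, and the audit function can run in a build step to catch a hand-edited rule that lets data cross environments.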