Adversity: Good for software
Adversity is a fact of software security–bad things happen both intentionally and accidentally. In the InfoSec field there is a growing undercurrent of belief that we need to build code that is Rugged meaning code that is survivable, long-lasting and persistent in the face of adversity. When paired with DevOps the Rugged Software movement really begins to hit a nerve. The pairing, aptly called Rugged DevOps is where security becomes an asset to the organization and no longer a drag on innovation.
Transcript

  • 1. Adversity: Good for Software
  • 2. @wickett
    • Cloud Ops Team Lead, @NIGlobal
    • Tags: Rugged DevOps, OWASP, Cloud, Ruby
    • Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com
    • Founder of LASCON (http://lascon.org)
    • Security certs: CISSP, GWAPT, CCSK, ...
    • t: @wickett | e: james@wickett.me
  • 3. Adversity requires Rugged solutions
  • 4. Adversity: Real or perceived negative actions and events that prohibit normal function and operation.
  • 5. People Involved
    • Developers, Operations, Security, Business
    • Regular customers, Evil customers, Hackers
  • 6. Adversity Actors
    • Malicious intent, targeted
    • Malicious intent, random
    • Neutral intent, targeted
    • Neutral intent, random
    • No intent, random
  • 7. Ruggedization Theory: Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 8. Adversity fueled innovation
    • NASA in Space
    • Military hard drives
    • ATMs in Europe
  • 9. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
  • 10. “The phone isn't going to kill you if you use it, but a car... well, we don't want code to crash your car.” -Auto Meets Mobile: Building In-Vehicle Apps @SXSW 2012
  • 11. Software needs to face adversity head on
  • 12. Software needs to be rugged to succeed
  • 13. Current Software
  • 14. Rugged Software
  • 15. Current Software
  • 16. Rugged Software
  • 17. Current Software
  • 18. Rugged Software
  • 19. The Internets is Mean
    • Latency
    • Distribution
    • Anonymity
    • Varied protocols
    • People
  • 20. Measuring Rugged
  • 21. Rugged Software Manifesto
  • 22. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • 23. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  • 24. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  • 25. Security vs. Rugged
    • Security: Absence of Events, Cost, Negative, FUD, Toxic
    • Rugged: Verification of quality, Benefit, Positive, Known values, Affirming
  • 26. Ruggedization Theory: Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 27. No Pain, No Gain
  • 28. Rugged-ities
    • Maintainability
    • Availability
    • Survivability
    • Defensibility
    • Security
    • Longevity
    • Portability
    • Reliability
  • 29. If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea. - Antoine Jean-Baptiste Marie Roger de Saint Exupéry
  • 30. People, Process, Tech
  • 31. It’s not our problem anymore
  • 32. Why do you see the speck that is in your brother’s eye, but do not notice the log that is in your own eye? - Jesus
  • 33. source: Gene Kim, “When IT says No @SXSW 2012”
  • 34. solution = devops
  • 35. Security sees...
    • They feel they are the constant givers of unheeded advice
    • Business decisions made w/o worry of risk
    • Irrelevancy in the organization
    • They are the bearer of bad news
    • Even their tribe ignores them
    • Inequitable distribution of labor
  • 36. the devops model is broken incomplete
  • 37. rugged by design, devops by culture
  • 38. RUGGED source: Jessica Allen, http://drbl.in/bgwy
  • 39. Rugged DevOps
    • repeatable – no manual errors
    • reliable – tested integration APIs
    • reviewable – model in source control
    • rapid – fast to build, provision, deploy
    • resilient – automated reconfiguration to swap servers (throw away infrastructure)
  • 40. Rugged Applied Goal: Cloud Firewalls
    • Make every service/node/instance a DMZ
    • Cloud environment
    • 3-tier web architecture
    • Facilitate automated provisioning
  • 41. Traditional (non-cloud) 3-Tier Web Architecture [diagram: Firewall → Web, Web, Web (DMZ 1); Firewall → Middle Tier, Middle Tier (DMZ 2); Firewall → DB, LDAP (DMZ 3)]
  • 42. Rugged Cloud Architecture [diagram: one firewall in front of each node: firewall, firewall, firewall → Web, Web, Web (DMZ x3); firewall, firewall → Middle Tier, Middle Tier (DMZ x2); firewall, firewall → DB, LDAP (DMZ x3)]
  • 43. Benefits: Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated [diagram: the per-node-firewall layout of slide 42, repeated three times]
  • 44. and it grows to look something like this...
  • 45. [diagram: the per-node-firewall layout of slide 42 repeated nine times, each copy with three Web nodes, two Middle Tier nodes, DB and LDAP, every node behind its own firewall]
  • 46. Rugged Benefits
    • Control and traffic whitelisting
    • Config Management
    • Reproducible and Automated
    • Data can’t traverse environments accidentally
    • Dev and Test Tier accurate
  • 47. Rugged DevOps Next Steps
    • Build a Rugged DevOps team: Dev, Ops, Security
    • Implement a chaos monkey
    • Track security flaws or bugs in the same bug tracking system used for development
    • Automate, track results, repeat
    • Join the RDO movement!
  • 48. Want to help me?
    • Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)
    • Open Source Project: Gauntlet on github at github.com/wickett/gauntlet
    • I need contributors and reviewers!
    • Contact me: @wickett
  • 49. Join Rugged DevOps!
    • Twitter: @ruggeddevops
    • Get involved in the movement: http://join.ruggeddevops.org