Adversity: Good for software

Adversity: Good for Software

@wickett• Cloud Ops Team Lead, @NIGlobal• Tags: Rugged DevOps, OWASP, Cloud, Ruby• Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com• Founder of LASCON (http://lascon.org)• Security certs: CISSP, GWAPT, CCSK, ...• t: @wickett | e: james@wickett.me

Adversity requiresRugged solutions

Adversity Real or perceived negative actions and events that prohibit normal function and operation.

People Involved• Developers • Regular customers• Operations • Evil customers• Security • Hackers• Business

Adversity Actors• Malicious intent, targeted• Malicious intent, random• Neutral intent, targeted• Neutral intent, random• No intent, random

Ruggedization TheoryBuilding solutions to handleadversity actors will causeunintended, positive beneﬁtsthat will provide value thatwould have been unrealizedotherwise.

Adversity fueled innovation• NASA in Space• Military hard drives• ATMs in Europe

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012

“The phone isnt goingto kill you if use it, but a car... well, we dont want code to crash your car.” -Auto Meets Mobile: Building In-Vehicle Apps @SXSW 2012

Software needs to face adversity head on

Software needs to be rugged to succeed

Current Software

Rugged Software

Current Software

Rugged Software

Current Software

Rugged Software

The Internets is Mean• Latency• Distribution• Anonymity• Varied protocols• People

Measuring Rugged

Rugged Software Manifesto

I recognize that my code will be usedin ways I cannot anticipate, in ways itwas not designed, and for longerthan it was ever intended.

I recognize that my code will beattacked by talented and persistentadversaries who threaten ourphysical, economic, and nationalsecurity.

I am rugged, not because it is easy,but because it is necessary... and Iam up for the challenge.

Security vs. Rugged• Absence of • Verification of Events quality• Cost • Benefit• Negative • Positive• FUD • Known values• Toxic • Affirming

Ruggedization TheoryBuilding solutions to handleadversity actors will causeunintended, positive beneﬁtsthat will provide value thatwould have been unrealizedotherwise.

No Pain, No Gain

Rugged-ities • Maintainability • Availability • Survivability • Defensibility • Security • Longevity • Portability • Reliability

If you want to build a ship, dontdrum up people together to collectwood and dont assign them tasksand work, but rather teach them tolong for the endless immensity ofthe sea- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

People, Process, Tech

It’s not our problem anymore

Why do you see the speck that is in yourbrother’s eye, but do not notice the log that is inyour own eye? - Jesus

source: Gene Kim, “When IT says No @SXSW 2012”

solution = devops

Security sees...• They feel they are the constant givers of unheeded advice• Business decisions made w/o worry of risk• Irrelevancy in the organization• They are the bearer of bad news• Even their tribe ignores them• Inequitable distribution of labor

the devops model is broken incomplete

rugged by designdevops by culture

RUGGED source: Jessica Allen, http://drbl.in/bgwy

Rugged DevOps• repeatable – no manual errors• reliable - tested integration APIs• reviewable – model in source control• rapid – fast to build, provision, deploy• resilient – automated reconﬁguration to swap servers (throw away infrastructure)

Rugged Applied Goal: Cloud Firewalls• Make every service/node/instance a DMZ• Cloud environment• 3-tier web architecture• Facilitate automated provisioning

Traditional (non-cloud) 3-Tier Web Architecture Firewall Web Web Web DMZ 1 Firewall Middle Tier Middle Tier DMZ 2 Firewall DB LDAP DMZ 3

Rugged Cloud Architecturefirewall firewall firewall Web Web Web DMZ x3 firewall firewall Middle Tier Middle Tier DMZ x2 firewall firewall DB LDAP DMZ x3

Benefitsfirewall firewall firewall Web Web Web Repeatable Verifiable firewall firewall Middle Tier Middle Tier Prod/Dev/Test Matching firewall firewall DB LDAP Controlled Automatedfirewall firewall firewall firewall firewall firewall Web Web Web Web Web Web firewall firewall firewall firewall Middle Tier Middle Tier Middle Tier Middle Tier firewall firewall firewall firewall DB LDAP DB LDAP

and it grows to looksomething like this...

firewall firewall firewall firewall firewall firewall firewall firewall firewall Web Web Web Web Web Web Web Web Web firewall firewall firewall firewall firewall firewall Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier firewall firewall firewall firewall firewall firewall DB LDAP DB LDAP DB LDAPfirewall firewall firewall firewall firewall firewall firewall firewall firewall Web Web Web Web Web Web Web Web Web firewall firewall firewall firewall firewall firewall Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier firewall firewall firewall firewall firewall firewall DB LDAP DB LDAP DB LDAPfirewall firewall firewall firewall firewall firewall firewall firewall firewall Web Web Web Web Web Web Web Web Web firewall firewall firewall firewall firewall firewall Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier firewall firewall firewall firewall firewall firewall DB LDAP DB LDAP DB LDAP

Rugged Benefits• Control and traffic whitelisting• Config Management• Reproducible and Automated• Data can’t traverse environments accidentally• Dev and Test Tier accurate

Rugged DevOps Next Steps• Build a Rugged DevOps team: Dev, Ops, Security• Implement a chaos monkey• Track security ﬂaws or bugs in the same bug tracking system for development• Automate, track results, repeat• Join the RDO movement!

Want to help me?• Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)• Open Source Project: Gauntlet on github at github.com/wickett/gauntlet• I need contributors and reviewers!• Contact me: @wickett

Join Rugged DevOps!• Twitter: @ruggeddevops• Get involved in the movement • http://join.ruggeddevops.org

http://blog.ruggeddevops.org	566
http://blog.wickett.me	541
http://www.tumblr.com	22
http://posterous.com	5
http://elblogdebatis.blogspot.com.es	2
http://elblogdebatis.blogspot.com	1
http://www.elblogdebatis.blogspot.com.es	1
http://www.onlydoo.com	1

Adversity: Good for software

by James Wickett

Accessibility

Categories

Upload Details

Usage Rights

8 Embeds 1,139

Statistics

Adversity: Good for software Presentation Transcript