Adversity: Good for Software
Adversity is a fact of software security–bad things happen both intentionally and accidentally. In the InfoSec field there is a growing undercurrent of belief that we need to build code that is Rugged meaning code that is survivable, long-lasting and persistent in the face of adversity. When paired with DevOps the Rugged Software movement really begins to hit a nerve. The pairing, aptly called Rugged DevOps is where security becomes an asset to the organization and no longer a drag on innovation.

Published in: Technology, Business
  1. Adversity: Good for Software
  2. @wickett
     • Cloud Ops Team Lead, @NIGlobal
     • Tags: Rugged DevOps, OWASP, Cloud, Ruby
     • Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com
     • Founder of LASCON (http://lascon.org)
     • Security certs: CISSP, GWAPT, CCSK, ...
     • t: @wickett | e: james@wickett.me
  3. Adversity requires Rugged solutions
  4. Adversity: real or perceived negative actions and events that prohibit normal function and operation.
  5. People Involved
     • Developers
     • Operations
     • Security
     • Business
     • Regular customers
     • Evil customers
     • Hackers
  6. Adversity Actors
     • Malicious intent, targeted
     • Malicious intent, random
     • Neutral intent, targeted
     • Neutral intent, random
     • No intent, random
  7. Ruggedization Theory: Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  8. Adversity fueled innovation
     • NASA in Space
     • Military hard drives
     • ATMs in Europe
  9. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
  10. "The phone isn't going to kill you if you use it, but a car... well, we don't want code to crash your car." - Auto Meets Mobile: Building In-Vehicle Apps @SXSW 2012
  11. Software needs to face adversity head on
  12. Software needs to be rugged to succeed
  13. Current Software
  14. Rugged Software
  15. Current Software
  16. Rugged Software
  17. Current Software
  18. Rugged Software
  19. The Internets is Mean
     • Latency
     • Distribution
     • Anonymity
     • Varied protocols
     • People
  20. Measuring Rugged
  21. Rugged Software Manifesto
  22. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  23. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  24. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  25. Security vs. Rugged
     Security                Rugged
     Absence of events       Verification of quality
     Cost                    Benefit
     Negative                Positive
     FUD                     Known values
     Toxic                   Affirming
  26. Ruggedization Theory: Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  27. No Pain, No Gain
  28. Rugged-ities
     • Maintainability
     • Availability
     • Survivability
     • Defensibility
     • Security
     • Longevity
     • Portability
     • Reliability
  29. "If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea." - Antoine Jean-Baptiste Marie Roger de Saint-Exupéry
  30. People, Process, Tech
  31. It's not our problem anymore
  32. "Why do you see the speck that is in your brother's eye, but do not notice the log that is in your own eye?" - Jesus
  33. source: Gene Kim, "When IT says No" @SXSW 2012
  34. solution = devops
  35. Security sees...
     • They feel they are the constant givers of unheeded advice
     • Business decisions made w/o worry of risk
     • Irrelevancy in the organization
     • They are the bearer of bad news
     • Even their tribe ignores them
     • Inequitable distribution of labor
  36. the devops model is broken incomplete
  37. rugged by design, devops by culture
  38. RUGGED (source: Jessica Allen, http://drbl.in/bgwy)
  39. Rugged DevOps
     • repeatable – no manual errors
     • reliable – tested integration APIs
     • reviewable – model in source control
     • rapid – fast to build, provision, deploy
     • resilient – automated reconfiguration to swap servers (throw away infrastructure)
  40. Rugged Applied Goal: Cloud Firewalls
     • Make every service/node/instance a DMZ
     • Cloud environment
     • 3-tier web architecture
     • Facilitate automated provisioning
  41. Traditional (non-cloud) 3-Tier Web Architecture (diagram): Firewall -> Web, Web, Web (DMZ 1) -> Firewall -> Middle Tier, Middle Tier (DMZ 2) -> Firewall -> DB, LDAP (DMZ 3)
  42. Rugged Cloud Architecture (diagram, every node behind its own firewall): firewall + Web x3 (labelled DMZ x3) -> firewall + Middle Tier x2 (labelled DMZ x2) -> firewall + DB, firewall + LDAP (labelled DMZ x3)
  43. Benefits (diagram: the per-node firewall architecture shown side by side for two environments): Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated
  44. and it grows to look something like this...
  45. (diagram: the per-node firewall architecture tiled many times over, each copy with its own firewall + Web, firewall + Middle Tier, firewall + DB and firewall + LDAP nodes)
  46. Rugged Benefits
     • Control and traffic whitelisting
     • Config Management
     • Reproducible and Automated
     • Data can't traverse environments accidentally
     • Dev and Test Tier accurate
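As an added illustration of slides 40 through 46 (this is example code, not part of the deck and not the author's Gauntlet project), the following Python model shows what "make every instance a DMZ" plus "control and traffic whitelisting" looks like when the rules are generated from a small, source-controlled tier policy. Tier names, ports, addresses and the fleet are constructed for the example; the iptables lines are the kind of artifact config management would push to each node, and the audit is the verification step that catches a rule set letting traffic cross environments or skip a tier.

```python
"""Per-instance firewall whitelisting for a 3-tier cloud architecture.

Instead of one firewall per tier boundary, every node carries an inbound
allow-list derived from TIER_POLICY. Everything not listed is dropped, and
sources are resolved only to instances in the same environment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    tier: str   # web | middle | db | ldap
    env: str    # prod | dev | test
    ip: str


@dataclass(frozen=True)
class Rule:
    src_cidr: str
    dst_port: int


# Constructed tier policy: (source tier, destination tier) -> TCP port.
# "internet" is the only source allowed to reach the web tier.
TIER_POLICY: Dict[Tuple[str, str], int] = {
    ("internet", "web"): 443,
    ("web", "middle"): 8080,
    ("middle", "db"): 5432,
    ("middle", "ldap"): 389,
}


def build_ruleset(node: Node, fleet: List[Node]) -> List[Rule]:
    """Derive one instance's inbound allow-list from the tier policy.

    Upstream sources are expanded to individual instances of the upstream
    tier in the same environment, so a dev web server never appears in a
    prod middle-tier rule set (data can't traverse environments by accident).
    """
    rules: List[Rule] = []
    for (src_tier, dst_tier), port in TIER_POLICY.items():
        if dst_tier != node.tier:
            continue
        if src_tier == "internet":
            rules.append(Rule("0.0.0.0/0", port))
            continue
        for src in fleet:
            if src.tier == src_tier and src.env == node.env:
                rules.append(Rule(f"{src.ip}/32", port))
    return rules


def is_allowed(rules: List[Rule], src_ip: str, dst_port: int) -> bool:
    """Evaluate an inbound connection against an allow-list; default deny."""
    src = ipaddress.ip_address(src_ip)
    return any(r.dst_port == dst_port and src in ipaddress.ip_network(r.src_cidr)
               for r in rules)


def render_iptables(node: Node, fleet: List[Node]) -> List[str]:
    """Emit the allow-list as iptables commands for automated provisioning."""
    lines = ["iptables -P INPUT DROP",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for r in build_ruleset(node, fleet):
        lines.append(f"iptables -A INPUT -p tcp -s {r.src_cidr} "
                     f"--dport {r.dst_port} -j ACCEPT")
    return lines


def expected_ports(src: Node, dst: Node) -> Set[int]:
    """Ports src may legitimately reach on dst: public ports plus the same-env
    upstream-to-downstream tier flow, nothing else."""
    allowed: Set[int] = set()
    if ("internet", dst.tier) in TIER_POLICY:
        allowed.add(TIER_POLICY[("internet", dst.tier)])
    if src.env == dst.env and (src.tier, dst.tier) in TIER_POLICY:
        allowed.add(TIER_POLICY[(src.tier, dst.tier)])
    return allowed


def audit(fleet: List[Node]) -> List[str]:
    """Compare every generated rule set against the policy, pair by pair.

    Returns "src -> dst:port" for each flow that is open but should not be
    (cross-environment or tier-skipping) or closed but should be open.
    """
    ports = sorted(set(TIER_POLICY.values()))
    violations: List[str] = []
    for dst in fleet:
        rules = build_ruleset(dst, fleet)
        for src in fleet:
            if src is dst:
                continue
            for port in ports:
                if is_allowed(rules, src.ip, port) != (port in expected_ports(src, dst)):
                    violations.append(f"{src.name} -> {dst.name}:{port}")
    return violations


# Constructed fleet: a prod environment and a dev environment.
FLEET = [
    Node("prod-web-1", "web", "prod", "10.0.1.10"),
    Node("prod-web-2", "web", "prod", "10.0.1.11"),
    Node("prod-mid-1", "middle", "prod", "10.0.2.10"),
    Node("prod-db-1", "db", "prod", "10.0.3.10"),
    Node("prod-ldap-1", "ldap", "prod", "10.0.3.20"),
    Node("dev-web-1", "web", "dev", "10.1.1.10"),
    Node("dev-mid-1", "middle", "dev", "10.1.2.10"),
    Node("dev-db-1", "db", "dev", "10.1.3.10"),
]


def node(name: str) -> Node:
    return next(n for n in FLEET if n.name == name)


if __name__ == "__main__":
    for line in render_iptables(node("prod-mid-1"), FLEET):
        print(line)
    print("violations:", audit(FLEET))
```

The design point is that the per-node rule set is never hand-edited: the tier policy is the reviewable model in source control, each instance's rules are a pure function of that model and the current fleet, and the audit is what makes "repeatable" also "verifiable" before provisioning runs.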
  47. Rugged DevOps Next Steps
     • Build a Rugged DevOps team: Dev, Ops, Security
     • Implement a chaos monkey
     • Track security flaws or bugs in the same bug tracking system for development
     • Automate, track results, repeat
     • Join the RDO movement!
  48. Want to help me?
     • Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)
     • Open Source Project: Gauntlet on github at github.com/wickett/gauntlet
     • I need contributors and reviewers!
     • Contact me: @wickett
  49. Join Rugged DevOps!
     • Twitter: @ruggeddevops
     • Get involved in the movement
     • http://join.ruggeddevops.org
