Adversity is a fact of software security–bad things happen both intentionally and accidentally. In the InfoSec field there is a growing undercurrent of belief that we need to build code that is Rugged meaning code that is survivable, long-lasting and persistent in the face of adversity. When paired with DevOps the Rugged Software movement really begins to hit a nerve. The pairing, aptly called Rugged DevOps is where security becomes an asset to the organization and no longer a drag on innovation.
6. Adversity Actors
• Malicious intent, targeted
• Malicious intent, random
• Neutral intent, targeted
• Neutral intent, random
• No intent, random
7. Ruggedization Theory
Building solutions to handle
adversity actors will cause
unintended, positive benefits
that will provide value that
would have been unrealized
otherwise.
8. Adversity fueled
innovation
• NASA in Space
• Military hard drives
• ATMs in Europe
9. "Secondly, our network
got a lot stronger as a
result of the LulzSec
attacks."
-Surviving Lulz: Behind the Scenes of
LulzSec @SXSW 2012
10. “The phone isn't going
to kill you if use it, but a
car... well, we don't
want code to crash
your car.”
-Auto Meets Mobile: Building In-Vehicle Apps
@SXSW 2012
24. I recognize that my code will be used
in ways I cannot anticipate, in ways it
was not designed, and for longer
than it was ever intended.
25. I recognize that my code will be
attacked by talented and persistent
adversaries who threaten our
physical, economic, and national
security.
26. I am rugged, not because it is easy,
but because it is necessary... and I
am up for the challenge.
27. Security vs. Rugged
• Absence of • Verification of
Events quality
• Cost • Benefit
• Negative • Positive
• FUD • Known values
• Toxic • Affirming
28. Ruggedization Theory
Building solutions to handle
adversity actors will cause
unintended, positive benefits
that will provide value that
would have been unrealized
otherwise.
34. If you want to build a ship, don't
drum up people together to collect
wood and don't assign them tasks
and work, but rather teach them to
long for the endless immensity of
the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
40. Security sees...
• They feel they are the constant givers of
unheeded advice
• Business decisions made w/o worry of risk
• Irrelevancy in the organization
• They are the bearer of bad news
• Even their tribe ignores them
• Inequitable distribution of labor
44. Rugged DevOps
• repeatable – no manual errors
• reliable - tested integration APIs
• reviewable – model in source control
• rapid – fast to build, provision, deploy
• resilient – automated reconfiguration
to swap servers (throw away
infrastructure)
45. Rugged Applied
Goal: Cloud Firewalls
• Make every service/node/instance a
DMZ
• Cloud environment
• 3-tier web architecture
• Facilitate automated provisioning
46. Traditional (non-cloud) 3-Tier Web Architecture
Firewall
Web
Web
Web
DMZ 1
Firewall
Middle Tier Middle Tier
DMZ 2
Firewall
DB LDAP
DMZ 3
47. Rugged Cloud Architecture
firewall firewall firewall
Web Web Web DMZ x3
firewall firewall
Middle Tier Middle Tier
DMZ x2
firewall firewall
DB LDAP
DMZ x3
48. Benefits
firewall firewall firewall
Web Web Web
Repeatable
Verifiable
firewall firewall
Middle Tier Middle Tier
Prod/Dev/Test Matching
firewall firewall
DB LDAP
Controlled
Automated
firewall firewall firewall firewall firewall firewall
Web Web Web Web Web Web
firewall firewall firewall firewall
Middle Tier Middle Tier Middle Tier Middle Tier
firewall firewall firewall firewall
DB LDAP DB LDAP
50. firewall firewall firewall firewall firewall firewall firewall firewall firewall
Web Web Web Web Web Web Web Web Web
firewall firewall firewall firewall firewall firewall
Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier
firewall firewall firewall firewall firewall firewall
DB LDAP DB LDAP DB LDAP
firewall firewall firewall firewall firewall firewall firewall firewall firewall
Web Web Web Web Web Web Web Web Web
firewall firewall firewall firewall firewall firewall
Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier
firewall firewall firewall firewall firewall firewall
DB LDAP DB LDAP DB LDAP
firewall firewall firewall firewall firewall firewall firewall firewall firewall
Web Web Web Web Web Web Web Web Web
firewall firewall firewall firewall firewall firewall
Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier Middle Tier
firewall firewall firewall firewall firewall firewall
DB LDAP DB LDAP DB LDAP
51. Rugged Benefits
• Control and traffic whitelisting
• Config Management
• Reproducible and Automated
• Data can’t traverse environments
accidentally
• Dev and Test Tier accurate
52. Rugged DevOps
Next Steps
• Build a Rugged DevOps team: Dev, Ops, Security
• Implement a chaos monkey
• Track security flaws or bugs in the same bug
tracking system for development
• Automate, track results, repeat
• Join the RDO movement!
53. Want to help me?
• Upcoming book: Rugged Driven
Development: Building Software in an
Adversity Fueled Environment (will live at
ruggeddev.com)
• Open Source Project: Gauntlet on github at
github.com/wickett/gauntlet
• I need contributors and reviewers!
• Contact me: @wickett
54. Join Rugged DevOps!
• Twitter: @ruggeddevops
• Get involved in the movement
• http://join.ruggeddevops.org