SECURITY IS DEAD. LONG LIVE RUGGED DEVOPS: IT AT LUDICROUS SPEED…
Joshua Corman, Gene Kim
TRUTH, LIES AND DECISIONS: Moving Forward in an Insecure World
September 12 – 14, 2012, Grand Hyatt, San Francisco
September 2012
Gene Kim: Two Truths and a Lie

  Please fill out the table below with two statements that are true and one lie
  about yourself. I will put the information into the polling system to go live
  before your presentation.

  Statement: Truth or lie?
  - I didn't know that Purdue University was in Indiana, otherwise I wouldn't have gone there: Truth
  - I still carry around a J. R. R. Tolkien book in my briefcase everywhere I go: Lie
  - I have an outrageous man-crush on my co-presenter, Josh Corman: Truth
About Joshua Corman
     •   Director of Security Intelligence for Akamai Technologies
           -   Former Research Director, Enterprise Security [The 451 Group]
           -   Former Principal Security Strategist [IBM ISS]

     •   Industry:
           -   Expert Faculty: The Institute for Applied Network Security (IANS)
           -   2009 NetworkWorld Top 10 Tech People to Know
           -   Co-Founder of “Rugged Software” www.ruggedsoftware.org
           -   BLOG: www.cognitivedissidents.com

     •   Things I’ve been researching:
           -   Compliance vs Security
           -   Disruptive Security for Disruptive Innovations
           -   Chaotic Actors
           -   Espionage
           -   Security Metrics
Josh Corman: Two Truths and a Lie

  Please fill out the table below with two statements that are true and one lie
  about yourself. I will put the information into the polling system to go live
  before your presentation.

  Statement: Truth or lie?
  - My philosophy thesis was entitled "Schizophrenic Alienated Tennis Pros in Love": Truth
  - I'm the president of my local zombie survivalist chapter: Lie
  - I have a life sized statue of Spider-Man in my foyer: Truth
About Gene Kim
     • Researcher, Author

     • Industry:
          - Invented and founded Tripwire, CTO (1997-2010)
          - Co-author: “Visible Ops Handbook” (2006), “Visible Ops Security” (2008)
          - Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012)

     • Things I’ve been researching:
          - Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT
            performance
          - DevOps, Rugged DevOps
          - Scoping PCI Cardholder Data Environment
PART 1: THE PROBLEM
Consequences: Value & Replaceability

    http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
You Don’t Need To Be Faster Than the Bear…
How will we rise?

DEPENDENCE
SOFTWARE AS VULNERABILITY
CONNECTED AS EXPOSED
OUR CHALLENGES ARE NOT TECHNICAL, BUT CULTURAL
WE CAN DO BETTER
PART 2: DEVOPS
Source: John Allspaw
Source: Theo Schlossnagle
Source: John Jenkins, Amazon.com
Ludicrous Speed?
Ludicrous Speed
Ludicrous Speed!
PART 3: RUGGED
WHAT IS RUGGED?
RUGGED SOFTWARE DEVELOPMENT
Joshua Corman, David Rice, Jeff Williams
2010
RUGGED SOFTWARE
…so software not only needs to be…
FAST
AGILE
Are You Rugged?
HARSH
UNFRIENDLY
THE MANIFESTO
I recognize that my code will be used in ways I cannot anticipate, in ways it was
not designed, and for longer than it was ever intended.
www.ruggedsoftware.org

https://www.ruggedsoftware.org/documents/
CrossTalk
http://www.crosstalkonline.org/issues/marchapril-2011.html
From the Rugged Handbook StrawMan
WHAT IS RUGGED DEVOPS?

                SEPTEMBER 12 – 14, 2012
                GRAND HYATT, SAN FRANCISCO




55                                Organized by
Source: James Wickett
http://www.youtube.com/watch?v=JQEBYxp_vKs
Survival Guide/Pyramid
          www.ruggedsoftware.org

  Built up from the base, one layer per slide:

              Countermeasures
            Situational Awareness
            Operational Discipline
          Defensible Infrastructure
Source: James Wickett
PART 4: ROCKING INFOSEC WITH RUGGED DEVOPS
The First Way:
Systems Thinking

[Flow diagram: (Business) to (Customer), left to right]
The First Way:
Systems Thinking (Left To Right)

  • Understand the flow of work
  • Always seek to increase flow
  • Never unconsciously pass defects downstream
  • Never allow local optimization to cause global degradation
  • Achieve profound understanding of the system
Create One Step Environment Creation Process

  • Make environments available early in the Development process
  • Make sure Dev builds the code and environment at the same time
  • Create a common Dev, QA and Production environment creation process
Embed Into Automated Infrastructure Team

  • Get educated on open source tools like Puppet and Chef
  • Provide them your hardening guidance
  • Add your monitoring tools
Break Things Early And Often

  “Do painful things more frequently, so you can make it less painful… We don’t
  get pushback from Dev, because they know it makes rollouts smoother.”

  -- Adrian Cockcroft, Architect, Netflix
Break Things Early And Often

  • Enforce consistency in code, environments and configurations across the
    environments
  • Add your ASSERTs to find misconfigurations, enforce https, etc.
  • Add static code analysis to the automated continuous integration and testing
    process
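The consistency and ASSERT bullets above describe checks that can run in the same CI job that builds the environments. The following is an added example written for this page, not code from the presentation or from the Rugged Software project; the configuration schema (tls, debug, packages, open_ports), the environment names and the allowed-port set are assumptions chosen for the illustration. It flags an environment where HTTPS is not enforced, debug mode left on outside Dev, unexpected listening ports, and package-version drift between QA and Prod, so that a misconfiguration fails the build instead of reaching production.

```python
"""Infrastructure assertions run in CI against environment definitions.

Added example, not code from the slide deck or the Rugged Software project.
The config schema (tls, debug, packages, open_ports), the environment names
and ALLOWED_PORTS are assumptions made for this example; a real pipeline
would load the records from Puppet/Chef data, a repository or the built hosts.
"""
from typing import Dict, List

# Constructed sample data: one record per environment, as a deployment
# pipeline would export it before the environment is handed to QA or Prod.
SAMPLE_ENVIRONMENTS: Dict[str, dict] = {
    "dev": {
        "tls": {"enforce_https": True, "min_version": "TLSv1.2"},
        "debug": True,
        "packages": {"openssl": "1.0.1e", "nginx": "1.2.3"},
        "open_ports": [22, 443],
    },
    "qa": {
        "tls": {"enforce_https": False, "min_version": "TLSv1.2"},  # drift: https off
        "debug": False,
        "packages": {"openssl": "1.0.1e", "nginx": "1.2.3"},
        "open_ports": [22, 80, 443],                                # drift: port 80
    },
    "prod": {
        "tls": {"enforce_https": True, "min_version": "TLSv1.2"},
        "debug": True,                                              # drift: debug on
        "packages": {"openssl": "1.0.1c", "nginx": "1.2.3"},        # drift: version
        "open_ports": [22, 443],
    },
}

# Ports that may be listening in any environment (assumption for the example).
ALLOWED_PORTS = {22, 443}
# Environments that must be built identically, so tests in one predict the other.
CONSISTENT_SET = ("qa", "prod")


def check_environment(name: str, env: dict) -> List[str]:
    """Per-environment invariants: the ASSERTs Infosec adds to the build."""
    problems = []
    if not env["tls"]["enforce_https"]:
        problems.append(f"{name}: https is not enforced")
    if env["debug"] and name != "dev":
        problems.append(f"{name}: debug mode enabled outside dev")
    unexpected = sorted(set(env["open_ports"]) - ALLOWED_PORTS)
    if unexpected:
        problems.append(f"{name}: unexpected listening ports {unexpected}")
    return problems


def check_consistency(envs: Dict[str, dict], names=CONSISTENT_SET) -> List[str]:
    """Cross-environment invariants: package versions must match across the set."""
    problems = []
    baseline_name = names[0]
    baseline = envs[baseline_name]["packages"]
    for other in names[1:]:
        for pkg, version in envs[other]["packages"].items():
            expected = baseline.get(pkg)
            if expected != version:
                problems.append(
                    f"{other}: {pkg} {version} differs from {baseline_name} {expected}")
    return problems


def check_environments(envs: Dict[str, dict]) -> List[str]:
    """Run every assertion; an empty list means the build may proceed."""
    problems = []
    for name, env in envs.items():
        problems.extend(check_environment(name, env))
    problems.extend(check_consistency(envs))
    return problems


if __name__ == "__main__":
    for line in check_environments(SAMPLE_ENVIRONMENTS):
        print("FAIL:", line)
```

Run in CI, a non-empty result fails the job; the same checks run against every environment, so Dev sees the failure first rather than Production.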
The First Way:
Systems Thinking: Infosec Insurgency

  • Have someone attend the daily Agile standups
    - Gain awareness of what the team is working on
  • Define what changes/deploys cannot be made without triggering a full retest
Definition: Kanban Board

  • Signaling tool to reduce WIP (work in progress) and increase flow
The First Way:
Outcomes

  • Determinism in the release process
  • Creating a single repository for code and environments
  • Consistent Dev, QA, Int, and Staging environments, all properly built before
    deployment begins
  • Decreased cycle time
    - Reduce deployment times from 6 hours to 45 minutes
    - Refactor deployment process that had 1300+ steps spanning 4 weeks
  • Faster release cadence
The Second Way:
Amplify Feedback Loops (Right to Left)

  • Understand and respond to the needs of all customers, internal and external
  • Shorten and amplify all feedback loops: stop the line when necessary
  • Create quality at the source
  • Create and embed knowledge where we need it
“We found that when we woke up developers at 2am, defects got fixed faster than
ever”

               -Patrick Lightbody, CEO, BrowserMob
Phase 2: Extend Release Process And Create Right -> Left Feedback Loops

  • Invite Dev to post-mortems/root cause analysis meetings
  • Have Dev and Infosec cross-train IT Operations
  • Ensure application monitoring/metrics to aid in Ops and Infosec work (e.g.,
    incident/problem management)
The Second Way:
Amplify Feedback Loops: Infosec Insurgency

  • Give production feedback to developers: being attacked is a gift
    - Capture all instances of “UNION ALL” in user input, graph it, and show it to
      developers
    - Show all instances of segfaults
  • Create reusable Infosec use and abuse stories that can be added to every
    project
    - “Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS
      attacks”
  • Pre-enable, shield, and streamline successful audits
    - Document separation of duty and compensating controls
    - Don’t let them disrupt the work
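The “UNION ALL” and segfault feedback described above can be produced from logs the operations team already keeps. The following is an added example for this page, not code from the presentation or from any project it names; the log lines are constructed, and the two log formats (combined access-log lines and syslog-style kernel segfault lines) are assumptions. It URL-decodes each query string, strips inline SQL comments so a keyword split by `/**/` is still counted, counts UNION ALL hits per day and request path (the series to graph for developers), and counts segfaults per crashing program.

```python
"""Production feedback for developers: count "UNION ALL" in user input and
segfaults, per day/path and per program, so the series can be graphed.

Added example, not code from the slide deck or any project it names. The log
formats (combined access log, syslog-style kernel segfault lines) and every
sample line below are constructed for this illustration.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Iterable
from urllib.parse import unquote_plus, urlsplit

# Constructed sample web-server access log (combined log format).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Sep/2012:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Sep/2012:10:02:17 +0000] "GET /search?q=shoes%27%20UNION%20ALL%20SELECT%201 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/Sep/2012:10:02:19 +0000] "GET /product?id=7+union+all+select+1 HTTP/1.1" 500 0',
    '10.0.0.7 - - [13/Sep/2012:08:15:00 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [13/Sep/2012:08:16:41 +0000] "GET /search?q=1%27%20union/**/all%20select%202 HTTP/1.1" 200 900',
    '10.0.0.3 - - [13/Sep/2012:09:00:00 +0000] "GET /search?q=union+allies HTTP/1.1" 200 700',
]

# Constructed sample kernel log as written by syslog on a Linux host.
SAMPLE_KERNEL_LOG = [
    "Sep 12 10:02:20 web01 kernel: [ 1234.567890] app[2231]: segfault at 0 ip 0000000000400abc sp 00007fffdeadbeef error 4 in app[400000+1000]",
    "Sep 12 10:02:21 web01 kernel: [ 1234.600000] app[2232]: segfault at 8 ip 0000000000400abc sp 00007fffdeadbe00 error 4 in app[400000+1000]",
    "Sep 13 03:00:00 web01 kernel: [ 9999.000000] imageproc[410]: segfault at 10 ip 00000000004011f0 sp 00007fffcafe0000 error 6 in imageproc[400000+3000]",
    "Sep 13 03:00:05 web01 sshd[500]: Accepted publickey for deploy from 10.0.0.2 port 51234 ssh2",
]

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SEGFAULT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[ *[\d.]+\] )?'
    r'(?P<prog>[\w.-]+)\[\d+\]: segfault at')
# Word boundaries keep "union allies" from counting; \s+ absorbs collapsed spacing.
UNION_ALL_RE = re.compile(r'\bunion\s+all\b', re.IGNORECASE)


def normalise_input(raw_query: str) -> str:
    """Decode the query string the way the application would see it:
    percent/plus decoding, inline SQL comments removed, whitespace collapsed."""
    text = unquote_plus(raw_query)
    text = re.sub(r'/\*.*?\*/', ' ', text)
    return re.sub(r'\s+', ' ', text)


def union_all_by_day_and_path(lines: Iterable[str]) -> Counter:
    """Count requests whose query string contains UNION ALL, keyed by (day, path)."""
    hits: Counter = Counter()
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if not parts.query:
            continue
        if UNION_ALL_RE.search(normalise_input(parts.query)):
            stamp = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
            hits[(stamp.date().isoformat(), parts.path)] += 1
    return hits


def segfaults_by_program(lines: Iterable[str]) -> Counter:
    """Count kernel segfault reports per crashing program name."""
    crashes: Counter = Counter()
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if m:
            crashes[m['prog']] += 1
    return crashes


def feedback_report(access_lines, kernel_lines) -> str:
    """Plain-text summary to hand to developers; the Counters are what gets graphed."""
    out = ["UNION ALL in user input (day, path, count):"]
    for (day, path), n in sorted(union_all_by_day_and_path(access_lines).items()):
        out.append(f"  {day}  {path:<12} {n}")
    out.append("Segfaults per program:")
    for prog, n in sorted(segfaults_by_program(kernel_lines).items()):
        out.append(f"  {prog:<12} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(feedback_report(SAMPLE_ACCESS_LOG, SAMPLE_KERNEL_LOG))
```

The decode-then-normalise step matters more than the pattern itself: counting on the raw log line would miss the plus-encoded and comment-split forms, and those are exactly the requests a developer needs to see reaching the application.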
The Second Way:
Outcomes

  • Defects and security issues getting fixed faster than ever
  • Reusable Ops and Infosec user stories now part of the Agile process
  • All groups communicating and coordinating better
  • Everybody is getting more work done
The Third Way:
Culture Of Continual Experimentation And Learning

  • Foster a culture that rewards:
    - Experimentation (taking risks) and learning from failure
    - Repetition is the prerequisite to mastery
  • Why?
    - You need a culture that keeps pushing into the danger zone
    - And have the habits that enable you to survive in the danger zone
“The best way to avoid failure is to fail constantly”

An Innovation Culture

“By installing a rampant innovation culture, they now do 165 experiments in the
three months of tax season.

Our business result? Conversion rate of the website is up 50 percent.
Employee result? Everyone loves it, because now their ideas can make it to market.”

--Scott Cook, Intuit Founder

You Don’t Choose Chaos Monkey…
Chaos Monkey Chooses You
Help Product Management…

  Lesson: Allocate 20% of Dev cycles to paying down technical debt
Phase 3: Organize Dev and Ops To Achieve Organizational Goals

  • Allocate 20% of Dev cycles to non-functional requirements
  • Integrate fault injection and resilience into design, development and
    production (e.g., Chaos Monkey)
The Third Way:
Culture Of Continual Experimentation And Learning: Infosec

  • Infosec remediation projects in the Agile backlog
    - Make technical debt visible
    - Help prioritize work against features and other non-functional requirements
  • Release your Chaos Monkey
    - Evil/Fuzzy/Chaotic Monkey
    - Eradicate SQLi and XSS defects in our lifetime
  • Find processes that waste everyone’s time
  • Eliminate needless complexity
The Third Way:
Outcomes

  • Technical debt is being paid off
  • Exploitable attack surface area decreases
  • Continual reduction of unplanned work
  • More cycles for planned work
  • More resilient code and environments
  • Balancing nimbleness and practiced repetition
  • Enabling a wider range of risk/reward balance
PART 5: WHY?
When IT Fails: The Novel and The DevOps Cookbook

                Coming in July 2012

                “In the tradition of the best MBA case studies, this book should be
                mandatory reading for business and IT graduates alike.”
                -Paul Muller, VP Software Marketing, Hewlett-Packard

                “The greatest IT management book of our generation.”
                –Branden Williams, CTO Marketing, RSA
When IT Fails: The Novel and The DevOps Cookbook

                  If you would like these slides, the “Top 10 Things You Need To Know
                  About DevOps,” Rugged DevOps resources, and updates on the book:

                   Sign up at http://itrevolution.com
                   Email genek@realgenekim.me
                   Give me your business card
END

United2012 Rugged DevOps Rocks

  • 1.
    SECURITY IS DEAD. LONG LIVE RUGGED DEVOPS: SEPTEMBER 12 – 14, 2012 IT AT LUDICROUS SPEED… GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 2.
    Gene Kim: TwoTruths and a Lie Please fill out the table below with two statements that are true and one lie about yourself. I will put the information into the polling system to go live before your presentation. Statement Truth or lie? I didn't know that Purdue University was in Indiana, Truth otherwise I wouldn't have gone there I still carry around a J. R. R. Tolkien book in my Lie briefcase everywhere I go I have an outrageous man-crush on my co-presenter, Truth Josh Corman
  • 3.
    About Joshua Corman • Director of Security Intelligence for Akamai Technologies - Former Research Director, Enterprise Security [The 451 Group] - Former Principal Security Strategist [IBM ISS] • Industry: - Expert Faculty: The Institute for Applied Network Security (IANS) - 2009 NetworkWorld Top 10 Tech People to Know - Co-Founder of “Rugged Software” www.ruggedsoftware.org - BLOG: www.cognitivedissidents.com • Things I’ve been researching: - Compliance vs Security - Disruptive Security for Disruptive Innovations - Chaotic Actors - Espionage - Security Metrics 3
  • 4.
    Josh Corman: TwoTruths and a Lie Please fill out the table below with two statements that are true and one lie about yourself. I will put the information into the polling system to go live before your presentation. Statement Truth or lie? My philosophy thesis was entitled "Schizophrenic Truth Alienated Tennis Pros in Love" I'm the president of my local zombie survivalist Lie chapter I have a life sized statue of Spider-Man in my foyer Truth
  • 5.
    About Gene Kim • Researcher, Author • Industry: - Invented and founded Tripwire, CTO (1997-2010) - Co-author: “Visible Ops Handbook”(2006), “Visible Ops Security” (2008) - Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012) • Things I’ve been researching: - Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance - DevOps, Rugged DevOps - Scoping PCI Cardholder Data Environment 5
  • 6.
    PART 1: THEPROBLEM SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 8.
    Consequences: Value &Replaceability http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/ 8
  • 9.
    You Don’t NeedTo Be Faster Than the Bear… 9
  • 10.
  • 12.
    DEPENDENCE SEPTEMBER 12 –14, 2012 Grand Hyatt, San Francisco Organized by
  • 16.
    SOFTWARE AS VULNERABILITY SEPTEMBER 12 – 14, 2012 Grand Hyatt, San Francisco Organized by
  • 17.
    CONNECTED AS EXPOSED SEPTEMBER 12 – 14, 2012 Grand Hyatt, San Francisco Organized by
  • 18.
    OUR CHALLENGES ARENOT TECHNICAL, BUT CULTURAL SEPTEMBER 12 – 14, 2012 Grand Hyatt, San Francisco Organized by
  • 19.
    WE CAN DO BETTER SEPTEMBER 12 – 14, 2012 Grand Hyatt, San Francisco Organized by
  • 20.
    PART 2: DEVOPS SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 21.
  • 22.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 34.
  • 35.
    PART 3: RUGGED SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 36.
    WHAT IS RUGGED? SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO 36 Organized by
  • 37.
    WHAT IS RUGGED? SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO 37 Organized by
  • 38.
    SEPTEMBER 12 –14, 2012 GRAND HYATT, SAN FRANCISCO TRUTH, LIES AND DECISIONS Moving Forward in an Insecure World RUGGED SOFTWARE DEVELOPMENT Joshua Corman, David Rice, Jeff Williams 2010 Organized by
  • 41.
  • 42.
    …so software notonly needs to be…
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
    THE MANIFESTO SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Organized by
  • 50.
    I recognize thatmy code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • 52.
  • 54.
    From the RuggedHandbook StrawMan
  • 55.
    WHAT IS RUGGEDDEVOPS? SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO 55 Organized by
  • 56.
  • 57.
  • 59.
    Survival Guide/Pyramid www.ruggedsoftware.org Defensible Infrastructure
  • 60.
    Survival Guide/Pyramid Operational Discipline Defensible Infrastructure
  • 61.
    Survival Guide/Pyramid Situational Awareness Operational Discipline Defensible Infrastructure
  • 62.
    Survival Guide/Pyramid Countermeasures Situational Awareness Operational Discipline Defensible Infrastructure
  • 63.
  • 64.
    PART 4: ROCKINGINFOSEC WITH SEPTEMBER 12 – 14, 2012 RUGGED DEVOPS GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 65.
  • 66.
    The First Way: SystemsThinking (Business) (Customer)
  • 67.
    The First Way: SystemsThinking (Left To Right)  Understand the flow of work  Always seek to increase flow  Never unconsciously pass defects downstream  Never allow local optimization to cause global degradation  Achieve profound understanding of the system
  • 68.
    Create One StepEnvironment Creation Process  Make environments available early in the Development process  Make sure Dev builds the code and environment at the same time  Create a common Dev, QA and Production environment creation process
  • 69.
    Embed Into AutomatedInfrastructure Team  Get educated on open source tools like puppet and chef  Provide them your hardening guidance  Add your monitoring tools
  • 70.
    Break Things EarlyAnd Often  “Do painful things more frequently, so you can make it less painful… We don’t get pushback from Dev, because they know it makes rollouts smoother.” -- Adrian Cockcroft, Architect, Netflix
  • 71.
    Break Things EarlyAnd Often  Enforce consistency in code, environments and configurations across the environments  Add your ASSERTs to find misconfigurations, enforce https, etc.  Add static code analysis to automated continuous integration and testing process
  • 72.
    The First Way: SystemsThinking: Infosec Insurgency  Have someone attend the daily Agile standups • Gain awareness of what the team is working on  Define what changes/deploys cannot be made without triggering full retest
  • 73.
    Definition: Kanban Board Signaling tool to reduce WIP and increase flow 73
  • 74.
    The First Way: Outcomes Determinism in the release process  Creating single repository for code and environments  Consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins  Decreased cycle time • Reduce deployment times from 6 hours to 45 minutes • Refactor deployment process that had 1300+ steps spanning 4 weeks  Faster release cadence
  • 75.
  • 76.
    The Second Way: AmplifyFeedback Loops (Right to Left)  Understand and respond to the needs of all customers, internal and external  Shorten and amplify all feedback loops: stop the line when necessary  Create quality at the source  Create and embed knowledge where we need it
  • 77.
    “We found thatwhen we woke up developers at 2am, defects got fixed faster than ever” -Patrick Lightbody, CEO, BrowserMob
  • 78.
    Phase 2: ExtendRelease Process And Create Right -> Left Feedback Loops  Invite Dev to post-mortems/root cause analysis meeting  Have Dev and Infosec cross-train IT Operations  Ensure application monitoring/metrics to aid in Ops and Infosec work (e.g., incident/problem management)
  • 79.
    The Second Way: AmplifyFeedback Loops: Infosec Insurgency  Give production feedback to developers: being attacked is a gift • Capture all instances of “UNION ALL” in user input and graph it, show it to developers • Show all instances of segfaults  Create reusable Infosec use and abuse stories that can be added to every project • “Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS attacks”  Pre-enable, shield streamline successful audits • Document separation of duty and compensating controls • Don’t let them disrupt the work
  • 80.
    The Second Way: Outcomes Defects and security issues getting fixed faster than ever  Reusable Ops and Infosec user stories now part of the Agile process  All groups communicating and coordinating better  Everybody is getting more work done
  • 81.
    The Third Way: CultureOf Continual Experimentation And Learning
  • 82.
    The Third Way: CultureOf Continual Experimentation And Learning  Foster a culture that rewards: • Experimentation (taking risks) and learning from failure • Repetition is the prerequisite to mastery  Why? • You need a culture that keeps pushing into the danger zone • And have the habits that enable you to survive in the danger zone
  • 83.
    “The best wayto avoid failure is to fail constantly”
  • 84.
    An Innovation Culture “Byinstalling a rampant innovation culture, they now do 165 experiments in the three months of tax season. Our business result? Conversion rate of the website is up 50 percent. Employee result? Everyone loves it, because now their ideas can make it to market.” --Scott Cook, Intuit Founder 85
  • 85.
    You Don’t ChooseChaos Monkey… Chaos Monkey Chooses You
  • 86.
    Help Product Management… Lesson: Allocate 20% of Dev cycles to paying down technical debt
  • 87.
    Phase 3: OrganizeDev and Ops To Achieve Organizational Goals  Allocate 20% of Dev cycles to non-functional requirements  Integrate fault injection and resilience into design, development and production (e.g., Chaos Monkey)
  • 88.
    The Third Way: CultureOf Continual Experimentation And Learning: Infosec  Infosec remediation projects in the Agile backlog • Make technical debt visible • Help prioritize work against features and other non-functional requirements  Release your Chaos Monkey • Evil/Fuzzy/Chaotic Monkey • Eridicate SQLi and XSS defects in our lifetime  Find processes that waste everyone’s time  Eliminate needless complexity
  • 89.
    The Third Way: Outcomes Technical debt is being paid off  Exploitable attack surface area decreases  Continual reduction of unplanned work  More cycles for planned work  More resilient code and environments  Balancing nimbleness and practiced repetition  Enabling wider range of risk/reward balance
  • 90.
    PART 5: WHY? SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by
  • 94.
    When IT Fails:The Novel and The DevOps Cookbook  Coming in July 2012  “In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.” -Paul Muller, VP Software Marketing, Hewlett-Packard  “The greatest IT management book of our generation.” –Branden Williams, CTO Marketing, RSA
  • 95.
    When IT Fails:The Novel and The DevOps Cookbook  If you would like these slides, the “Top 10 Things You Need To Know About DevOps,” Rugged DevOps resources, and updates on the book: Sign up at http://itrevolution.com Email genek@realgenekim.me Give me your business card
  • 96.
    END SEPTEMBER 12 – 14, 2012 GRAND HYATT, SAN FRANCISCO Joshua Corman TRUTH, LIES Gene Kim AND DECISIONS Moving Forward in an Insecure World September 2012 Organized by

Editor's Notes

  • #25 There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances… Because infosec can no longer take 4 weeks to turn around a security review for application code, or take 6 weeks to turn around a firewall change. But, on the other hand, I think it will be the best thing to ever happen to infosec in the past 20 years. We’re calling this Rugged DevOps, because it’s a way for infosec to integrate into the DevOps process, and be welcomed, and not be viewed as the shrill, hysterical folks who slow the business down.
  • #31 Tell story of Amazon, Netflix: they care about availability, security. It’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized)
  • #40 At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
  • #43 So software not only needs to be…
  • #44 …fast, and…
  • #45 …agile, but it also needs to be…
  • #46 …rugged. Capable of withstanding…
  • #47 …the harshest conditions…
  • #48 …and most unfriendly environments…
  • #54 From Rugged Handbook: https://www.ruggedsoftware.org/documents/
  • #55 From Rugged Handbook: https://www.ruggedsoftware.org/documents/
  • #93 This story is about Bill, the thoughtful and methodical VP of IT Operations, who solves some of the largest problems of the company. It’s a story about a Visible Ops and DevOps style transformation. It’s how Bill saves the company, helping it achieve its project goals, operational goals, and security and compliance goals. And Steve the CEO realizes that Bill, the lowly VP of IT Operations, is the person who saved the company.