I recognize that my code will be attacked by talentedand persistent adversaries who threaten our physical,economic, and national security. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.I am rugged, not because it is easy, but because it isnecessary... and I am up for the challenge.
Security vs. Rugged• Absence of • Veriﬁcation of Events quality• Cost • Beneﬁt• Negative • Positive• FUD • Known values• Toxic • Afﬁrming
Ruggedization TheoryBuilding solutions to handleadversity will causeunintended, positive beneﬁtsthat will provide value thatwould have been unrealizedotherwise.
"Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
Cloud Firewalls and DMZ (aka Security Groups)ﬁrewall ﬁrewall ﬁrewall Web Web Web DMZ x3 ﬁrewall ﬁrewall DMZ x2 Middle Tier Middle Tier ﬁrewall ﬁrewall DB LDAP DMZ x2
Rugged Beneﬁts• Control and trafﬁc whitelisting• Conﬁg management• Reproducible, automated and source controlled• No accidental data traversal across products or dev/test/prod tiers• Dev and Test identical to Prod tier
source: Gene Kim, “When IT says No @SXSW 2012”
Security sees...• They give advice that goes unheeded• Business decisions made w/o regard of risk• Irrelevancy in the organization• Constant bearer of bad news• Feels ignored by their peers (you know, those devops guys)• Inequitable distribution of labor
If you want to build a ship, dontdrum up people together to collectwood and dont assign them tasksand work, but rather teach them tolong for the endless immensity ofthe sea- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
The Philosophy of Rugged DevOps &Principles of BehaviorDriven Development
Introducing Gauntletgauntlet, n.an attack from all sides an always-attacking environment for developers with attacks written in easy-to-read language accessible to everyone involved in dev, ops, security, ...
Put your code through the Gauntlet custom attacks dirbuster metasploit sqlmap fuzzers nessus w3af nmap Your web app You
Join Us• #occupy_stage on Rugged DevOps• join the email list join.ruggeddevops.org• twitter: @ruggeddevops• Gauntlet? Ping me on twitter (@wickett)