Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rugged DevOps: Bridging Security and DevOps


Published on

Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.

Published in: Technology, News & Politics

Rugged DevOps: Bridging Security and DevOps

  1. 1. Rugged DevOpsBridging Security and DevOps
  2. 2. @wickettCloud Ops TeamLead, @NIGlobalCISSP, GWAPT,CCSK, GSEC,
  3. 3. I recognize that my code will be attacked by talentedand persistent adversaries who threaten our physical,economic, and national security. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.I am rugged, not because it is easy, but because it isnecessary... and I am up for the challenge.
  4. 4. Security vs. Rugged• Absence of • Verification of Events quality• Cost • Benefit• Negative • Positive• FUD • Known values• Toxic • Affirming
  5. 5. Rugged-ities • Maintainability • Availability • Survivability • Defensibility • Security • Longevity • Portability • Reliability
  6. 6. Ruggedization TheoryBuilding solutions to handleadversity will causeunintended, positive benefitsthat will provide value thatwould have been unrealizedotherwise.
  7. 7. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
  8. 8. Cloud Firewalls and DMZ (aka Security Groups)firewall firewall firewall Web Web Web DMZ x3 firewall firewall DMZ x2 Middle Tier Middle Tier firewall firewall DB LDAP DMZ x2
  9. 9. Rugged Benefits• Control and traffic whitelisting• Config management• Reproducible, automated and source controlled• No accidental data traversal across products or dev/test/prod tiers• Dev and Test identical to Prod tier
  10. 10. It’s not our problem anymore
  11. 11. source: Gene Kim, “When IT says No @SXSW 2012”
  12. 12. Security sees...• They give advice that goes unheeded• Business decisions made w/o regard of risk• Irrelevancy in the organization• Constant bearer of bad news• Feels ignored by their peers (you know, those devops guys)• Inequitable distribution of labor
  13. 13. RUGGED source: Jessica Allen,
  14. 14. Rugged DevOps• repeatable – no manual steps• reliable - no DoS here• reviewable – aka audit• rapid – fast to build, deploy, restore• resilient – automated reconfiguration• reduced - limited attack surface
  15. 15. #occupy_stage
  16. 16. If you want to build a ship, dontdrum up people together to collectwood and dont assign them tasksand work, but rather teach them tolong for the endless immensity ofthe sea- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
  17. 17. The Philosophy of Rugged DevOps &Principles of BehaviorDriven Development
  18. 18. Introducing Gauntletgauntlet, attack from all sides an always-attacking environment for developers with attacks written in easy-to-read language accessible to everyone involved in dev, ops, security, ...
  19. 19. Put your code through the Gauntlet custom attacks dirbuster metasploit sqlmap fuzzers nessus w3af nmap Your web app You
  20. 20. Join Us• #occupy_stage on Rugged DevOps• join the email list• twitter: @ruggeddevops• Gauntlet? Ping me on twitter (@wickett)