Adversity: Good for Software

Post on 19-Oct-2014


Category:

Technology



DESCRIPTION

Adversity is a fact of software security: bad things happen both intentionally and accidentally. In the InfoSec field there is a growing undercurrent of belief that we need to build code that is Rugged, meaning code that is survivable, long-lasting and persistent in the face of adversity. When paired with DevOps, the Rugged Software movement really begins to hit a nerve. The pairing, aptly called Rugged DevOps, is where security becomes an asset to the organization and no longer a drag on innovation.

TRANSCRIPT

Page 1: Adversity: Good for software

Adversity: Good for Software

Page 2: Adversity: Good for software

@wickett

• Cloud Ops Team Lead, @NIGlobal

• Tags: Rugged DevOps, OWASP, Cloud, Ruby

• Blogger at ruggeddevops.org, blog.wickett.me, and theagileadmin.com

• Founder of LASCON (http://lascon.org)

• Security certs: CISSP, GWAPT, CCSK, ...

• t: @wickett | e: [email protected]

Page 3: Adversity: Good for software

Adversity requires Rugged solutions

Page 4: Adversity: Good for software

Adversity

Real or perceived negative actions and events that prohibit normal function and operation.

Page 5: Adversity: Good for software

People Involved

• Developers

• Operations

• Security

• Business

• Regular customers

• Evil customers

• Hackers

Page 6: Adversity: Good for software

Adversity Actors

• Malicious intent, targeted

• Malicious intent, random

• Neutral intent, targeted

• Neutral intent, random

• No intent, random

Page 7: Adversity: Good for software

Ruggedization Theory

Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

Page 8: Adversity: Good for software

Adversity fueled innovation

• NASA in Space

• Military hard drives

• ATMs in Europe

Page 9: Adversity: Good for software

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012

Page 10: Adversity: Good for software

“The phone isn't going to kill you if you use it, but a car... well, we don't want code to crash your car.” -Auto Meets Mobile: Building In-Vehicle Apps @SXSW 2012

Page 11: Adversity: Good for software

Software needs to face adversity head on

Page 12: Adversity: Good for software

Software needs to be rugged to succeed

Page 13: Adversity: Good for software

Current Software

Page 14: Adversity: Good for software

Rugged Software

Page 15: Adversity: Good for software

Current Software

Page 16: Adversity: Good for software

Rugged Software

Page 17: Adversity: Good for software

Current Software

Page 18: Adversity: Good for software

Rugged Software

Page 19: Adversity: Good for software

The Internets is Mean

• Latency

• Distribution

• Anonymity

• Varied protocols

• People

Page 20: Adversity: Good for software

Measuring Rugged

Page 21: Adversity: Good for software
Page 22: Adversity: Good for software
Page 23: Adversity: Good for software

Rugged Software Manifesto

Page 24: Adversity: Good for software

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

Page 25: Adversity: Good for software

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

Page 26: Adversity: Good for software

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Page 27: Adversity: Good for software

Security vs. Rugged

Security:

• Absence of events

• Cost

• Negative

• FUD

• Toxic

Rugged:

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

Page 28: Adversity: Good for software

Ruggedization Theory

Building solutions to handle adversity actors will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

Page 29: Adversity: Good for software

No Pain, No Gain

Page 30: Adversity: Good for software
Page 31: Adversity: Good for software
Page 32: Adversity: Good for software
Page 33: Adversity: Good for software

Rugged-ities

• Maintainability

• Availability

• Survivability

• Defensibility

• Security

• Longevity

• Portability

• Reliability

Page 34: Adversity: Good for software

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea.

- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry

Page 35: Adversity: Good for software

People, Process, Tech

Page 36: Adversity: Good for software

It’s not our problem anymore

Page 37: Adversity: Good for software

Why do you see the speck that is in your brother’s eye, but do not notice the log that is in your own eye?

- Jesus

Page 38: Adversity: Good for software

source: Gene Kim, “When IT says No @SXSW 2012”

Page 39: Adversity: Good for software

solution = devops

Page 40: Adversity: Good for software

Security sees...

• They feel they are the constant givers of unheeded advice

• Business decisions made w/o worry of risk

• Irrelevancy in the organization

• They are the bearer of bad news

• Even their tribe ignores them

• Inequitable distribution of labor

Page 41: Adversity: Good for software

the devops model is broken incomplete

Page 42: Adversity: Good for software

rugged by design, devops by culture

Page 43: Adversity: Good for software

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

Page 44: Adversity: Good for software

Rugged DevOps

• repeatable – no manual errors

• reliable - tested integration APIs

• reviewable – model in source control

• rapid – fast to build, provision, deploy

• resilient – automated reconfiguration to swap servers (throw away infrastructure)

Page 45: Adversity: Good for software

Rugged Applied

Goal: Cloud Firewalls

• Make every service/node/instance a DMZ

• Cloud environment

• 3-tier web architecture

• Facilitate automated provisioning

Page 46: Adversity: Good for software

[Diagram: Traditional (non-cloud) 3-Tier Web Architecture. Three firewalls divide the network into DMZ 1, DMZ 2 and DMZ 3, which hold the Web nodes, the Middle Tier nodes with LDAP, and the DB.]

Page 47: Adversity: Good for software

[Diagram: Rugged Cloud Architecture. The same Web, Middle Tier, LDAP and DB nodes, but every node carries its own firewall, so each instance is its own DMZ (the replicated tiers are labelled DMZ x2 and DMZ x3).]

Page 48: Adversity: Good for software

[Diagram: the per-node firewall architecture from the previous slide, repeated three times as identical Prod, Dev and Test environments.]

Benefits

• Repeatable

• Verifiable

• Prod/Dev/Test matching

• Controlled

• Automated

Page 49: Adversity: Good for software

and it grows to look something like this...

Page 50: Adversity: Good for software

[Diagram: the per-node firewall architecture tiled across many environments and instances, each node (Web, Middle Tier, LDAP, DB) still behind its own firewall.]

Page 51: Adversity: Good for software

Rugged Benefits

• Control and traffic whitelisting

• Config Management

• Reproducible and Automated

• Data can’t traverse environments accidentally

• Dev and Test Tier accurate
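The cloud-firewall goal from the Rugged Applied slides (every instance its own DMZ, traffic whitelisted, the model kept in source control and the per-host rules generated from it so that Prod, Dev and Test match) as a worked example in Python. This is an added example, not code from the original deck or from the author's Gauntlet project; the tier names, ports, addresses and function names are assumptions constructed for the illustration, and the rendered output is a plain iptables-restore fragment.

```python
"""Per-instance firewall policy generated from a reviewable tier model.

Added example (not from the original slides). The allowed flows live in a
small model that belongs in source control; every instance gets a
default-DROP ruleset generated from it, never hand-edited; and an audit
checks that no generated rule crosses tiers or environments the model
does not describe. Tiers, ports and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One permitted direction of traffic between tiers."""
    src: str    # source tier, or "internet" for public ingress
    dst: str    # destination tier
    port: int
    proto: str = "tcp"


# The model: the only flows the 3-tier architecture needs.
# Anything not listed here is denied on every instance.
FLOWS = (
    Flow("internet", "web", 443),
    Flow("web", "middle", 8080),
    Flow("middle", "db", 5432),
    Flow("middle", "ldap", 636),
)

# Constructed inventory: instance address -> (environment, tier).
# Prod and dev share the model but never each other's addresses.
INVENTORY = {
    "10.1.0.10": ("prod", "web"),
    "10.1.0.11": ("prod", "web"),
    "10.1.1.10": ("prod", "middle"),
    "10.1.2.10": ("prod", "db"),
    "10.1.3.10": ("prod", "ldap"),
    "10.2.0.10": ("dev", "web"),
    "10.2.1.10": ("dev", "middle"),
    "10.2.2.10": ("dev", "db"),
}


def peers(env, tier):
    """Addresses of every instance of one tier in one environment."""
    return sorted(ip for ip, (e, t) in INVENTORY.items() if e == env and t == tier)


def policy_for(ip):
    """Inbound accepts for one instance as (source_cidr, proto, port).
    Sources resolve only inside the instance's own environment, so a dev
    web node is never whitelisted on a prod middle-tier node."""
    env, tier = INVENTORY[ip]
    accepts = set()
    for f in FLOWS:
        if f.dst != tier:
            continue
        if f.src == "internet":
            accepts.add(("0.0.0.0/0", f.proto, f.port))
        else:
            for src in peers(env, f.src):
                accepts.add((f"{src}/32", f.proto, f.port))
    return accepts


def render_iptables(ip):
    """Policy as an iptables-restore fragment: default DROP, loopback and
    established traffic allowed, then only the modelled flows."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for cidr, proto, port in sorted(policy_for(ip)):
        lines.append(f"-A INPUT -s {cidr} -p {proto} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)


def allowed(src_ip, dst_ip, port, proto="tcp"):
    """Would a new connection from src_ip to dst_ip:port be accepted?"""
    src = ipaddress.ip_address(src_ip)
    return any(
        src in ipaddress.ip_network(cidr) and proto == p and port == pt
        for cidr, p, pt in policy_for(dst_ip)
    )


def audit():
    """Cross-check generated policies against the model for every pair of
    instances. Returns (src, dst, port) triples that are accepted but
    either cross environments or pair tiers the model does not connect."""
    modelled = {(f.src, f.dst, f.port, f.proto) for f in FLOWS}
    violations = []
    for s, (senv, stier) in INVENTORY.items():
        for d, (denv, dtier) in INVENTORY.items():
            for f in FLOWS:
                if f.src == "internet":  # public ingress is open by design
                    continue
                if not allowed(s, d, f.port, f.proto):
                    continue
                if senv != denv or (stier, dtier, f.port, f.proto) not in modelled:
                    violations.append((s, d, f.port))
    return violations
```

Running `render_iptables("10.1.2.10")` gives the prod DB node a ruleset that accepts 5432/tcp only from the prod middle tier; a prod web node cannot reach the DB directly, and no dev address appears in any prod ruleset. The `audit` function is the "verifiable" step: it should stay empty after every change to the model or the inventory, and a non-empty result is a review finding before the rules are pushed.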

Page 52: Adversity: Good for software

Rugged DevOps: Next Steps

• Build a Rugged DevOps team: Dev, Ops, Security

• Implement a chaos monkey

• Track security flaws and bugs in the same bug tracking system development already uses

• Automate, track results, repeat

• Join the RDO movement!

Page 53: Adversity: Good for software

Want to help me?

• Upcoming book: Rugged Driven Development: Building Software in an Adversity Fueled Environment (will live at ruggeddev.com)

• Open Source Project: Gauntlet on github at github.com/wickett/gauntlet

• I need contributors and reviewers!

• Contact me: @wickett

Page 54: Adversity: Good for software

Join Rugged DevOps!

• Twitter: @ruggeddevops

• Get involved in the movement

• http://join.ruggeddevops.org