rugged devops: bridging security and devops

Post on 19-Oct-2014


DESCRIPTION

Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.

TRANSCRIPT

Rugged DevOps: Bridging Security and DevOps

@wickett, Cloud Ops Team Lead, @NIGlobal

CISSP, GWAPT, CCSK, GSEC, GCFW

james@wickett.me

ruggeddevops.org

@LASCONATX

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Security vs. Rugged

Security:

• Absence of Events

• Cost

• Negative

• FUD

• Toxic

Rugged:

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

Rugged-ities

• Maintainability

• Availability

• Survivability

• Defensibility

• Security

• Longevity

• Portability

• Reliability

Ruggedization Theory

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012

[Slide diagram: a traditional network with firewalls between DMZ segments (DMZ x3, DMZ x2, DMZ x2) in front of Web, Middle Tier, DB and LDAP tiers]

Cloud Firewalls and DMZ (aka Security Groups)

[Slide diagram: Web tier nodes with a firewall (security group) in front of them]

Rugged Benefits

• Control and traffic whitelisting

• Config management

• Reproducible, automated and source controlled

• No accidental data traversal across products or dev/test/prod tiers

• Dev and Test identical to Prod tier
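The benefits listed above (traffic whitelisting, config management, reproducible and source-controlled groups, no data traversal across tiers or environments, identical environments) can be checked mechanically once security groups are data rather than console clicks. The following is an added example, not code from the slides or from the ruggeddevops project: security groups modelled as source-controlled records, generated identically for dev, test and prod from one tier policy, with an audit function that flags any ingress rule not on the tier whitelist and any rule that reaches across environments. The tier names, ports, group names and the two "drift" rules are constructed for illustration.

```python
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # "sg:<group name>" for a security group, or a CIDR


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    env: str        # dev | test | prod
    tier: str       # web | mid | db
    ingress: tuple  # tuple of Rule


# Whitelist policy (constructed): for each tier, which source may reach which ports.
# A source is another tier (reached via its security group) or INTERNET.
TIER_POLICY = {
    "web": {INTERNET: {443}},
    "mid": {"web": {8080}},
    "db": {"mid": {5432}},
}


def build_env(env):
    """Generate one environment's groups from the policy, so dev/test/prod are identical."""
    groups = []
    for tier, allowed in TIER_POLICY.items():
        rules = []
        for source, ports in allowed.items():
            src = source if source == INTERNET else f"sg:{env}-{source}"
            rules.extend(Rule(port, src) for port in sorted(ports))
        groups.append(SecurityGroup(f"{env}-{tier}", env, tier, tuple(rules)))
    return groups


def check_group(group, by_name):
    """Return policy violations for one group (an empty list means compliant)."""
    findings = []
    allowed = TIER_POLICY[group.tier]
    for rule in group.ingress:
        if rule.source.startswith("sg:"):
            src = by_name.get(rule.source[3:])
            if src is None:
                findings.append(f"{group.name}: unknown source group {rule.source}")
                continue
            if src.env != group.env:
                # Traffic crossing dev/test/prod is never allowed, whatever the tier.
                findings.append(f"{group.name}: port {rule.port} open to {src.name} in another environment")
                continue
            key = src.tier
        else:
            key = rule.source  # a CIDR; only INTERNET appears in the policy
        if rule.port not in allowed.get(key, set()):
            findings.append(f"{group.name}: port {rule.port} from {rule.source} is not whitelisted for tier {group.tier}")
    return findings


def audit(groups):
    """Audit every group; the result maps group name -> findings for non-compliant groups only."""
    by_name = {g.name: g for g in groups}
    report = {}
    for g in groups:
        findings = check_group(g, by_name)
        if findings:
            report[g.name] = findings
    return report


def with_drift(groups):
    """Constructed drift: two hand-edited rules of the kind manual changes introduce."""
    out = []
    for g in groups:
        if g.name == "prod-db":   # prod database reachable from the test middle tier
            g = SecurityGroup(g.name, g.env, g.tier, g.ingress + (Rule(5432, "sg:test-mid"),))
        if g.name == "prod-web":  # SSH opened to the world on the prod web tier
            g = SecurityGroup(g.name, g.env, g.tier, g.ingress + (Rule(22, INTERNET),))
        out.append(g)
    return out


BASELINE = [g for env in ("dev", "test", "prod") for g in build_env(env)]
DRIFTED = with_drift(BASELINE)

if __name__ == "__main__":
    print("baseline findings:", audit(BASELINE))
    for name, findings in audit(DRIFTED).items():
        for f in findings:
            print("DRIFT", f)
```

Because the groups are generated from a single policy, the audit is the same check in every environment, and running it in CI against the exported live configuration turns "reviewable" into an automated diff rather than a periodic manual review.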

It’s not our problem anymore

source: Gene Kim, “When IT says No @SXSW 2012”

Security sees...

• They give advice that goes unheeded

• Business decisions made w/o regard of risk

• Irrelevancy in the organization

• Constant bearer of bad news

• Feels ignored by their peers (you know, those devops guys)

• Inequitable distribution of labor

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

Rugged DevOps

• repeatable – no manual steps

• reliable – no DoS here

• reviewable – aka audit

• rapid – fast to build, deploy, restore

• resilient – automated reconfiguration

• reduced – limited attack surface

#occupy_stage

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

The Philosophy of Rugged DevOps

& Principles of Behavior Driven Development

Introducing Gauntlet

gauntlet, n. an attack from all sides

an always-attacking environment for developers

with attacks written in easy-to-read language

accessible to everyone involved in dev, ops, security, ...

[Slide diagram: your web app at the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]

Put your code through the Gauntlet

Join Us

• #occupy_stage on Rugged DevOps

• join the email list join.ruggeddevops.org

• twitter: @ruggeddevops

• Gauntlet? Ping me on twitter (@wickett)
