Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.
3. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
4. Security vs. Rugged
Security:
• Absence of events
• Cost
• Negative
• FUD
• Toxic
Rugged:
• Verification of quality
• Benefit
• Positive
• Known values
• Affirming
6. Ruggedization Theory
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
7. "Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
8. Cloud Firewalls and DMZ (aka Security Groups)
[Diagram: three tiers, every server sitting behind its own firewall. Top tier: three Web servers (DMZ x3). Middle tier: two Middle Tier servers (DMZ x2). Bottom tier: DB and LDAP (DMZ x2).]
9. Rugged Benefits
• Control and traffic whitelisting
• Config management
• Reproducible, automated, and source-controlled
• No accidental data traversal across products or dev/test/prod tiers
• Dev and Test identical to the Prod tier
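The tiered security-group layout on slide 8 and the benefits listed on slide 9 can be modelled as a whitelist check plus a parity check. The following is an added example, not code from the talk or from the Rugged DevOps project: it encodes the web, middle-tier and DB/LDAP tiers as security groups, permits only whitelisted tier-to-tier flows inside one product and one environment, renders every environment's rules from the same template so dev and test come out identical to prod, and runs the policy over a few constructed flow-log lines to surface cross-tier and cross-product traversal. Tier names, ports, group naming and the log format are assumptions made for illustration.

```python
"""Whitelist-only model of tiered security groups (added example; tier
names, ports and log format are assumptions, not from the talk)."""
from dataclasses import dataclass

# Tiers in the order traffic is meant to flow. "internet" is the only
# source that sits outside every product and environment.
TIERS = ("internet", "web", "middle", "db", "ldap")

# The whitelist: (source tier, destination tier, TCP port). Anything not
# listed here is denied; that is what "traffic whitelisting" means.
ALLOWED_FLOWS = frozenset({
    ("internet", "web", 443),
    ("web", "middle", 8080),
    ("middle", "db", 5432),
    ("middle", "ldap", 636),
})


@dataclass(frozen=True)
class SecurityGroup:
    """One security group = one tier of one product in one environment."""
    env: str        # dev, test or prod ("*" for the internet group)
    product: str    # e.g. "shop" ("*" for the internet group)
    tier: str

    @property
    def name(self) -> str:
        return f"{self.env}-{self.product}-{self.tier}"


INTERNET = SecurityGroup(env="*", product="*", tier="internet")


def is_allowed(src: SecurityGroup, dst: SecurityGroup, port: int) -> bool:
    """Permit a flow only if the tier pair plus port is whitelisted and
    the flow stays inside one product and one environment (the internet
    group, having neither, is exempt as a source)."""
    if (src.tier, dst.tier, port) not in ALLOWED_FLOWS:
        return False
    if src == INTERNET:
        return True
    return src.env == dst.env and src.product == dst.product


def render_rules(env: str, product: str):
    """Build the rule set for one environment from the single template
    above, so dev and test differ from prod only by the env tag."""
    groups = {t: SecurityGroup(env, product, t) for t in TIERS if t != "internet"}
    groups["internet"] = INTERNET
    return sorted(
        (groups[s].name, groups[d].name, port) for (s, d, port) in ALLOWED_FLOWS
    )


def environments_match(env_a: str, env_b: str, product: str) -> bool:
    """Parity check: the two environments' rule sets are identical once
    the environment prefix is stripped from every group name."""
    def strip(rules, env):
        return [(s.replace(f"{env}-", "", 1), d.replace(f"{env}-", "", 1), p)
                for (s, d, p) in rules]
    return strip(render_rules(env_a, product), env_a) == \
        strip(render_rules(env_b, product), env_b)


# Constructed flow-log lines (not real data): "<src group> -> <dst group>:<port>".
SAMPLE_FLOW_LOG = [
    "*-*-internet -> prod-shop-web:443",
    "prod-shop-web -> prod-shop-middle:8080",
    "prod-shop-web -> prod-shop-db:5432",         # web skipping the middle tier
    "prod-shop-middle -> dev-shop-db:5432",       # prod reaching into dev
    "prod-shop-middle -> prod-billing-ldap:636",  # crossing into another product
    "prod-shop-middle -> prod-shop-ldap:636",
]


def parse_group(name: str) -> SecurityGroup:
    """Turn an "env-product-tier" group name back into a SecurityGroup."""
    if name == INTERNET.name:
        return INTERNET
    env, product, tier = name.split("-", 2)
    return SecurityGroup(env, product, tier)


def find_violations(log_lines):
    """Return the log lines whose flow the whitelist would not permit."""
    bad = []
    for line in log_lines:
        src_name, rest = line.split(" -> ")
        dst_name, port = rest.split(":")
        if not is_allowed(parse_group(src_name), parse_group(dst_name), int(port)):
            bad.append(line)
    return bad


if __name__ == "__main__":
    print("dev == prod:", environments_match("dev", "prod", "shop"))
    for line in find_violations(SAMPLE_FLOW_LOG):
        print("DENY", line)
```

Because every environment is rendered from one template, a change to the whitelist lands in dev, test and prod together, and the parity check turns "Dev and Test identical to Prod" from a promise into something a pipeline can assert before a deploy.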
12. Security sees...
• They give advice that goes unheeded
• Business decisions made without regard to risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
16. If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea.
- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry
17. The Philosophy of Rugged DevOps & Principles of Behavior Driven Development
18. Introducing Gauntlet
gauntlet, n.: an attack from all sides
An always-attacking environment for developers, with attacks written in easy-to-read language accessible to everyone involved in dev, ops, security, ...
19. Put your code through the Gauntlet
[Diagram: tools arranged around "Your web app" and "You": custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap]
20. Join Us
• #occupy_stage on Rugged DevOps
• join the email list join.ruggeddevops.org
• twitter: @ruggeddevops
• Gauntlet? Ping me on twitter (@wickett)