3. @wickett
• Operations and Security for software delivered on the cloud
• National Instruments, R&D
• Certs: CISSP, GSEC, GCFW, CCSK
• Tags: OWASP, Cloud, DevOps, Ruby
• Blogger at theagileadmin.com
• I do stuff for LASCON (http://lascon.org)
• Twitter: @wickett
4. Cloud @ NI
We built a DevOps team to rapidly deliver new SaaS products and product functionality, using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and model-driven automation of operations as a key differentiating element.
With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.
5. National Instruments
• 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M revenue in 2010
• Hardware and software for data acquisition, embedded design, instrument control, and test
• LabVIEW is our graphical dataflow programming language, used by scientists and engineers in many fields
11. FPGA Compile Cloud
• LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex
• Implemented on Amazon EC2 with Java/Linux, C#/.NET/Windows, and LabVIEW FPGA
• Also an on-premise product, the "Compile Farm"
15. Am I healthy?
• Latest and greatest research
• Justification to insurance companies
• Measurement and testing as available
• Point in time snapshot
17. Am I secure?
• Latest and greatest vulnerabilities
• Justification of budget for tools
• Measurement and testing as available
• Point in time snapshot
20. "If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea."
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
23. Us vs. Them
• Security professionals often belittle developers
• Developers don't get security people
• There is interest across the aisle, but it is often ruined by negative language
24. Why do you see the speck that is in your
brotherʼs eye, but do not notice the log that is in
your own eye?
- Jesus
59. Security as a Feature
• SaaF is possible, but hard for most products
• Tough to measure
• Hiding among other features
60. Rugged as a Feature
• RaaF addresses customer-felt needs
• Values that people covet
• Buyers want it
61. Qualities of Rugged Software
• Availability - Speed and performance
• Longevity, Long-standing, persistent - Time
• Scalable, Portable
• Maintainable and Defensible - Topology Map
• Resilient in the face of failures
• Reliable - Time, Load
62. Measuring Ruggedness
• Physical: Heat, Cold, Friction, Time, Quantity of use, Type of use
• Software: Concurrency, Transactions, Speed, Serial Load, Input handling, Entropy, Lines of Code
63. Measuring Frameworks
• Measured by lack of incidents and by quantifying risk and vulnerabilities
• OWASP / CVE tracking
• Common Vulnerability Scoring System (CVSS)
• MITRE Common Weakness Enumeration (CWE)
• Common Weakness Scoring System (CWSS)
65. Marketing Possibilities
• Positive: Rugged Rating System
• 3rd party verification of Ruggedness
• Self Attestation
• Negative: warning signs
• Buyers Bill of Rights
70. Explicit Requirements
• Customers Demand
• 20% Use Cases
• Most Vocal
• Failure results in loss of customers, but not all customers
71. Implicit Requirements
• Customers Assume
• 80% of use cases
• Unsaid and Unspoken
• Most basic and expected features
• Failure results in a loss of most customers
77. People and Process
• Sit near the developers... DevOpsSec
• Track security flaws or bugs in the same bug tracking system
• Train to automate
• Involve team with vendors
• Measurement over time and clear communication
78. OPSEC Framework
• Know your system and people
• Make security better in small steps
• Add layers of security without overcompensating
• Use a weekly, iteration-based approach to security
81. Configuration Management
• Infrastructure as Code (IaC)
• Model driven deployment
• Version control everything
• PIE (Programmable Infrastructure Environment)
• Know your environment if you want to make it defensible
82. What is PIE?
• a framework to define, provision, monitor, and control cloud-based systems
• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows)
• takes an XML-based model from source control and creates a full running system
83. PIE ingredients
• model driven automation
• infrastructure as code
• DevOps
• dynamic scaling
• agility
• security in the model
85. The Model
• XML descriptions of the system as ‘specs’
• system (top level)
• environment (instance of a system)
• role (“tier” within a system)
• image (specific base box config)
• service (specific software or application)
• commands (for various levels)
• templates (files to be parsed)
88. The Registry
• uses Apache ZooKeeper (part of the Hadoop project)
• the registry contains information about the running system
• specific addressing scheme: /<system>/<environment>/<role>/<instance>/<service>, e.g. /fcc/test1/external-services/2/tomcat
pie registry.register /fcc/test1/external-services/2
pie registry.bind /fcc/test1
pie registry.list /fcc/test1
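A worked illustration of the addressing scheme above, added here and not PIE's own code. PIE keeps this tree in Apache ZooKeeper; the example keeps it in a dict-backed tree so it runs offline. The five level names come from the slide, the `services` and `is_valid_path` helpers are names of my own, and `registry.bind` is not modelled because its semantics are not described on the page. The security-relevant part is `parse_path`: a registry that takes caller-supplied paths should reject relative paths, empty components, `.`/`..` and extra levels before they can alias or escape another node.

```python
"""In-memory stand-in for the PIE registry's addressing scheme.

Added example, not PIE's own code: PIE keeps this tree in Apache ZooKeeper,
here a dict-backed tree stands in so it runs offline. Paths follow the slide's
scheme /<system>/<environment>/<role>/<instance>/<service>; `services` and
`is_valid_path` are helper names of my own and `registry.bind` is not modelled.
"""
import re
from typing import Dict, List, Optional

LEVELS = ("system", "environment", "role", "instance", "service")
# One path component: letters, digits, '.', '-' and '_', but never '.', '..' or empty.
_COMPONENT = re.compile(r"^(?!\.{1,2}$)[A-Za-z0-9._-]+$")


def parse_path(path: str) -> Dict[str, str]:
    """Split an absolute registry path into its named levels.

    Relative paths, empty components, '.'/'..' and anything deeper than the
    five defined levels are rejected, so a caller-supplied path can neither
    escape the tree nor alias another node.
    """
    if not path.startswith("/"):
        raise ValueError("registry path must be absolute: %r" % path)
    if path == "/":
        return {}
    parts = path[1:].split("/")
    if len(parts) > len(LEVELS):
        raise ValueError("too many levels in %r" % path)
    for part in parts:
        if not _COMPONENT.match(part):
            raise ValueError("bad path component %r in %r" % (part, path))
    return dict(zip(LEVELS, parts))


def is_valid_path(path: str) -> bool:
    try:
        parse_path(path)
        return True
    except ValueError:
        return False


class _Node:
    __slots__ = ("children", "data")

    def __init__(self) -> None:
        self.children: Dict[str, "_Node"] = {}
        self.data: Optional[dict] = None


class Registry:
    """Hierarchical registry with register/list/get, in the spirit of ZooKeeper znodes."""

    def __init__(self) -> None:
        self._root = _Node()

    def _find(self, path: str) -> _Node:
        node = self._root
        for name in parse_path(path).values():
            node = node.children[name]  # KeyError: node was never registered
        return node

    def register(self, path: str, data: Optional[dict] = None) -> Dict[str, str]:
        """Create the node and any missing ancestors; attach data if given."""
        levels = parse_path(path)
        node = self._root
        for name in levels.values():
            node = node.children.setdefault(name, _Node())
        if data is not None:
            node.data = data
        return levels

    def exists(self, path: str) -> bool:
        try:
            self._find(path)
            return True
        except (KeyError, ValueError):
            return False

    def list(self, path: str) -> List[str]:
        """Sorted names of the immediate children, like 'pie registry.list'."""
        return sorted(self._find(path).children)

    def get(self, path: str) -> Optional[dict]:
        return self._find(path).data

    def services(self, path: str) -> List[str]:
        """Full paths of every service registered below `path`."""
        found: List[str] = []

        def walk(node: _Node, prefix: str, depth: int) -> None:
            if depth == len(LEVELS):
                found.append(prefix)
                return
            for name, child in sorted(node.children.items()):
                walk(child, prefix + "/" + name, depth + 1)

        walk(self._find(path), path.rstrip("/"), len(parse_path(path)))
        return found
```

`Registry().register("/fcc/test1/external-services/2/tomcat", {"port": 8080})` followed by `list("/fcc/test1/external-services")` mirrors the `pie registry.register` / `pie registry.list` pair on the slide; the data attached to a service node is what a monitoring or logging agent would read back when it comes online.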
89. Control
• create, terminate, start, stop instances using the AWS API
• enforce scaling policy
• execute remote commands
pie control.create /fcc/test1/external-services/2
pie control.stop /fcc/test1/external-services/2
pie control.enforce /fcc/test1
pie control.remote.service.restart /fcc/test1/external-services/2/external-tomcat
pie control.remote.execute /fcc/test1/external-services/2 -i exe[0]="ls -l /etc/init.d"
90. Provisioning
• deploy services and apps
• two-phase for fast deploys
• update config files and parse templates
pie provision.deploy.stage /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.deploy.run /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.remote.updateConfig /fcc/test1
91. Monitoring
• integrated with third-party SaaS monitoring provider Cloudkick
• systems register with Cloudkick as they come online and immediately have appropriate monitors applied, based on tags set from the model
93. Logging
• logging in the cloud using Splunk
• logging agents are deployed in the model and are given their config from the registry and the model as they come online
94. Rugged Results
• repeatable – no manual errors
• reviewable – model in source control
• rapid – bring up, install, configure, and test dozens of systems in a morning
• resilient – automated reconfiguration to swap servers (throw-away infrastructure)
• rugged by design
96. What’s a DMZ?
• Demilitarized Zone
• Physical and logical divisions between assets
• Military history
• Control what goes in and what goes out
97. Control your environment
• Make every service a DMZ
• Cloud environment
• 3-tier web architecture
• Allow automated provisioning
98. Traditional 3-Tier Web Architecture
[Figure: one firewall in front of each tier]
Firewall -> Web | Web | Web (DMZ 1)
Firewall -> Middle Tier | Middle Tier (DMZ 2)
Firewall -> DB | LDAP (DMZ 3)
99. Rugged Architecture
[Figure: a firewall on every host, so each host is its own DMZ]
firewall+Web | firewall+Web | firewall+Web (DMZ x3)
firewall+Middle Tier | firewall+Middle Tier (DMZ x2)
firewall+DB | firewall+LDAP (DMZ x3)
100. [Figure: the per-host-firewalled Web / Middle Tier / DB+LDAP stack of slide 99, tiled across environments. Callouts: Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated]
101. [Figure: the same per-host-firewalled three-tier stack tiled nine times, three rows of three, every copy with its own firewalls around Web, Middle Tier, DB and LDAP]
102. Rugged 3-Tier Architecture Benefits
• Control
• Config Management
• Reproducible and Automated
• Data can't traverse environments accidentally
• Dev and Test Tier accurate
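The per-host firewall idea of slides 97 to 102, carried through as an added example in Python rather than PIE's own Java code. The model, role names, addresses and management CIDR below are constructed for illustration. The point the slides make and the code demonstrates: the allow-list for each host is derived from the model, every host defaults to deny, and peers are only ever looked up in the host's own environment, which is what keeps data from traversing environments accidentally. The `cross_environment_leaks` check is mine, not a PIE command; it is the "Verifiable" callout made concrete by evaluating the generated chains instead of trusting them.

```python
"""Per-host firewall allow-lists generated from a deployment model.

Added example, not PIE's own code. The model below (roles, ports, addresses,
management CIDR) is constructed for illustration. Each host gets its own
default-deny INPUT chain derived from the model, and peers are looked up only
in the host's own environment, so prod and test traffic cannot cross by accident.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MGMT_CIDR = "10.255.0.0/24"  # assumed bastion network allowed to SSH in (constructed)

# Constructed model: "allow_from" lists the roles that may reach each port;
# "internet" marks a public listener.
MODEL: Dict[str, dict] = {
    "roles": {
        "web":    {"ports": [80, 443], "allow_from": ["internet"]},
        "middle": {"ports": [8080],    "allow_from": ["web"]},
        "db":     {"ports": [5432],    "allow_from": ["middle"]},
        "ldap":   {"ports": [389],     "allow_from": ["middle"]},
    },
    "environments": {
        "prod":  {"web": ["10.0.1.10", "10.0.1.11"], "middle": ["10.0.2.10", "10.0.2.11"],
                  "db": ["10.0.3.10"], "ldap": ["10.0.3.11"]},
        "test1": {"web": ["10.1.1.10"], "middle": ["10.1.2.10"],
                  "db": ["10.1.3.10"], "ldap": ["10.1.3.11"]},
    },
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    dport: Optional[int] = None  # None matches any port
    src: Optional[str] = None    # IP or CIDR; None matches any source
    comment: str = ""


def host_rules(model: dict, env: str, role: str) -> List[Rule]:
    """Ordered INPUT chain for one host of `role` in `env`, ending in default deny."""
    spec, hosts = model["roles"][role], model["environments"][env]
    rules = [Rule("ACCEPT", dport=22, src=MGMT_CIDR, comment="management ssh")]
    for port in spec["ports"]:
        for src_role in spec["allow_from"]:
            if src_role == "internet":
                rules.append(Rule("ACCEPT", dport=port, comment="public %s" % role))
                continue
            # Same-environment peers only: a test1 middle tier never lands
            # in a prod database's allow-list.
            for ip in hosts[src_role]:
                rules.append(Rule("ACCEPT", dport=port, src=ip,
                                  comment="%s %s -> %s" % (env, src_role, role)))
    rules.append(Rule("DROP", comment="default deny"))
    return rules


def allowed(rules: List[Rule], src_ip: str, dport: int) -> bool:
    """First-match walk of the chain, the way iptables evaluates INPUT."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.dport is not None and r.dport != dport:
            continue
        if r.src is not None and ip not in ipaddress.ip_network(r.src, strict=False):
            continue
        return r.action == "ACCEPT"
    return False


def render_iptables(rules: List[Rule]) -> List[str]:
    """Render the chain as iptables commands for new TCP connections."""
    lines = ["iptables -P INPUT DROP", "iptables -F INPUT",
             "iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = ["iptables", "-A", "INPUT", "-p", "tcp"]
        if r.src is not None:
            parts += ["-s", r.src]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        if r.comment:
            parts += ["-m", "comment", "--comment", '"%s"' % r.comment]
        lines.append(" ".join(parts + ["-j", r.action]))
    return lines


def cross_environment_leaks(model: dict) -> List[str]:
    """Model check: internal ports that a host in another environment could reach."""
    leaks, envs = [], model["environments"]
    for dst_env, dst_hosts in envs.items():
        for role in dst_hosts:
            if "internet" in model["roles"][role]["allow_from"]:
                continue  # public listeners are reachable from anywhere by design
            rules = host_rules(model, dst_env, role)
            for port in model["roles"][role]["ports"]:
                for src_env, src_hosts in envs.items():
                    if src_env == dst_env:
                        continue
                    for ips in src_hosts.values():
                        for ip in ips:
                            if allowed(rules, ip, port):
                                leaks.append("%s -> %s/%s:%d" % (ip, dst_env, role, port))
    return leaks
```

`render_iptables(host_rules(MODEL, "prod", "db"))` yields the commands for a prod database host: management SSH, the two prod middle-tier addresses on 5432, and nothing else. `cross_environment_leaks(MODEL)` returns an empty list for the model as constructed; if someone mislists a test1 address under a prod role, the check names every internal port that address could then reach, in both environments that claim it.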
103. OWASP Secure Coding
Quick Reference Guide
• Checklist format that can be added into your sprints
• Helps the development team find common security flaws
• Topics include: Input Validation, Output Encoding, Auth, Session Management, Memory Management, ...
• http://bit.ly/OWASPQuickRef
104. Rugged Next Steps
• Use Rugged language
• Know your systems
• Automate, track results, repeat
• Begin weekly OPSEC in your org
• Attend LASCON (http://lascon.org)