RUGGED DEVOPS WILL HELP
 YOU BUILD UR CLOUDZ
      by @wickett and @ernestmueller
OUTLINE
•   Us, And Why You Care What We Say
•   The Cloud, And How It Is Threatening You
•   Rugged, And Its New Approach To Security
•   DevOps, And How It Is Driving Collaborative Solutions
•   Combining Cloud, Rugged, and DevOps To Solve The Problem
•   How We Did Cloud Security With DevOps At NI
•   Introducing RuggedDevOps Tool: Gauntlt
@wickett
Senior DevOps Engineer
CISSP, GWAPT, CCSK, GSEC, GCFW
james@wickett.me
@RuggedDevOps
theagileadmin.com
NI CONFIDENTIAL
@ernestmueller
DevOps Platform Manager and Release Manager, Bazaarvoice
ernest.mueller@gmail.com
theagileadmin.com
WHAT IS THE CLOUD?
THE GRAND UNIFIED THEORY
(ISP -> colo -> MSP) + virtualization + HPC + (AJAX + SOA -> REST APIs) = IaaS
((web site -> web app) -> ASP) + virtualization + fast ubiquitous Internet + [RIA browsers && mobile] = SaaS
IDE/4GLs + (EAI -> SOA) + SaaS + IaaS = PaaS
[IaaS | PaaS | SaaS] + [devops | open source | noSQL] = cloud
CLOUDINESS
•   An outsourced managed service
•   providing hosted computing or functionality
•   delivered over the Internet
•   offering extreme scalability
•   by using dynamically provisioned, multitenant, virtualized
    systems, storage, and applications

•   controlled via REST APIs
•   and billed in a utility manner.
“Cloud? I’ve been doing that since
 1988. It’s just the same old thing
        with a new name."
                      - Technohipster
Not new: virtualization, outsourcing, integration, interwebz
Pretty new: multitenant, massively scalable, elastic self provisioning, pay as you go
Resulting benefits: agility, economy of scale, low initial investment, scalable cost/opex, resilience, easy delivery
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
RUGGEDIZATION THEORY
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
No Pain, No Gain
RUGGED-ITIES
   Maintainability
     Availability
    Survivability
   Defensibility
      Security
     Longevity
     Portability
     Reliability
WHAT NEEDS TO HAPPEN
• Focus on real security. FUD doesn't benefit anyone; figuring out how to "make it happen", securely, benefits everyone.
• It'll take time for compliance standards to get with the times, but don't assume the cloud can't be compliant: some of your auditors have actually heard of VMs and know what to do.
• Organizations have to accept risk to reap rewards.
• Agile has taught orgs the collaborative approach is best.
• Lean has taught orgs to experiment and iterate.
source: Gene Kim, “When IT says No @SXSW 2012”
SECURITY SEES...
• They give advice that goes unheeded
• Business decisions made w/o regard of risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know,
  those devops guys)
• Inequitable distribution of labor
TRADITIONAL SECURITY
THE CLOUD RESPONSE
THE SEPARATION MODEL
DEVOPS
SERVICE LIFECYCLE
ANTIPATTERN!

Deploying Software Manually
ANTIPATTERN!

     Deploying to a Production-like
Environment Only after Development is
              Complete
ANTIPATTERN!
    Manual
Configuration
Management of
  Production
 Environments
CONTINUOUS INTEGRATION
• Check in regularly
• Create an automated and comprehensive test suite
• Keep build and test short and fast
• All tests must pass before moving on
• Never go home on a broken build
• Never comment out failing tests
CONFIGURATION
          MANAGEMENT
• Infrastructure as Code (IaC)
• Model driven deployment
• Version control everything
• Know Your Environment if
  you want to make it
  defensible
RUGGED DEVOPS
BRIDGING SECURITY AND DEVOPS
DEVOPS (+SEC)
• Increased trend, driven by agile development, towards tight collaboration between developers and operations staff
• Be the "security buddy"
• Embed with projects, don't be a seagull
• By understanding, be understood
• How secure are things usually when people and teams all work separately?
THE 6 R’S RUGGED DEVOPS
 • repeatable – no manual steps
 • reliable - no DoS here
 • reviewable – aka audit
 • rapid – fast to build, deploy, restore
 • resilient – automated reconfiguration
 • reduced - limited attack surface
APPLY RUGGED DEVOPS TO
           THE CLOUD
•   Start with a Rugged DevOps team
•   Use a lot of firewalls
•   Scan your code
•   Source to system
•   Threat modeling
•   Watch for changes
•   Pen Testing
BUILD A
RUGGED
DEVOPS
TEAM
PEOPLE, PROCESS, TECH
PEOPLE AND PROCESS
• Sit near the dev and ops team, better yet, put them
  all on the same team
• Track security flaws or bugs in the same bug tracking
  system
• Automate whenever possible
• Involve team with vendors
• Measurement over time and clear communication
USE
FIREWALLS...
(A LOT OF
THEM)
Traditional 3-Tier Web Architecture (one shared firewall per DMZ boundary)

  Firewall
    |
  Web | Web | Web                    DMZ 1
    |
  Firewall
    |
  Middle Tier | Middle Tier          DMZ 2
    |
  Firewall
    |
  DB | LDAP                          DMZ 3

Cloud Firewalls and DMZ (a firewall per instance instead of one per boundary)

  [firewall] Web  | [firewall] Web  | [firewall] Web     DMZ x3
  [firewall] Middle Tier | [firewall] Middle Tier        DMZ x2
  [firewall] DB   | [firewall] LDAP                      DMZ x2

Properties of the per-instance layout:
  Repeatable
  Verifiable
  Prod/Dev/Test Matching
  Controlled
  Automated




(The slides then repeat the per-instance firewalled Web / Middle Tier / DB / LDAP stack side by side: one copy per product and one per dev/test/prod environment, each built from the same definition.)
RUGGED BENEFITS

• Control and traffic whitelisting
• Config management
• Reproducible, automated and source controlled
• No accidental data traversal across products or
  dev/test/prod tiers
• Dev and Test identical to Prod tier
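The per-environment, per-tier whitelist in the diagrams above, as an added Ruby example (not PIE or the talk's own code). Tier names, ports and environment names are assumed values; the point is that the rules are generated from one model, so dev/test/prod get identical rule sets, anything the model did not generate is denied, and a rule that would cross environments is rejected before it ever reaches a firewall.

```ruby
# Added example (not from the talk or from PIE): the firewall layout above as a
# model that generates the whitelist, instead of rules typed into each host.
require 'set'

# Which tiers may reach each tier, and on which ports. Tier names, ports and
# environment names are assumed values for the example.
TIERS = {
  'web'    => { ingress_from: ['internet'], ports: [80, 443] },
  'middle' => { ingress_from: ['web'],      ports: [8080] },
  'db'     => { ingress_from: ['middle'],   ports: [3306] },
  'ldap'   => { ingress_from: ['middle'],   ports: [389, 636] },
}.freeze

ENVIRONMENTS = %w[dev test prod].freeze

Rule = Struct.new(:env, :src_tier, :dst_tier, :port)

# Expand the model into an explicit whitelist, one Rule per (env, src, dst, port).
# Every environment is expanded from the same model, so dev, test and prod
# carry identical rule sets and a diff between them is empty by construction.
def generate_rules(tiers = TIERS, envs = ENVIRONMENTS)
  envs.flat_map do |env|
    tiers.flat_map do |dst, spec|
      spec[:ingress_from].flat_map do |src|
        spec[:ports].map { |port| Rule.new(env, src, dst, port) }
      end
    end
  end.to_set
end

# Default deny: a flow is permitted only if exactly this rule was generated.
def allowed?(rules, env, src_tier, dst_tier, port)
  rules.include?(Rule.new(env, src_tier, dst_tier, port))
end

# Gate for a proposed rule (e.g. from a change request against the model).
# Cross-environment flows can never come out of the model, so they are
# rejected before the whitelist is even consulted.
def validate_proposed(src_env, src_tier, dst_env, dst_tier, port, rules = generate_rules)
  return [:reject, 'cross-environment traversal'] if src_env != dst_env
  return [:reject, 'not in whitelist'] unless allowed?(rules, dst_env, src_tier, dst_tier, port)
  [:accept, nil]
end

# One line per rule, sorted, so a source-control diff shows exactly which
# flows changed (the "reviewable" R).
def render_rules(rules)
  rules.map { |r| "#{r.env}: allow #{r.src_tier} -> #{r.dst_tier}:#{r.port}" }.sort
end
```

Rendering the generated set into real firewall syntax (iptables, a security group API) is the step this example leaves to the provisioning tool; what matters for the "no accidental traversal" property is that the only source of rules is the model, and that the model has no way to express a dev-to-prod flow.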
SCAN THE CODE
• Scans for OWASP Top Ten and more
• Security Scanning as a Service
• Static and dynamic scanning
• Integrated into development process
SOURCE TO SYSTEM
AUTOMATED PROVISIONING - PIE
• Programmable Infrastructure Environment (PIE): a framework to define, provision, monitor, and control cloud-based systems
• Written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and Microsoft Azure
• Takes an XML-based model from source control and creates a full running system
• Infrastructure as code: the model is version controlled, defined once, deployed many times
• Eliminates repetitive tasks and human errors
• Rollback capability
THREAT MODEL ME
THREAT MODELING
• Understanding the threat profile of a system
• Provide a basis for secure design and implementation
• Discover vulnerabilities
• Provide feedback for the application security life cycle
p. 29 in Threat Modeling, Swiderski, Snyder
WATCH
MY
CHANGES
HOST INTRUSION
           DETECTION SYSTEM
• Watch the file system (using hashing and timestamps)
  – /etc/
  – /usr/bin
  –…
• Change control for applications
• Alert on changes and anomalies
• PIE watchdog
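The file-system watch in the HIDS bullets above, as an added Ruby example that is not the talk's code or PIE's watchdog: it records a SHA-256 and mtime for every regular file under the watched paths, saves that as a JSON baseline, and on the next pass reports what was added, removed, modified, or merely re-timestamped. The /etc tree, its contents and the tampering in `demo` are constructed for the example.

```ruby
# Added example (not from the talk or from PIE): a minimal host file integrity
# check of the kind a HIDS runs over /etc, /usr/bin and friends.
require 'digest'
require 'find'
require 'json'
require 'tmpdir'

# Walk +roots+ and record sha256 + mtime for every regular file.
# Symlinks are skipped so a link pointing outside the tree is not followed.
def snapshot(roots)
  result = {}
  roots.each do |root|
    Find.find(root) do |path|
      next if File.symlink?(path) || !File.file?(path)
      result[path] = {
        'sha256' => Digest::SHA256.file(path).hexdigest,
        'mtime'  => File.mtime(path).to_i,
      }
    end
  end
  result
end

# Compare a fresh snapshot against the baseline. A file whose content hash
# differs is reported as modified even if its mtime was reset to hide the edit;
# a file with the same content but a new mtime is reported separately as touched.
def diff_snapshots(baseline, current)
  common   = baseline.keys & current.keys
  added    = current.keys - baseline.keys
  removed  = baseline.keys - current.keys
  modified = common.select { |p| baseline[p]['sha256'] != current[p]['sha256'] }
  touched  = common.select do |p|
    baseline[p]['sha256'] == current[p]['sha256'] && baseline[p]['mtime'] != current[p]['mtime']
  end
  { added: added.sort, removed: removed.sort, modified: modified.sort, touched: touched.sort }
end

# The baseline belongs off-host (or at least read-only) in real use; an
# attacker who can rewrite it can hide any change.
def save_baseline(snap, file)
  File.write(file, JSON.pretty_generate(snap))
end

def load_baseline(file)
  JSON.parse(File.read(file))
end

# Self-contained demonstration on a constructed tree in a temp dir.
# Returns the diff (paths relative to the temp dir) so it can be checked.
def demo
  Dir.mktmpdir('fim') do |dir|
    etc = File.join(dir, 'etc')
    Dir.mkdir(etc)
    File.write(File.join(etc, 'passwd'), "root:x:0:0:root:/root:/bin/bash\n")
    File.write(File.join(etc, 'hosts'), "127.0.0.1 localhost\n")
    baseline_file = File.join(dir, 'baseline.json')
    save_baseline(snapshot([etc]), baseline_file)

    # Simulated tampering: a uid-0 account appended, a file removed, a file dropped in.
    File.open(File.join(etc, 'passwd'), 'a') { |f| f.puts 'eve:x:0:0::/root:/bin/bash' }
    File.delete(File.join(etc, 'hosts'))
    File.write(File.join(etc, 'ld.so.preload'), "/tmp/evil.so\n")

    diff = diff_snapshots(load_baseline(baseline_file), snapshot([etc]))
    diff.transform_values { |paths| paths.map { |p| p.sub("#{dir}/", '') } }
  end
end
```

On a real host the roots would be the directories from the slide (/etc, /usr/bin, ...) and the diff would be shipped to whatever raises the alert; the thing to get right is that content hashes, not timestamps alone, decide "modified".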
PEN
TESTING
PENETRATION TESTING
• Use external and internal penetration
  testing
• White box testing vs. Black box testing
• Look for automation opportunities
  (ruby, python, …)
BUT WHAT ABOUT SECURITY
     TESTING IN MY
CONTINUOUS INTEGRATION
        SYSTEM?
PUT YOUR CODE THROUGH
      THE GAUNTLT
GAUNTLET, N.
AN ATTACK FROM ALL SIDES
Lined up against your web app (and you): custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap
GAUNTLT
      IS BUILT FOR
CONTINUOUS INTEGRATION
GAUNTLT IS
AN ALWAYS-ATTACKING
 ENVIRONMENT FOR
     DEVELOPERS
WITH ATTACKS WRITTEN IN
EASY-TO-READ LANGUAGE
ACCESSIBLE TO EVERYONE
 INVOLVED IN DEV, OPS,
  TESTING, SECURITY, ...
GAUNTLT INCLUDES
WHY GAUNTLT?

SECURITY DOMAIN
KNOWLEDGE IS
GENERALLY A MYSTERY
TO DEV TEAMS
GAUNTLT ALLOWS DEV
AND OPS AND SECURITY
TO COMMUNICATE AND
COLLABORATE
GAUNTLT JOINS:

THE PHILOSOPHY OF
RUGGED SOFTWARE
         &
    OUTSIDE-IN
     TESTING
LETS LOOK INSIDE A COUPLE
       OF THESE FILES
feature for nmap:
                      nmap.feature
@gauntlet @run

Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

Background:
 Given nmap is installed

Scenario: Verify server is available on standard web ports
 Given the hostname in the profile.xml
 When I run nmap against the hostname in the profile on ports 80,443
 Then the output should contain:
  """
  80/tcp open http
  443/tcp open https
  """
step definition for nmap:
                   nmap.rb
# Aruba/Cucumber step definitions used by nmap.feature. @hostname is set by
# the "Given the hostname in the profile.xml" step in profile.rb (not shown).

Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
    """
    nmap
    """
  }
end

# The two port numbers are captured from the step text and passed to nmap.
# The slide export dropped the backslashes from \d+, and the original step
# ignored its two captures and always ran -p80,443; with the captures used,
# the "ports 8080,443" scenario below really scans 8080 and 443.
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
  steps %{
    When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
  }
end
lets run gauntlt with
  the nmap.feature
 against google.com
running gauntlt with failing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

   Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
    Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
     """
     8080/tcp open http
     443/tcp open https
     """
...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s
running gauntlt with passing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

 Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
  Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
  When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
  Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
   """
   80/tcp open http
   443/tcp open https
   """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s
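A "custom attack" step like the nmap scenario above needs a parser behind it once the check is more than a substring match. This added Ruby example (not part of gauntlt) parses nmap's normal output into a port table and takes the feature file one step further, in the spirit of the "reduced" R: the required ports must be open and any other open port fails the build. The scan output is constructed to match nmap's format, not captured from a real host.

```ruby
# Added example (not gauntlt code): parse nmap output and enforce an exposure
# policy, so the CI test fails on unexpected open ports as well as missing ones.

# Constructed sample in nmap's normal output format (not a real scan).
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap 5.51 ( http://nmap.org )
  Nmap scan report for example.test (192.0.2.10)
  Host is up (0.012s latency).
  Not shown: 996 filtered ports
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy
  Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
OUT

# "80/tcp  open  http"; state may be a combined value such as open|filtered.
PORT_LINE = %r{\A(?<port>\d+)/(?<proto>tcp|udp)\s+(?<state>[\w|]+)\s+(?<service>\S+)}

# Returns { "80/tcp" => { state: "open", service: "http" }, ... } in scan order.
def parse_nmap(output)
  output.each_line.with_object({}) do |line, table|
    m = PORT_LINE.match(line.strip)
    next unless m
    table["#{m[:port]}/#{m[:proto]}"] = { state: m[:state], service: m[:service] }
  end
end

def open_ports(table)
  table.select { |_, v| v[:state] == 'open' }.keys
end

# Gauntlt-style assertion as a function: returns the list of violations, so an
# empty array means the scenario passes. +allowed+ defaults to +required+,
# i.e. nothing but the ports you asked for may be open.
def check_exposure(output, required:, allowed: required)
  table  = parse_nmap(output)
  opened = open_ports(table)
  violations = []
  (required - opened).each do |p|
    violations << "expected #{p} open but it is #{table.dig(p, :state) || 'absent'}"
  end
  (opened - allowed).each do |p|
    violations << "unexpected open port #{p} (#{table[p][:service]})"
  end
  violations
end
```

Wired into a step definition, `check_exposure` would be called on the output of the `nmap` run and the scenario would fail with the violation text; in the sample above that is the stray ssh on 22/tcp, which the substring check in the original feature would never have noticed.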
WALK VS. RUN
• gauntlt has two modes: walk and run
  • meaning fast and slow, or smoke and full
  • This is done by labels (tags) in cucumber
  • For each feature you will get to decide if it is a @walk or a @run test, or both
SOME REALIZATIONS
• The core of gauntlt needs to provide a set of functionality that encourages contributors to write extensions for their pen testing tools
• A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...
• Smoke tests and validation vs. long running testing (nightly/weekly)
JOIN THE PARTY!!
FORK GAUNTLT ON GITHUB
https://github.com/thegauntlet/gauntlt
CLOUD & SECURITY RESOURCES
• Book: Cloud Security and Privacy (Mather, Kumaraswamy, Latif)
• Jericho Forum (collaboration.opengroup.org/jericho/)
• Amazon AWS Security Center (aws.amazon.com/security)
• Austin Cloud User Group (acug.cloudug.org)
• Cloud Security Alliance (cloudsecurityalliance.org)
• CSA Austin Chapter (austincloud.org)
• CSA Security Guidance for Critical Areas in Cloud Computing
• ENISA Cloud Computing Risk Assessment
CONTACT US!

@ERNESTMUELLER

  @WICKETT

The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Rugged DevOps Will help you build ur cloudz

  • 1. RUGGED DEVOPS WILL HELP YOU BUILD UR CLOUDZ by @wickett and @ernestmueller
  • 2. OUTLINE • Us, And Why You Care What We Say • The Cloud, And How It Is Threatening You • Rugged, And Its New Approach To Security • DevOps, And How It Is Driving Collaborative Solutions • Combining Cloud, Rugged, and DevOps To Solve The Problem • How We Did Cloud Security With DevOps At NI • Introducing RuggedDevOps Tool: Gauntlt
  • 3. @wickett Senior DevOps Engineer CISSP, GWAPT, CCSK, GSEC, GCFW james@wickett.me @RuggedDevOps theagileadmin.com NI CONFIDENTIAL
  • 4. @ernestmueller DevOps Platform Manager and Release Manager, Bazaarvoice ernest.mueller@gmail.com theagileadmin.com
  • 5. WHAT IS THE CLOUD?
  • 6. THE GRAND UNIFIED THEORY (ISP -> colo -> MSP) + virtualization + HPC + (AJAX + SOA -> REST APIs) = IaaS ((web site -> web app) -> ASP) + virtualization + fast ubiquitous Internet + [RIA browsers && mobile] = SaaS IDE/4GLs + (EAI -> SOA) + SaaS + IaaS = PaaS [IaaS | PaaS | SaaS ] + [ devops | open source | noSQL ] = cloud
  • 7. CLOUDINESS • An outsourced managed service • providing hosted computing or functionality • delivered over the Internet • offering extreme scalability • by using dynamically provisioned, multitenant, virtualized systems, storage, and applications • controlled via REST APIs • and billed in a utility manner.
  • 8. “Cloud? I’ve been doing that since 1988. It’s just the same old thing with a new name." - Technohipster
  • 9. Not new: virtualization outsourcing integration interwebz Pretty new: multitenant massively scalable elastic self provisioning pay as you go Resulting benefits: agility economy of scale low initial investment scalable cost/opex resilience easy delivery
  • 11. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  • 12. RUGGEDIZATION THEORY Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 13. No Pain, No Gain
  • 14. RUGGED-ITIES Maintainability Availability Survivability Defensibility Security Longevity Portability Reliability
  • 15. WHAT NEEDS TO HAPPEN • Focus on real security. FUD doesn’t benefit anyone – figuring out how to “make it happen” – securely – benefits everyone. • It’ll take time for compliance standards to get with the times – but don’t assume the cloud can’t be compliant – some of your auditors have actually heard of VMs and know what to do • Organizations have to accept risk to reap rewards. • Agile has taught orgs the collaborative approach is best • Lean has taught orgs to experiment and iterate
  • 16. source: Gene Kim, “When IT says No @SXSW 2012”
  • 17. SECURITY SEES... • They give advice that goes unheeded • Business decisions made w/o regard of risk • Irrelevancy in the organization • Constant bearer of bad news • Feels ignored by their peers (you know, those devops guys) • Inequitable distribution of labor
  • 24. ANTIPATTERN! Deploying to a Production-like Environment Only after Development is Complete
  • 25. ANTIPATTERN! Manual Configuration Management of Production Environments
  • 26. CONTINUOUS INTEGRATION • Check In Regularly • Create an automated and comprehensive test suite • Keep build and test short and fast • All tests must pass before moving on • Never Go Home on a broken build • Never comment out failing tests
  • 27. CONFIGURATION MANAGEMENT • Infrastructure as Code (IaC) • Model driven deployment • Version control everything • Know Your Environment if you want to make it defensible
  • 32. DEVOPS (+SEC) • Increased trend, driven by agile development, towards tight collaboration between developers and operations staff • Be the “security buddy” • Embed with projects, don’t be a seagull • By understanding, be understood • How secure are things usually when people and teams all work separately?
  • 34. THE 6 R’S RUGGED DEVOPS • repeatable – no manual steps • reliable - no DoS here • reviewable – aka audit • rapid – fast to build, deploy, restore • resilient – automated reconfiguration • reduced - limited attack surface
  • 38. APPLY RUGGED DEVOPS TO THE CLOUD • Start with a Rugged DevOps team • Use a lot of firewalls • Scan your code • Source to system • Threat modeling • Watch for changes • Pen Testing
  • 41. PEOPLE AND PROCESS • Sit near the dev and ops team, better yet, put them all on the same team • Track security flaws or bugs in the same bug tracking system • Automate whenever possible • Involve team with vendors • Measurement over time and clear communication
  • 43. Traditional 3-Tier Web Architecture (diagram): Firewall -> [Web, Web, Web] in DMZ 1 -> Firewall -> [Middle Tier, Middle Tier] in DMZ 2 -> Firewall -> [DB, LDAP] in DMZ 3
  • 44. Cloud Firewalls and DMZ (diagram): the shared perimeter firewalls are replaced by a firewall on every instance: [firewall + Web] x3 in the web DMZ, [firewall + Middle Tier] x2 in the middle DMZ, [firewall + DB] and [firewall + LDAP] in the data DMZ
  • 45. (diagram) The same per-instance firewall stack (Web x3, Middle Tier x2, DB, LDAP) stamped out identically for each environment: Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated
  • 46. (diagram) The stack replicated across every product and environment: each Web, Middle Tier, DB and LDAP instance carries its own firewall
  • 47. RUGGED BENEFITS • Control and traffic whitelisting • Config management • Reproducible, automated and source controlled • No accidental data traversal across products or dev/test/prod tiers • Dev and Test identical to Prod tier
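An added illustration of slides 44-47 (this is example code written for this page, not PIE or the authors' own tooling): the tier-to-tier whitelist is held as a model, the rules for every instance firewall are generated from it, and the same model is used to verify a rule set, so a hand-added rule that would let a dev web box talk to the prod database is caught before it ships. Tier names follow the deck; the port numbers and the Rule structure are assumptions made for the example.

```ruby
# Added example for slides 44-47; not PIE or the authors' code.
require 'set'

ENVS = %w[dev test prod].freeze

# Whitelisted flows between adjacent tiers and the TCP ports each may use.
# Tier names follow the deck; the port numbers are assumptions for illustration.
ALLOWED_FLOWS = {
  ['internet', 'web'] => [80, 443],
  ['web', 'middle']   => [8080],
  ['middle', 'db']    => [5432, 389] # database and LDAP share the innermost DMZ
}.freeze

Rule = Struct.new(:src_env, :src_tier, :dst_env, :dst_tier, :port) do
  def to_s
    "#{src_env}/#{src_tier} -> #{dst_env}/#{dst_tier}:#{port}"
  end
end

# Generate the whole whitelist for one environment from the model: no hand-edited
# rules, so every firewall in a tier is identical and the set is reproducible.
def rules_for(env)
  ALLOWED_FLOWS.flat_map do |(src, dst), ports|
    ports.map { |port| Rule.new(env, src, env, dst, port) }
  end
end

# Same model for every environment: dev and test match prod by construction.
def all_rules
  ENVS.flat_map { |env| rules_for(env) }
end

# Verify a rule set (freshly generated, or read back from the provider) against
# the model. Returns one string per violation; an empty array means it is clean.
def violations(rules)
  rules.each_with_object([]) do |r, out|
    if r.src_env != r.dst_env
      out << "#{r}: crosses environments (#{r.src_env} -> #{r.dst_env})"
    end
    ports = ALLOWED_FLOWS[[r.src_tier, r.dst_tier]]
    if ports.nil?
      out << "#{r}: #{r.src_tier} -> #{r.dst_tier} is not an adjacent-tier flow"
    elsif !ports.include?(r.port)
      out << "#{r}: port #{r.port} is not whitelisted for #{r.src_tier} -> #{r.dst_tier}"
    end
  end
end

# Prod/Dev/Test matching: strip the environment label and compare the shapes.
def environments_match?(rules)
  shapes = ENVS.map do |env|
    rules.select { |r| r.src_env == env && r.dst_env == env }
         .map { |r| [r.src_tier, r.dst_tier, r.port] }
         .to_set
  end
  shapes.uniq.size == 1
end

if __FILE__ == $PROGRAM_NAME
  rules = all_rules
  puts "generated #{rules.size} rules; environments match: #{environments_match?(rules)}"
  # A hand-added rule that would let a dev web box reach the prod database:
  stray = Rule.new('dev', 'web', 'prod', 'db', 5432)
  violations(rules + [stray]).each { |v| puts "VIOLATION #{v}" }
end
```

Running `violations` against what the provider actually has configured, on a schedule, is the "verifiable" half of the slide: the generated set is the expected state, and anything that drifts from it is reported rather than silently tolerated.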
  • 49. • Scans for OWASP Top Ten and more • Security Scanning as a Service • Static and Dynamic scanning • Integrated into development process
  • 51. AUTOMATED PROVISIONING - PIE • Programmable Infrastructure Environment (PIE) • Code can be version controlled • Make Infrastructure as code • Defined once, deployed many times • Eliminate repetitive task and human errors • Rollback capability
  • 52. • a framework to define, provision, monitor, and control cloud-based systems • written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and Microsoft Azure • takes an XML-based model from source control and creates a full running system
  • 54. THREAT MODELING • Understanding the threat profile of a system • Provide a basis for secure design and implementation • Discover vulnerabilities • Provide feedback for the application security life cycle (source: Swiderski and Snyder, Threat Modeling, p. 29)
  • 56. HOST INTRUSION DETECTION SYSTEM • Watch the file system (using hashing and timestamps) – /etc/ – /usr/bin –… • Change control for applications • Alert on changes and anomalies • PIE watchdog
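An added example of the file-system watching described on slide 56 (written for this page; it is not the PIE watchdog or the authors' code): take a baseline of content hashes and timestamps under the watched directories, store it, compare a later snapshot against it, and alert on added, removed and modified files. The comparison also singles out files whose content changed while the timestamp did not advance, which is what an attacker who replaces a binary and resets its mtime looks like. The sample files, the temp-directory stand-in for /etc and /usr/bin, and the simulated intrusion are constructed for the demonstration.

```ruby
# Added example for slide 56; not the PIE watchdog or the authors' code.
require 'digest'
require 'json'
require 'tmpdir'
require 'fileutils'

# Snapshot every regular file under the watched directories: content hash plus
# modification time. The hash is the evidence; the timestamp is only a hint.
def snapshot(dirs)
  dirs.each_with_object({}) do |dir, snap|
    Dir.glob(File.join(dir, '**', '*')).sort.each do |path|
      next unless File.file?(path)
      snap[path] = {
        'sha256' => Digest::SHA256.file(path).hexdigest,
        'mtime'  => File.mtime(path).to_i
      }
    end
  end
end

# Compare a fresh snapshot with the stored baseline. "backdated" lists files
# whose content changed while the mtime did not advance: a binary edited and
# then touched back to its old timestamp to hide the change.
def compare(baseline, current)
  added    = current.keys - baseline.keys
  removed  = baseline.keys - current.keys
  modified = (baseline.keys & current.keys).reject do |p|
    baseline[p]['sha256'] == current[p]['sha256']
  end
  backdated = modified.select { |p| current[p]['mtime'] <= baseline[p]['mtime'] }
  { added: added, removed: removed, modified: modified, backdated: backdated }
end

# Turn a comparison report into alert lines.
def alerts(report)
  msgs = []
  report[:added].each     { |p| msgs << "ADDED     #{p}" }
  report[:removed].each   { |p| msgs << "REMOVED   #{p}" }
  report[:modified].each  { |p| msgs << "MODIFIED  #{p}" }
  report[:backdated].each { |p| msgs << "ANOMALY   #{p}: content changed but mtime did not advance" }
  msgs
end

# Constructed demonstration: a temp dir stands in for /etc and /usr/bin, the
# baseline is written to JSON as a real watchdog would store it, an intrusion
# is simulated, and the comparison report is returned.
def demo
  Dir.mktmpdir('hids') do |root|
    etc = File.join(root, 'etc')
    bin = File.join(root, 'usr', 'bin')
    FileUtils.mkdir_p([etc, bin])
    File.write(File.join(etc, 'passwd'), "root:x:0:0:root:/root:/bin/bash\n")
    File.write(File.join(bin, 'ls'), "ELF original ls\n")

    baseline_file = File.join(root, 'baseline.json')
    File.write(baseline_file, JSON.generate(snapshot([etc, bin])))

    # Intrusion: replace a binary, reset its mtime (touch -r), drop a new file.
    trojan = File.join(bin, 'ls')
    original_mtime = File.mtime(trojan)
    File.write(trojan, "ELF backdoored ls\n")
    File.utime(original_mtime, original_mtime, trojan)
    File.write(File.join(etc, 'rc.local'), "nc -l -p 4444 -e /bin/sh\n")

    compare(JSON.parse(File.read(baseline_file)), snapshot([etc, bin]))
  end
end

if __FILE__ == $PROGRAM_NAME
  alerts(demo).each { |line| puts line }
end
```

The baseline itself has to live somewhere the host cannot rewrite (off-box, or at least read-only to the running system), otherwise whoever replaced the binary can replace the baseline too; the same goes for the watchdog that runs the comparison.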
  • 58. PENETRATION TESTING • Use external and internal penetration testing • White box testing vs. Black box testing • Look for automation opportunities (ruby, python, …)
  • 59. BUT WHAT ABOUT SECURITY TESTING IN MY CONTINUOUS INTEGRATION SYSTEM?
  • 60. PUT YOUR CODE THROUGH THE GAUNTLT
  • 61. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  • 62. (diagram) Tools arrayed against your web app from all sides: custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap; in the middle, Your web app; running them, You
  • 63. GAUNTLT IS BUILT FOR CONTINUOUS INTEGRATION
  • 66. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  • 67. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  • 69. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  • 70. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE AND COLLABORATE
  • 71. GAUNTLT JOINS: THE PHILOSOPHY OF RUGGED SOFTWARE & OUTSIDE-IN TESTING
  • 72. LETS LOOK INSIDE A COUPLE OF THESE FILES
  • 73. feature for nmap: nmap.feature

    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:
        Given nmap is installed

      Scenario: Verify server is available on standard web ports
        Given the hostname in the profile.xml
        When I run nmap against the hostname in the profile on ports 80,443
        Then the output should contain:
          """
          80/tcp open http
          443/tcp open https
          """
  • 74. step definition for nmap: nmap.rb (the backslashes in the port regex were lost in extraction and are restored here; the step now passes the two captured ports to nmap instead of a hard-coded -p80,443, which the captured arguments were never used for)

    # Background step: fail early, and clearly, if the attack tool is missing.
    Given /^nmap is installed$/ do
      steps %{
        When I run `which nmap`
        Then the output should contain:
        """
        nmap
        """
      }
    end

    # @hostname is set by the "hostname in the profile.xml" step in profile.rb.
    When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
      steps %{
        When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
      }
    end
  • 75. let's run gauntlt with the nmap.feature against google.com
  • 76. running gauntlt with failing tests

    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                                                              # features/nmap/nmap.feature:5
        Given nmap is installed                                                # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports              # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                                  # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 8080,443  # features/step_definitions/nmap.rb:12
        Then the output should contain:                                        # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          8080/tcp open http
          443/tcp open https
          """
    ...
    Failing Scenarios:
    cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

    1 scenario (1 failed)
    4 steps (1 failed, 3 passed)
    0m0.341s

  • 77. running gauntlt with passing tests

    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                                                              # features/nmap/nmap.feature:5
        Given nmap is installed                                                # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports              # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                                  # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 80,443    # features/step_definitions/nmap.rb:12
        Then the output should contain:                                        # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          80/tcp open http
          443/tcp open https
          """

    1 scenario (1 passed)
    4 steps (4 passed)
    0m1.117s
  • 78. WALK VS. RUN • gauntlt has two modes: walk and run • meaning fast and slow or smoke and full • This is done by labels in cucumber • For each feature you will get to decide if it is a @walk or a @run test or both
  • 79. SOME REALIZATIONS • The core of gauntlt needs to provide a set of functionality that encourages contributors to write extensions for their pen testing tools • A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host... • Smoke tests and validation vs. long running testing (nightly/weekly)
  • 80. JOIN THE PARTY!! FORK GAUNTLT ON GITHUB
  • 82. CLOUD & SECURITY RESOURCES • Book: Cloud Security and Privacy (Mather, Kumaraswamy, Latif) • Jericho Forum (collaboration.opengroup.org/jericho/) • Amazon AWS Security Center (aws.amazon.com/security) • Austin Cloud User Group (acug.cloudug.org) • Cloud Security Alliance (cloudsecurityalliance.org) • CSA Austin Chapter (austincloud.org) • CSA Security Guidance for Critical Areas in Cloud Computing • ENISA Cloud Computing Risk Assessment