Rugged DevOps

Post on 20-Feb-2017


Transcript of Rugged DevOps

DevOps Patterns: Rugged DevOps
Ilkka Turunen (@ilkkaturunen)

Illka.turenen@sonatype.com

@joshcorman, 10/23/2013 ~ Marc Andreessen, 2011

Beyond Heartbleed: OpenSSL in 2014 (31 CVEs in NIST's NVD through December)


• CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
• CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM SIEMENS *
• CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM
• CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
• CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH
• CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED **
• CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM
• CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM
• CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM (Heartbleed)
• CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW
• CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM
• CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM
• CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
• …

As of 2014, Internet-wide scans with MassScan showed that roughly 300,000 of the original 600,000 Heartbleed-vulnerable hosts remained unpatched or unpatchable.

Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim

Heartbleed + (UnPatchable) Internet of Things == ___ ?

In our bodies. In our homes. In our infrastructure. In our cars.

Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim

ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK

Dev’s core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk @joshcorman @mortman #RSAC #DevOps


“Don’t Go Chasin’ Waterfalls” Dev started w/ Waterfall, but modern demands require us to go faster @joshcorman @mortman #RSAC #DevOps

ON TIME. Faster builds. Fewer interruptions. More innovation.

ON BUDGET. More efficient. More profitable. More competitive.

ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3yrs b/w releases. @joshcorman @mortman #RSAC #DevOps

Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps


Agile / CI

Agile & Lean tightened Design -> Build -> Test cycle releasing 6-12+ smaller batches/yr @joshcorman @mortman #RSAC #DevOps

DevOps

It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps


Agile / CI -> DevOps / CD

Agile made dev faster but wasn’t enough. DevOps extends patterns to Ops 4 mutual gains @joshcorman @mortman #RSAC #DevOps


SW Supply Chains

Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns @joshcorman @mortman #RSAC #DevOps


Agile / CI -> DevOps / CD -> SW Supply Chain

SW SupplyChains enable faster, more efficient dev by reducing elective complexity/risk++ @joshcorman @mortman #RSAC #DevOps

.*Ops

^(?<dept>.+)Ops$

Source: Theo Schlossnagle (@postwait)

DevOps Teams’ view of the security guy

How to move from this… to this?

Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

Defensible infrastructure is the software and hardware we build, buy, and deploy. About 90% of the code in a typical application is assembled from third-party and open source components.

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

• Respect & translate
• Test early, test often
• Engage at all stages
• Participate
• Bring toolset to the SW factory
• Leverage unseen audit trails
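The kind of tool the slides mean by "bring toolset to the SW factory" and "test early, test often", applied to the OpenSSL list earlier in the deck: an added Python example, not code from the slides, from Sonatype, or from any product. It checks a constructed bill of materials against a small embedded advisory table and refuses the build when a component sits inside a vulnerable version range. The Heartbleed entry (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g; NVD scored it 5.0 MEDIUM, as the list shows) is real. The `example-lib` component, its `EXAMPLE-0001` advisory, the "name version" manifest format, and the function names are assumptions made for the example.

```python
"""Supply-chain build gate: added example, not code from the slides or from Sonatype.

Each component in a bill of materials (BOM) is checked against a small embedded
advisory table; the build is refused when a component falls inside a vulnerable
version range or carries an identifier the team has chosen to block regardless
of its CVSS score.
"""
import re
from dataclasses import dataclass

# Versions like 1.0.1f: dotted numerics plus an optional OpenSSL-style letter.
# Pre-release tags such as 1.0.2-beta are deliberately not modelled here.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text):
    """Turn '1.0.1f' into a tuple that orders as 1.0.1 < 1.0.1a < 1.0.1g < 1.0.2."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # pad so 1.0.1 compares equal to 1.0.1.0
    return tuple(nums[:4]) + (m.group(2) or "",)


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    cvss: float


ADVISORIES = [
    # Real: Heartbleed. OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed it;
    # NVD scored it 5.0 MEDIUM, as in the slide's list.
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g", 5.0),
    # Constructed for this example only: not a real component or advisory.
    Advisory("example-lib", "EXAMPLE-0001", "2.0.0", "2.3.1", 7.5),
]

# Constructed BOM in a minimal "name version" line format (an assumption of this example).
SAMPLE_BOM = """\
# constructed bill of materials
openssl 1.0.1f
example-lib 2.2.0
example-lib 2.3.1
zlib 1.2.8
"""


def parse_bom(text):
    """Yield (component, version) pairs, ignoring blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split()
            yield name, version


def is_affected(version, advisory):
    """True when introduced <= version < fixed under the ordering above."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def scan(bom_text, advisories=ADVISORIES):
    """Return (component, version, cve, cvss) for every vulnerable BOM entry."""
    return [
        (name, version, adv.cve, adv.cvss)
        for name, version in parse_bom(bom_text)
        for adv in advisories
        if adv.component == name and is_affected(version, adv)
    ]


def gate(bom_text, fail_at=4.0, blocklist=frozenset(), advisories=ADVISORIES):
    """Build-gate decision as (allowed, findings).

    A finding blocks the build when its CVSS reaches fail_at or its identifier is
    on the blocklist, so policy can override a low score (Heartbleed was only 5.0).
    """
    findings = scan(bom_text, advisories)
    blocking = [f for f in findings if f[3] >= fail_at or f[2] in blocklist]
    return not blocking, findings


if __name__ == "__main__":
    allowed, found = gate(SAMPLE_BOM)
    for name, version, cve, cvss in found:
        print(f"{name} {version}: {cve} (CVSS {cvss})")
    print("build allowed" if allowed else "build blocked")
```

Two points worth noting. OpenSSL's letter suffix is a classic version-comparison trap: a plain string or float comparison puts 1.0.1g "below" 1.0.1 or fails outright, which is why the parser pads the numeric part and keeps the letter as a trailing tuple element. And because NVD scored Heartbleed 5.0 MEDIUM, a gate that keys only on a CVSS threshold set to HIGH would let it through; the `blocklist` argument is there so the team's own policy, not just the score, decides what stops the build.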

4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation. @joshcorman @mortman #rsac #devops

Be DevOpstastic