SecureWorld: Security is Dead, Rugged DevOps 1f

download SecureWorld:  Security is Dead, Rugged DevOps 1f

of 104

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of SecureWorld: Security is Dead, Rugged DevOps 1f

  • 1.Security is Dead.Long Live Rugged DevOps:IT at Ludicrous SpeedJoshua Corman & Gene KimSecureWorld BostonMarch 28, 2012Session ID:

2. About Joshua Corman Director of Security Intelligence for Akamai Technologies Former Research Director, Enterprise Security [The 451 Group] Former Principal Security Strategist [IBM ISS] Industry: Expert Faculty: The Institute for Applied Network Security (IANS) 2009 NetworkWorld Top 10 Tech People to Know Co-Founder of Rugged Software BLOG: Things Ive been researching: Compliance vs Security Disruptive Security for Disruptive Innovations Chaotic Actors Espionage Security Metrics2 3. About Gene Kim Researcher, Author Industry: Invented and founded Tripwire, CTO (1997-2010) Co-author: Visible Ops Handbook(2006), Visible Ops Security (2008) Co-author: When IT Fails: The Novel, The DevOps Cookbook (ComingMay 2012) Things Ive been researching: Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs.IT performance DevOps, Rugged DevOps Scoping PCI Cardholder Data Environment3 4. Where Did The High Performers Come From? 5. The Downward Spiral Operations SeesDev Sees Fragile applications are prone to More urgent, date-driven projects failure put into the queue Long time required to figure out which Even more fragile code (less bit got flippedsecure) put into production Detective control is a salesperson More releases have increasingly turbulent installs Too much time required to restore service Release cycles lengthen to amortize cost of deployments Too much firefighting and unplanned work Failing bigger deployments more difficult to diagnose Urgent security rework and remediation Most senior and constrained IT ops resources have less time to Planned project work cannot completefix underlying process problems Frustrated customers leave Ever increasing backlog of work Market share goes downthat cold help the business win Business misses Wall Street Ever increasing amount of commitments tension between IT Ops, Development, Design Business makes even larger promises to Wall Street These arent IT or Infosec problemsThese are business problems! 6. My Mission: Figure Out How Break The IT CoreChronic Conflict Every IT organization is pressured tosimultaneously: Respond more quickly to urgent business needs Provide stable, secure and predictable IT serviceWords often used to describe process improvement: hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, notaligned with the business, immature, shrill, perpetually focused on irrelevanttechnical minutiae Source: The authors acknowledge Dr. Eliyahu Goldratt, creator of the Theory of Constraints and author of The Goal, has6written extensively on the theory and practice of identifying and resolving core, chronic conflicts. 7. Good News: It Can Be DoneBad News: You Cant Do It Alone 8. Ops 9. QA And Test Source: Flickr: vandyll 10. Development 11. Infosec 12. Product Management And Design Source: Flickr: birdsandanchors 13. Agenda Problem statement What is Rugged? What is DevOps? How do you do Rugged DevOps? Things you can do right away 13 14. Potentially Unfamiliar Words You Will See Kanban Andon cord Sprints Rugged DevOps Bottleneck Systems thinking Controls reliance14 15. Problem Statement15 16. Ludicrous Speed? 16 17. Ludicrous Speed17 18. Ludicrous Speed! 18 19. Ludicrous Fail?! 19 20. What Is DevOps? 20 21. Source: John Allspaw 22. Source: John Allspaw 23. Source: John Allspaw 24. Source: John Allspaw 25. Source: Theo Schlossnagle 26. Source: Theo Schlossnagle 27. Source: Theo Schlossnagle 28. Source: John Jenkins, 29. What Is Rugged? 30 30. Rugged Software DevelopmentJoshua Corman, David Rice, Jeff Williams2010 31. RUGGED SOFTWARE 32. so software not only needs to be 33. FAST 34. AGILE 35. Are You Rugged? 36. HARSH 37. UNFRIENDLY 38. THE MANIFESTO 39. I recognize that my code will be used in ways Icannot anticipate, in ways it was not designed, and for longer than it was ever intended. 40. CrossTalk 41. What Is Rugged DevOps? 46 42. Source: James Wickett 43. Source: James Wickett 44. Survival Guide/ Defensible Infrastructure 45. Survival Guide/Pyramid Operational Discipline Defensible Infrastructure 46. Survival Guide/Pyramid Situational Awareness Operational Discipline Defensible Infrastructure 47. Survival Guide/Pyramid Countermeasures Situational Awareness Operational DisciplineDefensible Infrastructure 48. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 49. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 50. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 51. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 52. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 53. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 54. Zombie Proof Housing s Situational Awareness Operational DisciplineDefensible Infrastructure 55. Source: James Wickett 56. How Do You DoRugged DevOps?64 57. The Prescriptive DevOps Cookbook DevOps Cookbook Authors Patrick DeBois, Mike Orzen,John Willis Goals Codify how to start and finishDevOps transformations How does Development, ITOperations and Infosecbecome dependable partners Describe in detail how toreplicate the transformationsdescribe in When IT Fails: TheNovel 58. The First Way:Systems Thinking 59. The First Way:Systems Thinking (Left To Right) Never pass defects to downstream work centers Never allow local optimization to create globaldegradation Increase flow: elevate bottlenecks, reduce WIP,throttle release of work, reduce batch sizes 60. Definition: Agile Sprints The basic unit of development in Agile Scrums,typically between one week and one month At the end of each sprint, team should havepotentially deliverable productAha Moment: shipping product implies not just code its the environment, too!68 61. Help Dev And Ops Build Code AndEnvironments Dev and Ops work together in Sprint 0 and 1 tocreate code and environments Create environment that Dev deploys into Create downstream environments: QA, Staging,Production Create testable migration procedures from Dev all theway to production Integrate Infosec and QA into daily sprintactivities 62. The First Way:Systems Thinking: Infosec Get a seat at the table DevOps programs are typically led by Dev, QA, ITOperations and Product Management Add value at every step in the flow of work See the end-to-end value flow Shorten and amplify feedback loops Help break silos (e.g., server, networking, database) 63. The First Way:Systems Thinking: Infosec Insurgency Have infosec attend the daily Agile standups Gain awareness of what the team is working on Find the automated infrastructure project team(e.g., puppet, chef) Provide hardening guidance Integrate and extend their production configuration monitoring Find where code packaging is performed Integrate security testing pre- and post-deployment Integrate into continuous integration and releaseprocess Add security test scripts to automated test library 64. The First Way:Outcomes Determinism in the release process Continuation of the Agile and CI/CR processes Creating single repository for code and environments Packaging responsibility moves to development Consistent Dev, QA, Int, and Staging environments, allproperly built before deployment begins Decrease cycle time Reduce deployment times from 6 hours to 45 minutes Refactor deployment process that had 1300+ steps spanning 4 weeks Faster release cadence 65. The Second Way:Amplify Feedback Loops 66. The Second Way:Amplify Feedback Loops (Right to Left) Protect the integrity of the entire system of work,versus completion of tasks Expose visual data so everyone can see howtheir decisions affect the entire system 67. Definition: Andon Cord 75 68. Integrate Ops Into Dev Embed Ops person into Dev structure Describes non-functional requirements, use casesand stories from Ops Responsible for improving quality at the source(e.g., reducing technical debt, fix known problems,etc.) Has special responsibility for pulling the Andon cord 69. Integrate Dev Into Ops MobBrowser case study: Waking up developersat 3am is a great feedback loop: defects getfixed very quickly Goal is to get Dev closer to the customer Infosec can help determine when its too close (andwhen SOD is a requirement) 70. Keep Shrinking Batch Sizes Waterfall projects often have cycle time of oneyear Sprints have cycle time of 1 or 2 weeks When IT Operations work is sufficiently fast andcheap, we may decide to decouple deploymentsfrom sprint boundaries (e.g., Kanbans) 71. Definition: Kanban Board Signaling tool to reduce WIP and increase flow79 72. The Second Way:Amplify Feedback Loops: Infosec Insurgency Extend criteria of what changes/deploys cannot bemade without triggering full retest Create reusable Infosec use and abuse stories thatcan be added to every project Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS attacks Integrate Infos