United2012 Rugged DevOps Rocks

Description

Excited about this redone presentation on how DevOps is the most important event for Infosec in at least the last 20 years.

Transcript of United2012 Rugged DevOps Rocks

1. SECURITY IS DEAD. LONG LIVE RUGGED DEVOPS: Joshua Corman, Gene Kim. IT at Ludicrous Speed, September 12-14, 2012, Grand Hyatt, San Francisco. Truth, Lies and Decisions: Moving Forward in an Insecure World, September 2012.

2. Gene Kim: Two Truths and a Lie. "Please fill out the table below with two statements that are true and one lie about yourself. I will put the information into the polling system to go live before your presentation."
   - I didn't know that Purdue University was in Indiana, otherwise I wouldn't have gone there: Truth
   - I still carry around a J. R. R. Tolkien book in my briefcase everywhere I go: Lie
   - I have an outrageous man-crush on my co-presenter, Josh Corman: Truth

3. About Joshua Corman: Director of Security Intelligence for Akamai Technologies
   - Former Research Director, Enterprise Security [The 451 Group]
   - Former Principal Security Strategist [IBM ISS]
   Industry:
   - Expert Faculty: The Institute for Applied Network Security (IANS)
   - 2009 NetworkWorld Top 10 Tech People to Know
   - Co-Founder of Rugged Software, www.ruggedsoftware.org
   - BLOG: www.cognitivedissidents.com
   Things I've been researching:
   - Compliance vs Security
   - Disruptive Security for Disruptive Innovations
   - Chaotic Actors
   - Espionage
   - Security Metrics

4. Josh Corman: Two Truths and a Lie. "Please fill out the table below with two statements that are true and one lie about yourself. I will put the information into the polling system to go live before your presentation."
   - My philosophy thesis was entitled "Schizophrenic Alienated Tennis Pros in Love": Truth
   - I'm the president of my local zombie survivalist chapter: Lie
   - I have a life sized statue of Spider-Man in my foyer: Truth

5. About Gene Kim: Researcher, Author
   Industry:
   - Invented and founded Tripwire, CTO (1997-2010)
   - Co-author: Visible Ops Handbook (2006), Visible Ops Security (2008)
   - Co-author: When IT Fails: The Novel, The DevOps Cookbook (Coming May 2012)
   Things I've been researching:
   - Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance
   - DevOps, Rugged DevOps
   - Scoping PCI Cardholder Data Environment

6. PART 1: THE PROBLEM

7. Consequences: Value & Replaceability. http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/

8. You Don't Need To Be Faster Than the Bear

9. How will we rise?

10. DEPENDENCE

11. SOFTWARE AS VULNERABILITY

12. CONNECTED AS EXPOSED

13. OUR CHALLENGES ARE NOT TECHNICAL, BUT CULTURAL

14. WE CAN DO BETTER

15. PART 2: DEVOPS

16. Source: John Allspaw

17. Source: John Allspaw

18. Source: John Allspaw

19. Source: John Allspaw

20. Source: Theo Schlossnagle

21. Source: Theo Schlossnagle

22. Source: Theo Schlossnagle

23. Source: John Jenkins, Amazon.com

24. Ludicrous Speed?

25. Ludicrous Speed

26. Ludicrous Speed!

27. PART 3: RUGGED

28. WHAT IS RUGGED?

29. WHAT IS RUGGED?

30. RUGGED SOFTWARE DEVELOPMENT. Joshua Corman, David Rice, Jeff Williams, 2010

31. RUGGED SOFTWARE

32. so software not only needs to be

33. FAST

34. AGILE

35. Are You Rugged?

36. HARSH

37. UNFRIENDLY

38. THE MANIFESTO

39. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

40. www.ruggedsoftware.org; https://www.ruggedsoftware.org/documents/; CrossTalk: http://www.crosstalkonline.org/issues/marchapril-2011.html

41. From the Rugged Handbook StrawMan

42. WHAT IS RUGGED DEVOPS?

43. Source: James Wickett

44. http://www.youtube.com/watch?v=JQEBYxp_vKs

45. Survival Guide/Pyramid (www.ruggedsoftware.org): Defensible Infrastructure

46. Survival Guide/Pyramid: Operational Discipline; Defensible Infrastructure

47. Survival Guide/Pyramid: Situational Awareness; Operational Discipline; Defensible Infrastructure

48. Survival Guide/Pyramid: Countermeasures; Situational Awareness; Operational Discipline; Defensible Infrastructure

49. Source: James Wickett

50. PART 4: ROCKING INFOSEC WITH RUGGED DEVOPS

51. The First Way: Systems Thinking

52. The First Way: Systems Thinking (Business) (Customer)

53. The First Way: Systems Thinking (Left To Right)
   - Understand the flow of work
   - Always seek to increase flow
   - Never unconsciously pass defects downstream
   - Never allow local optimization to cause global degradation
   - Achieve profound understanding of the system

54. Create One Step Environment Creation Process
   - Make environments available early in the Development process
   - Make sure Dev builds the code and environment at the same time
   - Create a common Dev, QA and Production environment creation process

55. Embed Into Automated Infrastructure Team
   - Get educated on open source tools like puppet and chef
   - Provide them your hardening guidance
   - Add your monitoring tools

56. Break Things Early And Often
   - Do painful things more frequently, so you can make it less painful
   - "We don't get pushback from Dev, because they know it makes rollouts smoother." -- Adrian Cockcroft, Architect, Netflix

57. Break Things Early And Often
   - Enforce consistency in code, environments and configurations across the environments
   - Add your ASSERTs to find misconfigurations, enforce https, etc.
   - Add static code analysis to automated continuous integration and testing process

58. The First Way: Systems Thinking: Infosec Insurgency
   - Have someone attend the daily Agile standups
   - Gain awareness of what the team is working on
   - Define what changes/deploys cannot be made without triggering full retest

59. Definition: Kanban Board. Signaling tool to reduce WIP and increase flow

60. The First Way: Outcomes
   - Determinism in the release process
   - Creating single repository for code and environments
   - Consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins
   - Decreased cycle time
   - Reduce deployment times from 6 hours to 45 minutes
   - Refactor deployment process that had 1300+ steps spanning 4 weeks
   - Faster release cadence

61. The Second Way: Amplify Feedback Loops

62. The Second Way: Amplify Feedback Loops (Right to Left)
   - Understand and respond to the needs of all customers, internal and external
   - Shorten and amplify all feedback loops: stop the line when necessary
   - Create quality at the source
   - Create and embed knowledge where we need it

63. "We found that when we woke up developers at 2am, defects got fixed faster than ever" - Patrick Lightbody, CEO, BrowserMob

64. Phase 2: Extend Release Process And Create Right -> Left Feedback Loops
   - Invite Dev to post-mortems/root cause analysis meeting
   - Have Dev and Infosec cross-train IT Operations
   - Ensure application monitoring/metrics to aid in Ops and Infosec work (e.g., incident/problem management)

65. The Second Way: Amplify Feedback Loops: Infosec Insurgency
   - Give production feedback to developers: being attacked is a gift
   - Capture all instances of UNION ALL in user input and graph it, show it to developers
   - Show all instances of segfaults
   - Create reusable Infosec use and abuse stories that can be added to every project
   - Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS attacks
   - Pre-enable, shield, streamline successful audits
   - Document separation of duty and compensating controls
   - Don't let them disrupt the work

66. The Second Way: Outcomes
   - Defects and security issues getting fixed faster than ever
   - Reusable Ops and Infosec user stories now part of the Agile process
   - All groups communicating and coordinating better
   - Everybody is getting more work done

67. The Third Way: Culture Of Continual Experimentation And Learning

68. The Third Way: Culture Of Continual Experimentation And Learning
   - Foster a culture that rewards: Experimentation (taking risks) and learning from failure; Repetition is the prerequisite to mastery
   - Why? You need a culture that keeps pushing into the danger zone, and have the habits that enable you to survive in the danger zone

69. The best way to avoid failure is to fail constantly

70. An Innovation Culture. "By installing a rampant innovation culture, they now do 165 experiments in the three months of tax season. Our business result? Conversion rate of the website is up 50 percent. Employee result? Everyone loves it, because now their ideas can make it to market." -- Scott Cook, Intuit Founder

71. You Don't Choose Chaos Monkey, Chaos Monkey Chooses You

72. Help Product Management. Lesson: Allocate 20% of Dev cycles to paying down technical debt

73. Phase 3: Organize Dev and Ops To Achieve Organizational Goals
   - Allocate 20% of Dev cycles to non-functional requirements
   - Integrate fault injection and resilience into design, development and production (e.g., Chaos Monkey)

74. The Third Way: Culture Of Continual Experimentation And Learning: Infosec
   - Infosec remediation projects in the Agile backlog
   - Make technical debt visible
   - Help prioritize work against features and other non-functional requirements
   - Release your Chaos Monkey: Evil/Fuzzy/Chaotic Monkey
   - Eradicate SQLi and XSS defects in our lifetime
   - Find processes that waste everyone's time
   - Eliminate needless complexity

75. The Third Way: Outcomes
   - Technical debt is being paid off
   - Exploitable attack surface area decreases
   - Continual reduction of unplanned work
   - More cycles for planned work
   - More resilient code and environments
   - Balancing nimbleness and practiced repetition
   - Enabling wider range of risk/reward balance

76. PART 5: WHY?

77. When IT Fails: The Novel and The DevOps Cookbook. Coming in July 2012. "In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike." - Paul Muller, VP Software Marketing, Hewlett-Packard. "The greatest IT management book of our generation." - Branden Williams, CTO Marketing, RSA

78. When IT Fails: The Novel and The DevOps Cookbook. If you would like these slides, the Top 10 Things You Need To Know About DevOps, Rugged DevOps resources, and updates on the book:
   - Sign up at http://itrevolution.com
   - Email [email protected]
   - Give me your business card

79. END
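Slide 57 recommends enforcing configuration consistency across environments and adding ASSERTs that catch misconfigurations such as HTTPS not being forced. The following Python check is an added example, not code from the slides or the speakers: it reports setting keys that drift between environments and asserts the HTTPS-related settings everywhere except dev; the environment names, setting keys and the TLS 1.2 floor are constructed assumptions.

```python
"""Environment configuration ASSERTs, meant to run in CI next to the test suite."""
import sys

# Constructed per-environment settings (hypothetical keys, not from the original slides).
# prod is deliberately missing db_host and pins an old TLS version so the check has something to find.
ENVIRONMENTS = {
    "dev":  {"force_https": False, "debug": True,  "cookie_secure": False, "tls_min_version": "1.0", "db_host": "localhost"},
    "qa":   {"force_https": True,  "debug": False, "cookie_secure": True,  "tls_min_version": "1.2", "db_host": "qa-db"},
    "prod": {"force_https": True,  "debug": False, "cookie_secure": True,  "tls_min_version": "1.0"},
}

# Settings that must hold wherever a real user can reach, i.e. every environment but dev.
REQUIRED_OUTSIDE_DEV = {
    "force_https": True,    # refuse or redirect plain HTTP
    "debug": False,         # no stack traces or debug consoles exposed
    "cookie_secure": True,  # session cookies travel only over HTTPS
}
MIN_TLS = (1, 2)  # assumed floor for this example

def config_drift(envs):
    """Keys present in some environments but not all: the consistency check across environments."""
    key_sets = [set(cfg) for cfg in envs.values()]
    return sorted(set().union(*key_sets) - set.intersection(*key_sets))

def check_environment(name, cfg):
    """Return the misconfigurations for one environment; an empty list means it passes."""
    problems = []
    if name == "dev":
        return problems  # dev is allowed to run plain HTTP with debug on
    for key, wanted in REQUIRED_OUTSIDE_DEV.items():
        if cfg.get(key) != wanted:
            problems.append(f"{name}: {key} should be {wanted!r}, got {cfg.get(key)!r}")
    version = tuple(int(p) for p in cfg.get("tls_min_version", "0").split("."))
    if version < MIN_TLS:
        problems.append(f"{name}: tls_min_version {cfg.get('tls_min_version')} is below 1.2")
    return problems

def audit_environments(envs):
    """Collect every finding so CI fails loudly instead of passing defects downstream."""
    findings = [f"key drift across environments: {k}" for k in config_drift(envs)]
    for name, cfg in envs.items():
        findings.extend(check_environment(name, cfg))
    return findings

if __name__ == "__main__":
    results = audit_environments(ENVIRONMENTS)
    for finding in results:
        print("FAIL", finding)
    sys.exit(1 if results else 0)  # non-zero exit breaks the build
```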
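Slide 65 asks Infosec to capture every UNION ALL seen in user input, graph it, and show it to developers. As an added example, not from the slides or the speakers, this Python script does that over constructed access-log lines in Combined Log Format: it URL-decodes the query string (the user-controlled part of the request), matches the two keywords with any whitespace between them, including encoded newlines, and tallies sightings per day and endpoint for a plain-text chart. The log lines, IPs and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2012:10:01:12 +0000] "GET /search?q=rugged HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2012:10:01:44 +0000] "GET /search?q=x%27+UNION+ALL+SELECT+1 HTTP/1.1" 200 512 "-" "curl/7.2"
198.51.100.9 - - [12/Sep/2012:10:02:03 +0000] "GET /item?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2012:02:15:21 +0000] "GET /item?id=42%20union%0aall%20select HTTP/1.1" 500 0 "-" "python-requests"
192.0.2.33 - - [13/Sep/2012:02:16:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Case-insensitive; \s+ also covers encoded tabs and newlines between the keywords.
UNION_ALL_RE = re.compile(r'\bunion\s+all\b', re.IGNORECASE)

def decode_user_input(target):
    """Return the decoded query string, the part of the request line the user controls."""
    return unquote_plus(urlsplit(target).query)

def count_union_all(log_text):
    """Tally UNION ALL sightings per (day, path) so the series can be graphed for developers.
    Returns (Counter, total_parsed_requests)."""
    counts, total = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        total += 1
        if UNION_ALL_RE.search(decode_user_input(m.group("target"))):
            counts[(m.group("day"), urlsplit(m.group("target")).path)] += 1
    return counts, total

def render_bars(counts):
    """Plain-text bar chart, one row per (day, path), for the feedback loop to developers."""
    return [f"{day} {path:<12} {'#' * n} ({n})" for (day, path), n in sorted(counts.items())]

if __name__ == "__main__":
    counts, total = count_union_all(SAMPLE_LOG)
    print(f"{sum(counts.values())} UNION ALL sightings in {total} requests")
    print("\n".join(render_bars(counts)))
```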