RUGGED DEVOPS WILL HELP YOU BUILD UR CLOUDZ
by @wickett and @ernestmueller
OUTLINE
•   Us, And Why You Care What We Say
•   The Cloud, And How It Is Threatening You
•   Rugged, And Its New Approach To Security
•   DevOps, And How It Is Driving Collaborative Solutions
•   Combining Cloud, Rugged, and DevOps To Solve The Problem
•   How We Did Cloud Security With DevOps At NI
•   Introducing RuggedDevOps Tool: Gauntlt
@wickett
Senior DevOps Engineer
CISSP, GWAPT, CCSK, GSEC, GCFW
james@wickett.me
@RuggedDevOps
theagileadmin.com

@ernestmueller
DevOps Platform Manager and Release Manager, Bazaarvoice
ernest.mueller@gmail.com
theagileadmin.com
WHAT IS THE CLOUD?
THE GRAND UNIFIED THEORY
(ISP -> colo -> MSP) + virtualization + HPC + (AJAX + SOA -> REST APIs) = IaaS
((web site -> web app) -> ASP) + virtualization + fast ubiquitous Internet + [RIA browsers && mobile] = SaaS
IDE/4GLs + (EAI -> SOA) + SaaS + IaaS = PaaS
[IaaS | PaaS | SaaS] + [devops | open source | noSQL] = cloud
CLOUDINESS
•   An outsourced managed service
•   providing hosted computing or functionality
•   delivered over the Internet
•   offering extreme scalability
•   by using dynamically provisioned, multitenant, virtualized
    systems, storage, and applications

•   controlled via REST APIs
•   and billed in a utility manner.
“Cloud? I’ve been doing that since 1988. It’s just the same old thing with a new name.” - Technohipster

Not new: virtualization, outsourcing, integration, interwebz
Pretty new: multitenant, massively scalable, elastic self provisioning, pay as you go
Resulting benefits: agility, economy of scale, low initial investment, scalable cost/opex, resilience, easy delivery
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
RUGGEDIZATION THEORY
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
No Pain, No Gain
RUGGED-ITIES
• Maintainability
• Availability
• Survivability
• Defensibility
• Security
• Longevity
• Portability
• Reliability
WHAT NEEDS TO HAPPEN
• Focus on real security. FUD doesn’t benefit anyone – figuring out how to “make it happen” – securely – benefits everyone.
• It’ll take time for compliance standards to get with the times – but don’t assume the cloud can’t be compliant – some of your auditors have actually heard of VMs and know what to do
• Organizations have to accept risk to reap rewards.
• Agile has taught orgs the collaborative approach is best
• Lean has taught orgs to experiment and iterate
source: Gene Kim, “When IT says No @SXSW 2012”
SECURITY SEES...
• They give advice that goes unheeded
• Business decisions made w/o regard of risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know,
  those devops guys)
• Inequitable distribution of labor
TRADITIONAL SECURITY
THE CLOUD RESPONSE
THE SEPARATION MODEL
DEVOPS
SERVICE LIFECYCLE
ANTIPATTERN! Deploying Software Manually
ANTIPATTERN! Deploying to a Production-like Environment Only after Development is Complete
ANTIPATTERN! Manual Configuration Management of Production Environments
CONTINUOUS INTEGRATION
• Check In Regularly
• Create an automated and comprehensive test suite
• Keep build and test short and fast
• All tests must pass before moving on
• Never Go Home on a broken build
• Never comment out failing tests
CONFIGURATION MANAGEMENT
• Infrastructure as Code (IaC)
• Model driven deployment
• Version control everything
• Know Your Environment if you want to make it defensible
RUGGED DEVOPS
BRIDGING SECURITY AND DEVOPS
DEVOPS (+SEC)
• Increased trend driven by agile development towards tight collaboration between developers and operations staff
• Be the “security buddy”
• Embed with projects, don’t be a seagull
• By understanding, be understood
• How secure are things usually when people and teams all work separately?
THE 6 R’S RUGGED DEVOPS
• repeatable – no manual steps
• reliable – no DoS here
• reviewable – aka audit
• rapid – fast to build, deploy, restore
• resilient – automated reconfiguration
• reduced – limited attack surface
APPLY RUGGED DEVOPS TO THE CLOUD
•   Start with a Rugged DevOps team
•   Use a lot of firewalls
•   Scan your code
•   Source to system
•   Threat modeling
•   Watch for changes
•   Pen Testing
BUILD A RUGGED DEVOPS TEAM
PEOPLE, PROCESS, TECH
PEOPLE AND PROCESS
• Sit near the dev and ops team, better yet, put them
  all on the same team
• Track security flaws or bugs in the same bug tracking
  system
• Automate whenever possible
• Involve team with vendors
• Measurement over time and clear communication
USE FIREWALLS... (A LOT OF THEM)
Traditional 3-Tier Web Architecture
[Diagram] Firewall -> Web, Web, Web (DMZ 1) -> Firewall -> Middle Tier, Middle Tier (DMZ 2) -> Firewall -> DB, LDAP (DMZ 3)

Cloud Firewalls and DMZ
[Diagram] Every host carries its own firewall: Web, Web, Web (DMZ x3) -> Middle Tier, Middle Tier (DMZ x2) -> DB, LDAP (DMZ x2). Labels: Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated.
[Diagram repeated over several slides: the same per-host firewall stack duplicated side by side for additional products and dev/test/prod environments]
RUGGED BENEFITS

• Control and traffic whitelisting
• Config management
• Reproducible, automated and source controlled
• No accidental data traversal across products or
  dev/test/prod tiers
• Dev and Test identical to Prod tier
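The per-tier whitelist from the diagram above can itself be kept as code and checked on every change. The following is an added example (not code from the deck or from any of the authors' tooling): tier names, ports and the sample rules are constructed, and the checks enforce the benefits listed above, namely whitelisted flows only, no traversal across env/product boundaries, and identical rule sets in dev, test and prod.

```ruby
# Added example: firewall tier policy as data, with checks that reject
# rules outside the whitelist, rules that cross an env/product boundary,
# and environments whose rule sets differ. All values are constructed.

# Allowed inbound flows per destination tier: tier => { source tier => [ports] }.
# :internet is the only source that may reach the web tier.
TIER_POLICY = {
  "web"    => { "internet" => [80, 443] },
  "middle" => { "web" => [8080] },
  "db"     => { "middle" => [3306] },
  "ldap"   => { "middle" => [389, 636] }
}.freeze

# Endpoints are "env/product/tier" strings, or the literal "internet".
def parse_endpoint(ep)
  return { env: nil, product: nil, tier: "internet" } if ep == "internet"
  env, product, tier = ep.split("/")
  { env: env, product: product, tier: tier }
end

# A rule is { src:, dst:, port: }. Returns the list of problems with one
# rule; an empty list means the rule is acceptable.
def check_rule(r)
  src = parse_endpoint(r[:src])
  dst = parse_endpoint(r[:dst])
  problems = []
  if src[:tier] != "internet" && (src[:env] != dst[:env] || src[:product] != dst[:product])
    problems << "#{r[:src]} -> #{r[:dst]} crosses an env/product boundary"
  end
  allowed = TIER_POLICY.fetch(dst[:tier], {}).fetch(src[:tier], [])
  unless allowed.include?(r[:port])
    problems << "#{src[:tier]} -> #{dst[:tier]}:#{r[:port]} is not whitelisted"
  end
  problems
end

def check_rules(rules)
  rules.flat_map { |r| check_rule(r) }
end

def strip_env(ep)
  ep == "internet" ? ep : ep.split("/", 2).last
end

# "Dev and Test identical to Prod": drop the env from every rule and
# require each environment to end up with the same normalized rule set.
def environments_match?(rules)
  by_env = rules.group_by { |r| parse_endpoint(r[:dst])[:env] }
  normalized = by_env.values.map do |rs|
    rs.map { |r| [strip_env(r[:src]), strip_env(r[:dst]), r[:port]] }.sort
  end
  normalized.uniq.size == 1
end

def rule(src, dst, port)
  { src: src, dst: dst, port: port }
end

# Constructed rule set for one product ("shop") in two environments.
GOOD_RULES = %w[prod dev].flat_map do |env|
  [
    rule("internet", "#{env}/shop/web", 443),
    rule("#{env}/shop/web", "#{env}/shop/middle", 8080),
    rule("#{env}/shop/middle", "#{env}/shop/db", 3306)
  ]
end

# Two mistakes a hand-edited rule set might contain: the dev middle tier
# let into the prod database, and a web host reaching the DB directly.
BAD_RULES = GOOD_RULES + [
  rule("dev/shop/middle", "prod/shop/db", 3306),
  rule("prod/shop/web", "prod/shop/db", 3306)
]

if __FILE__ == $PROGRAM_NAME
  puts "good rules accepted: #{check_rules(GOOD_RULES).empty? && environments_match?(GOOD_RULES)}"
  check_rules(BAD_RULES).each { |p| puts "REJECT #{p}" }
  puts "environments match after bad rules: #{environments_match?(BAD_RULES)}"
end
```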
SCAN THE CODE
• Scans for OWASP Top Ten and more
• Security Scanning as a Service
• Static and Dynamic scanning
• Integrated into development process
SOURCE TO SYSTEM
AUTOMATED PROVISIONING - PIE
• Programmable Infrastructure Environment (PIE)
• Code can be version controlled
• Make Infrastructure as code
• Defined once, deployed many times
• Eliminate repetitive tasks and human errors
• Rollback capability
• a framework to define, provision, monitor, and control cloud-based systems
• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and Microsoft Azure
• takes an XML-based model from source control and creates a full running system
THREAT MODEL ME
THREAT MODELING
• Understanding the threat profile of a system
• Provide a basis for secure design and implementation
• Discover vulnerabilities
• Provide feedback for the application security life cycle
p. 29 in Threat Modeling, Swiderski, Snyder
WATCH MY CHANGES
HOST INTRUSION DETECTION SYSTEM
• Watch the file system (using hashing and timestamps)
  – /etc/
  – /usr/bin
  –…
• Change control for applications
• Alert on changes and anomalies
• PIE watchdog
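The file-system watching described above, as an added example rather than code from the deck or from PIE: a baseline of SHA-256 hashes and mtimes is taken over a directory tree, a later snapshot is diffed against it, and every added, removed or modified file becomes an alert. The /etc-like tree it watches is constructed in a temporary directory for the demo.

```ruby
# Added example: minimal host intrusion detection by hashing and timestamps.
require "digest"
require "find"
require "tmpdir"
require "fileutils"

# Returns { relative_path => { sha256:, mtime: } } for every regular file
# under root. The hash catches content changes; the mtime catches
# touch-only changes and helps explain when something happened.
def snapshot(root)
  baseline = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path.sub(%r{\A#{Regexp.escape(root)}/?}, "")
    baseline[rel] = {
      sha256: Digest::SHA256.file(path).hexdigest,
      mtime: File.mtime(path).to_i
    }
  end
  baseline
end

# Diffs two snapshots. Returns { added:, removed:, modified: } with sorted
# relative paths; all three empty means nothing changed.
def diff_snapshots(before, after)
  added = after.keys - before.keys
  removed = before.keys - after.keys
  modified = (before.keys & after.keys).select do |rel|
    before[rel][:sha256] != after[rel][:sha256] || before[rel][:mtime] != after[rel][:mtime]
  end
  { added: added.sort, removed: removed.sort, modified: modified.sort }
end

# One alert line per change, in the form a watchdog would log or page on.
def alerts_for(changes, root)
  changes.flat_map do |kind, paths|
    paths.map { |rel| "ALERT #{kind.to_s.upcase} #{File.join(root, rel)}" }
  end
end

# Demo over a constructed /etc-like tree in a temporary directory.
# Returns the change set so it can be inspected programmatically.
def demo
  Dir.mktmpdir("hids") do |root|
    FileUtils.mkdir_p(File.join(root, "etc"))
    File.write(File.join(root, "etc/passwd"), "root:x:0:0:root:/root:/bin/bash\n")
    File.write(File.join(root, "etc/hosts"), "127.0.0.1 localhost\n")
    before = snapshot(root)

    # Simulate unauthorized changes: an account appended to passwd,
    # hosts removed, and a new startup file dropped in.
    File.open(File.join(root, "etc/passwd"), "a") { |f| f << "eve:x:1001:1001::/home/eve:/bin/sh\n" }
    File.delete(File.join(root, "etc/hosts"))
    File.write(File.join(root, "etc/rc.local"), "#!/bin/sh\n")

    changes = diff_snapshots(before, snapshot(root))
    alerts_for(changes, root).each { |a| puts a }
    changes
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

In practice the baseline would be stored off-host and refreshed only by the deployment pipeline, so that a change made outside change control is exactly what shows up.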
PEN TESTING
PENETRATION TESTING
• Use external and internal penetration testing
• White box testing vs. Black box testing
• Look for automation opportunities (ruby, python, …)
BUT WHAT ABOUT SECURITY TESTING IN MY CONTINUOUS INTEGRATION SYSTEM?
PUT YOUR CODE THROUGH THE GAUNTLT
GAUNTLET, N. AN ATTACK FROM ALL SIDES
[Diagram: your web app in the middle, surrounded by custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap, and you]
GAUNTLT IS BUILT FOR CONTINUOUS INTEGRATION
GAUNTLT IS AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
GAUNTLT INCLUDES
WHY GAUNTLT?
SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE AND COLLABORATE
GAUNTLT JOINS: THE PHILOSOPHY OF RUGGED SOFTWARE & OUTSIDE-IN TESTING
LET'S LOOK INSIDE A COUPLE OF THESE FILES
feature for nmap: nmap.feature
@gauntlet @run

Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

Background:
 Given nmap is installed

Scenario: Verify server is available on standard web ports
 Given the hostname in the profile.xml
 When I run nmap against the hostname in the profile on ports 80,443
 Then the output should contain:
  """
  80/tcp open http
  443/tcp open https
  """
step definition for nmap: nmap.rb
Given /^nmap is installed$/ do
 steps %{
   When I run `which nmap`
   Then the output should contain:
   """
   nmap
   """
 }
end

# Capture the two port numbers from the step text (\d+ matches digits)
# and pass them to nmap, so the ports the scenario names are the ones scanned.
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
 steps %{
   When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
 }
end
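The step above only checks that nmap's output contains the expected lines. A stricter check, which the "reduced – limited attack surface" goal calls for, also fails when something unexpected is open. The following is an added example (not from the deck or the gauntlt project): it parses nmap's normal output, which is constructed sample text here, and returns findings a step definition could raise as the scenario failure.

```ruby
# Added example: parse nmap normal output and compare the open ports
# against a whitelist, failing on both missing and unexpected ports.

# Constructed sample of nmap's normal output for a host with one extra
# open port (22/tcp) beyond the standard web ports.
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-01 12:00 CDT
  Nmap scan report for example.test (203.0.113.10)
  Host is up (0.012s latency).
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  80/tcp   open     http
  443/tcp  open     https
  8080/tcp filtered http-proxy
  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
NMAP

# Returns { "80/tcp" => ["open", "http"], ... } for every port line.
# Header, banner and summary lines do not start with a port and are skipped.
def parse_nmap_ports(output)
  ports = {}
  output.each_line do |line|
    m = line.match(%r{^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)})
    next unless m
    ports[m[1]] = [m[2], m[3]]
  end
  ports
end

# Open ports only, sorted numerically so findings read in a stable order.
def open_ports(output)
  parse_nmap_ports(output)
    .select { |_port, (state, _service)| state == "open" }
    .keys
    .sort_by { |p| p.to_i }
end

# Every expected port must be open and nothing else may be. Returns
# [passed?, findings] so a step definition can fail with a readable message.
def check_exposed_ports(output, expected)
  open = open_ports(output)
  missing = expected - open
  unexpected = open - expected
  findings = []
  missing.each { |p| findings << "expected #{p} to be open but it is not" }
  unexpected.each { |p| findings << "#{p} is open but not on the whitelist" }
  [findings.empty?, findings]
end

if __FILE__ == $PROGRAM_NAME
  ok, findings = check_exposed_ports(SAMPLE_NMAP_OUTPUT, %w[80/tcp 443/tcp])
  puts(ok ? "PASS: only the whitelisted ports are exposed" : "FAIL:\n  " + findings.join("\n  "))
end
```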
let's run gauntlt with the nmap.feature against google.com
running gauntlt with failing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

   Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
    Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
     """
     8080/tcp open http
     443/tcp open https
     """
...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s
running gauntlt with passing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

 Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
  Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
  When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
  Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
   """
   80/tcp open http
   443/tcp open https
   """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s
WALK VS. RUN
• gauntlt has two modes: walk and run
  • meaning fast and slow or smoke and full
  • This is done by labels in cucumber
  • For each feature you will get to decide if it is a @walk or a @run test or both
SOME REALIZATIONS
• The core of gauntlt needs to provide a set of functionality that encourages contributors to write extensions for their pen testing tools
• A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...
• Smoke tests and validation vs. long running testing (nightly/weekly)
JOIN THE PARTY!!
FORK GAUNTLT ON GITHUB
HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
CLOUD & SECURITY RESOURCES
• Book: Cloud Security and Privacy (Mather, Kumaraswamy, Latif)
• Jericho Forum (collaboration.opengroup.org/jericho/)
• Amazon AWS Security Center (aws.amazon.com/security)
• Austin Cloud User Group (acug.cloudug.org)
• Cloud Security Alliance (cloudsecurityalliance.org)
• CSA Austin Chapter (austincloud.org)
• CSA Security Guidance for Critical Areas in Cloud Computing
• ENISA Cloud Computing Risk Assessment
CONTACT US!
@ERNESTMUELLER
@WICKETT
 
The New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOpsThe New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOpsJames Wickett
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpJames Wickett
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOpJames Wickett
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS LaneJames Wickett
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
The State of DevSecOps in 2018
The State of DevSecOps in 2018The State of DevSecOps in 2018
The State of DevSecOps in 2018James Wickett
 

Mehr von James Wickett (20)

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
 
A Way to Think about DevSecOps: MEASURE
A Way to Think about DevSecOps: MEASUREA Way to Think about DevSecOps: MEASURE
A Way to Think about DevSecOps: MEASURE
 
The Security, DevOps, and Chaos Playbook to Change the World
The Security, DevOps, and Chaos Playbook to Change the WorldThe Security, DevOps, and Chaos Playbook to Change the World
The Security, DevOps, and Chaos Playbook to Change the World
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
A Tale of Woe, Chaos, and Business
A Tale of Woe, Chaos, and BusinessA Tale of Woe, Chaos, and Business
A Tale of Woe, Chaos, and Business
 
A DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and PeopleA DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and People
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsNewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
 
The New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOpsThe New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOps
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS Lane
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS Lane
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real World
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The State of DevSecOps in 2018
The State of DevSecOps in 2018The State of DevSecOps in 2018
The State of DevSecOps in 2018
 

Kürzlich hochgeladen

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Kürzlich hochgeladen (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Rugged DevOps Will help you build ur cloudz

  • 1. RUGGED DEVOPS WILL HELP YOU BUILD UR CLOUDZ by @wickett and @ernestmueller
  • 2. OUTLINE
      • Us, And Why You Care What We Say
      • The Cloud, And How It Is Threatening You
      • Rugged, And Its New Approach To Security
      • DevOps, And How It Is Driving Collaborative Solutions
      • Combining Cloud, Rugged, and DevOps To Solve The Problem
      • How We Did Cloud Security With DevOps At NI
      • Introducing RuggedDevOps Tool: Gauntlt
  • 3. @wickett, Senior DevOps Engineer; CISSP, GWAPT, CCSK, GSEC, GCFW; james@wickett.me; @RuggedDevOps; theagileadmin.com. NI CONFIDENTIAL
  • 4. @ernestmueller, DevOps Platform Manager and Release Manager, Bazaarvoice; ernest.mueller@gmail.com; theagileadmin.com
  • 5. WHAT IS THE CLOUD?
  • 6. THE GRAND UNIFIED THEORY
      (ISP -> colo -> MSP) + virtualization + HPC + (AJAX + SOA -> REST APIs) = IaaS
      ((web site -> web app) -> ASP) + virtualization + fast ubiquitous Internet + [RIA browsers && mobile] = SaaS
      IDE/4GLs + (EAI -> SOA) + SaaS + IaaS = PaaS
      [IaaS | PaaS | SaaS] + [devops | open source | noSQL] = cloud
  • 7. CLOUDINESS
      • An outsourced managed service
      • providing hosted computing or functionality
      • delivered over the Internet
      • offering extreme scalability
      • by using dynamically provisioned, multitenant, virtualized systems, storage, and applications
      • controlled via REST APIs
      • and billed in a utility manner.
  • 8. “Cloud? I’ve been doing that since 1988. It’s just the same old thing with a new name." - Technohipster
  • 9. Not new: virtualization, outsourcing, integration, interwebz.
      Pretty new: multitenant, massively scalable, elastic self provisioning, pay as you go.
      Resulting benefits: agility, economy of scale, low initial investment, scalable cost/opex, resilience, easy delivery.
  • 10.
  • 11. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  • 12. RUGGEDIZATION THEORY Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 13. No Pain, No Gain
  • 14. RUGGED-ITIES: Maintainability, Availability, Survivability, Defensibility, Security, Longevity, Portability, Reliability
  • 15. WHAT NEEDS TO HAPPEN
      • Focus on real security. FUD doesn’t benefit anyone – figuring out how to “make it happen” – securely – benefits everyone.
      • It’ll take time for compliance standards to get with the times – but don’t assume the cloud can’t be compliant – some of your auditors have actually heard of VMs and know what to do
      • Organizations have to accept risk to reap rewards.
      • Agile has taught orgs the collaborative approach is best
      • Lean has taught orgs to experiment and iterate
  • 16. source: Gene Kim, “When IT says No @SXSW 2012”
  • 17. SECURITY SEES...
      • They give advice that goes unheeded
      • Business decisions made w/o regard of risk
      • Irrelevancy in the organization
      • Constant bearer of bad news
      • Feels ignored by their peers (you know, those devops guys)
      • Inequitable distribution of labor
  • 24. ANTIPATTERN! Deploying to a Production-like Environment Only after Development is Complete
  • 25. ANTIPATTERN! Manual Configuration Management of Production Environments
  • 26. CONTINUOUS INTEGRATION
      • Check In Regularly
      • Create an automated and comprehensive test suite
      • Keep build and test short and fast
      • All tests must pass before moving on
      • Never Go Home on a broken build
      • Never comment out failing tests
  • 27. CONFIGURATION MANAGEMENT
      • Infrastructure as Code (IaC)
      • Model driven deployment
      • Version control everything
      • Know Your Environment if you want to make it defensible
  • 28.
  • 29.
  • 30.
  • 32. DEVOPS (+SEC)
      • Increased trend driven by agile development towards tight collaboration between developers and operations staff
      • Be the “security buddy”
      • Embed with projects, don’t be a seagull
      • By understanding, be understood
      • How secure are things usually when people and teams all work separately?
  • 33.
  • 34. THE 6 R’S OF RUGGED DEVOPS
      • repeatable – no manual steps
      • reliable – no DoS here
      • reviewable – aka audit
      • rapid – fast to build, deploy, restore
      • resilient – automated reconfiguration
      • reduced – limited attack surface
  • 35.
  • 36.
  • 37.
  • 38. APPLY RUGGED DEVOPS TO THE CLOUD
      • Start with a Rugged DevOps team
      • Use a lot of firewalls
      • Scan your code
      • Source to system
      • Threat modeling
      • Watch for changes
      • Pen Testing
  • 41. PEOPLE AND PROCESS
      • Sit near the dev and ops team, better yet, put them all on the same team
      • Track security flaws or bugs in the same bug tracking system
      • Automate whenever possible
      • Involve team with vendors
      • Measurement over time and clear communication
  • 43. Traditional 3-Tier Web Architecture (diagram): Firewall -> Web, Web, Web (DMZ 1) -> Firewall -> Middle Tier, Middle Tier (DMZ 2) -> Firewall -> DB, LDAP (DMZ 3)
  • 44. Cloud Firewalls and DMZ (diagram): a firewall in front of every host; Web x3 (DMZ x3), Middle Tier x2 (DMZ x2), DB and LDAP (DMZ x2)
  • 45. (diagram: the per-host firewall layout repeated for each environment) Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated
  • 46. (diagram: the same per-host firewall layout repeated across many product stacks)
  • 47. RUGGED BENEFITS
      • Control and traffic whitelisting
      • Config management
      • Reproducible, automated and source controlled
      • No accidental data traversal across products or dev/test/prod tiers
      • Dev and Test identical to Prod tier
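The per-host firewall design on slides 44 to 47 only delivers "no accidental data traversal" if the rule set is checked against the intended tier model every time it is regenerated. The following is an added example, not code from the slides or from NI's tooling: it expresses the 3-tier whitelist as data and checks a constructed set of inbound firewall rules (the shape an infrastructure-as-code template or a cloud API listing would hand back) for flows outside the model, for environment bridging, and for flows the model requires but the rules lack. Tier names, port numbers and the `Rule` fields are assumptions made for the example.

```ruby
# Added example (not from the slides or from NI's own tooling): a check that a
# set of per-host firewall rules only allows the tier-to-tier flows the 3-tier
# design intends and never crosses dev/test/prod environments.
require 'set'

# Which source tier may talk to which destination tier, and on which ports.
# These flows are the whole whitelist; everything else is denied. (Assumed model.)
ALLOWED_FLOWS = {
  ['internet', 'web']    => [80, 443],
  ['web',      'middle'] => [8080],
  ['middle',   'db']     => [5432, 389],
}.freeze

# One inbound allow entry on a host's firewall. Constructed sample data standing
# in for what a template or the cloud provider's API would return.
Rule = Struct.new(:host, :env, :tier, :from_tier, :from_env, :port, keyword_init: true)

SAMPLE_RULES = [
  Rule.new(host: 'web-1', env: 'prod', tier: 'web',    from_tier: 'internet', from_env: 'prod', port: 443),
  Rule.new(host: 'web-1', env: 'prod', tier: 'web',    from_tier: 'internet', from_env: 'prod', port: 80),
  Rule.new(host: 'mid-1', env: 'prod', tier: 'middle', from_tier: 'web',      from_env: 'prod', port: 8080),
  Rule.new(host: 'db-1',  env: 'prod', tier: 'db',     from_tier: 'middle',   from_env: 'prod', port: 5432),
  # Three constructed violations a reviewer should catch:
  Rule.new(host: 'db-1',  env: 'prod', tier: 'db',     from_tier: 'web',      from_env: 'prod', port: 5432), # web straight to DB
  Rule.new(host: 'mid-1', env: 'prod', tier: 'middle', from_tier: 'web',      from_env: 'test', port: 8080), # test reaching prod
  Rule.new(host: 'web-1', env: 'prod', tier: 'web',    from_tier: 'internet', from_env: 'prod', port: 22),   # SSH from the internet
].freeze

# Returns human-readable findings; an empty list means the rules match the model.
def check_rules(rules, allowed = ALLOWED_FLOWS)
  findings = []
  rules.each do |r|
    if r.from_env != r.env
      findings << "#{r.host}: rule allows #{r.from_env} -> #{r.env} traffic (environments must not be bridged)"
      next
    end
    ports = allowed[[r.from_tier, r.tier]]
    if ports.nil?
      findings << "#{r.host}: flow #{r.from_tier} -> #{r.tier} is not in the whitelist"
    elsif !ports.include?(r.port)
      findings << "#{r.host}: port #{r.port} is not whitelisted for #{r.from_tier} -> #{r.tier}"
    end
  end
  findings
end

# Every modelled flow should actually be present in an environment; otherwise the
# deployed environment does not match the model (the prod/dev/test matching point).
def missing_flows(rules, env, allowed = ALLOWED_FLOWS)
  present = rules.select { |r| r.env == env && r.from_env == env }
                 .map { |r| [r.from_tier, r.tier, r.port] }.to_set
  allowed.flat_map { |(from, to), ports| ports.map { |p| [from, to, p] } }
         .reject { |f| present.include?(f) }
end

if __FILE__ == $PROGRAM_NAME
  check_rules(SAMPLE_RULES).each { |f| puts "VIOLATION #{f}" }
  missing_flows(SAMPLE_RULES, 'prod').each { |f| puts "MISSING   #{f.join(' ')}" }
end
```

Run as a build step, a non-empty result from either function fails the pipeline, which is what turns "use a lot of firewalls" into something reviewable rather than a one-time setup.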
  • 49.
      • Scans for OWASP Top Ten and more
      • Security Scanning as a Service
      • Static and Dynamic scanning
      • Integrated into development process
  • 51. AUTOMATED PROVISIONING - PIE
      • Programmable Infrastructure Environment (PIE)
      • Code can be version controlled
      • Make Infrastructure as code
      • Defined once, deployed many times
      • Eliminate repetitive task and human errors
      • Rollback capability
  • 52.
      • a framework to define, provision, monitor, and control cloud-based systems
      • written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and Microsoft Azure
      • takes an XML-based model from source control and creates a full running system
  • 54. THREAT MODELING
      • Understanding the threat profile of a system
      • Provide a basis for secure design and implementation
      • Discover vulnerabilities
      • Provide feedback for the application security life cycle
      (p. 29 in Threat Modeling, Swiderski, Snyder)
  • 56. HOST INTRUSION DETECTION SYSTEM
      • Watch the file system (using hashing and timestamps) – /etc/ – /usr/bin –…
      • Change control for applications
      • Alert on changes and anomalies
      • PIE watchdog
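Slide 56 describes the host intrusion detection approach (hash and timestamp the file system, alert on changes) without showing the mechanism. The block below is an added example, not the PIE watchdog or any code from the slides: it builds a baseline of SHA-256 hash, size and mtime for every file under a watched root, takes a second snapshot, and reports added, removed, modified and merely touched files. The watched root is a temporary directory filled with constructed files so it runs anywhere; the file names and contents are assumptions for the demo. In a real deployment the root would be /etc, /usr/bin and the application tree, and the baseline would be stored off-host so that an intruder who gains root cannot rewrite it.

```ruby
# Added example (not from the slides or from NI's PIE watchdog): a minimal
# file-integrity check. Records sha256/size/mtime per file, then diffs a later
# snapshot against the baseline.
require 'digest'
require 'find'
require 'fileutils'
require 'tmpdir'

# Map of relative path => { sha256:, size:, mtime: } for every regular file under root.
def build_baseline(root)
  baseline = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    st = File.stat(path)
    baseline[path.sub(%r{\A#{Regexp.escape(root)}/?}, '')] = {
      sha256: Digest::SHA256.file(path).hexdigest,
      size:   st.size,
      mtime:  st.mtime.to_i,
    }
  end
  baseline
end

# Compare two snapshots. A file is "modified" when its hash differs; a changed
# mtime with an identical hash is reported as "touched", since a timestamp that
# moves while content does not is an anomaly worth a look rather than an alert.
def diff_baseline(old, new)
  common = old.keys & new.keys
  {
    added:    (new.keys - old.keys).sort,
    removed:  (old.keys - new.keys).sort,
    modified: common.select { |p| old[p][:sha256] != new[p][:sha256] }.sort,
    touched:  common.select { |p| old[p][:sha256] == new[p][:sha256] && old[p][:mtime] != new[p][:mtime] }.sort,
  }
end

# Run one full cycle against a constructed directory tree and return the diff.
def demo
  Dir.mktmpdir('hids-demo') do |root|
    FileUtils.mkdir_p(File.join(root, 'etc'))
    File.write(File.join(root, 'etc', 'passwd'), "root:x:0:0::/root:/bin/sh\n")
    File.write(File.join(root, 'etc', 'hosts'),  "127.0.0.1 localhost\n")
    File.write(File.join(root, 'app.conf'),      "listen = 443\n")
    before = build_baseline(root)

    # Constructed changes: an edited config, a new startup script, a removed file,
    # and a file whose timestamp changes while its contents do not.
    File.write(File.join(root, 'app.conf'), "listen = 443\ndebug = true\n")
    File.write(File.join(root, 'etc', 'rc.local'), "#!/bin/sh\n")
    File.delete(File.join(root, 'etc', 'hosts'))
    later = Time.now + 3600
    File.utime(later, later, File.join(root, 'etc', 'passwd'))

    diff_baseline(before, build_baseline(root))
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |kind, paths| paths.each { |p| puts "#{kind.to_s.upcase.ljust(8)} #{p}" } }
end
```

The "touched" category is the reason the slide says hashing *and* timestamps: hashes alone miss a file that was rewritten with identical content (a sign something is tampering with the host), and timestamps alone are trivially reset.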
  • 58. PENETRATION TESTING
      • Use external and internal penetration testing
      • White box testing vs. Black box testing
      • Look for automation opportunities (ruby, python, …)
  • 59. BUT WHAT ABOUT SECURITY TESTING IN MY CONTINUOUS INTEGRATION SYSTEM?
  • 60. PUT YOUR CODE THROUGH THE GAUNTLT
  • 61. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  • 62. custom attacks dirbuster metasploit sqlmap fuzzers nessus w3af nmap Your web app You
  • 63. GAUNTLT IS BUILT FOR CONTINUOUS INTEGRATION
  • 66. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  • 67. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  • 69. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  • 70. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE AND COLLABORATE
  • 71. GAUNTLT JOINS: THE PHILOSOPHY OF RUGGED SOFTWARE & OUTSIDE-IN TESTING
  • 72. LET'S LOOK INSIDE A COUPLE OF THESE FILES
  • 73. feature for nmap: nmap.feature
      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:
        Given nmap is installed

      Scenario: Verify server is available on standard web ports
        Given the hostname in the profile.xml
        When I run nmap against the hostname in the profile on ports 80,443
        Then the output should contain:
        """
        80/tcp open http
        443/tcp open https
        """
  • 74. step definition for nmap: nmap.rb
      # Background step: fail early if nmap is not on the PATH of the CI box.
      Given /^nmap is installed$/ do
        steps %{
          When I run `which nmap`
          Then the output should contain:
          """
          nmap
          """
        }
      end

      # The two port numbers are captured from the step text (\d+ needs its
      # backslash) and passed to nmap, so the feature controls what is scanned
      # instead of the ports being hard-coded here. @hostname is set by the
      # "Given the hostname in the profile.xml" step in profile.rb.
      When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
        steps %{
          When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
        }
      end
  • 75. let's run gauntlt with the nmap.feature against google.com
  • 76. running gauntlt with failing tests
      wickett$ gauntlt
      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:                                                                  # features/nmap/nmap.feature:5
          Given nmap is installed                                                    # features/step_definitions/nmap.rb:2

        Scenario:Verify server is available on standard web ports                    # features/nmap/nmap.feature:8
          Given the hostname in the profile.xml                                      # features/step_definitions/profile.rb:1
          When I run nmap against the hostname in the profile on ports 8080,443      # features/step_definitions/nmap.rb:12
          Then the output should contain:                                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
            """
            8080/tcp open http
            443/tcp open https
            """
      ...
      Failing Scenarios:
      cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports

      1 scenario (1 failed)
      4 steps (1 failed, 3 passed)
      0m0.341s
  • 77. running gauntlt with passing tests
      wickett$ gauntlt
      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:                                                                  # features/nmap/nmap.feature:5
          Given nmap is installed                                                    # features/step_definitions/nmap.rb:2

        Scenario:Verify server is available on standard web ports                    # features/nmap/nmap.feature:8
          Given the hostname in the profile.xml                                      # features/step_definitions/profile.rb:1
          When I run nmap against the hostname in the profile on ports 80,443        # features/step_definitions/nmap.rb:12
          Then the output should contain:                                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
            """
            80/tcp open http
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m1.117s
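The nmap feature above passes or fails on a raw substring match against nmap's output, which is brittle (column spacing, service names) and can only ask "are the expected ports open". The block below is an added example, not part of gauntlt or of the slides: a small parser for nmap's normal-format port table that a step definition could call on the captured output, answering both the feature's question (expected ports open) and the "reduced attack surface" question from the 6 R's (is anything else listening). The nmap output embedded here is constructed sample text, not a real scan, and the function names are my own; wiring them into a `Then` step on aruba's captured output is assumed, not shown in gauntlt.

```ruby
# Added example (not gauntlt code): parse nmap's "PORT STATE SERVICE" table and
# check it against expected and allowed port lists. Sample output is constructed.
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap ( https://nmap.org )
  Nmap scan report for example-target (203.0.113.10)
  Host is up (0.012s latency).

  PORT     STATE    SERVICE
  22/tcp   open     ssh
  80/tcp   open     http
  443/tcp  open     https
  8080/tcp filtered http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
NMAP

PortLine = Struct.new(:port, :proto, :state, :service)

# One PortLine per "NNN/proto state service" row; header, banner and blank
# lines do not match the pattern and are ignored.
def parse_nmap_ports(output)
  output.each_line.filter_map do |line|
    m = line.match(%r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    PortLine.new(m[1].to_i, m[2], m[3], m[4]) if m
  end
end

def open_ports(output)
  parse_nmap_ports(output).select { |p| p.state == 'open' }.map(&:port)
end

# The feature's question: are all of the expected ports reported open?
def expected_ports_open?(output, expected)
  (expected - open_ports(output)).empty?
end

# The attack-surface question: which open ports are not on the allow list?
def unexpected_open_ports(output, allowed)
  open_ports(output) - allowed
end

if __FILE__ == $PROGRAM_NAME
  puts "80/443 open:     #{expected_ports_open?(SAMPLE_NMAP_OUTPUT, [80, 443])}"
  puts "unexpected open: #{unexpected_open_ports(SAMPLE_NMAP_OUTPUT, [80, 443]).inspect}"
end
```

With this in place the failing run on slide 76 becomes a clear "8080 is not open" rather than a substring mismatch, and the sample output's stray SSH listener on port 22 would fail a build that only whitelists 80 and 443, which is the kind of regression a CI-driven gauntlet is there to catch.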
  • 78. WALK VS. RUN
      • gauntlt has two modes: walk and run
      • meaning fast and slow, or smoke and full
      • This is done by labels in cucumber
      • For each feature you will get to decide if it is a @walk or a @run test or both
  • 79. SOME REALIZATIONS
      • The core of gauntlt needs to provide a set of functionality that encourages contributors to write extensions for their pen testing tools
      • A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...
      • Smoke tests and validation vs. long running testing (nightly/weekly)
  • 80. JOIN THE PARTY!! FORK GAUNTLT ON GITHUB
  • 82. CLOUD & SECURITY RESOURCES
      • Book: Cloud Security and Privacy (Mather, Kumaraswamy, Latif)
      • Jericho Forum (collaboration.opengroup.org/jericho/)
      • Amazon AWS Security Center (aws.amazon.com/security)
      • Austin Cloud User Group (acug.cloudug.org)
      • Cloud Security Alliance (cloudsecurityalliance.org)
      • CSA Austin Chapter (austincloud.org)
      • CSA Security Guidance for Critical Areas in Cloud Computing
      • ENISA Cloud Computing Risk Assessment