3. @wickett
• Operations and Security for software delivered on the cloud
• National Instruments, R&D
• Certs: CISSP, GSEC, GCFW, CCSK
• Tags: OWASP, Cloud, DevOps, Ruby
• Blogger at theagileadmin.com
• I do stuff for LASCON (http://lascon.org)
• Twitter: @wickett
4. Cloud @ NI
We built a DevOps team to rapidly deliver new SaaS products and product functionality, using cloud hosting and services (IaaS, PaaS, SaaS) as the platform, and operations driven by model-based automation as a key differentiating element.
With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.
5. National Instruments
• 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010
• Hardware and software for data acquisition, embedded design, instrument control, and test
• LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields
11. FPGA Compile Cloud
• LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex
• Implemented on Amazon: EC2, Java/Linux, C#/.NET/Windows, and LabVIEW FPGA
• Also an on-premise product, the "Compile Farm"
15. Am I healthy?
• Latest and greatest research
• Justification to insurance companies
• Measurement and testing as available
• Point-in-time snapshot
17. Am I secure?
• Latest and greatest vulnerabilities
• Justification of budget for tools
• Measurement and testing as available
• Point-in-time snapshot
20. If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea.
- Antoine Jean-Baptiste Marie Roger de Saint-Exupéry
21. Twitter Survey
What is one word that you would use to describe "IT Security" people?
23. Us vs. Them
• Security professionals often disparage developers
• Developers don't get security people
• There is interest across the aisle, but it is often ruined by negative language
24. Why do you see the speck that is in your brother's eye, but do not notice the log that is in your own eye?
- Jesus
59. Security as a Feature
• SaaF is possible, but hard for most products
• Tough to measure
• Hidden among other features
60. Rugged as a Feature
• RaaF addresses needs customers actually feel
• Values that people covet
• Buyers want it
61. Qualities of Rugged Software
• Availability - speed and performance
• Longevity, long-standing, persistent - time
• Scalable, portable
• Maintainable and defensible - topology map
• Resilient in the face of failures
• Reliable - time, load
62. Measuring Ruggedness
• Physical: heat, cold, friction, time, quantity of use, type of use
• Software: concurrency, transactions, speed, serial load, input handling, entropy, lines of code
63. Measuring Frameworks
• Measured by lack of incidents and by quantifying risk and vulns
• OWASP / CVE tracking
• Common Vulnerability Scoring System (CVSS)
• MITRE Common Weakness Enumeration (CWE)
• Common Weakness Scoring System (CWSS)
65. Marketing Possibilities
• Positive: Rugged Rating System
• 3rd-party verification of Ruggedness
• Self-attestation
• Negative: warning signs
• Buyers' Bill of Rights
70. Explicit Requirements
• Customers demand
• 20% of use cases
• Most vocal
• Failure results in loss of customers, but not all customers
71. Implicit Requirements
• Customers assume
• 80% of use cases
• Unsaid and unspoken
• Most basic and expected features
• Failure results in a loss of most customers
77. People and Process
• Sit near the developers... DevOpsSec
• Track security flaws or bugs in the same bug tracking system
• Train to automate
• Involve the team with vendors
• Measurement over time and clear communication
78. OPSEC Framework
• Know your system and people
• Make security better in small steps
• Add layers of security without overcompensating
• Use a weekly, iteration-based approach to security
81. Configuration Management
• Infrastructure as Code (IaC)
• Model-driven deployment
• Version control everything
• PIE (Programmable Infrastructure Environment)
• Know your environment if you want to make it defensible
82. What is PIE?
• a framework to define, provision, monitor, and control cloud-based systems
• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows)
• takes an XML-based model from source control and creates a full running system
83. PIE ingredients
• model-driven automation
• infrastructure as code
• DevOps
• dynamic scaling
• agility
• security in the model
85. The Model
• XML descriptions of the system as "specs"
• system (top level)
• environment (instance of a system)
• role ("tier" within a system)
• image (specific base box config)
• service (specific software or application)
• commands (for various levels)
• templates (files to be parsed)
88. The Registry
• uses Apache ZooKeeper (part of the Hadoop project)
• the registry contains information about the running system
• specific addressing scheme:
  /fcc/test1/external-services/2/tomcat
  [/<system>/<environment>/<role>/<instance>/<service>]
pie registry.register /fcc/test1/external-services/2
pie registry.bind /fcc/test1
pie registry.list /fcc/test1
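The model slide and the registry slide describe two halves of one idea: the XML spec says what should exist, and the registry's /<system>/<environment>/<role>/<instance>/<service> tree says what does. The following is an added example (not PIE's code; PIE is Java and keeps its registry in ZooKeeper) that expands a constructed XML spec into registry paths and serves registry.register / registry.list from an in-memory tree. The element and attribute names in MODEL_XML are assumptions for the example, not PIE's real schema, and registry.bind is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed XML "spec" in the spirit of the PIE model (system > environment >
# role > service). Element and attribute names are assumptions for this example.
MODEL_XML = """
<system name="fcc">
  <environment name="test1">
    <role name="external-services" instances="2" image="linux-base">
      <service name="tomcat" port="8080"/>
      <service name="external-tomcat" port="8443"/>
    </role>
    <role name="db" instances="1" image="linux-base">
      <service name="postgres" port="5432"/>
    </role>
  </environment>
</system>
"""

LEVELS = ("system", "environment", "role", "instance", "service")


def parse_path(path):
    """Split /<system>/<environment>/<role>/<instance>/<service> into a dict.
    Shorter paths such as /fcc/test1 return only the levels that are present."""
    if not path.startswith("/") or "//" in path or path == "/":
        raise ValueError(f"bad registry path: {path!r}")
    parts = path.strip("/").split("/")
    if len(parts) > len(LEVELS):
        raise ValueError(f"too many components in {path!r}")
    return dict(zip(LEVELS, parts))


def model_paths(xml_text):
    """Expand the model into the registry path of every service instance."""
    root = ET.fromstring(xml_text)
    system = root.get("name")
    paths = []
    for env in root.findall("environment"):
        for role in env.findall("role"):
            for n in range(1, int(role.get("instances")) + 1):
                for svc in role.findall("service"):
                    paths.append(f"/{system}/{env.get('name')}/{role.get('name')}/{n}/{svc.get('name')}")
    return paths


class Registry:
    """In-memory stand-in for the ZooKeeper znode tree that holds the running system."""

    def __init__(self):
        self.nodes = {"/": {}}          # path -> data dict

    def register(self, path, data=None):
        """Create the node and every missing ancestor (a recursive znode create)."""
        path = "/" + path.strip("/")
        parse_path(path)                # validate the shape before touching the tree
        cur = ""
        for part in path.strip("/").split("/"):
            cur += "/" + part
            self.nodes.setdefault(cur, {})
        if data:
            self.nodes[path].update(data)

    def list(self, path):
        """Immediate children of path, like `pie registry.list`."""
        prefix = "/" if path == "/" else path.rstrip("/") + "/"
        return sorted({p[len(prefix):].split("/")[0]
                       for p in self.nodes if p != "/" and p.startswith(prefix)})


def register_model(xml_text):
    """Register every service instance the model asks for into a fresh registry."""
    reg = Registry()
    for p in model_paths(xml_text):
        reg.register(p, {"state": "registered"})
    return reg


if __name__ == "__main__":
    reg = register_model(MODEL_XML)
    print(reg.list("/fcc/test1"))                      # roles in the environment
    print(reg.list("/fcc/test1/external-services/2"))  # services on instance 2
```

Validating the path shape before writing is the part worth copying: a registry that accepts arbitrary strings as keys quickly stops being a map of the system, and everything downstream (monitoring tags, log agent config, scaling) reads from it.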
89. Control
• create, terminate, start, stop instances using the AWS API
• enforce scaling policy
• execute remote commands
pie control.create /fcc/test1/external-services/2
pie control.stop /fcc/test1/external-services/2
pie control.enforce /fcc/test1
pie control.remote.service.restart /fcc/test1/external-services/2/external-tomcat
pie control.remote.execute /fcc/test1/external-services/2 -i exe[0]="ls -l /etc/init.d"
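"Enforce scaling policy" is a reconcile step: compare what the model wants against what the registry says is running and emit the creates and terminates that close the gap. The following is an added example of that step, not PIE's control.enforce; DESIRED and RUNNING are constructed inputs standing in for the model and the registry, and the instance numbering rule (fill the lowest free slot, terminate the highest numbers first) is an assumption of this example.

```python
# Desired state, as the model would give it: role -> instance count (constructed).
DESIRED = {
    "external-services": 3,
    "db": 1,
}

# Actual state, as registry paths of live instances (constructed). Note the
# leftover db/2, an unmanaged "cache" role, and an instance in another environment.
RUNNING = [
    "/fcc/test1/external-services/1",
    "/fcc/test1/external-services/2",
    "/fcc/test1/db/1",
    "/fcc/test1/db/2",
    "/fcc/test1/cache/1",
    "/fcc/prod/external-services/1",
]


def running_by_role(env_path, running):
    """Group live instance numbers by role, ignoring other environments."""
    prefix = env_path.rstrip("/") + "/"
    by_role = {}
    for p in running:
        if not p.startswith(prefix):
            continue                      # never act on another environment's instances
        parts = p[len(prefix):].split("/")
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed instance path: {p!r}")
        by_role.setdefault(parts[0], set()).add(int(parts[1]))
    return by_role


def enforce(env_path, desired, running):
    """Return (actions, unmanaged_roles).

    actions: ordered ("create"|"terminate", instance_path) pairs. Instances are
    numbered 1..N; missing numbers are created, numbers above N are terminated
    highest first so the longest-lived instances survive. Roles that are running
    but absent from the model are reported, not terminated: the model is the
    authority, but an operator should decide what an unknown role is."""
    prefix = env_path.rstrip("/") + "/"
    by_role = running_by_role(env_path, running)
    actions = []
    for role, want in desired.items():
        have = by_role.get(role, set())
        for n in sorted(set(range(1, want + 1)) - have):
            actions.append(("create", f"{prefix}{role}/{n}"))
        for n in sorted((n for n in have if n > want), reverse=True):
            actions.append(("terminate", f"{prefix}{role}/{n}"))
    unmanaged = sorted(r for r in by_role if r not in desired)
    return actions, unmanaged


if __name__ == "__main__":
    acts, unknown = enforce("/fcc/test1", DESIRED, RUNNING)
    for verb, path in acts:
        print(verb, path)
    print("unmanaged roles:", unknown)
```

The environment prefix check is the safety property: an enforce run against /fcc/test1 must be unable to terminate anything under /fcc/prod, however wrong the registry contents are.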
90. Provisioning
• deploy services and apps
• two-phase for fast deploys
• update config files and parse templates
pie provision.deploy.stage /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.deploy.run /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.remote.updateConfig /fcc/test1
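The "parse templates" step is where registry data (who the middle-tier hosts are right now) meets model data (which environment, which port) to produce a config file. The following is an added example of that rendering, not PIE's updateConfig; REGISTRY and TEMPLATE are constructed, and the placeholder names are assumptions of this example. The point it adds is that rendering fails closed: a placeholder with no value must abort the deploy rather than silently write a config with a blank backend or an empty allow-list.

```python
import string

# Constructed registry contents: what the middle tier's service nodes would hold
# once the instances came online and registered themselves.
REGISTRY = {
    "/fcc/test1/middle/1/tomcat": {"host": "10.0.1.15", "port": "8080"},
    "/fcc/test1/middle/2/tomcat": {"host": "10.0.1.16", "port": "8080"},
    "/fcc/test1/db/1/postgres": {"host": "10.0.2.7", "port": "5432"},
}

# A "file to be parsed" as the model would carry it for the web tier (constructed).
TEMPLATE = (
    "backend_hosts=${middle_hosts}\n"
    "listen_port=${port}\n"
    "env=${environment}\n"
)


def role_values(registry, env_path, role, service):
    """host:port for every live instance of role/service under env_path, in order."""
    prefix = f"{env_path.rstrip('/')}/{role}/"
    return ",".join(f"{d['host']}:{d['port']}"
                    for p, d in sorted(registry.items())
                    if p.startswith(prefix) and p.endswith("/" + service))


def render(template, values):
    """Substitute ${name} placeholders; refuse to render if any is undefined."""
    try:
        return string.Template(template).substitute(values)
    except KeyError as e:
        # safe_substitute() would leave the literal "${name}" in the file; an
        # undefined value is a model or registry bug and must stop the deploy.
        raise ValueError(f"template uses undefined value {e.args[0]!r}") from None


def render_config(registry, env_path, port, template=TEMPLATE):
    """Build the web tier's config from model values plus registry lookups."""
    environment = env_path.strip("/").split("/")[1]
    values = {
        "environment": environment,                         # from the model
        "port": str(port),                                  # from the model
        "middle_hosts": role_values(registry, env_path, "middle", "tomcat"),  # from the registry
    }
    if not values["middle_hosts"]:
        raise ValueError("no middle-tier instances registered; refusing to render an empty backend list")
    return render(template, values)


if __name__ == "__main__":
    print(render_config(REGISTRY, "/fcc/test1", 8443))
```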
91. Monitoring
• integrated with the third-party SaaS monitoring provider Cloudkick
• systems register with Cloudkick as they come online and immediately have appropriate monitors applied based on tags set from the model
93. Logging
• logging in the cloud using Splunk
• logging agents are deployed in the model and are given their config from the registry and the model as they come online
94. Rugged Results
• repeatable - no manual errors
• reviewable - model in source control
• rapid - bring up, install, configure, and test dozens of systems in a morning
• resilient - automated reconfiguration to swap servers (throw-away infrastructure)
• rugged by design
96. What's a DMZ?
• Demilitarized Zone
• Physical and logical divisions between assets
• Military history
• Control what goes in and what goes out
97. Control your environment
• Make every service a DMZ
• Cloud environment
• 3-tier web architecture
• Allow automated provisioning
98. Traditional 3-Tier Web Architecture
[Diagram: one firewall in front of each tier]
  Firewall
  Web | Web | Web                 (DMZ 1)
  Firewall
  Middle Tier | Middle Tier       (DMZ 2)
  Firewall
  DB | LDAP                       (DMZ 3)
99. Rugged Architecture
[Diagram: a firewall in front of every service, so each service is its own DMZ]
  firewall | firewall | firewall
  Web      | Web      | Web       (DMZ x3)
  firewall | firewall
  Middle Tier | Middle Tier       (DMZ x2)
  firewall | firewall
  DB       | LDAP                 (DMZ x3)
100. [Diagram: the per-service-firewall stack of slide 99 repeated for further environments, annotated Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated]
101. [Diagram: nine copies of the per-service-firewall 3-tier stack in a 3x3 grid, one per environment]
102. Rugged 3-Tier Architecture Benefits
• Control
• Config management
• Reproducible and automated
• Data can't traverse environments accidentally
• Dev and Test tiers accurate
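The "every service is a DMZ" architecture only delivers "data can't traverse environments accidentally" if the firewall rules are generated from the model per environment and then checked. The following is an added example of that generation plus the two checks a reviewer would run (no rule admits a source from another environment; only the web tier is reachable from the internet). It is not PIE's code and is not tied to any cloud API; the tier list, ports and environment names are constructed for the example, and a rule's "source" is expressed as a tier group the way cloud security groups reference one another.

```python
# Constructed tier table: (tier, listen port, tier allowed to connect). A source
# of None means the internet. Each tier only admits the tier directly in front of it.
TIERS = [
    ("web", 443, None),
    ("middle", 8080, "web"),
    ("db", 5432, "middle"),
    ("ldap", 636, "middle"),
]

INTERNET = ("cidr", "0.0.0.0/0")


def firewall_rules(environments, tiers=TIERS):
    """One ingress rule set per (environment, tier); sources never cross environments.

    A rule's source is either INTERNET or ("group", env, tier), i.e. a reference to
    the instances of that tier in the *same* environment."""
    rules = []
    for env in environments:
        for tier, port, source in tiers:
            rules.append({
                "env": env, "tier": tier, "proto": "tcp", "port": port,
                "source": INTERNET if source is None else ("group", env, source),
            })
    return rules


def cross_environment_rules(rules):
    """Rules that admit a tier from a different environment. Must be empty."""
    return [r for r in rules
            if r["source"][0] == "group" and r["source"][1] != r["env"]]


def internet_exposed(rules):
    """(env, tier) pairs reachable from the internet. Should be the web tier only."""
    return sorted({(r["env"], r["tier"]) for r in rules if r["source"] == INTERNET})


def flow_allowed(rules, src, dst, port):
    """True only if some rule on dst=(env, tier) admits src=(env, tier) on port."""
    return any(r["env"] == dst[0] and r["tier"] == dst[1] and r["port"] == port
               and r["source"] == ("group", src[0], src[1]) for r in rules)


def check(rules):
    """The review a deploy should fail on: no cross-environment sources, no
    internet-facing tier other than web."""
    problems = [f"cross-environment rule: {r}" for r in cross_environment_rules(rules)]
    problems += [f"internet-exposed tier: {env}/{tier}"
                 for env, tier in internet_exposed(rules) if tier != "web"]
    return problems


if __name__ == "__main__":
    rules = firewall_rules(["prod", "test", "dev"])
    print(len(rules), "rules;", "problems:", check(rules))
    print("test web -> prod db:", flow_allowed(rules, ("test", "web"), ("prod", "db"), 5432))
```

Because the rules are derived from the model, prod, test and dev get identical topology (the "Prod/Dev/Test matching" of the diagram) and the check runs the same way on all three; a hand-added rule that points a test middle tier at the prod database is exactly what cross_environment_rules is there to catch.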
103. OWASP Secure Coding Quick Reference Guide
• Checklist format that can be added into your sprints
• Helps the development team find common security flaws
• Topics include: Input Validation, Output Encoding, Auth, Session Management, Memory Management, ...
• http://bit.ly/OWASPQuickRef
104. Rugged Next Steps
• Use Rugged language
• Know your systems
• Automate, track results, repeat
• Begin weekly OPSEC in your org
• Attend LASCON (http://lascon.org)