The Rugged Way in the Cloud – Building Reliability and Security Into Software
TRANSCRIPT
James Wickett [email protected]
@wickett
• Operations and Security for software delivered on the cloud
• National Instruments, R&D
• Certs: CISSP, GSEC, GCFW, CCSK
• Tags: OWASP, Cloud, DevOps, Ruby
• Blogger at theagileadmin.com
• I do stuff for LASCON (http://lascon.org)
• Twitter: @wickett
Cloud @ NI
We built a DevOps team to rapidly deliver new SaaS products and product functionality using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element.
With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.
National Instruments
• 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010
• Hardware and software for data acquisition, embedded design, instrument control, and test
• LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields
From toys to black holes
NI’s Cloud Products
• LabVIEW Web UI Builder
• FPGA Compile Cloud
• more to come...
ni.com/uibuilder
FPGA Compile Cloud
• LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex
• Implemented on Amazon - EC2, Java/Linux, C#/.NET/Windows, and LabVIEW FPGA
• Also an on premise product, the “Compile Farm”
Using the FPGA Compile Cloud
Building Rugged In
Am I healthy?
• Latest and greatest research
• Justification to insurance companies
• Measurement and testing as available
• Point in time snapshot
Am I secure?
• Latest and greatest vulnerabilities
• Justification of budget for tools
• Measurement and testing as available
• Point in time snapshot
People, Process, Tech
It’s not our problem anymore
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
Twitter Survey
What is one word that you would use to describe ‘IT Security’ people?
smart
compassionate
HAWT!
unicorns
demented
passionate
prepared
omnium-gatherum
weird
drunk
facebored
jaded
smart
Tenacious
masochistic
sisyphean
paranoid
Us vs. Them
• Security professionals often degrade developers
• Developers don’t get security people
• There is interest across the aisle, but it is often ruined by negative language
Why do you see the speck that is in your brotherʼs eye, but do not notice the log that is in your own eye?
- Jesus
Adverse conditions need Rugged solutions
Adversity fueled innovation
• NASA in Space
• Military hard drives
• ATMs in Europe
Chip and PIN ATM
The Internets is Mean
• Latency
• Distribution
• Anonymity
• Varied protocols
• People
Systems are complex
• “How Complex Systems Fail”
• Failure at multiple layers
• Synonyms in other industries
• Defense in Depth
Software needs to meet adversity
Intro to Rugged by analogy
(Image slides alternating “Current Software” and “Rugged Software”; only the slide titles survive the transcript.)
Rugged Software Manifesto
I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Rugged-ities
• Availability
• Survivability
• Defensibility
• Security
• Longevity
• Portability
Security vs. Rugged
Security:
• Absence of Events
• Cost
• Negative
• FUD
• Toxic
Rugged:
• Verification of quality
• Benefit
• Positive
• Known values
• Affirming
Rugged Survival Guide
• Defensible Infrastructure
• Operational Discipline
• Situational Awareness
• Countermeasures
On YouTube: “PCI Zombies”
Security as a Feature
• SaaF is possible, but hard for most products
• Tough to measure
• Hiding among other features
Rugged as a Feature
• RaaF addresses customer-felt needs
• Values that people covet
• Buyers want it
Qualities of Rugged Software
• Availability - Speed and performance
• Longevity, Long-standing, persistent - Time
• Scalable, Portable
• Maintainable and Defensible - Topology Map
• Resilient in the face of failures
• Reliable - Time, Load
Measuring Ruggedness
• Physical: Heat, Cold, Friction, Time, Quantity of use, Type of use
• Software: Concurrency, Transactions, Speed, Serial Load, Input handling, Entropy, Lines of Code
Measuring Frameworks
• Measured by lack of incidents and quantifying risk and vulns
• OWASP / CVE tracking
• Common Vuln Scoring System (CVSS)
• Mitre Common Weakness Enumeration (CWE)
• Common Weakness Scoring System (CWSS)
Supply and ______
Marketing Possibilities
• Positive: Rugged Rating System
• 3rd party verification of Ruggedness
• Self Attestation
• Negative: warning signs
• Buyers Bill of Rights
Measuring Rugged
3rd Party Warnings
Self Attestation
Implicit vs. Explicit
Explicit Requirements
• Customers Demand
• 20% Use Cases
• Most Vocal
• Failure results in loss of customers but not all customers
Implicit Requirements
• Customers Assume
• 80% of use cases
• Unsaid and Unspoken
• Most basic and expected features
• Failure results in a loss of most customers
Is Security Explicit or Implicit?
Is Rugged Explicit or Implicit?
Rugged Implementations
build a rugged team
People and Process
• Sit near the developers... DevOpsSec
• Track security flaws or bugs in the same bug tracking system
• Train to automate
• Involve team with vendors
• Measurement over time and clear communication
OPSEC Framework
• Know your system and people
• Make security better in small steps
• Add layers of security without overcompensating
• Use a weekly, iteration-based approach to security
Programmable Infrastructure Environment
Configuration Management
• Infrastructure as Code (IaC)
• Model driven deployment
• Version control everything
• PIE (Programmable Infrastructure Environment)
• Know Your Environment if you want to make it defensible
What is PIE?
• a framework to define, provision, monitor, and control cloud-based systems
• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows)
• takes an XML-based model from source control and creates a full running system
PIE ingredients
• model driven automation
• infrastructure as code
• DevOps
• dynamic scaling
• agility
• security in the model
The Model
• XML descriptions of the system as ‘specs’
• system (top level)
• environment (instance of a system)
• role (“tier” within a system)
• image (specific base box config)
• service (specific software or application)
• commands (for various levels)
• templates (files to be parsed)
The Registry
• uses Apache ZooKeeper (part of Hadoop project)
• the registry contains information about the running system
• specific addressing scheme:
• /fcc/test1/external-services/2/tomcat
• [/<system>/<environment>/<role>/<instance>/<service>]
pie registry.register /fcc/test1/external-services/2
pie registry.bind /fcc/test1
pie registry.list /fcc/test1
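The addressing scheme above is the one piece of PIE's design the deck spells out, so here is an added example (not PIE's code, and not from the talk) that parses those paths and models the register/bind/list operations against an in-memory tree standing in for the ZooKeeper nodes. The component naming rules, the `Registry` class and the idea that `bind` resolves instance-level entries under an environment are all assumptions; the real PIE node layout is not shown in the slides.

```python
"""Model of the PIE registry addressing scheme
/<system>/<environment>/<role>/<instance>/<service>.
Added example: the in-memory tree is a stand-in for Apache ZooKeeper, and the
validation rules are assumptions, not PIE's real implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LEVELS = ("system", "environment", "role", "instance", "service")

# Constructed rule: names are DNS-label-like; the instance level is numeric.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


@dataclass(frozen=True)
class RegistryAddress:
    system: str
    environment: Optional[str] = None
    role: Optional[str] = None
    instance: Optional[int] = None
    service: Optional[str] = None

    @property
    def depth(self) -> int:
        return sum(1 for lvl in LEVELS if getattr(self, lvl) is not None)

    def path(self) -> str:
        parts = [str(getattr(self, lvl)) for lvl in LEVELS if getattr(self, lvl) is not None]
        return "/" + "/".join(parts)


def parse_address(path: str) -> RegistryAddress:
    """Parse a registry path into its levels. Relative, empty, over-deep or
    malformed paths are rejected so a typo cannot register or bind the wrong node."""
    if not path.startswith("/"):
        raise ValueError(f"registry path must be absolute: {path!r}")
    stripped = path.strip("/")
    parts = stripped.split("/") if stripped else []
    if not parts or len(parts) > len(LEVELS):
        raise ValueError(f"expected 1..{len(LEVELS)} components, got {len(parts)}: {path!r}")
    values: dict = {}
    for level, part in zip(LEVELS, parts):
        if level == "instance":
            if not part.isdigit():
                raise ValueError(f"instance must be numeric, got {part!r}")
            values[level] = int(part)
        elif _NAME_RE.match(part):
            values[level] = part
        else:
            raise ValueError(f"bad {level} name {part!r}")
    return RegistryAddress(**values)


class Registry:
    """Toy stand-in for the ZooKeeper-backed registry: register a node (creating
    its parents, as ZooKeeper's hierarchical namespace requires), list the
    children of a node, and bind an environment to resolve its instance entries."""

    def __init__(self) -> None:
        self._nodes: dict[str, dict] = {}

    def register(self, path: str, info: Optional[dict] = None) -> RegistryAddress:
        addr = parse_address(path)
        parts = addr.path().strip("/").split("/")
        for i in range(1, len(parts) + 1):
            self._nodes.setdefault("/" + "/".join(parts[:i]), {})
        self._nodes[addr.path()].update(info or {})
        return addr

    def list(self, path: str) -> list[str]:
        prefix = parse_address(path).path() + "/"
        children = {p[len(prefix):].split("/")[0] for p in self._nodes if p.startswith(prefix)}
        return sorted(children)

    def bind(self, environment_path: str) -> dict[str, dict]:
        """Return every instance-level node (depth 4) under an environment with its info."""
        addr = parse_address(environment_path)
        if addr.depth != 2:
            raise ValueError("bind expects /<system>/<environment>")
        prefix = addr.path() + "/"
        return {p: dict(info) for p, info in self._nodes.items()
                if p.startswith(prefix) and parse_address(p).depth == 4}


if __name__ == "__main__":
    reg = Registry()
    reg.register("/fcc/test1/external-services/2", {"host": "10.0.1.12"})  # constructed value
    reg.register("/fcc/test1/external-services/2/tomcat", {"port": 8080})
    print(reg.list("/fcc/test1"), reg.bind("/fcc/test1"))
```

Strict parsing is the defensive point here: the registry is what the control and provisioning commands later act on, so a path that silently lands one level off would stop, restart or redeploy a different node than intended.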
Control
• create, terminate, start, stop instances using the AWS API
• enforce scaling policy
• execute remote commands
pie control.create /fcc/test1/external-services/2
pie control.stop /fcc/test1/external-services/2
pie control.enforce /fcc/test1
pie control.remote.service.restart /fcc/test1/external-services/2/external-tomcat
pie control.remote.execute /fcc/test1/external-services/2 -i exe[0]="ls -l /etc/init.d"
Provisioning
• deploy services and apps
• two-phase for fast deploys
• update config files and parse templates
pie provision.deploy.stage /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.deploy.run /fcc/test1/external-services/2 -i pack[0]=lvdotcom-auth
pie provision.remote.updateConfig /fcc/test1
Monitoring
• integrated with third party SaaS monitoring provider Cloudkick
• systems register with Cloudkick as they come online and immediately have appropriate monitors applied based on tags set from the model
Logging
• logging in the cloud using Splunk
• logging agents are deployed in the model and they are given the config from the registry and the model as they come online
Rugged Results
• repeatable – no manual errors
• reviewable – model in source control
• rapid – bring up, install, configure, and test dozens of systems in a morning
• resilient – automated reconfiguration to swap servers (throw away infrastructure)
• rugged by design
build the new DMZ
What’s a DMZ?
• Demilitarized Zone
• Physical and logical divisions between assets
• Military history
• Control what goes in and what goes out
Control your environment
• Make every service a DMZ
• Cloud environment
• 3-tier web architecture
• Allow automated provisioning
Traditional 3-Tier Web Architecture
(Figure: Web, Middle Tier, DB and LDAP tiers separated by firewalls into DMZ 1, DMZ 2 and DMZ 3.)
Rugged Architecture
(Figure: the same tiers, but each Web, Middle Tier, DB and LDAP service sits behind its own firewall; DMZ x3, DMZ x2, DMZ x3.)
(Figure: the rugged architecture repeated for every environment, labelled Repeatable, Verifiable, Prod/Dev/Test Matching, Controlled, Automated.)
Rugged 3-Tier Architecture Benefits
• Control
• Config Management
• Reproducible and Automated
• Data can’t traverse environments accidentally
• Dev and Test Tier accurate
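“Make every service a DMZ” and “data can’t traverse environments accidentally” are both properties that can be checked before a model is provisioned. The following added example (not from the deck or from PIE) writes the permitted flows of the rugged 3-tier layout down as data and verifies a constructed rule set against them: every destination tier must be reached only along the web → middle → db/ldap chain, no rule may cross environments, and every environment must carry the same edges so dev and test really match prod. The `Rule` format, tier names and ports are assumptions for illustration; the slides do not show PIE's model syntax or the AWS security-group configuration behind the figures.

```python
"""Policy check for a per-service DMZ layout (added example, constructed rule
format; not PIE's model or AWS security-group syntax)."""
from dataclasses import dataclass

TIERS = ("web", "middle", "db", "ldap")

# Intended flows of the rugged architecture: internet -> web -> middle -> {db, ldap}.
# Anything not listed here is denied by the per-service firewall.
ALLOWED_EDGES = {
    ("internet", "web"),
    ("web", "middle"),
    ("middle", "db"),
    ("middle", "ldap"),
}


@dataclass(frozen=True)
class Rule:
    env: str   # environment the firewall rule is defined in, e.g. "prod" (assumed format)
    src: str   # "internet" or "<env>/<tier>"
    dst: str   # "<env>/<tier>"
    port: int


def _split(endpoint: str):
    """Return (environment, tier); the internet has no environment."""
    if endpoint == "internet":
        return None, "internet"
    env, tier = endpoint.split("/", 1)
    return env, tier


def check_rules(rules):
    """Return a list of violation strings; an empty list means the rule set
    respects the per-service DMZ boundaries and stays inside one environment."""
    violations = []
    for r in rules:
        src_env, src_tier = _split(r.src)
        dst_env, dst_tier = _split(r.dst)
        if dst_tier not in TIERS:
            violations.append(f"{r}: unknown destination tier {dst_tier!r}")
            continue
        if dst_env != r.env:
            violations.append(f"{r}: defined in {r.env} but targets {dst_env}")
            continue
        if src_env is not None and src_env != dst_env:
            violations.append(f"{r}: crosses environments {src_env} -> {dst_env}")
            continue
        if (src_tier, dst_tier) not in ALLOWED_EDGES:
            violations.append(f"{r}: flow {src_tier} -> {dst_tier} is not a permitted edge")
    return violations


def environments_match(rules) -> bool:
    """True when every environment exposes the identical set of (src tier, dst tier,
    port) edges, i.e. prod, dev and test are the same shape."""
    shapes = {}
    for r in rules:
        shapes.setdefault(r.env, set()).add((_split(r.src)[1], _split(r.dst)[1], r.port))
    return len(set(frozenset(s) for s in shapes.values())) <= 1


def _tier_rules(env: str):
    return [
        Rule(env, "internet", f"{env}/web", 443),
        Rule(env, f"{env}/web", f"{env}/middle", 8080),
        Rule(env, f"{env}/middle", f"{env}/db", 5432),
        Rule(env, f"{env}/middle", f"{env}/ldap", 636),
    ]


# Constructed sample rule sets: a correct prod+test pair, and the same pair with
# two mistakes (web talking straight to the database, and test reaching prod data).
GOOD_RULES = _tier_rules("prod") + _tier_rules("test")
BAD_RULES = GOOD_RULES + [
    Rule("prod", "prod/web", "prod/db", 5432),
    Rule("test", "test/middle", "prod/db", 5432),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_rules(rules), environments_match(rules))
```

Running such a check in the same pipeline that applies the model is what turns “reviewable – model in source control” into an enforced property rather than a hope: a rule that bypasses the middle tier or reaches across environments fails before it is ever provisioned.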
OWASP Secure Coding Quick Reference Guide
• Checklist format that can be added into your sprints
• Helps development team find common security flaws
• Topics include: Input Validation, Output Encoding, Auth, Session Management, Memory Management, ...
• http://bit.ly/OWASPQuickRef
Rugged Next Steps
• Use Rugged language
• Know your systems
• Automate, track results, repeat
• Begin weekly OPSEC in your org
• Attend LASCON (http://lascon.org)
Rugged Resources
https://groups.google.com/a/owasp.org/group/rugged-software
Recommended Reading