the rugged way in the cloud--building reliability and security into software

107
The Rugged Way in the CloudBuilding Reliability and Security Into Software James Wickett [email protected] 1

Upload: james-wickett

Post on 16-Apr-2017

3.812 views

Category:

Technology


3 download

TRANSCRIPT

Page 1: The Rugged Way in the Cloud--Building Reliability and Security into Software

The Rugged Way in the Cloud–Building Reliability and Security Into Software

James Wickett [email protected]

1

Page 2: The Rugged Way in the Cloud--Building Reliability and Security into Software

2

Page 3: The Rugged Way in the Cloud--Building Reliability and Security into Software

@wickett• Operations and Security for software

delivered on the cloud

• National Instruments, R&D

• Certs: CISSP, GSEC, GCFW, CCSK

• Tags: OWASP, Cloud, DevOps, Ruby

• Blogger at theagileadmin.com

• I do stuff for LASCON (http://lascon.org)

• Twitter: @wickett3

Page 4: The Rugged Way in the Cloud--Building Reliability and Security into Software

Cloud @ NIWe built a DevOps team to rapidly deliver new SaaS products and product functionality using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element.

With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.

4

Page 5: The Rugged Way in the Cloud--Building Reliability and Security into Software

National Instruments• 30 years old; 5000+ employees

around the world, half in Austin, mostly engineers; $873M in 2010

• Hardware and software for data acquisition, embedded design, instrument control, and test

• LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields

5

Page 6: The Rugged Way in the Cloud--Building Reliability and Security into Software

From toys to black holes

6

Page 7: The Rugged Way in the Cloud--Building Reliability and Security into Software

NI’s Cloud Products

• LabVIEW Web UI Builder

• FPGA Compile Cloud

• more to come...

7

Page 8: The Rugged Way in the Cloud--Building Reliability and Security into Software

ni.com/uibuilder8

Page 9: The Rugged Way in the Cloud--Building Reliability and Security into Software

9

Page 10: The Rugged Way in the Cloud--Building Reliability and Security into Software

10

Page 11: The Rugged Way in the Cloud--Building Reliability and Security into Software

FPGA Compile Cloud• LabVIEW FPGA compiles take hours and

consume extensive system resources; compilers are getting larger and more complex

• Implemented on Amazon - EC2, Java/Linux,C#/.NET/Windows, and LabVIEW FPGA

• Also an on premise product, the “Compile Farm”

11

Page 12: The Rugged Way in the Cloud--Building Reliability and Security into Software

Using the FPGA Compile Cloud

12

Page 13: The Rugged Way in the Cloud--Building Reliability and Security into Software

Building RuggedIn

13

Page 14: The Rugged Way in the Cloud--Building Reliability and Security into Software

Am I healthy?

14

Page 15: The Rugged Way in the Cloud--Building Reliability and Security into Software

Am I healthy?

• Latest and greatest research

• Justification to insurance companies

• Measurement and testing as available

• Point in time snapshot

15

Page 16: The Rugged Way in the Cloud--Building Reliability and Security into Software

Am I secure?

16

Page 17: The Rugged Way in the Cloud--Building Reliability and Security into Software

Am I secure?

• Latest and greatest vulnerabilities

• Justification of budget for tools

• Measurement and testing as available

• Point in time snapshot

17

Page 18: The Rugged Way in the Cloud--Building Reliability and Security into Software

People, Process, Tech

18

Page 19: The Rugged Way in the Cloud--Building Reliability and Security into Software

It’s not our problem anymore

19

Page 20: The Rugged Way in the Cloud--Building Reliability and Security into Software

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

20

Page 21: The Rugged Way in the Cloud--Building Reliability and Security into Software

Twitter Survey

What is one word that you would use to describe ‘IT Security’ people?

21

Page 22: The Rugged Way in the Cloud--Building Reliability and Security into Software

smart

compassionate

HAWT!

unicorns

demented

passionate

prepared

omnium-gatherum

weirddrunk

facebored

jadedsmart

Tenacious

masochistic

sisyphean

paranoid

22

Page 23: The Rugged Way in the Cloud--Building Reliability and Security into Software

Us vs. Them

• Security professionals often degrade developers

• Developers don’t get security people

• There is interest across the isle, but often ruined by negative language

23

Page 24: The Rugged Way in the Cloud--Building Reliability and Security into Software

Why do you see the speck that is in your brotherʼs eye, but do not notice the log that is in your own eye?

- Jesus24

Page 25: The Rugged Way in the Cloud--Building Reliability and Security into Software

Adverse conditions need Rugged solutions

25

Page 26: The Rugged Way in the Cloud--Building Reliability and Security into Software

Adversity fueled innovation

• NASA in Space

• Military hard drives

• ATMs in Europe

26

Page 27: The Rugged Way in the Cloud--Building Reliability and Security into Software

Chip and PIN ATM

27

Page 28: The Rugged Way in the Cloud--Building Reliability and Security into Software

The Internets is Mean

• Latency

• Distribution

• Anonymity

• Varied protocols

• People

28

Page 29: The Rugged Way in the Cloud--Building Reliability and Security into Software

Systems are complex

• “How Complex Systems Fail”

• Failure at multiple layers

• Synonyms in other industries

• Defense in Depth

29

Page 30: The Rugged Way in the Cloud--Building Reliability and Security into Software

Software needs to meet adversity

30

Page 31: The Rugged Way in the Cloud--Building Reliability and Security into Software

Intro to Rugged by analogy

31

Page 32: The Rugged Way in the Cloud--Building Reliability and Security into Software

Current Software

32

Page 33: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software

33

Page 34: The Rugged Way in the Cloud--Building Reliability and Security into Software

Current Software

34

Page 35: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software

35

Page 36: The Rugged Way in the Cloud--Building Reliability and Security into Software

Current Software

36

Page 37: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software37

Page 38: The Rugged Way in the Cloud--Building Reliability and Security into Software

Current Software

38

Page 39: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software

39

Page 40: The Rugged Way in the Cloud--Building Reliability and Security into Software

Current Software

40

Page 41: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software

41

Page 42: The Rugged Way in the Cloud--Building Reliability and Security into Software

!!

!"#$"%&'"%(#)*(+,-./(/012*3#4(5"1#

Current Software

42

Page 43: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software

43

Page 44: The Rugged Way in the Cloud--Building Reliability and Security into Software

44

Page 45: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Software Manifesto

45

Page 46: The Rugged Way in the Cloud--Building Reliability and Security into Software

I am rugged... and more importantly, my code is rugged.

46

Page 47: The Rugged Way in the Cloud--Building Reliability and Security into Software

I recognize that software has become a foundation of our modern world.

47

Page 48: The Rugged Way in the Cloud--Building Reliability and Security into Software

I recognize the awesome responsibility that comes with this foundational role.

48

Page 49: The Rugged Way in the Cloud--Building Reliability and Security into Software

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

49

Page 50: The Rugged Way in the Cloud--Building Reliability and Security into Software

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

50

Page 51: The Rugged Way in the Cloud--Building Reliability and Security into Software

I recognize these things - and I choose to be rugged.

51

Page 52: The Rugged Way in the Cloud--Building Reliability and Security into Software

I am rugged because I refuse to be a source of vulnerability or weakness.

52

Page 53: The Rugged Way in the Cloud--Building Reliability and Security into Software

I am rugged because I assure my code will support its mission.

53

Page 54: The Rugged Way in the Cloud--Building Reliability and Security into Software

I am rugged because my code can face these challenges and persist in spite of them.

54

Page 55: The Rugged Way in the Cloud--Building Reliability and Security into Software

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

55

Page 56: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged-ities

• Availability

• Survivability

• Defensibility

• Security

• Longevity

• Portability

56

Page 57: The Rugged Way in the Cloud--Building Reliability and Security into Software

Security vs. Rugged

• Absence of Events

• Cost

• Negative

• FUD

• Toxic

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

57

Page 58: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Survival Guide

• Defensible Infrastructure

• Operational Discipline

• Situational Awareness

• Countermeasures

On YouTube: “PCI Zombies”

58

Page 59: The Rugged Way in the Cloud--Building Reliability and Security into Software

Security as a Feature

• SaaF is possible, but hard for most products

• Tough to measure

• Hiding among other features

59

Page 60: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged as a Feature

• RaaF addresses to customer felt needs

• Values that people covet

• Buyers want it

60

Page 61: The Rugged Way in the Cloud--Building Reliability and Security into Software

Qualities of Rugged Software

• Availability - Speed and performance

• Longevity, Long-standing, persistent - Time

• Scalable, Portable

• Maintainable and Defensible - Topology Map

• Resilient in the face of failures

• Reliable - Time, Load

61

Page 62: The Rugged Way in the Cloud--Building Reliability and Security into Software

Measuring Ruggedness

• Physical: Heat, Cold, Friction, Time, Quantity of use, Type of use

• Software: Concurrency, Transactions, Speed, Serial Load, Input handling, Entropy, Lines of Code

62

Page 63: The Rugged Way in the Cloud--Building Reliability and Security into Software

Measuring Frameworks

• Measured by lack of incidents and quantifying risk and vulns

• OWASP / CVE tracking

• Common Vuln Scoring System (CVSS)

• Mitre Common Weakness Enumeration (CWE)

• Common Weakness Scoring System (CWSS)

63

Page 64: The Rugged Way in the Cloud--Building Reliability and Security into Software

Supply and ______

64

Page 65: The Rugged Way in the Cloud--Building Reliability and Security into Software

Marketing Possibilities

• Positive: Rugged Rating System

• 3rd party verification of Ruggedness

• Self Attestation

• Negative: warning signs

• Buyers Bill of Rights

65

Page 66: The Rugged Way in the Cloud--Building Reliability and Security into Software

Measuring Rugged

66

Page 67: The Rugged Way in the Cloud--Building Reliability and Security into Software

3rd Party Warnings67

Page 68: The Rugged Way in the Cloud--Building Reliability and Security into Software

Self Attestation68

Page 69: The Rugged Way in the Cloud--Building Reliability and Security into Software

Implicit vs. Explicit

69

Page 70: The Rugged Way in the Cloud--Building Reliability and Security into Software

Explicit Requirements

• Customers Demand

• 20% Use Cases

• Most Vocal

• Failure results in loss of customers but not all customers

70

Page 71: The Rugged Way in the Cloud--Building Reliability and Security into Software

Implicit Requirements

• Customers Assume

• 80% of use cases

• Unsaid and Unspoken

• Most basic and expected features

• Failure results in a loss of most customers

71

Page 72: The Rugged Way in the Cloud--Building Reliability and Security into Software

Is Security Explicit or Implicit?

72

Page 73: The Rugged Way in the Cloud--Building Reliability and Security into Software

Is Rugged Explicit or Implicit?

73

Page 74: The Rugged Way in the Cloud--Building Reliability and Security into Software

74

Page 75: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Implementations

75

Page 76: The Rugged Way in the Cloud--Building Reliability and Security into Software

build a ruggedteam

76

Page 77: The Rugged Way in the Cloud--Building Reliability and Security into Software

People and Process

• Sit near the developers... DevOpsSec

• Track security flaws or bugs in the same bug tracking system

• Train to automate

• Involve team with vendors

• Measurement over time and clear communication

77

Page 78: The Rugged Way in the Cloud--Building Reliability and Security into Software

OPSEC Framework

• Know your system and people

• Make security better in small steps

• Add layers of security without overcompensating

• Use a weekly, iteration-based approach to security

78

Page 79: The Rugged Way in the Cloud--Building Reliability and Security into Software

79

Page 80: The Rugged Way in the Cloud--Building Reliability and Security into Software

Programmable Infrastructure Environment

80

Page 81: The Rugged Way in the Cloud--Building Reliability and Security into Software

Configuration Management

• Infrastructure as Code (IaC)

• Model driven deployment

• Version control everything

• PIE (Programmable Infrastructure Enviroment)

• Know Your Environment if you want to make it defensible

81

Page 82: The Rugged Way in the Cloud--Building Reliability and Security into Software

What is PIE?• a a framework to define, provision,

monitor, and control cloud-based systems

• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows)

• takes an XML-based model from source control and creates a full running system

• to define, provision, monitor, and control cloud-based systems

82

Page 83: The Rugged Way in the Cloud--Building Reliability and Security into Software

PIE ingredients

• model driven automation

• infrastructure as code

• DevOps

• dynamic scaling

• agility

• security in the model

83

Page 84: The Rugged Way in the Cloud--Building Reliability and Security into Software

84

Page 85: The Rugged Way in the Cloud--Building Reliability and Security into Software

The Model

• XML descriptions of the system as ‘specs’

• system (top level)

• environment (instance of a system)

• role (“tier” within a system)

• image (specific base box config)

• service (specific software or application)

• commands (for various levels)

• templates (files to be parsed)85

Page 86: The Rugged Way in the Cloud--Building Reliability and Security into Software

86

Page 87: The Rugged Way in the Cloud--Building Reliability and Security into Software

87

Page 88: The Rugged Way in the Cloud--Building Reliability and Security into Software

The Registry• uses Apache Zookeeper

(part of Hadoop project)

• the registry contains information about the running system

• specific addressing scheme:

• /fcc/test1/external-services/2/tomcat

• [/<system>/<environment>/<role>/<instance>/<service>]

pie registry.register /fcc/test1/external-services/2pie registry.bind /fcc/test1pie registry.list /fcc/test1

88

Page 89: The Rugged Way in the Cloud--Building Reliability and Security into Software

Control

• create, terminate, start, stop instances using the AWS API

• enforce scaling policy

• execute remote commands

pie control.create /fcc/test1/external-services/2pie control.stop /fcc/test1/external-services/2pie control.enforce /fcc/test1pie control.remote.service.restart /fcc/test1/external-services/2/external-tomcatpie control.remote.execute /fcc/test1/external-services/2 –i exe[0]=“ls –l /etc/init.d”

89

Page 90: The Rugged Way in the Cloud--Building Reliability and Security into Software

Provisioning

• deploy services and apps

• two-phase for fast deploys

• update config files and parse templates

pie provision.deploy.stage /fcc/test1/external-services/2 –i pack[0]=lvdotcom-authpie provision.deploy.run /fcc/test1/external-services/2 –i pack[0]=lvdotcom-authpie provision.remote.updateConfig /fcc/test1

90

Page 91: The Rugged Way in the Cloud--Building Reliability and Security into Software

Monitoring

• integrated with third party SaaS monitoring provider Cloudkick

• systems register with Cloudkick as they come online and immediately have appropriate monitors applied based on tags set from the model

91

Page 92: The Rugged Way in the Cloud--Building Reliability and Security into Software

92

Page 93: The Rugged Way in the Cloud--Building Reliability and Security into Software

Logging

• logging in the cloud using splunk

• logging agents are deployed in the model and they are given the config from registry and the model as they come online

93

Page 94: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Results

• repeatable – no manual errors

• reviewable – model in source control

• rapid – bring up, install, configure, and test dozens of systems in a morning

• resilient – automated reconfiguration to swap servers (throw away infrastructure)

• rugged by design

94

Page 95: The Rugged Way in the Cloud--Building Reliability and Security into Software

buildthe new DMZ

95

Page 96: The Rugged Way in the Cloud--Building Reliability and Security into Software

What’s a DMZ?

• Demilitarized Zone

• Physical and logical divisions between assets

• Military history

• Control what goes in and what goes out

96

Page 97: The Rugged Way in the Cloud--Building Reliability and Security into Software

Control your environment

• Make every service a DMZ

• Cloud environment

• 3-tier web architecture

• Allow automated provisioning

97

Page 98: The Rugged Way in the Cloud--Building Reliability and Security into Software

Web

DB

Middle Tier

WebWeb

Middle Tier

LDAP

Firewall

Firewall

Firewall

DMZ 1

DMZ 2

DMZ 3

Traditional 3-Tier Web Architecture

98

Page 99: The Rugged Way in the Cloud--Building Reliability and Security into Software

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

DMZ x3

DMZ x2

DMZ x3

Rugged Architecturefirewall

Web

firewall

Web

99

Page 100: The Rugged Way in the Cloud--Building Reliability and Security into Software

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

RepeatableVerifiable

Prod/Dev/Test MatchingControlledAutomated

100

Page 101: The Rugged Way in the Cloud--Building Reliability and Security into Software

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

firewall

firewallfirewall

firewallfirewall

Web

DB

Middle Tier Middle Tier

LDAP

firewall

Web

firewall

Web

101

Page 102: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged 3-Tier Architecture Benefits• Control

• Config Management

• Reproducible and Automated

• Data can’t traverse environments accidentally

• Dev and Test Tier accurate

102

Page 103: The Rugged Way in the Cloud--Building Reliability and Security into Software

OWASP Secure Coding Quick Reference Guide

• Checklist format that can be added to into your sprints

• Helps development team find common security flaws

• Topics include: Input Validation, Output Encoding, Auth, Session Management, Memory Management, ...

• http://bit.ly/OWASPQuickRef

103

Page 104: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Next Steps

• Use Rugged language

• Know your systems

• Automate, track results, repeat

• Begin weekly OPSEC in your org

• Attend LASCON (http://lascon.org)

104

Page 105: The Rugged Way in the Cloud--Building Reliability and Security into Software

Rugged Resources

105

Page 107: The Rugged Way in the Cloud--Building Reliability and Security into Software

Recommended Reading

107