Rugged DevOps

DevOps Patterns: Rugged DevOps. Ilkka Turunen (@ilkkaturunen, [email protected])

Transcript of Rugged DevOps

Page 1: Rugged DevOps


Page 2: Rugged DevOps
Page 3: Rugged DevOps

10/23/2013 @joshcorman ~ Marc Andreessen 2011

Page 4: Rugged DevOps

Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)


• CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
• CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM SIEMENS *
• CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM
• CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
• CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH
• CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED **
• CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM
• CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM
• CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM HeartBleed
• CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW
• CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM
• CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM
• CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM
• CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
• …

As of 2014, internet scans by MassScan reveal that 300,000 of the original 600,000 hosts remain unpatched or unpatchable

Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim

Page 5: Rugged DevOps

Heartbleed + (UnPatchable) Internet of Things == ___ ?

In Our Bodies

In Our Homes

In Our Infrastructure

In Our Cars

Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim

Page 6: Rugged DevOps

ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK

Dev’s core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk @joshcorman @mortman #RSAC #DevOps

Page 7: Rugged DevOps


“Don’t Go Chasin’ Waterfalls” Dev started w/ Waterfall, but modern demands require us to go faster @joshcorman @mortman #RSAC #DevOps

Page 8: Rugged DevOps

ON TIME. Faster builds. Fewer interruptions. More innovation.

ON BUDGET. More efficient. More profitable. More competitive.

ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3yrs b/w releases. @joshcorman @mortman #RSAC #DevOps

Page 9: Rugged DevOps

Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps

Page 10: Rugged DevOps


Agile / CI

Agile & Lean tightened Design -> Build -> Test cycle releasing 6-12+ smaller batches/yr @joshcorman @mortman #RSAC #DevOps

Page 11: Rugged DevOps

DevOps

It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps

Page 12: Rugged DevOps


DevOps / CD

Agile / CI

Agile made dev faster but wasn’t enough. DevOps extends patterns to Ops 4 mutual gains @joshcorman @mortman #RSAC #DevOps

Page 13: Rugged DevOps


SW Supply Chains

Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns @joshcorman @mortman #RSAC #DevOps

Page 14: Rugged DevOps


SW Supply Chain

DevOps / CD

Agile / CI

SW Supply Chains enable faster, more efficient dev by reducing elective complexity/risk++ @joshcorman @mortman #RSAC #DevOps

Page 15: Rugged DevOps

.*Ops

Source: Theo Schlossnagle (@postwait)

Page 16: Rugged DevOps

^(?<dept>.+)Ops$

Source: Theo Schlossnagle (@postwait)

Page 17: Rugged DevOps

DevOps Teams’ view of the security guy

Page 18: Rugged DevOps
Page 19: Rugged DevOps
Page 20: Rugged DevOps

How to move from this…

Page 21: Rugged DevOps

TO THIS?

Page 22: Rugged DevOps

Defensible Infrastructure 10%

Written

Operational Excellence

Situational Awareness

Counter-measures

The software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source.

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

Page 23: Rugged DevOps
Page 24: Rugged DevOps

Respect & Translate

Page 25: Rugged DevOps

Test early, test often

Page 26: Rugged DevOps
Page 27: Rugged DevOps

ENGAGE AT ALL STAGES

Page 28: Rugged DevOps

Participate

Page 29: Rugged DevOps

Bring toolset to SW Factory

Page 30: Rugged DevOps

Leverage unseen audit trails

Page 31: Rugged DevOps

4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation. @joshcorman @mortman #rsac #devops

Page 32: Rugged DevOps
Page 34: Rugged DevOps

Be DevOpstastic