what is rugged all about
play

What is Rugged all about? Matt Konda He would want me to tell you - PowerPoint PPT Presentation

Mar 18, 2023 •482 likes •1.74k views

What is Rugged all about? Matt Konda He would want me to tell you Software is eating the world. DevOps and Security is a rare opportunity. Makes security positive, cultural+ Show the Rugged Manifesto Honey Badger =

  1. What is ‘Rugged’ all about? Matt Konda

  7. He would want me to tell you • Software is eating the world. • DevOps and Security is a rare opportunity. • Makes security positive, cultural+ • Show the Rugged Manifesto • Honey Badger = Security + DevOps … • Empathy, Empathy, Empathy • Bridge communities!

  8. He would want me to emphasize • Instrumentation • Be Mean To Your Code • Complexity is the Enemy • Change Management (Automation through tooling) • Empathy (Did I say that yet?)

  9. He would want me to mention • By updating our software (and it’s dependencies) we can address a huge amount of attack surface. • DevOps should be good at this. • Empathy (Did I say that yet?)

  11. OWASP?

  12. Introduction Clojure Perl J2EE Agile Ruby Graph Database J2EE 
 Java Applet Spring Rails DevOps C++ Analytics MS in CS 1997 2006 2014 Software Consultant Director of Founder Growing Architect Engineer Engineering Consultant Trying to hack a Certificate Authority business model that Vulnerability Scanner succeeds while Penetration Test Manager helping developers. Domains: Pricing Rabble Rouser: Projects: Retail Banking Chicago BSides 2011, 2012 DevOps / Automation Manufacturing Defcon Skytalk Training Pharma OWASP Chicago, MSP 2013 Coaching Healthcare AppSec USA 2012, 2013 Code Review Research ChicagoRuby 2013 Plugged in to SDLC Secure 360 Consulting Lone Star Ruby 2013 Assessments WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 @mkonda Converge 2014 mkonda@jemurai.com Chicago Coder Conference 2015

  13. This was a setup. Chicago style.

  16. But in Chicago, we make the best of every situation.

  18. Positive Software Security Matt Konda

  19. Let’s learn what we can from Rugged (applied to DevOps)

  20. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  21. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  22. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  23. Reminiscent of the Agile Manifesto Perhaps?

  24. Let’s talk about adversaries…

  26. This year, organized crime became the most frequently seen threat actor for Web App Attacks. Source: Verizon 2015 Data Breach Investigations Report

  29. Threat model

  35. Security Examples

  36. SELECT "orders".* FROM "orders" WHERE (rewards_code = ' a') union select id, 'product', 1, 1, 'cc', 'cvv', 'expiration', email as first_name, encrypted_password as last_name, created_at, updated_at, id, 'reward' from users; -- ')

  37. Getting Rugged? Train. Search for string concatenation: +, append prefer parameterized queries! Do code review. Use static analysis. Use web app scanning.

  38. Output Encoding < &lt; > &gt;

  39. Getting Rugged? Train. Search for {{{, innerHTML, .raw, utext, etc. Do code review. Use static analysis. Use web app scanning.

  40. Insecure Direct Object Reference Hani Joanne ? Salary Record Salary Record Authorization fail!

  43. Some Specifics Around Process

  44. Security in the SDLC • Building software is a process. • The best way to make software secure is to make security part of the process. • There are many ways to do this - none is perfect. • Find a way to make the security fit your process.

  45. Classic Waterfall Delivery Requirements Design Code Test Maintenance

  46. Classic Waterfall Delivery Requirements Design Code Security Test Maintenance

  47. Continuous Delivery: The Unit of Work is a Story Requirements Design Story Test Code

  48. Continuous Delivery: The Unit of Work is a Story Requirements Design Security Requirements Threat model / attack surface Story Test Code Security Unit Tests Static Analysis on Commit Exploratory Testing Code Review Checklists Understand Dependencies

  49. continuous delivery

  50. Classic security sees this and wants to …

  51. continuous delivery

  52. Baseline Security Requirements

  53. ARE STAKEHOLDERS ASKING FOR SECURITY?

  56. Story Points

  57. Estimates to Include Security Considerations

  58. Here’s why.

  59. Agile metrics Credit: rallydev.com

  60. Story Review

  61. Incremental Code Review

  62. Continuous Integration

  66. Static Analysis

  67. Checklists

  72. Bug Tracking

  73. Testing

  76. Operationalize

  77. Understand lifecycle

  78. Think incremental

  79. Security Requirements Security Unit Tests continuous delivery Code Review

  80. Automate security tools

  81. continuous delivery Security Tool Automation: Code analysis Security unit tests Dynamic scanning etc.

  82. continuous delivery Security Tests Run Exploratory Testing Includes Security

  83. A detailed example: • Let’s say a feature is being developed • Then devs and testers are checking a new feature • Let them browse through an attack proxy (like Burp or ZAP) in passive mode • At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks

  84. Continuous feedback

  85. continuous delivery Feedback!

  86. False Positives Are a Necessary EVIL

  87. Optimize for relevance

  88. Provisioning tools

  89. continuous delivery Since its easy to provision we can do security testing safely in a new env.

  90. Audit tools

  91. Deployment checks includes security audit checks. continuous delivery

  92. Self documenting for regulatory and compliance!

  93. Chaos tools

  94. Change is good

  95. Change is happening. It can be an opportunity instead of a hassle. continuous delivery

  96. Complexity is an enemy

  97. Decomposition to micro-services reduces dependencies and complexity. continuous delivery Small releases reduce complexity. Right now, security hurts.

  98. Shared responsibility

  99. Another principle of software delivery: build security in! Done means secure! continuous delivery Empowered to do security right!

  100. Measure results

Recommend

What is Rugged All About? Faster/Safer w/ Rugged DevOps Joshua Corman @joshcorman Rugged Software

What is Rugged All About? Faster/Safer w/ Rugged DevOps Joshua Corman @joshcorman Rugged Software

What is Rugged All About? Faster/Safer w/ Rugged DevOps Joshua Corman @joshcorman Rugged Software @RuggedSoftware ~ Marc Andreessen 2011 10/23/2013 6 @joshcorman 7 Trade Offs Costs &amp; Benefits 10/23/2013 8 @joshcorman

1.03k views • 78 slides
Investor Overview february 2014 1 a global leader and innovator in rugged tablet PCs for

Investor Overview february 2014 1 a global leader and innovator in rugged tablet PCs for

Investor Overview february 2014 1 a global leader and innovator in rugged tablet PCs for over fifteen years developers developers of the of the most rugged tablets in the market 2 Notice: This Presentation (the

512 views • 22 slides
The Road to Rugged Shannon Lietz Who I am 25+ years Technology and Security Experience

The Road to Rugged Shannon Lietz Who I am 25+ years Technology and Security Experience

The Road to Rugged Shannon Lietz Who I am 25+ years Technology and Security Experience Most of my career has been about being Rugged! Background in Security R&amp;D Working with the Cloud before it was called the Cloud --

652 views • 21 slides
The Great Depression Outcome: Herbert Hoover and Rugged Individualism

The Great Depression Outcome: Herbert Hoover and Rugged Individualism

The Great Depression Outcome: Herbert Hoover and Rugged Individualism Herbert Hoover &amp; Rugged Individualism 1. Presidency a. Won big in election of 1928

259 views • 11 slides
LITTLE LIVERPOOL RANGE From out that rough and rugged range a lofty peak arose, with

LITTLE LIVERPOOL RANGE From out that rough and rugged range a lofty peak arose, with

LITTLE LIVERPOOL RANGE From out that rough and rugged range a lofty peak arose, with buttressed base and spreading spurs, in stately calm repose. Why is the range important? Wildlife corridor Home to threatened species Balancing

576 views • 20 slides
Mediterranean Sea Rugged, Irregular Coastlinegreat for Pick ONE. Slides or Fill ins?

Mediterranean Sea Rugged, Irregular Coastlinegreat for Pick ONE. Slides or Fill ins?

5/30/2017 Mediterranean Sea Rugged, Irregular Coastlinegreat for Pick ONE. Slides or Fill ins? trade &amp; travel Connects Europe, Asia, Africa Review Checkpoint #1 is today. I will be taking your folder. Europe Part 1 Review

437 views • 9 slides
Introducing the ALGIZ RT8 Ultra-rugged efficiency ALGIZ RT8 Key features Mobility first

Introducing the ALGIZ RT8 Ultra-rugged efficiency ALGIZ RT8 Key features Mobility first

Introducing the ALGIZ RT8 Ultra-rugged efficiency ALGIZ RT8 Key features Mobility first Real-world capabilities Outdoor ruggedness Accessories for efficiency Advanced software layer ALGIZ RT8 Small profile, big impact

189 views • 17 slides
SCORPION B SCAN CRAWLER What is the Scorpion B Scan Crawler? The Scorpion is a rugged

SCORPION B SCAN CRAWLER What is the Scorpion B Scan Crawler? The Scorpion is a rugged

SCORPION B SCAN CRAWLER What is the Scorpion B Scan Crawler? The Scorpion is a rugged remote access ultrasonic crawler designed to allow cost Effective A and B-scan imaging on above ground ferro-magnetic structures without the need for

387 views • 3 slides
Even Faster: How Rugged DevOps &amp; SW Supply Chains Attack Developer Waste Josh Corman

Even Faster: How Rugged DevOps &amp; SW Supply Chains Attack Developer Waste Josh Corman

Even Faster: How Rugged DevOps &amp; SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman Conclusions / Apply! Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers Highest Quality Supply

832 views • 64 slides
ACROMAG S SMALL FORM FACTOR RUGGED SOLUTION

ACROMAG S SMALL FORM FACTOR RUGGED SOLUTION

ACROMAG S SMALL FORM FACTOR RUGGED SOLUTION www.acromag.com 248-624-1541 www.acromag.com 248-624-1541

814 views • 26 slides
Keynote

Keynote

Keynote Agile, Lean, Rugged The Paper Edition!

796 views • 51 slides
Bpo powerpoint presentation templates Mirror Link #1 This could arrange some of the latest

Bpo powerpoint presentation templates Mirror Link #1 This could arrange some of the latest

Bpo powerpoint presentation templates. It counterclockwise made a big wednesday for me. I crematory you would down the power source and volume down button for 10 games. Ash is an unprotected other and dancing engineer but he s a rugged marketing

428 views • 3 slides
Season What is NMU SAE Baja? NMU SAE Baja is: Engineering Manufacturing Marketing

Season What is NMU SAE Baja? NMU SAE Baja is: Engineering Manufacturing Marketing

2012-2013 Season What is NMU SAE Baja? NMU SAE Baja is: Engineering Manufacturing Marketing Accounting Organization The Objective Each teams goal is to build a prototype of a rugged, single seat, off-road vehicle

476 views • 10 slides
- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always predictable and you need to prepare The Panel What is Sirius? -A very rugged touch screen that remote controls a Motorola MotoTrbo radio The

354 views • 17 slides
aMAP! Project area Puyallup River Basin 900 square miles area rugged mountains

aMAP! Project area Puyallup River Basin 900 square miles area rugged mountains

LEVEE SETBACK FEASIBILITY STUDY Puyallup, Carbon, White Rivers, Pierce County, WA Mary Ann Reinhart &amp; Rob Richardson : GeoEngineers Randy Brake &amp; Dave Renstrom : Pierce County Darrell Sofield : aMAP! aMAP! Project area Puyallup

543 views • 27 slides
LIGH- T V3 Product presentation V3.0 Last edit 20.04.2018 www.elistair.com

LIGH- T V3 Product presentation V3.0 Last edit 20.04.2018 www.elistair.com

LIGH- T V3 Product presentation V3.0 Last edit 20.04.2018 www.elistair.com 0 General Description Overall Presentation Ligh-T is a rugged tethering station for multirotor drones. This

272 views • 9 slides
D I S C O V E R From pine clad clifgs to sandy bays, quench your wanderlust at Anassa. Venture

D I S C O V E R From pine clad clifgs to sandy bays, quench your wanderlust at Anassa. Venture

L O C AT I O N D I S C O V E R From pine clad clifgs to sandy bays, quench your wanderlust at Anassa. Venture into the unspoiled heart of Cyprus: visit dazzling UNESCO marvels, painted churches and breathtaking lagoons; explore the rugged

665 views • 41 slides
Sermon #243 Galatians 5:16-26 June 3, 2018 (Title Slide 1) The Fruitful Life Its a barren,

Sermon #243 Galatians 5:16-26 June 3, 2018 (Title Slide 1) The Fruitful Life Its a barren,

P a g e | 1 Sermon #243 Galatians 5:16-26 June 3, 2018 (Title Slide 1) The Fruitful Life Its a barren, dry, hot, and desolate area. (Slides 2, 3, 4) Few trees if any are found there. Nomadic shepherds roam the rugged hills and deep

80 views • 4 slides
Lectur Lecture 22: e 22: AC M AC Motor otors AC M AC Motor otors Two main types of AC

Lectur Lecture 22: e 22: AC M AC Motor otors AC M AC Motor otors Two main types of AC

Lectur Lecture 22: e 22: AC M AC Motor otors AC M AC Motor otors Two main types of AC Motors Induction (non-synchronous) Motors Workhorse of industry rugged, reliable, cheap Only stator externally excited Rotor spins

474 views • 26 slides
Product Introduction GRX2 Jan 2013 GRX2 GRX2 Physical Features: 226 GNSS

Product Introduction GRX2 Jan 2013 GRX2 GRX2 Physical Features: 226 GNSS

Product Introduction GRX2 Jan 2013 GRX2 GRX2 Physical Features: 226 GNSS Channels Rugged Integrated Design Takes a 2m pole drop IP67 Waterproof Rating Integrated RTK &amp; Static Receivers Configuration: No

127 views • 12 slides
Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp

Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp

Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp friendship and inspired by the rugged beauty of Algonquin Park, Investor Presentation they set out to create an enduring lifestyle brand that captured

623 views • 17 slides
Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp

Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp

Born in 1973 Roots was founded by Michael Budman and Don Green. United by a summer camp friendship and inspired by the rugged beauty of Algonquin Park, Investor Presentation they set out to create an enduring lifestyle brand that captured

640 views • 25 slides
ISE Measurement Seminar The world leader in serving science Doug Sterner Antonia Finlayson

ISE Measurement Seminar The world leader in serving science Doug Sterner Antonia Finlayson

ISE Measurement Seminar The world leader in serving science Doug Sterner Antonia Finlayson Adrian Vazquez Why Use ISEs? Responsive over a wide concentration range Not affected by color or turbidity of sample Rugged and durable

1.2k views • 85 slides
MOROCCO Invest in Experiences not Things ! Proud Member of MOROCCO Country information Morocco

MOROCCO Invest in Experiences not Things ! Proud Member of MOROCCO Country information Morocco

MOROCCO Invest in Experiences not Things ! Proud Member of MOROCCO Country information Morocco is a sovereign country located in the Maghreb region of North Africa. Geographically, Morocco is characterized by a rugged mountainous interior

1.07k views • 59 slides

More recommend