Talk Notes: The Infosec Perspective of DevOps: James Wickett: LASCON 2011
LASCON 2011: October 27, 2011
- Talk title: Coding Secure Infrastructure in the Cloud using the PIE framework
- James Wickett (@wickett, personal website, slideshare)
James Wickett and his ex-boss @ernestmueller are both a very special breed of people. James is well-known for his experience as an information security practitioner and his leadership in the OWASP community (he is the conference chair for the upcoming 2012 OWASP USA conference). But what makes him so interesting to me is that he is a boundary spanner. Beyond just infosec, he has experience doing IT Operations, as well as Development and DevOps practices.
(Incidentally, I believe his presentation on "The Rugged Way in the Cloud--Building Reliability and Security into Software" is one of the seminal works on how information security integrates into DevOps-style practices. It is shown below, even though that isn't the topic of this talk note:)
At LASCON, he presented with Peco Karayanev on the PIE tool they built to integrate security practices into daily development and IT operations work. It will look very similar to a DevOps presentation, but it hints at how organizations can integrate and deliver the non-functional requirements from the Rugged Computing initiative (e.g., scalable, available, survivable, securable, supportable, etc.).
Here's how they describe PIE, which is a tool they developed at National Instruments to support developing applications that are served up in the cloud:
PIE (Programmable Infrastructure Environment) is the open source cloud system management project released in the fall of 2011 that has changed how engineers build systems and manage security in the cloud. In DevOps fashion, PIE is focused on coding infrastructure that blends the lines between applications and servers.
The PIE project began when we built our very large scale cloud-based products and we focused on building a rugged, highly available system that would run resiliently in the face of failures. We knew we had to treat our "Infrastructure as Code" and from that theory PIE was born. Along the way we have learned how hard that can be. Come hear how to use PIE to shape your cloud deployment and secure your infrastructure.
This presentation will feature the main developer of PIE, Peco Karayanev, who will give insight into how to transform your infrastructure using PIE.
Incidentally, Josh Corman and I are presenting an extension of these concepts and prescriptive steps at RSA 2012 in a presentation called "Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed."
Okay, here are the notes/tweets from James' presentation:
- @wickett/Karayanev: @wickett/@ernestmueller are amazing boundary spanners between Infosec, IT ops and Dev: always awesome insights
- "Biggest surprise: how easily in PIE we had assurance that we knew about all deployment and changes, DevOps style"
- "What do we like about PIE? Collab system design/development; automated building/provisioning/controlling cloud"
- "From source to running system in minutes; for Azure, 1h; all infrastructure as code (#puppet/#chef)"
- "We use PIE for cloud provisioning, creating new env, backups, logging, testing, release, revision ctrl, etc."
- "The most difficult part of defining architecture is the arrows: the dependencies. Architects not used to rigor up front" info on PIE for @mortman: http://t.co/sRqSYzQs
- "We wanted to abstract all cloud providers for PIE, just in case Rackspace came to us w/sweet deal."
- "Never again will dev give ops something to deploy, who then need to ask for firewall port open" (Haha)
- "All security testing being run by Dev, not Ops or Infosec. Noticing vulns/defects fixed faster" #devops
- "We use Campfire extensively to keep entire global team sync'ed." #rugged #devops
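Three of the tweets above describe the same practice from different angles: the architecture's "arrows" (dependencies) have to be declared up front, the firewall ports an app needs are declared with the app instead of requested from Ops afterwards, and the security checks run on the Dev side before anything is deployed. The script below is an added illustration of that idea and is not PIE's own code or file format; the environment definition, its field names (`nodes`, `listens`, `depends_on`, `public_ports_allowed`) and the sample values are constructed here to show what an infrastructure-as-code pre-deployment check can catch: a dependency on a node that does not exist, a dependency whose target has no ingress rule for the caller, a port opened to the world that policy does not allow, and a dependency cycle.

```python
from __future__ import annotations

import json

# Constructed sample environment definition (hypothetical format, not PIE's).
# Each node declares what it listens on and who it depends on, so the
# "arrows" and the firewall openings live in the same revision-controlled file.
SAMPLE_ENV = json.loads("""
{
  "nodes": {
    "web":   {"listens": [{"port": 443,  "from": "0.0.0.0/0"}], "depends_on": ["app"]},
    "app":   {"listens": [{"port": 8080, "from": "web"}],       "depends_on": ["db", "cache", "queue"]},
    "db":    {"listens": [{"port": 5432, "from": "0.0.0.0/0"}], "depends_on": []},
    "cache": {"listens": [{"port": 6379, "from": "app"}],       "depends_on": ["app"]}
  },
  "public_ports_allowed": [443]
}
""")


def find_cycles(deps: dict[str, list[str]]) -> list[list[str]]:
    """Return every dependency cycle found by a colouring DFS over the graph."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {name: WHITE for name in deps}
    stack: list[str] = []
    cycles: list[list[str]] = []

    def visit(node: str) -> None:
        color[node] = GREY
        stack.append(node)
        for target in deps.get(node, []):
            if target not in color:
                continue  # unknown nodes are reported by validate_environment
            if color[target] == GREY:
                # Back edge: the cycle is the stack from `target` onwards
                cycles.append(stack[stack.index(target):] + [target])
            elif color[target] == WHITE:
                visit(target)
        stack.pop()
        color[node] = BLACK

    for name in deps:
        if color[name] == WHITE:
            visit(name)
    return cycles


def validate_environment(env: dict) -> list[tuple[str, str]]:
    """Check an environment definition; returns (kind, detail) findings."""
    nodes = env["nodes"]
    allowed_public = set(env.get("public_ports_allowed", []))
    findings: list[tuple[str, str]] = []

    for name, spec in nodes.items():
        for dep in spec.get("depends_on", []):
            if dep not in nodes:
                findings.append(("unknown-dependency", f"{name} -> {dep}: no such node"))
                continue
            # The dependency target must admit traffic from the caller,
            # either by name or through a CIDR rule.
            sources = {rule["from"] for rule in nodes[dep].get("listens", [])}
            if name not in sources and not any("/" in src for src in sources):
                findings.append(("missing-ingress",
                                 f"{name} -> {dep}: {dep} has no listen rule admitting {name}"))
        for rule in spec.get("listens", []):
            if rule["from"] == "0.0.0.0/0" and rule["port"] not in allowed_public:
                findings.append(("public-exposure",
                                 f"{name}:{rule['port']} open to the world; "
                                 f"allowed public ports: {sorted(allowed_public)}"))

    graph = {name: spec.get("depends_on", []) for name, spec in nodes.items()}
    for cycle in find_cycles(graph):
        findings.append(("dependency-cycle", " -> ".join(cycle)))
    return findings


def is_deployable(env: dict) -> bool:
    """Gate a deployment on a clean validation run."""
    return not validate_environment(env)


if __name__ == "__main__":
    for kind, detail in validate_environment(SAMPLE_ENV):
        print(f"[{kind}] {detail}")
    print("deployable:", is_deployable(SAMPLE_ENV))
```

Run against the constructed sample, the check reports four findings: `app` depends on a `queue` node nobody defined, `db` exposes 5432 to the world while policy only allows 443, `cache` depends on `app` but `app` only admits `web`, and `app -> cache -> app` is a cycle. Each of these is the kind of defect that otherwise surfaces as a firewall ticket or an outage after deployment; catching it in the same pipeline that builds the environment is what lets the Dev team own the testing.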
Also, they are looking for people to use PIE, and other people who want to contribute to its development. (Contact @ernestmueller or @wickett for more info!)