Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec

Christoph Hartmann
October 24, 2017
Technology
0
140

AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec

Best-practices for server hardening and patching have been in place for decades. Nevertheless, it is still very cumbersome to enforce those rules continuously and many servers are still unsecured in 2016. DevOps tools like Chef, Puppet or Ansible help to enforce secure configuration, but they cannot fully assess a state of a machine e.g. you cannot easily verify if something is not installed. InSpec is here to help. It is an open source tool for infrastructure, security and compliance testing. InSpec’s DSL is a human and machine-readable assessment language that is extendable and customizable. Since testing can be fully automated with InSpec, companies are enabled to assess and enforce secure configuration across their IT fleet. Integration with CI/CD systems allows continuous testing in high-velocity organizations. This talk will give an introduction to InSpec and demonstrate how patch and security level can be assessed in CI/CD and production environments.

Christoph Hartmann

October 24, 2017
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications
chrisrock
0
16
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
600
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
200
Chef Summit London: InSpec Keynote
chrisrock
0
240
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
190
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
140
Compliance-Driven Infrastructure
chrisrock
0
140
Infrastructure and Security Testing with InSpec
chrisrock
0
190

Other Decks in Technology

See All in Technology
Mirror mirror... what am I typing next?
spinscale
0
140
ジェネレーティブAI実践入門/20230524
yoshidashingo
4
2.3k
SQLを活用したデータ分析におけるChatGPTの活用法
hikarut
6
2.5k
社内でChatGPTを利用するためのガイドラインを整備した話
yoshikieguchi
0
690
Snowflake×dbt×Terraformでモダンなデータ基盤開発してみた
kevinrobot34
0
270
[Journal club] Hyena Hierarchy: Towards Larger Convolutional Language Models
keio_smilab
PRO
1
110
AI in Action
charmichokshi
0
140
とあるQAエンジニアが、マイクロサービスの開発チームと、出会ったーー / Scrum Fest Niigata 2023
yoyakoba
0
110
ShowNet2022 Topology
shownet
PRO
0
640
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
2
300
[春のDojo祭り'23] データドリブンな時代に求められるプロセスマイニング入門
tkhresk
0
130
Google I/O 2023で話されたWeb MLの話を紹介したい! / IoTLT vol.99
you
0
100

Featured

See All Featured
Designing Experiences People Love
moore
130
22k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Mobile First: as difficult as doing things right
swwweet
213
8k
What the flash - Photography Introduction
edds
64
10k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
RailsConf 2023
tenderlove
0
88
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
Music & Morning Musume
bryan
37
4.8k
Clear Off the Table
cherdarchuk
81
300k
BBQ
matthewcrist
75
8.2k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
How GitHub Uses GitHub to Build GitHub
holman
466
280k

Transcript

  1. Continuous Patch and
    Security Assessment with InSpec
    Christoph Hartmann
    Lead Engineer
    Chef Software
    @chri_hartmann

    View Slide

  2. @chri_hartmann
    $> whoami
    Christoph Hartmann
    • Engineering Lead at Chef Software
    • Co-Founded Dev-Sec.io project
    • Co-Founder of VulcanoSec
    • Acquired by Chef Software
    • InSpec Creator
    chris-rock

    View Slide

  3. InSpec turns infrastructure testing, compliance
    and security requirements into code

    View Slide

  4. Agenda
    Compliance
    DevOps

    View Slide

  5. Challenges in Production
    #1

    View Slide

  6. The tip of the iceberg
    Heartbleed Shellshock WannaCry
    Cyber-Threat landscape

    View Slide

  7. 73%
    Financially
    motivated
    51%
    Organized
    Criminal
    Groups
    75%
    External
    attacker
    Verizon Data Breach
    Report 2017
    The tip of the iceberg
    Cyber-Threat landscape

    View Slide

  8. State of Security in 2014
    • In 60% of cases, attackers can compromise organizations
    within minutes.
    • 99.9% of the exploited vulnerabilities were compromised
    more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits
    observed.
    Verizon Data Breach Report

    View Slide

  9. OWASP Top 10

    View Slide

  10. A5 – Security Misconfiguration
    Good security requires having a secure configuration defined and deployed for the application,
    frameworks, application server, web server, database server, platform, etc. Secure settings should be
    defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept
    up to date.
    A9 – Using Components with Known Vulnerabilities
    Components, such as libraries, frameworks, and other software modules, run with the same privileges as
    the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or
    server takeover. Applications and APIs using components with known vulnerabilities may undermine
    application defenses and enable various attacks and impacts.
    OWASP Top 10

    View Slide

  11. Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

    View Slide

  12. View Slide

  13. View Slide

  14. Regulatory Compliance
    PCI-DSS Gramm-Leach-Bliley Act HIPAA
    Dodd-Frank ISO Sarbanes-Oxley
    HITECH Grundschutz
    European Central Bank
    Regulations

    View Slide

  15. Reporting of compliance activity is extensive
    EY – A time of evolution for
    compliance: laying foundations
    for future success

    View Slide

  16. Huge scope remains for tapping into the
    power of technology
    EY – A time of evolution for
    compliance: laying foundations
    for future success

    View Slide

  17. COMPLIANCE AND SECURITY
    Compliance
    Security

    View Slide

  18. Let’s Automate
    #2

    View Slide

  19. View Slide

  20. View Slide

  21. github.com/dev-sec

    View Slide

  22. View Slide

  23. Scale

    View Slide

  24. Scale

    View Slide

  25. Scale

    View Slide

  26. View Slide

  27. View Slide

  28. Agenda
    Compliance
    DevOps

    View Slide

  29. Wait!
    #3

    View Slide

  30. View Slide

  31. Drivers for Compliance
    Security
    Reduce risk and protect business
    Liability
    Avoid negligence

    View Slide

  32. View Slide

  33. Language
    Compliance DevOps
    Security

    View Slide

  34. Compliance-Driven
    Infrastructure
    #4

    View Slide

  35. Tradeoff: Speed vs Risk
    DevOps teams focus on faster
    innovation, potentially increasing
    risk
    InfoSec teams focus on mitigating
    risk, potentially reducing speed

    View Slide

  36. QUALITY/COMPLIANCE
    RATE OF INNOVATION
    Scale Speed and Compliance

    View Slide

  37. Detect
    Correct
    Compliance Continuous

    View Slide

  38. Let’s talk about solutions
    github.com/dev-sec

    View Slide

  39. Works with all DevOps tools e.g.

    View Slide

  40. InSpec turns infrastructure testing, compliance
    and security requirements into code

    View Slide

  41. Surface check
    #1: Know your security stance

    View Slide

  42. Surface check Deep analysis
    #1: Know your security stance

    View Slide

  43. • Operating Systems
    • DBs, AppServers
    • Apps
    • On-prem, Cloud,
    Hybrid, Containers
    Deep analysis
    #1: Know your security stance

    View Slide

  44. Faulty assumptions
    #1: Know your security stance

    View Slide

  45. Faulty assumptions
    #1: Know your security stance

    View Slide

  46. • Prevent insecure production env.
    • Report and alert continuously
    • Provide proof
    Faulty assumptions
    #1: Know your security stance

    View Slide

  47. Documentation
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

    View Slide

  48. Scripting tools

    View Slide

  49. The better way
    TESTING A REQUIREMENT

    View Slide

  50. Standalone Usage
    $ inspec exec test.rb
    $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    $ inspec exec test.rb -t winrm://[email protected] --password super
    $ inspec exec test.rb -t docker://3cc8837bb6a8
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end

    View Slide

  51. Mapping of Compliance Document to InSpec

    View Slide

  52. Compliance Language

    View Slide

  53. apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge
    bsd_service command crontab csv dh_params directory docker docker_container
    docker_image etc_group file gem group groups grub_conf host http iis_site iis_website
    inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa
    launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf
    mysql_session npm ntp_conf oneget oracledb_session os os_env package packages
    parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session
    powershell ppa processes rabbitmq_config registry_key runit_service script
    security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service
    sysv_service upstart_service user users vbscript windows_feature windows_registry_key
    windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset
    zfs_pool
    Built-in resources

    View Slide

  54. Supported Operating Systems

    View Slide

  55. InSpec Profiles
    Folder Structure

    View Slide

  56. InSpec Profiles
    inspec.yml

    View Slide

  57. $ inspec supermarket profiles
    == Available profiles:
    * apache2-compliance-test-tthompson thompsontelmate/apache2-
    compliance-test-tthompson
    * Apache DISA STIG som3guy/apache-disa-stig
    * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
    * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
    * chef-client-hardening sliim/chef-client-hardening
    * CIS Docker Benchmark dev-sec/cis-docker-benchmark
    * CVE-2016-5195 ndobson/cve-2016-5195
    * DevSec Apache Baseline dev-sec/apache-baseline
    InSpec Supermarket

    View Slide

  58. github.com/dev-sec

    View Slide

  59. DevSec InSpec Profiles
    Operating Systems
    DevSec Linux Baseline
    DevSec Linux Patch Baseline
    DevSec Windows Baseline
    DevSec Windows Patch Baseline
    DevSec SSH Baseline
    DevSec SSL/TLS Baseline
    CIS Distribution Independent
    Applications
    DevSec Nginx Baseline
    DevSec MySQL Baseline
    DevSec PHP baseline
    DevSec Apache Baseline
    DevSec PostgreSQL Baseline
    Application Runtimes
    DevSec OpenStack Baseline
    CIS Docker Benchmark
    CIS Kubernetes Benchmark

    View Slide

  60. Linux Patch
    Benchmark Acme Inc
    include_controls ’linux-patch baseline’
    depends:
    - name: linux-patch baseline
    InSpec Profile Management

    View Slide

  61. Manage Baselines
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

    View Slide

  62. Manage Baseline Overlays
    Dev
    Production
    Test
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

    View Slide

  63. InSpec Profiles
    github.com/dev-sec
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline

    View Slide

  64. InSpec Profiles
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline

    View Slide

  65. InSpec Profiles
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile

    View Slide

  66. InSpec Profiles

    View Slide

  67. Continuous Compliance
    Compliance
    DevOps

    View Slide

  68. Continuous Compliance
    Scan for
    Compliance
    Build &
    Test Locally
    Build &
    Test CI/CD Remediate Verify

    View Slide

  69. Outlook
    #4

    View Slide

  70. 225 releases
    (once a week)
    19 days
    Issue resolution time
    137 Contributors 880 Stars
    InSpec Project Health

    View Slide

  71. Infrastructure

    View Slide

  72. chef/inspec-vmware
    chef/inspec-azure chef/inspec-aws
    InSpec for Platforms

    View Slide

  73. describe aws_iam_user(’iam_user') do
    its('has_mfa_enabled?') { should be false }
    its('has_console_password?') { should be false }
    end
    InSpec for AWS

    View Slide

  74. describe azure_virtual_machine(name: 'Linux-
    Internal-VM', resource_group: 'Inspec-Azure') do
    its('sku') { should eq '16.04.0-LTS' }
    its('publisher') { should eq 'Canonical' }
    its('offer') { should eq 'UbuntuServer' }
    its('size') { should eq 'Standard_DS2_v2' }
    its('location') { should eq 'westeurope' }
    its('admin_username') { should eq 'azure' }
    end
    InSpec for Azure

    View Slide

  75. control 'vmware-7.3.3' do
    impact 0.7
    title 'Ensure that the vSwitch Promiscuous
    Mode policy is set to reject.'
    describe vmhost_vswitch(datacenter: 'vm001',
    host: 'localhost.localdomain',vswitch:
    'vSwitch0') do
    its('allowPromiscuous') { should be false }
    end
    end
    InSpec for VmWare

    View Slide

  76. Further Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    dev-sec.io
    • github.com/dev-sec/linux-baseline
    • github.com/dev-sec/windows-baseline
    • github.com/dev-sec/windows-patch-baseline
    • github.com/dev-sec/linux-patch-baseline

    View Slide

  77. Join
    github.com/chef/inspec

    View Slide

  78. Session Title
    Your Name
    Your Title
    Your Company
    Your @TwitterHandle

    View Slide

  79. Session Title
    Your Name
    Your Title
    Your Company
    Your @TwitterHandle

    View Slide

  80. @chri_hartmann
    Christoph Hartmann
    [email protected]

    View Slide

  81. bit.ly/addo-slack
    Find me on slack, right now!

    View Slide

  82. View Slide