Compliance-Driven Infrastructure

Transcript

1. COMPLIANCE-DRIVEN INFRASTRUCTURE the quest to make testing and security part

   of devops Christoph Hartmann @chri_hartmann | [email protected]

2. @chri_hartmann $> whoami Christoph Hartmann • 8 years in industry

   • Deutsche Telekom and SAP • Co-Founded startup VulcanoSec • need for missing compliance solutions • close collaboration with auditors • Acquired by Chef Software • heading engineering for compliance • InSpec Creator

3. Why do we need compliance? Is compliance preventing innovation? Compliance-Driven

   Infrastructure

4. Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

5. None
6. None

7. Regulatory Compliance PCI-DSS Gramm-Leach-Bliley Act HIPAA Dodd-Frank ISO Sarbanes-Oxley HITECH

   Grundschutz European Central Bank Regulations

8. COMPLIANCE AND SECURITY Compliance Security

9. State of Security in 2014 • In 60% of cases,

   attackers can compromise organizations within minutes. • 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published. • Ten vulnerabilities account for 97% of the exploits observed. Verizon Data Breach Report

10. Why do we need compliance? Is compliance preventing innovation? Compliance-Driven

    Infrastructure

11. Deployment Compliance DevOps

12. compliance is perceived as blocker

13. None
14. None

15. Language Compliance DevOps Security

16. Scale

17. Scale

18. Scale

19. QUALITY VELOCITY Innovation Quality/ Security/ Compliance The tradeoff myth

20. Book: The High Velocity Edge - Steven J. Spears Competitive

    advantage

21. Why do we need compliance? Is compliance preventing innovation? Compliance-Driven

    Infrastructure

22. Security meets operations Compliance DevOps Security

23. Common Language Language Compliance DevOps Security

24. InSpec turns infrastructure testing, compliance and security requirements into code

25. Documentation SSH supports two different protocol versions. The original version,

    SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

26. Scripting tools

27. The better way TESTING A REQUIREMENT

28. Compliance Language

29. Standalone Usage $ inspec exec test.rb $ inspec exec test.rb

    -i vagrant.key -t ssh://[email protected]:11022 $ inspec exec test.rb -t winrm://[email protected] --password super $ inspec exec test.rb -t docker://3cc8837bb6a8 describe sshd_config do its('Protocol') { should cmp 2 } end

30. Supported Operating Sysyems

31. apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge, bsd_service,

    command, csv, directory, etc_group, file, gem, group, groups, grub_conf, host, iis_site, inetd_conf, ini, interface, iptables, json, kernel_module, kernel_parameter, launchd_service, limits_conf, login_defs, mount, mssql_session, mysql, mysql_conf, mysql_session, npm, ntp_conf, oneget, os, os_env, package, parse_config, parse_config_file, passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, ppa, processes, registry_key, runit_service, script, security_policy, service, shadow, ssh_config, sshd_config, ssl, sys_info, systemd_service, sysv_service, upstart_service, user, users, vbscript, windows_feature, wmi, xinetd_conf, yaml, yum Built-in resources

32. Works with all DevOps tools e.g.

33. Silo Breaking • Build foundation for communication • Share knowledge

    and code • Codify agreements after audits

34. Mapping of Compliance Document to InSpec

35. Make Adjustments My CIS L1 (inspec overlay) CIS Lvl1 (xml

    base profile)

36. Optimize for specific environments Dev Production Test My CIS L1

    (inspec overlay) CIS Lvl1 (xml base profile)

37. InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening

    Profile Linux Patch Profile github.com/dev-sec github.com/chris-rock/acme-inspec-profile

38. InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening

    Profile Linux Patch Profile github.com/dev-sec github.com/chris-rock/acme-inspec-profile

39. InSpec Profiles

40. Continuous Compliance Compliance DevOps

41. Continuous Compliance

42. Continuous Compliance Scan for Compliance Build & Test Locally Build

    & Test CI/CD Remediate Verify

43. Continuous Compliance DevOps Compliance Security

44. The changing role of the compliance officer

45. Continuous Compliance

46. Why do we need compliance? Is compliance preventing innovation? Compliance-Driven

    Infrastructure

47. Further Resources inspec.io • Hands on tutorials • Extensive documentation

    • Code examples learn.chef.io • More tutorials about Compliance and Inspec

48. Further Resources Save Your Crash Dummies! A Test-driven Infrastructure Solution

    http://bit.ly/crash_dummies dev-sec.io github.com/dev-sec/tests-os-hardening github.com/dev-sec/tests-ssh-hardening github.com/dev-sec/windows-patch-benchmark github.com/dev-sec/linux-patch-benchmark

49. @chri_hartmann Christoph Hartmann Join [email protected]

50. Chef vs InSpec