Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Compliance-Driven Infrastructure

Christoph Hartmann
November 15, 2016
Technology
0
140

Compliance-Driven Infrastructure

Christoph Hartmann

November 15, 2016
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications
chrisrock
0
16
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
600
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
200
Chef Summit London: InSpec Keynote
chrisrock
0
240
AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec
chrisrock
0
140
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
200
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
140
Infrastructure and Security Testing with InSpec
chrisrock
0
190

Other Decks in Technology

See All in Technology
Semantic KernelでGPTと外部ツールを連携する
takashi1029
1
1.1k
MySQL and Vitess (and Kubernetes) at HubSpot
jfg956
0
150
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
2
460
カーネルコードの歩き方
sat
PRO
3
2.5k
Search Evolution - Keeping up with the hype?
spinscale
0
120
どうしてもcgoから逃げられなくなったあなたに知ってほしいcgoの使い方入門
sakiengineer
1
490
ChatGPTとこころを整理してみる
nagauta
0
370
NAB Show 2023 動画技術関連レポート / NAB Show 2023 Report
cyberagentdevelopers
PRO
1
120
Get started with OSS contributions
sinsoku
2
640
ChatGPTを活用した 便利ツールの紹介
hankehly
0
400
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
150
KEDAで始めるイベント駆動システム #k8snovice / keda-tutorial
chmikata
1
130

Featured

See All Featured
Infographics Made Easy
chrislema
236
17k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
Web Components: a chance to create the future
zenorocha
304
41k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
A Tale of Four Properties
chriscoyier
149
21k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.3k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
The Art of Programming - Codeland 2020
erikaheidi
37
11k
GraphQLとの向き合い方2022年版
quramy
23
11k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k
Large-scale JavaScript Application Architecture
addyosmani
500
110k

Transcript

  1. COMPLIANCE-DRIVEN INFRASTRUCTURE
    the quest to make testing and security part of devops
    Christoph Hartmann
    @chri_hartmann | [email protected]

    View Slide

  2. @chri_hartmann
    $> whoami
    Christoph Hartmann
    • 8 years in industry
    • Deutsche Telekom and SAP
    • Co-Founded startup VulcanoSec
    • need for missing compliance solutions
    • close collaboration with auditors
    • Acquired by Chef Software
    • heading engineering for compliance
    • InSpec Creator

    View Slide

  3. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

    View Slide

  4. Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

    View Slide

  5. View Slide

  6. View Slide

  7. Regulatory Compliance
    PCI-DSS Gramm-Leach-Bliley Act HIPAA
    Dodd-Frank ISO Sarbanes-Oxley
    HITECH Grundschutz
    European Central Bank
    Regulations

    View Slide

  8. COMPLIANCE AND SECURITY
    Compliance
    Security

    View Slide

  9. State of Security in 2014
    • In 60% of cases, attackers can compromise organizations
    within minutes.
    • 99.9% of the exploited vulnerabilities were compromised
    more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits
    observed.
    Verizon Data Breach Report

    View Slide

  10. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

    View Slide

  11. Deployment
    Compliance
    DevOps

    View Slide

  12. compliance
    is perceived as blocker

    View Slide

  13. View Slide

  14. View Slide

  15. Language
    Compliance DevOps
    Security

    View Slide

  16. Scale

    View Slide

  17. Scale

    View Slide

  18. Scale

    View Slide

  19. QUALITY
    VELOCITY
    Innovation
    Quality/
    Security/
    Compliance
    The tradeoff myth

    View Slide

  20. Book: The High Velocity Edge - Steven J. Spears
    Competitive advantage

    View Slide

  21. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

    View Slide

  22. Security meets operations
    Compliance DevOps
    Security

    View Slide

  23. Common Language
    Language
    Compliance DevOps
    Security

    View Slide

  24. InSpec turns infrastructure testing, compliance
    and security requirements into code

    View Slide

  25. Documentation
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

    View Slide

  26. Scripting tools

    View Slide

  27. The better way
    TESTING A REQUIREMENT

    View Slide

  28. Compliance Language

    View Slide

  29. Standalone Usage
    $ inspec exec test.rb
    $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    $ inspec exec test.rb -t winrm://[email protected] --password super
    $ inspec exec test.rb -t docker://3cc8837bb6a8
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end

    View Slide

  30. Supported Operating Sysyems

    View Slide

  31. apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge,
    bsd_service, command, csv, directory, etc_group, file, gem, group, groups, grub_conf, host,
    iis_site, inetd_conf, ini, interface, iptables, json, kernel_module, kernel_parameter,
    launchd_service, limits_conf, login_defs, mount, mssql_session, mysql, mysql_conf,
    mysql_session, npm, ntp_conf, oneget, os, os_env, package, parse_config, parse_config_file,
    passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, ppa, processes,
    registry_key, runit_service, script, security_policy, service, shadow, ssh_config,
    sshd_config, ssl, sys_info, systemd_service, sysv_service, upstart_service, user, users, vbscript,
    windows_feature, wmi, xinetd_conf, yaml, yum
    Built-in resources

    View Slide

  32. Works with all DevOps tools e.g.

    View Slide

  33. Silo Breaking
    • Build foundation for communication
    • Share knowledge and code
    • Codify agreements after audits

    View Slide

  34. Mapping of Compliance Document to InSpec

    View Slide

  35. Make Adjustments
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

    View Slide

  36. Optimize for specific environments
    Dev
    Production
    Test
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

    View Slide

  37. InSpec Profiles
    Windows Patch
    Profile
    OS Hardening
    Profile
    SSH Hardening
    Profile
    Linux Patch
    Profile
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile

    View Slide

  38. InSpec Profiles
    Windows Patch
    Profile
    OS Hardening
    Profile
    SSH Hardening
    Profile
    Linux Patch
    Profile
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile

    View Slide

  39. InSpec Profiles

    View Slide

  40. Continuous Compliance
    Compliance
    DevOps

    View Slide

  41. Continuous Compliance

    View Slide

  42. Continuous Compliance
    Scan for
    Compliance
    Build &
    Test Locally
    Build &
    Test CI/CD Remediate Verify

    View Slide

  43. Continuous Compliance
    DevOps Compliance Security

    View Slide

  44. The changing role of the compliance officer

    View Slide

  45. Continuous Compliance

    View Slide

  46. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

    View Slide

  47. Further Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    learn.chef.io
    • More tutorials about
    Compliance and Inspec

    View Slide

  48. Further Resources
    Save Your Crash Dummies!
    A Test-driven Infrastructure Solution
    http://bit.ly/crash_dummies
    dev-sec.io
    github.com/dev-sec/tests-os-hardening
    github.com/dev-sec/tests-ssh-hardening
    github.com/dev-sec/windows-patch-benchmark
    github.com/dev-sec/linux-patch-benchmark

    View Slide

  49. @chri_hartmann
    Christoph Hartmann
    Join
    [email protected]

    View Slide

  50. Chef vs InSpec

    View Slide