
DevSec: Continuous Patch and Security Assessment with InSpec

Christoph Hartmann

November 15, 2018
Transcript

  1. DevSec: Continuous Patch and
    Security Assessment with InSpec
    Christoph Hartmann
    Lead Engineer
    Chef Software
    @chri_hartmann
    Patrick Münch
    IT-Security Consultant
    SVA GmbH
    @atomiczero111

  2. $> whoami
    • IT-Security Consultant at SVA GmbH
    • Co-Founded Dev-Sec.io project
    • Penetration-Testing
    • Offensive Security Certified Professional
    • Offensive Security Certified Expert
    @atomiczero111
    Patrick Münch
    atomic111

  3. @chri_hartmann
    $> whoami
    Christoph Hartmann
    • Engineering Lead at Chef Software
    • Co-Founded Dev-Sec.io project
    • Co-Founder of VulcanoSec
    • Acquired by Chef Software
    • InSpec Creator
    chris-rock

  4. Agenda
    Compliance
    DevOps

  5. Join
    github.com/chef/inspec
    Join
    github.com/dev-sec

  6. Challenges

  7. The tip of the iceberg
    Heartbleed Shellshock WannaCry
    Cyber-Threat landscape

  8. State of Security in 2014
    • In 60% of cases, attackers can compromise organizations
    within minutes.
    • 99.9% of the exploited vulnerabilities were compromised
    more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits
    observed.
    Verizon Data Breach Report

  9. OWASP Top 10

  10. A5 – Security Misconfiguration
    Good security requires having a secure configuration defined and deployed for the application, frameworks,
    application server, web server, database server, platform, etc. Secure settings should be defined,
    implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to
    date.
    A9 – Using Components with Known Vulnerabilities
    Components, such as libraries, frameworks, and other software modules, run with the same privileges as
    the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or
    server takeover. Applications and APIs using components with known vulnerabilities may undermine
    application defenses and enable various attacks and impacts.
    OWASP Top 10

  11. Source:
    http://content.time.com/time/covers/europe/0,16641,20020708,00.html

  14. Regulatory Compliance
    PCI-DSS Gramm-Leach-Bliley Act HIPAA
    Dodd-Frank ISO Sarbanes-Oxley
    HITECH Grundschutz
    European Central Bank
    Regulations

  15. Reporting of compliance activity is extensive
    EY – A time of evolution for
    compliance: laying foundations
    for future success

  16. Huge scope remains for tapping into the power of
    technology
    EY – A time of evolution for
    compliance: laying foundations
    for future success

  17. COMPLIANCE AND SECURITY
    Compliance
    Security

  18. Automation

  21. github.com/dev-sec

  23. Scale

  26. DevOps Cloud IoT

  28. Compliance
    DevOps

  29. Security & Compliance

  32. Language
    Compliance DevOps
    Security

  33. Compliance-Driven
    Infrastructure

  34. Tradeoff: Speed vs Risk
    DevOps teams focus on faster
    innovation, potentially increasing
    risk
    InfoSec teams focus on mitigating
    risk, potentially reducing speed

  35. Drivers for Compliance
    Security
    Reduce risk and protect business
    Liability
    Avoid negligence

  36. QUALITY/COMPLIANCE
    RATE OF INNOVATION
    Scale Speed and Compliance

  37. Detect
    Correct
    Compliance Continuous

  38. Let’s talk about solutions
    github.com/dev-sec

  39. Works with all DevOps tools e.g.

  40. InSpec turns infrastructure testing, compliance
    and security requirements into code

  41. Surface check
    #1: Know your security stance

  42. Surface check Deep analysis
    #1: Know your security stance

  43. • Operating Systems
    • DBs, AppServers
    • Apps
    • On-prem, Cloud, Hybrid,
    Containers
    Deep analysis
    #1: Know your security stance

  44. Faulty assumptions
    #1: Know your security stance

  46. • Prevent insecure production env.
    • Report and alert continuously
    • Provide proof
    Faulty assumptions
    #1: Know your security stance

  47. Documentation
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  48. Scripting tools

  49. The better way
    TESTING A REQUIREMENT

  50. Standalone Usage
    $ inspec exec test.rb
    $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    $ inspec exec test.rb -t winrm://[email protected] --password super
    $ inspec exec test.rb -t docker://3cc8837bb6a8
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end
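The one-line InSpec test on this slide, re-implemented in plain Ruby as an added example (it is not code from the deck, from InSpec or from the DevSec profiles), so that the requirement can be exercised without an InSpec install: it parses the global section of an sshd_config, applies an approximation of InSpec's `cmp` matcher, and covers the case the one-liner misses, a server on OpenSSH 7.4 or later that has no Protocol directive at all because SSHv1 server support was removed. The three sshd_config samples, the control name `sshd-protocol-2` and the `openssh_version` parameter are constructed for the example. A practitioner's caveat on the commands above: `--password super` on the command line lands in shell history and is visible to other local users through the process list; prefer key-based authentication as in the SSH example.

```ruby
require 'rubygems' # Gem::Version ships with Ruby's standard distribution

# Parse the global section of an sshd_config into { lowercased directive => value }.
# Assumptions (mirroring sshd): keys are case-insensitive, the FIRST occurrence of
# a directive wins, lines beginning with '#' are comments, and everything after the
# first "Match" line is conditional and therefore not part of the global config.
def parse_sshd_config(text)
  config = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    next if value.nil?
    key = key.downcase
    break if key == 'match'
    config[key] ||= value.strip
  end
  config
end

# Approximation of InSpec's `cmp` matcher for this use: case-insensitive string
# equality, or numeric equality when both sides are integers. The real matcher
# handles more cases (versions, octal modes, ...); this is enough for "Protocol".
def cmp_equal?(actual, expected)
  return false if actual.nil?
  a = actual.to_s.strip
  e = expected.to_s.strip
  return a.to_i == e.to_i if a.match?(/\A-?\d+\z/) && e.match?(/\A-?\d+\z/)
  a.casecmp?(e)
end

# The requirement from the slide: sshd must speak protocol version 2 only.
# Edge case the one-line InSpec test does not cover: OpenSSH 7.4 and later
# have no SSHv1 server support and no Protocol directive, so an absent
# directive is a pass only when the version is known to be >= 7.4.
# Without version information the check fails closed.
def protocol_v2_only?(config, openssh_version: nil)
  protocol = config['protocol']
  if protocol.nil?
    return false if openssh_version.nil?
    return Gem::Version.new(openssh_version) >= Gem::Version.new('7.4')
  end
  cmp_equal?(protocol, 2)
end

# Produce an InSpec-style result for one control (control id is made up here).
def assess_ssh_protocol(text, openssh_version: nil)
  config = parse_sshd_config(text)
  passed = protocol_v2_only?(config, openssh_version: openssh_version)
  { control: 'sshd-protocol-2',
    status: passed ? 'passed' : 'failed',
    actual: config.fetch('protocol', '<absent>') }
end

# Constructed sample configs (not taken from any real host).
WEAK_SSHD_CONFIG = <<~CONF
  # legacy host: still negotiates SSHv1
  Port 22
  Protocol 2,1
  PermitRootLogin no
CONF

# The duplicate "Protocol 1" and the Match block are deliberate: sshd keeps the
# first occurrence and treats Match-block directives as conditional, so both
# must be ignored by a correct check.
HARDENED_SSHD_CONFIG = <<~CONF
  Port 22
  protocol 2
  Protocol 1
  PermitRootLogin no
  Match User backup
    Protocol 1
CONF

MODERN_SSHD_CONFIG = <<~CONF
  # OpenSSH >= 7.4 ships without a Protocol directive
  Port 22
  PermitRootLogin no
CONF

if __FILE__ == $PROGRAM_NAME
  puts assess_ssh_protocol(WEAK_SSHD_CONFIG)
  puts assess_ssh_protocol(HARDENED_SSHD_CONFIG)
  puts assess_ssh_protocol(MODERN_SSHD_CONFIG, openssh_version: '7.9')
  puts assess_ssh_protocol(MODERN_SSHD_CONFIG)
end
```

Run the file directly to print one result per sample: the weak config fails on `2,1`, the hardened one passes despite the later `Protocol 1` lines, and the modern config passes only when a version of 7.4 or newer is supplied. In an InSpec profile the same version guard would be a separate control keyed on the installed OpenSSH package version, for example through the `package` resource listed on the built-in resources slide, rather than a bare `its('Protocol') { should cmp 2 }` that fails on every current OpenSSH.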

  51. Mapping of Compliance Document to InSpec

  52. Compliance Language

  53. apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge
    bsd_service command crontab csv dh_params directory docker docker_container
    docker_image etc_group file gem group groups grub_conf host http iis_site iis_website
    inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa
    launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf
    mysql_session npm ntp_conf oneget oracledb_session os os_env package packages
    parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session
    powershell ppa processes rabbitmq_config registry_key runit_service script
    security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service
    sysv_service upstart_service user users vbscript windows_feature windows_registry_key
    windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool
    Built-in resources

  54. Supported Operating Systems

  55. InSpec Profiles
    Folder Structure

  56. InSpec Profiles
    inspec.yml

  57. $ inspec supermarket profiles
    == Available profiles:
    * apache2-compliance-test-tthompson
    thompsontelmate/apache2-compliance-test-tthompson
    * Apache DISA STIG som3guy/apache-disa-stig
    * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
    * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
    * chef-client-hardening sliim/chef-client-hardening
    * CIS Docker Benchmark dev-sec/cis-docker-benchmark
    * CVE-2016-5195 ndobson/cve-2016-5195
    * DevSec Apache Baseline dev-sec/apache-baseline
    * DevSec Linux Baseline dev-sec/linux-baseline
    InSpec Supermarket

  58. Demo: Deploy Website to Production
    Ubuntu
    Apache WebServer
    DevSec Static
    Website

  59. github.com/dev-sec

  60. DevSec InSpec Profiles
    Operating Systems
    DevSec Linux Baseline
    DevSec Linux Patch Baseline
    DevSec Windows Baseline
    DevSec Windows Patch Baseline
    DevSec SSH Baseline
    DevSec SSL/TLS Baseline
    CIS Distribution Independent
    Applications
    DevSec Nginx Baseline
    DevSec MySQL Baseline
    DevSec PHP baseline
    DevSec Apache Baseline
    DevSec PostgreSQL Baseline
    Application Runtimes
    DevSec OpenStack Baseline
    CIS Docker Benchmark
    CIS Kubernetes Benchmark

  61. Linux Patch
    Benchmark Acme Inc
    include_controls 'linux-patch baseline'
    depends:
    - name: linux-patch baseline
    InSpec Profile Management

  62. Manage Baselines
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

  63. Manage Baseline Overlays
    Dev
    Production
    Test
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (xml base profile)

  64. InSpec Profiles
    github.com/dev-sec
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline

  65. InSpec Profiles
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profil
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline

  66. InSpec Profiles
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux
    Patch
    Baseline
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profil

  67. InSpec Profiles

  68. Continuous Compliance
    Compliance
    DevOps

  69. Continuous Compliance
    Scan for Compliance
    Build & Test Locally
    Build & Test CI/CD
    Remediate
    Verify

  70. Further Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    dev-sec.io
    • Security Baselines
    • Ansible, Chef & Puppet Hardening
    Modules
    • Documentation

  71. Further Resources
    Automating compliance and security requirements and managing them more efficiently (German-language talk)
    https://youtu.be/0aEYp15VP_M
    BSI compliance - SVA expert tip (German-language video)
    https://youtu.be/DTvtACNzLro

  72. Join
    github.com/chef/inspec
    Join
    github.com/dev-sec

  73. Contact Details
    Christoph Hartmann
    Engineering Lead Compliance
    eMail: [email protected]
    Twitter: @chri_hartmann
    Patrick Münch
    IT-Security Consultant
    eMail: [email protected]
    Twitter: @atomiczero111