
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance


Best practices for server hardening and patching have been in place for decades. Nevertheless, it is still very cumbersome to enforce those rules continuously, and many servers are still unsecured in 2016. DevOps tools like Chef, Puppet or Ansible help to enforce secure configuration, but they cannot fully assess the state of a machine; for example, you cannot easily verify that something is not installed. InSpec is here to help. It is an open source tool for infrastructure, security and compliance testing. InSpec's DSL is a human- and machine-readable assessment language that is extendable and customizable. Since testing can be fully automated with InSpec, companies can assess and enforce secure configuration across their IT fleet. Integration with CI/CD systems allows continuous testing in high-velocity organizations. This talk will give an introduction to InSpec and demonstrate how patch and security level can be assessed in CI/CD and production environments.


Christoph Hartmann

October 19, 2017



  1. $> whoami: Christoph Hartmann (@chri_hartmann, chris-rock)

    • 8+ years in industry
    • Deutsche Telekom and SAP
    • Co-Founded Dev-Sec.io project
    • Co-Founder of VulcanoSec
    • InSpec Creator
    • need for missing compliance solutions
    • close collaboration with auditors
    • Acquired by Chef Software
    • heading engineering for compliance
  2. Cyber-Threat landscape: The tip of the iceberg

    • 73% Financially motivated
    • 51% Organized Criminal Groups
    • 75% External attacker
    Source: Verizon Data Breach Report 2017
  3. State of Security in 2014

    • In 60% of cases, attackers can compromise organizations within minutes.
    • 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits observed.
    Source: Verizon Data Breach Report
  4. OWASP Top 10

    A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

    A9 – Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
  5. #1: Know your security stance (Deep analysis)

    • Operating Systems
    • DBs, AppServers
    • Apps
    • On-prem, Cloud, Hybrid, Containers
  6. #1: Know your security stance (Faulty assumptions)

    • Prevent insecure production env.
    • Report and alert continuously
    • Provide proof
  7. Reporting of compliance activity is extensive

    Source: EY – A time of evolution for compliance: laying foundations for future success
  8. Huge scope remains for tapping into the power of technology

    Source: EY – A time of evolution for compliance: laying foundations for future success
  9. Tradeoff: Speed vs Risk

    • DevOps teams focus on faster innovation, potentially increasing risk
    • InfoSec teams focus on mitigating risk, potentially reducing speed
  10. Documentation

    SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  11. Standalone Usage

        $ inspec exec test.rb
        $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
        $ inspec exec test.rb -t winrm://[email protected] --password super
        $ inspec exec test.rb -t docker://3cc8837bb6a8

        describe sshd_config do
          its('Protocol') { should cmp 2 }
        end
  12. Built-in resources

    apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge bsd_service command crontab csv dh_params directory docker docker_container docker_image etc_group file gem group groups grub_conf host http iis_site iis_website inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget oracledb_session os os_env package packages parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session powershell ppa processes rabbitmq_config registry_key runit_service script security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service sysv_service upstart_service user users vbscript windows_feature windows_registry_key windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool
  13. DevSec Profiles

    Operating Systems
    • DevSec Linux Baseline
    • DevSec Linux Patch Baseline
    • DevSec Windows Baseline
    • DevSec Windows Patch Baseline
    • DevSec SSH Baseline
    • DevSec SSL/TLS Baseline
    • CIS Distribution Independent

    Applications
    • DevSec Nginx Baseline
    • DevSec MySQL Baseline
    • DevSec PHP baseline
    • DevSec Apache Baseline
    • DevSec PostgreSQL Baseline

    Application Runtimes
    • DevSec OpenStack Baseline
    • CIS Docker Benchmark
    • CIS Kubernetes Benchmark
  14. InSpec Profiles

    • DevSec Windows Patch Baseline
    • DevSec Linux Baseline
    • DevSec Windows Baseline
    • DevSec Linux Patch Baseline
    • github.com/dev-sec
    • github.com/chris-rock/acme-inspec-profile
  15. InSpec for Azure

        describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do
          its('sku') { should eq '16.04.0-LTS' }
          its('publisher') { should eq 'Canonical' }
          its('offer') { should eq 'UbuntuServer' }
          its('size') { should eq 'Standard_DS2_v2' }
          its('location') { should eq 'westeurope' }
          its('admin_username') { should eq 'azure' }
        end
  16. InSpec for VMware

        control 'vmware-7.3.3' do
          impact 0.7
          title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
          describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain', vswitch: 'vSwitch0') do
            its('allowPromiscuous') { should be false }
          end
        end
  17. Further Resources

    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples

    dev-sec.io
    • github.com/dev-sec/linux-baseline
    • github.com/dev-sec/windows-baseline
    • github.com/dev-sec/ssh-baseline
    • github.com/dev-sec/windows-patch-baseline
    • github.com/dev-sec/linux-patch-baseline
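
The SSH protocol check from slides 10 and 11, worked through in plain Ruby as an added example (not from the talk, and not InSpec's implementation). It parses constructed sshd_config samples using sshd's rules that keywords are case-insensitive and the first value obtained for a keyword wins, then compares the result loosely against 2. The helper names `parse_sshd_config`, `loosely_equal?` and `check_protocol` are hypothetical.

```ruby
# Added example: plain Ruby, no InSpec needed. All helper names are hypothetical.

# Constructed sample configurations (not taken from a real host).
HARDENED = <<~CONF
  # constructed sample
  Port 22
  Protocol 2
  PermitRootLogin no
CONF

# A later "Protocol 2" line does not help: sshd keeps the first value it reads.
WEAK = <<~CONF
  protocol 2,1
  Protocol 2
CONF

# No Protocol directive at all.
UNSET = "Port 22\n"

# Collect global keywords. Keywords are case-insensitive, the first value
# obtained wins, and parsing stops at the first conditional Match block.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    break if key.casecmp?('Match')
    settings[key.downcase] ||= value.to_s.strip
  end
  settings
end

# Loose comparison: the config holds the string "2", the expectation is the
# integer 2. Strings are compared case-insensitively. Unset never matches.
def loosely_equal?(actual, expected)
  return false if actual.nil?
  return actual.match?(/\A\d+\z/) && actual.to_i == expected if expected.is_a?(Integer)
  actual.casecmp?(expected.to_s)
end

# Report the effective Protocol value and whether it is exactly 2.
def check_protocol(text)
  value = parse_sshd_config(text)['protocol']
  { value: value, pass: loosely_equal?(value, 2) }
end

{ 'hardened' => HARDENED, 'weak' => WEAK, 'unset' => UNSET }.each do |name, conf|
  puts "#{name}: #{check_protocol(conf)}"
end
```

A line-oriented search for "Protocol 2" would accept the weak sample; evaluating the effective value is what makes the check meaningful.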