DevSecCon London: Christoph Hartmann - DevSec: continuous compliance

Best practices for server hardening and patching have been in place for decades. Nevertheless, enforcing those rules continuously is still cumbersome, and many servers remain unsecured in 2016. DevOps tools like Chef, Puppet or Ansible help to enforce secure configuration, but they cannot fully assess the state of a machine: for example, they cannot easily verify that something is not installed. InSpec is here to help. It is an open source tool for infrastructure, security and compliance testing. InSpec's DSL is a human- and machine-readable assessment language that is extendable and customizable. Since testing can be fully automated with InSpec, companies can assess and enforce secure configuration across their IT fleet, and integration with CI/CD systems allows continuous testing in high-velocity organizations. This talk gives an introduction to InSpec and demonstrates how patch and security levels can be assessed in CI/CD and production environments.

https://www.devseccon.com/london-2017/session/devsec-continuous-compliance/

Christoph Hartmann

October 19, 2017
Transcript

  1. DevSec:
    Continuous Compliance
    Christoph Hartmann
    @chri_hartmann | [email protected]

  2. @chri_hartmann
    $> whoami
    Christoph Hartmann
    • 8+ years in industry
    • Deutsche Telekom and SAP
    • Co-Founded Dev-Sec.io project
    • Co-Founder of VulcanoSec
    • InSpec Creator
    • need for missing compliance solutions
    • close collaboration with auditors
    • Acquired by Chef Software
    • heading engineering for compliance
    chris-rock

  3. Agenda
    #1 Cyber-Threat Landscape
    #2 Challenges
    #3 Compliance-Driven Infrastructure
    #4 Outlook

  4. COMPLIANCE AND SECURITY
    Compliance
    Security

  5. Cyber-Threat Landscape
    #1

  6. The tip of the iceberg
    Heartbleed Shellshock WannaCry
    Cyber-Threat landscape

  7. The tip of the iceberg
    Cyber-Threat landscape
    • 73% of breaches were financially motivated
    • 51% involved organized criminal groups
    • 75% were perpetrated by external attackers
    Source: Verizon Data Breach Report 2017

  8. State of Security in 2014
    • In 60% of cases, attackers can compromise organizations within minutes.
    • 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits observed.
    Verizon Data Breach Report

  9. OWASP Top 10

  10. A5 – Security Misconfiguration
    Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
    A9 – Using Components with Known Vulnerabilities
    Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
    OWASP Top 10

  11. Drivers for Compliance
    Security
    Reduce risk and protect business
    Liability
    Avoid negligence

  12. Surface check
    #1: Know your security stance

  13. Surface check Deep analysis
    #1: Know your security stance

  14. • Operating Systems
    • DBs, AppServers
    • Apps
    • On-prem, Cloud,
    Hybrid, Containers
    Deep analysis
    #1: Know your security stance

  15. Faulty assumptions
    #1: Know your security stance

  16. Faulty assumptions
    #1: Know your security stance

  17. • Prevent insecure production env.
    • Report and alert continuously
    • Provide proof
    Faulty assumptions
    #1: Know your security stance

  18. Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

  19. (image-only slide)

  20. (image-only slide)

  21. Regulatory Compliance
    Regulations: PCI-DSS, Gramm-Leach-Bliley Act, HIPAA, Dodd-Frank, ISO, Sarbanes-Oxley, HITECH, Grundschutz, European Central Bank

  22. Reporting of compliance activity is extensive
    EY – A time of evolution for
    compliance: laying foundations
    for future success

  23. Huge scope remains for tapping into the
    power of technology
    EY – A time of evolution for
    compliance: laying foundations
    for future success

  24. Challenges
    #2

  25. (image-only slide)

  26. (image-only slide)

  27. Language
    Compliance DevOps
    Security

  28. Scale

  29. Scale

  30. Scale

  31. (image-only slide)

  32. Language
    Compliance DevOps
    Security

  33. Compliance-Driven
    Infrastructure
    #3

  34. Tradeoff: Speed vs Risk
    DevOps teams focus on faster
    innovation, potentially increasing
    risk
    InfoSec teams focus on mitigating
    risk, potentially reducing speed

  35. QUALITY/COMPLIANCE
    RATE OF INNOVATION
    Scale Speed and Compliance

  36. Let’s talk about solutions
    github.com/dev-sec

  37. Detect
    Correct
    Compliance Continuous

  38. Works with all DevOps tools e.g.

  39. InSpec turns infrastructure testing, compliance
    and security requirements into code

  40. Documentation
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  41. Scripting tools

  42. The better way
    TESTING A REQUIREMENT

  43. Compliance Language

  44. Standalone Usage
    $ inspec exec test.rb
    $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    $ inspec exec test.rb -t winrm://[email protected] --password super
    $ inspec exec test.rb -t docker://3cc8837bb6a8
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end
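
The slides above walk from a documented requirement (use SSHv2 only) through ad-hoc scripting to an executable InSpec test. The following added example is not code from the talk or from InSpec itself: it is a plain-Ruby sketch of what the sshd_config resource does under the hood, so that the test can be run and reasoned about without an InSpec install. It parses sshd_config with the same rule sshd applies (first occurrence of a keyword wins), evaluates the SSHv2 requirement together with two further hardening checks of the same shape, and handles the caveat that OpenSSH 7.4 and later have no SSHv1 and therefore usually no Protocol line at all. The control ids, the OpenSSH defaults, the assumed sshd version and the two sample configs are assumptions for illustration.

```ruby
require 'rubygems'

# Added example (not InSpec code and not from the talk): a plain-Ruby sketch of
# what InSpec's sshd_config resource does when the documented requirement
# "use SSHv2" is turned into an executable check. Control ids, the sample
# configs and the OpenSSH defaults used below are assumptions for illustration.

# OpenSSH rule: keywords are case-insensitive and the FIRST occurrence wins, so a
# hardened value appended at the end of the file does nothing if a weaker one
# appears earlier. The parser reproduces that rule instead of grepping.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.split('#', 2).first.to_s.strip # drop comments and whitespace
    next if line.empty?
    key, value = line.split(/[\s=]+/, 2)
    key = key.downcase
    settings[key] = value.to_s.strip unless settings.key?(key)
  end
  settings
end

# Defaults sshd applies when a keyword is absent (OpenSSH >= 7.0; assumption).
DEFAULTS = { 'permitrootlogin' => 'prohibit-password', 'passwordauthentication' => 'yes' }.freeze

def setting(cfg, key)
  (cfg[key] || DEFAULTS[key]).to_s.downcase
end

# One requirement per entry: id, title and a check returning [status, message].
REQUIREMENTS = [
  { id: 'sshd-01', title: 'Only SSH protocol version 2 is allowed',
    check: lambda do |cfg, version|
      proto = cfg['protocol']
      if proto.nil?
        # OpenSSH 7.4 removed SSHv1 server support, so a modern sshd has no
        # Protocol keyword at all; only then is a missing value acceptable.
        if version >= Gem::Version.new('7.4')
          [:passed, 'Protocol not set; sshd >= 7.4 cannot speak SSHv1']
        else
          [:failed, 'Protocol not set and sshd < 7.4 may still offer SSHv1']
        end
      elsif proto.split(',').map(&:strip) == ['2']
        [:passed, 'Protocol 2']
      else
        [:failed, "Protocol is '#{proto}', expected 2"]
      end
    end },
  { id: 'sshd-07', title: 'Root login over SSH is disabled',
    check: lambda do |cfg, _version|
      v = setting(cfg, 'permitrootlogin')
      v == 'no' ? [:passed, 'PermitRootLogin no'] : [:failed, "PermitRootLogin is '#{v}', expected no"]
    end },
  { id: 'sshd-10', title: 'Password authentication is disabled',
    check: lambda do |cfg, _version|
      v = setting(cfg, 'passwordauthentication')
      v == 'no' ? [:passed, 'PasswordAuthentication no'] : [:failed, "PasswordAuthentication is '#{v}', expected no"]
    end }
].freeze

# Evaluate every requirement against one config; the sshd version is assumed
# to be known (InSpec would read it from the host, e.g. from the package).
def evaluate(config_text, sshd_version: '7.4')
  cfg = parse_sshd_config(config_text)
  version = Gem::Version.new(sshd_version)
  REQUIREMENTS.map do |req|
    status, message = req[:check].call(cfg, version)
    { id: req[:id], title: req[:title], status: status, message: message }
  end
end

def print_report(name, results)
  puts "== #{name}"
  results.each { |r| puts format('  %-6s %-8s %s', r[:status], r[:id], r[:message]) }
end

# Constructed sample configs (not taken from any real host).
WEAK_SSHD_CONFIG = <<~CONF
  # unhardened: SSHv1 still offered, root and password logins allowed
  Protocol 2,1
  PermitRootLogin yes
  PasswordAuthentication yes
  Protocol 2   # ignored by sshd: the first Protocol line above wins
CONF

HARDENED_SSHD_CONFIG = <<~CONF
  Protocol 2
  PermitRootLogin no
  PasswordAuthentication no
CONF

if $PROGRAM_NAME == __FILE__
  print_report('weak sshd_config', evaluate(WEAK_SSHD_CONFIG))
  print_report('hardened sshd_config', evaluate(HARDENED_SSHD_CONFIG))
end
```

The weak config fails all three checks even though a `Protocol 2` line is present, because sshd honours the earlier `Protocol 2,1`; a grep-based script would typically report it as compliant. The version branch is the caveat to carry into a real profile: `its('Protocol') { should cmp 2 }` compares against nil on a modern OpenSSH and fails, so the check has to be conditioned on the installed version.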

  45. Supported Operating Systems

  46. apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge
    bsd_service command crontab csv dh_params directory docker docker_container
    docker_image etc_group file gem group groups grub_conf host http iis_site iis_website
    inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa
    launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf
    mysql_session npm ntp_conf oneget oracledb_session os os_env package packages
    parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session
    powershell ppa processes rabbitmq_config registry_key runit_service script
    security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service
    sysv_service upstart_service user users vbscript windows_feature windows_registry_key
    windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset
    zfs_pool
    Built-in resources

  47. Mapping of Compliance Document to InSpec

  48. Manage Baselines
    CIS Lvl1 (xml base profile) -> My CIS L1 (inspec overlay)

  49. Manage Baseline Overlays
    CIS Lvl1 (xml base profile) -> My CIS L1 (inspec overlay) -> Dev / Test / Production overlays

  50. github.com/dev-sec

  51. DevSec Profiles
    Operating Systems
    DevSec Linux Baseline
    DevSec Linux Patch Baseline
    DevSec Windows Baseline
    DevSec Windows Patch Baseline
    DevSec SSH Baseline
    DevSec SSL/TLS Baseline
    CIS Distribution Independent
    Applications
    DevSec Nginx Baseline
    DevSec MySQL Baseline
    DevSec PHP baseline
    DevSec Apache Baseline
    DevSec PostgreSQL Baseline
    Application Runtimes
    DevSec OpenStack Baseline
    CIS Docker Benchmark
    CIS Kubernetes Benchmark

  52. InSpec Profiles
    github.com/dev-sec
    DevSec Windows Patch Baseline
    DevSec Linux Baseline
    DevSec Windows Baseline
    DevSec Linux Patch Baseline

  53. InSpec Profiles
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile
    DevSec Windows Patch Baseline
    DevSec Linux Baseline
    DevSec Windows Baseline
    DevSec Linux Patch Baseline

  54. InSpec Profiles
    DevSec Windows Patch Baseline
    DevSec Linux Baseline
    DevSec Windows Baseline
    DevSec Linux Patch Baseline
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile

  55. InSpec Profiles

  56. Continuous Compliance
    Compliance
    DevOps

  57. Continuous Compliance
    Scan for Compliance -> Build & Test Locally -> Build & Test CI/CD -> Remediate -> Verify
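
The pipeline on this slide only works if the CI stage can turn a scan into a pass/fail decision. The following added example is not from the talk or the InSpec project: it is a small Ruby gate over the JSON that `inspec exec <profile> --reporter json` writes (older releases used `--format json`). The report shape it relies on, profiles containing controls containing results with a status of passed, failed or skipped, is an assumption stated in the code, and the embedded report is constructed, not captured from a real scan. High-impact failures block the pipeline, low-impact failures become warnings, skipped controls are listed explicitly because that is where the "faulty assumptions" from the earlier slides hide, and an empty report is treated as a failure rather than a silent pass.

```ruby
require 'json'

# Added example (not from the talk or the InSpec project): a CI gate over an
# InSpec JSON report. Assumed shape: profiles -> controls -> results, each
# result with a status of passed, failed or skipped. SAMPLE_REPORT is a
# constructed report, not the output of a real scan.
SAMPLE_REPORT = <<~'JSON'
  {
    "profiles": [
      {
        "name": "ssh-baseline",
        "controls": [
          {"id": "sshd-01", "title": "Only SSHv2 is allowed", "impact": 1.0,
           "results": [{"status": "passed", "code_desc": "SSHD Configuration Protocol should cmp == 2"}]},
          {"id": "sshd-07", "title": "Root login over SSH is disabled", "impact": 1.0,
           "results": [{"status": "failed", "code_desc": "SSHD Configuration PermitRootLogin should eq \"no\"",
                        "message": "expected: \"no\" got: \"yes\""}]},
          {"id": "sshd-30", "title": "Idle session timeout is set", "impact": 0.3,
           "results": [{"status": "failed", "code_desc": "SSHD Configuration ClientAliveInterval should cmp <= 300",
                        "message": "expected: <= 300 got: 0"}]},
          {"id": "sshd-40", "title": "Banner is configured", "impact": 0.5,
           "results": [{"status": "skipped", "code_desc": "Banner check",
                        "skip_message": "Not applicable on this platform"}]}
        ]
      }
    ]
  }
JSON

# Collapse a control's results into one status: any failed result fails the
# control; otherwise any skipped result, or no result at all (a control that
# never ran, e.g. filtered by only_if), marks it skipped; otherwise passed.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed' if statuses.include?('failed')
  return 'skipped' if statuses.empty? || statuses.include?('skipped')
  'passed'
end

# Gate decision: failed controls at or above fail_threshold block the pipeline,
# lower-impact failures are reported as warnings, skipped controls are listed
# explicitly, and a report with no controls at all never passes silently.
def gate(report_json, fail_threshold: 0.7)
  report = JSON.parse(report_json)
  out = { passed: 0, blocking: [], warnings: [], skipped: [] }
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |ctl|
      entry = { profile: profile['name'], id: ctl['id'], title: ctl['title'],
                impact: ctl['impact'].to_f,
                messages: ctl.fetch('results', []).map { |r| r['message'] || r['skip_message'] }.compact }
      case control_status(ctl)
      when 'failed'
        (entry[:impact] >= fail_threshold ? out[:blocking] : out[:warnings]) << entry
      when 'skipped' then out[:skipped] << entry
      else out[:passed] += 1
      end
    end
  end
  total = out[:passed] + out[:blocking].size + out[:warnings].size + out[:skipped].size
  out[:verdict] = if total.zero? then :fail # empty report: the scan did not run
                  elsif out[:blocking].any? then :fail
                  else :pass
                  end
  out
end

def print_gate(result)
  puts "passed: #{result[:passed]}"
  { blocking: 'BLOCKING', warnings: 'warning', skipped: 'skipped' }.each do |key, label|
    result[key].each do |e|
      puts format('%-8s %-8s impact=%.1f %s: %s', label, e[:id], e[:impact], e[:title], e[:messages].join('; '))
    end
  end
  puts "verdict: #{result[:verdict]}"
end

if $PROGRAM_NAME == __FILE__
  # Pass the path of a real report as the first argument to gate on it.
  json = ARGV.first && File.file?(ARGV.first) ? File.read(ARGV.first) : SAMPLE_REPORT
  print_gate(gate(json))
end
```

In a pipeline step the verdict maps to the exit status (`exit 1` on `:fail`), which is what makes the "Build & Test CI/CD" stage stop an insecure build before "Remediate". The threshold is a policy knob: with `fail_threshold: 0.0` every failed control blocks, which is the setting to use once the warnings have been remediated.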

  58. Outlook
    #4

  59. Infrastructure

  60. InSpec for Platforms
    chef/inspec-aws
    chef/inspec-azure
    chef/inspec-vmware

  61. describe aws_iam_user('iam_user') do
    its('has_mfa_enabled?') { should be false }
    its('has_console_password?') { should be false }
    end
    InSpec for AWS

  62. describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do
      its('sku') { should eq '16.04.0-LTS' }
      its('publisher') { should eq 'Canonical' }
      its('offer') { should eq 'UbuntuServer' }
      its('size') { should eq 'Standard_DS2_v2' }
      its('location') { should eq 'westeurope' }
      its('admin_username') { should eq 'azure' }
    end
    InSpec for Azure

  63. control 'vmware-7.3.3' do
      impact 0.7
      title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
      describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain', vswitch: 'vSwitch0') do
        its('allowPromiscuous') { should be false }
      end
    end
    InSpec for VMware

  64. Further Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    dev-sec.io
    • github.com/dev-sec/linux-baseline
    • github.com/dev-sec/windows-baseline
    • github.com/dev-sec/ssh-baseline
    • github.com/dev-sec/windows-patch-baseline
    • github.com/dev-sec/linux-patch-baseline

  65. @chri_hartmann
    Christoph Hartmann
    [email protected]

  66. Chef vs InSpec
