
Compliance as Code - Using InSpec


Slides from my talk for All Day DevOps 2016 -- http://sched.co/8618

George Miranda

November 15, 2016


Transcript

  1. November 15, 2016. Compliance as Code - using InSpec. George Miranda, Product Marketing Director, Chef Software Inc.
  2. Introductions. George Miranda, Director of Product Marketing, @gmiranda23
    • Distributed Systems Engineer
    • I play a developer on TV
    • At Chef for 4+ years: Technical Evangelist, Consultant, BizDev, Product Marketing
    • Spent a majority of my career in "the Enterprise"
    • I've had to go through MANY security audits in my career
  3. Agenda
    • Constraints & myths
    • The role of InfoSec at velocity
    • Compliance as Code
    • An introduction to InSpec
    • Q&A
    @gmiranda23
  4. Time, Cost, and Quality. "Speed is the only dimension that matters" - Veresh Sita, CIO, Alaska Airlines. @gmiranda23
  5. The rise of IT Compliance
    • Continued security vulnerabilities created a need for IT compliance
      1988: Morris Worm; National Bank Chicago $70M theft
      1994: AOHell; Citibank $10M hack
      1996: Brotherhood hacks, Canadian Broadcast Corp.
      1998: Free Mitnick Logic Bomb
    • Security incidents at 75% of IT organizations
    @gmiranda23
  6. The State of Security in XXXX
    • In 60% of cases, attackers can compromise an organization within minutes
    • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
    • Ten vulnerabilities account for 97% of the exploits observed
    Source: Verizon Data Breach Report. @gmiranda23
  7. The State of Security in 2014
    • In 60% of cases, attackers can compromise an organization within minutes
    • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
    • Ten vulnerabilities account for 97% of the exploits observed
    Source: Verizon Data Breach Report. @gmiranda23
  8. Regulatory Compliance
    • PCI-DSS
    • Gramm-Leach-Bliley Act
    • HIPAA
    • Dodd-Frank
    • ISO
    • Sarbanes-Oxley
    • HITECH
    • Grundschutz
    • European Central Bank Regulations
    @gmiranda23
  9. InSpec turns infrastructure testing, compliance, and security requirements into code. Stats: 86 releases, 59 contributors, 2,900 commits. @gmiranda23
  10. Differences in verifying compliance policy: Documentation. "SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these." @gmiranda23
  11. Differences in verifying compliance policy: Scripting Tools

    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

    @gmiranda23
  12. Differences in verifying compliance policy: Compliance Language

    control 'ssh-1234' do
      impact 1.0
      title 'Server: Set protocol version to SSHv2'
      desc "
        Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore...
      "
      describe sshd_config do
        # sshd_config values are read as strings, so compare with cmp rather than eq
        its('Protocol') { should cmp 2 }
      end
    end

    @gmiranda23
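The three slides above show the same policy as documentation, as a grep/sed one-liner, and as an InSpec control. The following is an added example, not code from the deck or from InSpec: a plain-Ruby version of the "Protocol should be 2" check over a constructed sshd_config, written to make visible what the one-liner misses (a lowercase keyword that `grep "^Protocol"` never matches, a `2,1` value that still allows SSHv1, and a missing setting). The names parse_sshd_config and check_ssh_protocol, and the constructed config, are this example's own.

```ruby
# Added example, not from the deck or from InSpec: a plain-Ruby version of the
# "Protocol should be 2" control. Function names here are the example's own.

# Constructed sshd_config contents (not a real host's file). Note the
# lowercase keyword and the "2,1" value: grep "^Protocol" misses the first,
# and a "contains 2" check would wrongly accept the second.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration (constructed sample)
  Port 22
  #Protocol 1
  protocol 2,1
  PermitRootLogin no
CONF

# Parse sshd_config the way sshd reads it: blank lines and comments are
# skipped, keywords are case-insensitive, and for a repeated keyword the
# first value wins.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    settings[key] = value.strip unless settings.key?(key)
  end
  settings
end

# Stand-in for the InSpec control: returns a result hash with the control's
# id, impact and title plus a status and message, as a report would show.
def check_ssh_protocol(text)
  result = { id: 'ssh-1234', impact: 1.0,
             title: 'Server: Set protocol version to SSHv2' }
  protocol = parse_sshd_config(text)['protocol']
  if protocol.nil?
    # Assumption for this example: an unset Protocol fails, so the control
    # forces an explicit value rather than relying on the build's default.
    result.merge(status: 'failed', message: 'Protocol is not set')
  elsif protocol.split(',').map(&:strip) == ['2']
    result.merge(status: 'passed', message: 'Protocol is 2')
  else
    result.merge(status: 'failed', message: "Protocol is #{protocol}, expected 2")
  end
end

if $PROGRAM_NAME == __FILE__
  r = check_ssh_protocol(SAMPLE_SSHD_CONFIG)
  puts "#{r[:id]} (#{r[:status]}): #{r[:message]}"
end
```

Run with `ruby check_ssh.rb`; the constructed sample fails because `protocol 2,1` still permits SSHv1, which is exactly the kind of case a one-liner that only prints the value leaves to the reader to judge.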
  13. InSpec for Windows

    control 'windows-base-201' do
      impact 1.0
      title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
      desc '
        @link: http://support.microsoft.com/en-us/kb/823659
      '
      describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
        it { should exist }
        its('LmCompatibilityLevel') { should eq 4 }
      end
    end

    @gmiranda23
  14. Different ways to run InSpec

    Test your machine locally:
    > inspec exec test.rb

    Test a machine remotely via SSH (no ruby/agent on the node):
    > inspec exec test.rb -i identity.key -t ssh://[email protected]

    @gmiranda23
  15. Different ways to run InSpec

    Test a machine remotely via WinRM (no ruby/agent on the node):
    > inspec exec test.rb -t winrm://[email protected] --password super

    Test a Docker container (no SSH/agent in the container):
    > inspec exec test.rb -t docker://5cc8837bb6a8

    @gmiranda23
  16. Different ways to run InSpec

    Database testing:
    describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
      its(:stdout) { should be_empty }
    end

    Cloud Provider testing:
    security_groups.each do |security_group|
      describe security_group do
        it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
      end
    end

    @gmiranda23
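The cloud-provider check on this slide looks for the literal source `0.0.0.0/0`. As an added example, not code from the deck or from InSpec's AWS resources, the following plain-Ruby check goes a step further than the slide: it treats any source prefix of length 0 as world-open (so `::/0` and `1.2.3.4/0` are caught too), skips non-CIDR sources such as a referencing group id, and takes an allow-list of ports that are meant to be public. The data shape, the constructed groups and the names world_open? and open_inbound_rules are this example's own.

```ruby
# Added example, not from the deck or from InSpec's AWS resources: a plain-Ruby
# version of the "no inbound rule from 0.0.0.0/0" check, generalised so that
# any source prefix of length 0 (IPv4 or IPv6) counts as world-open. The data
# shape and function names are the example's own.
require 'ipaddr'

# Constructed inbound rules for three hypothetical security groups.
SAMPLE_SECURITY_GROUPS = [
  { name: 'web',    inbound: [{ port: 443,  source: '0.0.0.0/0' },
                              { port: 22,   source: '10.0.0.0/8' }] },
  { name: 'db',     inbound: [{ port: 3306, source: '10.0.0.0/8' }] },
  { name: 'legacy', inbound: [{ port: 22,   source: '::/0' },
                              { port: 22,   source: 'sg-0123abcd' }] },
].freeze

# A CIDR source is world-open when its prefix length is 0: it then covers
# every address, however the network part is written ("1.2.3.4/0" included).
# Sources without a prefix (a plain address or another group's id) are not
# CIDR ranges and are reported as not world-open.
def world_open?(source)
  _network, prefix = source.split('/', 2)
  return false if prefix.nil?
  IPAddr.new(source) # raises on a malformed address or prefix
  prefix.to_i.zero?
rescue IPAddr::InvalidAddressError
  false
end

# Return the offending rules across all groups. Ports in allowed_ports are
# exempt (for instance a public web tier that must accept 443 from anywhere).
def open_inbound_rules(groups, allowed_ports: [])
  groups.flat_map do |group|
    group[:inbound]
      .reject { |rule| allowed_ports.include?(rule[:port]) }
      .select { |rule| world_open?(rule[:source]) }
      .map { |rule| { group: group[:name], port: rule[:port], source: rule[:source] } }
  end
end

if $PROGRAM_NAME == __FILE__
  open_inbound_rules(SAMPLE_SECURITY_GROUPS, allowed_ports: [80, 443]).each do |f|
    puts "#{f[:group]}: port #{f[:port]} open to #{f[:source]}"
  end
end
```

With the allow-list of 80 and 443 only the `legacy` group's SSH rule from `::/0` is reported; without it the web tier's HTTPS rule is reported as well, which is the judgement call the allow-list exists to record explicitly.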
  17. InSpec Profiles: Windows Patch Profile, OS Hardening Profile, SSH Hardening Profile, Linux Patch Profile. https://github.com/dev-sec @gmiranda23
  18. InSpec Profiles: Windows Patch Profile, OS Hardening Profile, SSH Hardening Profile, Linux Patch Profile. https://github.com/dev-sec @gmiranda23
  19. Further Resources
    inspec.io
    • Hands-on tutorials
    • Extensive documentation
    • Code examples
    learn.chef.io
    • More tutorials about Compliance and InSpec
  20. Q&A. "Save Your Crash Dummies: A Test-driven Infrastructure Solution", video: http://bit.ly/crash_dummies @gmiranda23
    http://inspec.io
    http://learn.chef.io
    $ inspec exec <url>
    https://github.com/dev-sec/tests-ssh-hardening
    https://github.com/dev-sec/windows-patch-benchmark
    https://github.com/dev-sec/linux-patch-benchmark