Compliance as Code - Using InSpec

Transcript

1. November 15, 2016 Compliance as Code - using InSpec George

   Miranda, Product Marketing Director, Chef Software Inc.

2. Introductions George Miranda Director of Product Marketing @gmiranda23 • Distributed

   Systems Engineer • I play a developer on TV • At Chef for 4+ years Technical Evangelist Consultant BizDev Product Marketing • Spent a majority of my career in "the Enterprise" • I've had to go through MANY security audits in my career

3. Agenda • Constraints & myths • The role of InfoSec

   at velocity • Compliance as Code • An introduction to InSpec • Q&A @gmiranda23

4. Time, Cost, and Quality “Speed is the only dimension that

   matters” – Veresh Sita, CIO, Alaska Airlines @gmiranda23

5. QUALITY VELOCITY Innovation Quality/ Security/ Compliance The tradeoff myth @gmiranda23

6. The rise of IT Compliance • Continued security vulnerabilities created

   a need for IT compliance 1988 Morris Worm, National Bank Chicago $70M theft 1994 AOHell, Citibank $10M hack 1996 Brotherhood hacks, Canadian Broadcast Corp. 1998 Free Mitnick Logic Bomb Security incidents at 75% of IT organizations @gmiranda23

7. The State of Security in XXXX • In 60% of

   cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report @gmiranda23

8. The State of Security in 2014 • In 60% of

   cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report @gmiranda23

9. The cycle of regulation Loophole Exploitation Scandal Regulation @gmiranda23

10. Compliance and Security Compliance Security @gmiranda23

11. Offer baseline security and isolation layers @gmiranda23

12. Regulatory Compliance • PCI-DSS • Gramm-Leach-Bliley Act • HIPAA •

    Dodd-Frank • ISO • Sarbanes-Oxley • HITECH • Grundschutz European • Central Bank Regulations @gmiranda23

13. How most orgs handle these requirements

14. None

15. The promise of the coded business @gmiranda23

16. The conflict between compliance and velocity @gmiranda23

17. @gmiranda23

18. @gmiranda23

19. @gmiranda23

20. InSpec turns infrastructure testing, compliance, and security requirements into code

    Stats: 86 Releases, 59 Contributors, 2.900 Commits @gmiranda23

21. The changing role of the compliance officer @gmiranda23

22. Differences in verifying compliance policy Documentation SSH supports two different

    protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. @gmiranda23

23. Differences in verifying compliance policy Scripting Tools > grep "^Protocol"

    /etc/ssh/sshd_config | sed 's/Protocol //' 2 @gmiranda23

24. Differences in verifying compliance policy Compliance Language describe sshd_config do

    its('Protocol') { should eq 2 } end @gmiranda23

25. Differences in verifying compliance policy Compliance Language control 'ssh-1234' do

    impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @gmiranda23

26. InSpec for Windows control 'windows-base-201' do impact 1.0 title 'Strong

    Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end @gmiranda23

27. Different ways to run InSpec Test your machine locally >

    inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://[email protected] No ruby/agent on the node @gmiranda23

28. Different ways to run InSpec Test a machine remotely via

    WinRM > inspec exec test.rb -t winrm://[email protected] --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 no SSH/agent in the container No ruby/agent on the node @gmiranda23

29. Different ways to run InSpec Database testing describe mysql_session.query("SELECT user,host

    FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end @gmiranda23

30. Mapping of Compliance Document to InSpec @gmiranda23

31. InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening

    Profile Linux Patch Profile https://github.com/dev-sec @gmiranda23

32. InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening

    Profile Linux Patch Profile https://github.com/dev-sec @gmiranda23

33. InSpec Profiles @gmiranda23

34. Security meets operations @gmiranda23

35. Each team uses separate tools @gmiranda23

36. Unified language @gmiranda23

37. @gmiranda23

38. @gmiranda23

39. None

40. Continuous Workflow Correct Detect @gmiranda23

41. Continuous Workflow @gmiranda23

42. Works with all DevOps tools e.g. @gmiranda23

43. Further Resources inspec.io • Hands on tutorials • Extensive documentation

    • Code examples learn.chef.io • More tutorials about Compliance and Inspec

44. Further Resources Save Your Crash Dummies! A Test-driven Infrastructure Solution

    http://bit.ly/crash_dummies @gmiranda23

45. Q&A Save Your Crash Dummies A Test-driven Infrastructure Solution Video:

    http://bit.ly/crash_dummies @gmiranda23 http://inspec.io http://learn.chef.io $ inspec exec <url> https://github.com/dev-sec/tests-ssh-hardening https://github.com/dev-sec/windows-patch-benchmark https://github.com/dev-sec/linux-patch-benchmark

46. November 15, 2016

47. November 15, 2016