Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Exploring Policy as Code

Rosemary Wang
May 23, 2021
Technology
1
180

Exploring Policy as Code

How do you check for security requirements while you build your cloud infrastructure? In this workshop,
we'll walk through how to use policy as code to deliver and release an immutable machine image with
security in mind. Learn to use static analysis to check provisioning scripts for security requirements.

- Build a container image with Packer and Docker
- Write some unit tests which statically analyze both Packer and Docker configuration
- Write some integration tests which dynamically analyze a test container instance
- Add them to a delivery pipeline

Rosemary Wang

May 23, 2021
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
15
Can You Test Your Infrastructure as Code?
joatmon08
1
51
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
27
From Cloud-Hosted to Cloud-Native
joatmon08
0
53
Refactoring Applications for Dynamic Secrets
joatmon08
1
37

Other Decks in Technology

See All in Technology
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
170
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
270
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
元旅行会社の情シス部員が教えるおすすめなre:Inventへの行き方 / What is the most efficient way to re:Invent
naospon
2
330
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
150
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
120
AGIについてChatGPTに聞いてみた
blueb
0
130
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
860
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210

Featured

See All Featured
GraphQLとの向き合い方2022年版
quramy
43
13k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Six Lessons from altMBA
skipperchong
27
3.5k
How to train your dragon (web standard)
notwaldorf
88
5.7k
How GitHub (no longer) Works
holman
310
140k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. May 2021 | OWASP DevSlop Exploring Policy as Code

  2. Rosemary’s first security incident... ▪ Insecure development environments ▪ Infrastructure

    as code probably would have helped ▪ We forgot about 0.0.0.0/0 ▪ We didn’t know what we should have known

  3. Developer Advocate HashiCorp she/her @joatmon08 Rosemary Wang Open Source Engineer

    VMware she/her @tracypholmes Tracy Holmes

  4. 1. Introduction to Policy as Code 2. Using static analysis

    for configuration 3. Using dynamic analysis for runtime configuration 4. Adding policy as code to delivery pipelines

  5. 01 OWASP DevSlop / Policy as Code Introduction to Policy

    as Code

  6. Policy What is it? Ensures systems comply with security, audit,

    and organizational requirements. Depends on industry, organization size, country, and more.

  7. A. Development should not communicate with production. B. Write an

    application in Java. C. Password should not be older than 30 days. D. Two different people must approve for production. E. All cloud resources must be tagged. Which is not considered a policy?

  8. A. Development should not communicate with production. B. Write an

    application in Java. C. Password should not be older than 30 days. D. Two different people must approve for production. E. All cloud resources must be tagged. Which is not considered a policy?

  9. Policy as Code What is it? The management of an

    organization’s policies with code to ensure the conformance of changes.

  10. Make a change. Check if an environment conforms to our

    organization’s policies. Check if a change conforms to our organization’s policies.

  11. Make a change. Did two people approve that change? Have

    two people approved this change yet? Yes 3 months later…

  12. Policy as Code Why do it? Communicate policy requirements across

    teams. Make unknown knowns into knowns. Prevent policy violations from going into production.

  13. Policy as Code Codify all the policy! API Authorization Network

    Policy Infrastructure Configuration Access Control Configuration Runtime Security (e.g., Vulnerability Management)

  14. Test Runtime Analysis as Integration Tests Production Runtime Analysis for

    Remediation Static Analysis as Unit Tests Dynamic Analysis

  15. A. Shift-left security testing of infrastructure B. Static code analysis

    and scanning C. Code quality scanning D. Vulnerability scanning for servers E. Root access alerting Which of the following does not express policy as code?

  16. A. Shift-left security testing of infrastructure B. Static code analysis

    and scanning C. Code quality scanning D. Vulnerability scanning for servers E. Root access alerting F. None of the above Which of the following does not express policy as code?

  17. Policy as Code Tools Policy as Code State of System

    Parse for fields Check field values Pass or fail JSON or metadata format

  18. 02 OWASP DevSlop / Policy as Code Using static analysis

  19. Test Runtime Analysis as Integration Tests Production Runtime Analysis for

    Remediation Static Analysis as Unit Tests Dynamic Analysis

  20. github.com/ tracypholmes/policy- as-code-workshop

  21. 03 OWASP DevSlop / Policy as Code Using dynamic analysis

  22. Test Runtime Analysis as Integration Tests Production Runtime Analysis for

    Remediation Static Analysis as Unit Tests Dynamic Analysis

  23. github.com/ tracypholmes/policy- as-code-workshop

  24. 04 OWASP DevSlop / Policy as Code Adding to delivery

    pipelines

  25. Policy Gates for Production Choose a level. ▪ Hard mandatory

    - policy must pass ▪ Soft mandatory - someone can manually override ▪ Advisory - informational / warning (Terminology borrowed from HashiCorp Sentinel)

  26. Sharing Policy as Code Communicate context ▪ Modularize by business

    unit or application ▪ Version policies ▪ Offer shared libraries ▪ Consider setting enforcement level

  27. ★ shared-org-policies ◦ naming ◦ tagging ◦ billing ◦ secrets

    ◦ access-management ◦ vulnerability-management ◦ runtime-security ★ infra-policies ◦ aws ◦ azure ◦ gcp ◦ saas ★ hello-world-policies ★ app-policies ◦ static-code-analysis ◦ authn ◦ authz ◦ kubernetes

  28. Deploy to Dev Deploy to Prod Unit Test Integration Tests

    (B) Static Analysis (A) Production Runtime Analysis (C) Test Runtime Analysis

  29. Deploy to Dev Deploy to Prod Unit Test Integration Tests

    B C A (B) Static Analysis (A) Production Runtime Analysis (C) Test Runtime Analysis

  30. Developer Advocate HashiCorp she/her @joatmon08 Rosemary Wang Open Source Engineer

    VMware she/her @tracypholmes Tracy Holmes github.com/tracypholmes/policy-as-code-workshop