
Exploring Policy as Code


How do you check for security requirements while you build your cloud infrastructure? In this workshop,
we'll walk through how to use policy as code to deliver and release an immutable machine image with
security in mind. Learn to use static analysis to check provisioning scripts for security requirements.

- Build a container image with Packer and Docker
- Write some unit tests which statically analyze both Packer and Docker configuration
- Write some integration tests which dynamically analyze a test container instance
- Add them to a delivery pipeline


Rosemary Wang

May 23, 2021

Transcript

  1. May 2021 | OWASP DevSlop: Exploring Policy as Code

  2. Rosemary’s first security incident...
     ▪ Insecure development environments
     ▪ Infrastructure as code probably would have helped
     ▪ We forgot about 0.0.0.0/0
     ▪ We didn’t know what we should have known

  3. Rosemary Wang, Developer Advocate, HashiCorp, she/her, @joatmon08
     Tracy Holmes, Open Source Engineer, VMware, she/her, @tracypholmes

  4. 1. Introduction to Policy as Code; 2. Using static analysis for configuration; 3. Using dynamic analysis for runtime configuration; 4. Adding policy as code to delivery pipelines
  5. 01 OWASP DevSlop / Policy as Code: Introduction to Policy as Code

  6. Policy. What is it? Ensures systems comply with security, audit, and organizational requirements. Depends on industry, organization size, country, and more.

  7. Which is not considered a policy?
     A. Development should not communicate with production.
     B. Write an application in Java.
     C. Password should not be older than 30 days.
     D. Two different people must approve for production.
     E. All cloud resources must be tagged.

  8. Which is not considered a policy? (Same options A–E as slide 7.)
  9. Policy as Code. What is it? The management of an organization’s policies with code to ensure the conformance of changes.

  10. Make a change. Check if an environment conforms to our organization’s policies. Check if a change conforms to our organization’s policies.

  11. Make a change. Have two people approved this change yet? Yes. 3 months later… Did two people approve that change?

  12. Policy as Code. Why do it? Communicate policy requirements across teams. Make unknown knowns into knowns. Prevent policy violations from going into production.
  13. Policy as Code: Codify all the policy! API Authorization; Network Policy; Infrastructure Configuration; Access Control Configuration; Runtime Security (e.g., Vulnerability Management)

  14. Static Analysis as Unit Tests. Dynamic Analysis: Test Runtime Analysis as Integration Tests; Production Runtime Analysis for Remediation.

  15. Which of the following does not express policy as code?
      A. Shift-left security testing of infrastructure
      B. Static code analysis and scanning
      C. Code quality scanning
      D. Vulnerability scanning for servers
      E. Root access alerting

  16. Which of the following does not express policy as code? (Options A–E as on slide 15, plus F. None of the above.)

  17. Policy as Code Tools: take the policy as code and the state of the system (in JSON or another metadata format), parse for fields, check field values, and pass or fail.
  18. 02 OWASP DevSlop / Policy as Code: Using static analysis

  19. Static Analysis as Unit Tests. Dynamic Analysis: Test Runtime Analysis as Integration Tests; Production Runtime Analysis for Remediation. (Same diagram as slide 14.)

  20. github.com/tracypholmes/policy-as-code-workshop

  21. 03 OWASP DevSlop / Policy as Code: Using dynamic analysis

  22. Static Analysis as Unit Tests. Dynamic Analysis: Test Runtime Analysis as Integration Tests; Production Runtime Analysis for Remediation. (Same diagram as slide 14.)

  23. github.com/tracypholmes/policy-as-code-workshop

  24. 04 OWASP DevSlop / Policy as Code: Adding to delivery pipelines
  25. Policy Gates for Production. Choose a level:
      ▪ Hard mandatory - policy must pass
      ▪ Soft mandatory - someone can manually override
      ▪ Advisory - informational / warning
      (Terminology borrowed from HashiCorp Sentinel)
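As an added example (not code from the workshop repository or the deck), here is a minimal policy-as-code checker in Python that follows slide 17 (parse the JSON state of the system for fields, check field values, pass or fail) and applies the enforcement levels from slide 25. The state is a constructed sample in the shape of `docker inspect` output (RepoTags, Config.User, Config.ExposedPorts, Config.Labels); the four policies and the override mechanism are illustrative, not the workshop's own.

```python
import json

# Enforcement levels from the "Policy Gates for Production" slide
HARD, SOFT, ADVISORY = "hard-mandatory", "soft-mandatory", "advisory"


def field(state, *path):
    """Parse for a field: walk nested keys of the JSON state, None if absent."""
    for key in path:
        if not isinstance(state, dict) or key not in state:
            return None
        state = state[key]
    return state


# Each policy: (name, enforcement level, predicate over the parsed state).
# Illustrative checks on docker-inspect style fields, not the workshop's policies.
POLICIES = [
    ("image-not-root", HARD,
     lambda s: (field(s, "Config", "User") or "") not in ("", "root", "0")),
    ("no-ssh-port-exposed", HARD,
     lambda s: "22/tcp" not in (field(s, "Config", "ExposedPorts") or {})),
    ("image-has-owner-label", SOFT,
     lambda s: bool((field(s, "Config", "Labels") or {}).get("owner"))),
    ("image-tag-not-latest", ADVISORY,
     lambda s: not any(t.endswith(":latest") for t in (field(s, "RepoTags") or []))),
]


def evaluate(state, policies=POLICIES):
    """Check field values: map each policy name to (level, passed)."""
    return {name: (level, bool(check(state))) for name, level, check in policies}


def gate(results, overrides=()):
    """Pass or fail: hard failures block, soft failures block unless overridden by name, advisory only warns."""
    for name, (level, passed) in results.items():
        if passed or level == ADVISORY:
            continue
        if level == HARD or name not in overrides:
            return False
    return True


# Constructed sample in the shape of one entry of `docker inspect` output
SAMPLE_IMAGE = json.loads("""{
  "RepoTags": ["hello-world:latest"],
  "Config": {"User": "", "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}},
             "Labels": {"team": "devslop"}}
}""")

if __name__ == "__main__":
    r = evaluate(SAMPLE_IMAGE)
    print(r, "gate open" if gate(r) else "gate blocked")
```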
  26. Sharing Policy as Code. Communicate context:
      ▪ Modularize by business unit or application
      ▪ Version policies
      ▪ Offer shared libraries
      ▪ Consider setting enforcement level

  27. ★ shared-org-policies
        ◦ naming ◦ tagging ◦ billing ◦ secrets ◦ access-management ◦ vulnerability-management ◦ runtime-security
      ★ infra-policies
        ◦ aws ◦ azure ◦ gcp ◦ saas
      ★ hello-world-policies
      ★ app-policies
        ◦ static-code-analysis ◦ authn ◦ authz ◦ kubernetes
  28. Pipeline stages: Unit Test, Deploy to Dev, Integration Tests, Deploy to Prod. Legend: (B) Static Analysis, (C) Test Runtime Analysis, (A) Production Runtime Analysis.

  29. The same pipeline, with the letters B, C, A marking where each analysis runs: (B) Static Analysis, (C) Test Runtime Analysis, (A) Production Runtime Analysis.

  30. Rosemary Wang, Developer Advocate, HashiCorp, she/her, @joatmon08
      Tracy Holmes, Open Source Engineer, VMware, she/her, @tracypholmes
      github.com/tracypholmes/policy-as-code-workshop