
Security Tests for Security Groups, Shifted Left


Originally presented at Cisco DevNet Create, October 2021.

How can you shift security testing left to prevent an insecure network policy from being pushed to production? In this talk, I’ll show how you can security test network policies in a Cisco ACI configuration managed by Consul-Terraform-Sync - before you apply the changes to live infrastructure!


Rosemary Wang

October 20, 2021



  1. Security Tests for Security Groups Shifted Left. Rosemary Wang, Developer Advocate, HashiCorp, @joatmon08
  2. Rosemary Wang: Developer Advocate, HashiCorp; Infrastructure Engineer; Writer, Essential Infrastructure as Code; joatmon08.github.io
  3. The application isn’t working!
  4. Is there an endpoint security group (ESG) in Cisco ACI that allows traffic?
  5. Oops, I forgot to add it!
  6. How do you automatically synchronize IP addresses from a service catalog to an ESG?
  7. Criteria
     • Must have secure by default configuration
       – Disable “Flood in Encapsulation”
       – Enforce preferred policy control
       – Set QoS priority class
     • Must be fully automated
  8. Solution
     • Security testing for ESG as code. Example: ESG module for Terraform, pytest
     • Automatically sync services from catalog to Cisco ACI. Example: Service catalog in Consul, automation with Consul-Terraform-Sync
  10. github.com/joatmon08/terraform-aci-esg-nia
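As an added example (not from the talk or the joatmon08 repository), the following pytest check reads a Terraform plan as JSON and flags any planned ESG that lacks the three secure-by-default settings from the criteria slide, so the plan can be rejected before it is applied. The resource type and attribute names (aci_endpoint_security_group, flood_on_encap, pref_gr_memb, prio) and their "secure" values are assumptions about the Cisco ACI Terraform provider; the plan document is a constructed sample.

```python
import json

# Secure-by-default values the ESG must carry (slide 7 criteria).
# Attribute names are assumed to follow the Cisco ACI Terraform provider.
REQUIRED = {
    "flood_on_encap": "disabled",  # Disable "Flood in Encapsulation"
    "pref_gr_memb": "exclude",     # Enforce preferred policy control: no preferred-group bypass of contracts
}
QOS_ATTR = "prio"                  # Set QoS priority class: must not be left "unspecified"


def esg_resources(plan):
    """Yield (address, planned attribute values) for each ESG in the plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") == "aci_endpoint_security_group":
            yield res["address"], res.get("values", {})


def find_violations(plan):
    """Return one message per failed criterion; an empty list means the plan is compliant."""
    problems = []
    for address, values in esg_resources(plan):
        for attr, expected in REQUIRED.items():
            if values.get(attr) != expected:
                problems.append(f"{address}: {attr}={values.get(attr)!r}, expected {expected!r}")
        if values.get(QOS_ATTR, "unspecified") == "unspecified":
            problems.append(f"{address}: {QOS_ATTR} must name an explicit QoS class")
    return problems


# Constructed sample in the shape of `terraform show -json tfplan`:
# one ESG with the secure defaults, one where they were forgotten.
SAMPLE_PLAN = json.loads("""{
  "planned_values": {"root_module": {"resources": [
    {"address": "aci_endpoint_security_group.api", "type": "aci_endpoint_security_group",
     "values": {"name": "api", "flood_on_encap": "disabled", "pref_gr_memb": "exclude", "prio": "level3"}},
    {"address": "aci_endpoint_security_group.web", "type": "aci_endpoint_security_group",
     "values": {"name": "web", "flood_on_encap": "enabled", "pref_gr_memb": "include"}}
  ]}}
}""")


def test_insecure_esg_is_flagged():
    """pytest entry point: every violation in the sample belongs to the 'web' ESG.
    In a pipeline, run find_violations on the real plan and assert it returns []."""
    violations = find_violations(SAMPLE_PLAN)
    assert len(violations) == 3 and all(".web" in v for v in violations)
```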