
Compliance as Code

Bolting compliance and security onto an application after it has been deployed is an easy way to ensure that application is vulnerable to attack and violates your organization's policy. Yet that is often the approach taken. Developers must shift compliance to the early phases of the process. With InSpec, verifying compliance and security controls is as easy as running unit tests.

This presentation was given at a joint meetup with the Derby DevOps (https://www.meetup.com/DevOps-Louisville/events/242003342/) and Louisville AWS Users Group (https://www.meetup.com/Louisville-AWS-Users-Group/events/242737663/).

Nathen Harvey

August 29, 2017

Transcript

  1. Compliance as Code Nathen Harvey VP, Community Development @nathenharvey

  2. INTRODUCTIONS Nathen Harvey VP, Community Development Chef Software, Inc. @nathenharvey
  3. This is a true story... Auditor: "Communication from your network devices to your authentication server must be encrypted."
  4. This is a true story... Auditor: "Communication from your network devices to your authentication server must be encrypted." Me: "We use BlahBlah TACACS+ server. You can't disable encryption."
  5. This is a true story... Auditor: "Okay. Please show me that encryption is enabled in your configuration."
  6. This is a true story... Auditor: "Okay. Please show me that encryption is enabled in your configuration." Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."
  7. This is a true story... Auditor: "Can you show me how you can't disable it?"
  8. This is a true story... Auditor: "Can you show me how you can't disable it?" Me:
  9. This is a true story... Me: "How about I show you where I configured the encryption key? Is that good enough?"
  10. This is a true story... Me: "How about I show you where I configured the encryption key? Is that good enough?" Auditor: "Ummmm… sure."
  11. Why did I tell you this?
    •  How to prove "compliance" might not be obvious
    •  What the auditor was looking for can be automated
    •  This happened multiple times a year
    •  We really need to automate
  12. OMG so much compliance
    •  PCI-DSS
    •  Dodd-Frank
    •  HITECH
    •  ISO
    •  HIPAA
    •  Grundschutz
    •  Sarbanes-Oxley
    •  General Data Protection Regulation (GDPR)
    •  Gramm-Leach-Bliley Act
  13. None
  14. ABA: Always Be Automating

  15. Compliance: the everlasting roadblock...

  16. Product Ideas and Features

  17. Compliance: the everlasting roadblock...

  18. Compliance: the everlasting roadblock...

  19. The OODA Loop Observe Orient Decide Act

  20. OODA: Observe
    •  How do you know when it's time for a new compliance control?
    •  Who is responsible?
  21. None
  22. None
  23. None
  24. An Example from Documentation 404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
  25. OODA: Orient

  26. I can totally script that...

    $ grep "key" /etc/tac_plus.conf | sed 's/key = //'
    s00persecretkey
    $
  27. ...but there's no context.

  28. Install TACACS+

  29. None
  30. A tale of three personas...

  31. … and a single language.

  32. From lemons...

    $ grep "key" /etc/tac_plus.conf | sed 's/key = //'
    s00persecretkey
    $
  33. … create lemonade!

    describe ini('/etc/tac_plus/tac_plus.conf') do
      its('key') { should_not be_nil }
    end
  34. … create lemonade!

    control 'sox-404.3.5' do
      title 'Network Device to Central Auth Encryption'
      impact 1.0
      desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
      describe ini('/etc/tac_plus/tac_plus.conf') do
        its('key') { should_not be_nil }
      end
    end
  35. Map Documentation to Controls

    control 'sox-404.3.5' do
      title 'Network Device to Central Auth Encryption'
      impact 1.0
      desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
      describe ini('/etc/tac_plus/tac_plus.conf') do
        its('key') { should_not be_nil }
      end
    end

    404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
  36. Share Context

    control 'sox-404.3.5' do
      title 'Network Device to Central Auth Encryption'
      impact 1.0
      desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
      describe ini('/etc/tac_plus/tac_plus.conf') do
        its('key') { should_not be_nil }
      end
    end

    404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
  37. Automate Test Execution

    control 'sox-404.3.5' do
      title 'Network Device to Central Auth Encryption'
      impact 1.0
      desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
      describe ini('/etc/tac_plus/tac_plus.conf') do
        its('key') { should_not be_nil }
      end
    end

    404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
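As an added example (not part of the deck and not InSpec itself), the stand-alone Ruby script below models the 'sox-404.3.5' control: it reads a constructed tac_plus.conf, confirms a pre-shared key is configured, and emits evidence that carries the control's context while redacting the key value that the earlier grep | sed pipeline prints to the terminal. parse_tac_plus and evaluate_key_control are names assumed here, with parse_tac_plus standing in for InSpec's ini resource; unlike the deck's control, an empty key value is also treated as a failure.

```ruby
# Constructed tac_plus.conf used as sample input (not a real config).
SAMPLE_TAC_PLUS_CONF = <<~CONF
  accounting file = /var/log/tac_plus.acct
  key = s00persecretkey
  user = admin {
      login = des XXXXXXXXXXXX
  }
CONF

# Control metadata copied from the deck's 'sox-404.3.5' control so the
# evidence carries the context that a bare grep does not.
CONTROL = {
  id: 'sox-404.3.5',
  title: 'Network Device to Central Auth Encryption',
  impact: 1.0,
  desc: 'All communication between network devices and central auth must be ' \
        'encrypted. Our TACACS+ servers encrypt all the time and the presence ' \
        'of a pre-shared key proves it.'
}.freeze

# Minimal "name = value" reader standing in for InSpec's ini resource
# (hypothetical helper). Returns top-level settings only; entries inside
# { } blocks (e.g. a user's login line) and # comments are skipped.
def parse_tac_plus(text)
  settings = {}
  depth = 0
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if depth.zero? && !line.end_with?('{') && (m = line.match(/\A([\w ]+?)\s*=\s*(.+)\z/))
      settings[m[1]] = m[2]
    end
    depth += line.count('{') - line.count('}')
  end
  settings
end

# Evaluate the control. Passes when a non-empty key is present (the deck's
# control only checks for nil; failing on an empty value is an extension).
# The finding is redacted, so the report can be handed over without
# leaking the secret that 'grep key | sed' prints to the terminal.
def evaluate_key_control(conf_text)
  key = parse_tac_plus(conf_text)['key']
  passed = !key.nil? && !key.empty?
  CONTROL.merge(
    status: passed ? 'passed' : 'failed',
    finding: passed ? "key is set (#{key.length} chars, value redacted)" : 'key is not set'
  )
end
```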
  38. One Language
    •  Linux
    •  Windows
    •  BSD
    •  Solaris
    •  AIX
    •  … and more
  39. Yup, I said Windows...

    control 'windows-base-201' do
      impact 1.0
      title 'Strong Windows NTLMv2 Authentication Enabled'
      desc 'http://support.microsoft.com/en-us/kb/823659'
      describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
        it { should exist }
        its('LmCompatibilityLevel') { should cmp 4 }
      end
    end
  40. One Language
    •  Bare Metal
    •  VMs
    •  Containers

  41. Test Locally $ inspec exec /path/to/profile

  42. Test Remotely $ inspec exec /path/to/profile -i ssh.key -t ssh://me@myhost

  43. Test Remotely $ inspec exec /path/to/profile -t winrm://me@myhost --password secret

  44. Test Remotely $ inspec exec /path/to/profile -t docker://3cc8837bb6a8

  45. Test via Chef Client Runs: Chef Client, Chef Server, Chef Automate; InSpec via the "audit" cookbook
  46. Test via Test Kitchen

    verifier:
      name: inspec
      inspec_tests:
        - name: company-base
          compliance: company/base-profile
        - name: app1
          compliance: company/app1-profile
  47. Compliance at every step

  48. OODA: Decide
    •  How urgent is this?
    •  Where does this fall in our backlog?
    •  How do we become compliant?
  49. Assessing Impact and Priority

    control 'sox-404.3.5' do
      title 'Network Device to Central Auth Encryption'
      impact 1.0
      desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
      describe ini('/etc/tac_plus/tac_plus.conf') do
        its('key') { should_not be_nil }
      end
    end

    404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
  50. Assessing Impact and Priority

    control 'no-telnet' do
      title 'telnet not installed'
      impact 0.5
      tag 'pci'
      ref 'pci stage 1', url: 'https://wiki.mycompany.biz/…'
      desc "PCI-DSS requires all admin traffic to be encrypted. Telnet is not encrypted and is therefore not permitted."
      describe package('telnetd') do
        it { should_not be_installed }
      end
    end
  51. OODA: Act
    •  What does remediation look like?
    •  Can I test my remediation steps?
  52. Compliance at every step

  53. The OODA Loop Observe Orient Decide Act

  54. The OODA Loop Observe Orient Decide Act

  55. Why InSpec?
    •  Break down silos between organizations
    •  Codify your compliance agreements and requirements
    •  Share context about your compliance requirements
    •  Achieve safety at velocity with compliance at every step
  56. The OODA Loop Observe Orient Decide Act

  57. Step one: Detect. Gain visibility into current status to satisfy audits and drive decision-making. 55% of organizations do compliance assessments inconsistently or not at all. Apply policies and gain a complete view across the fleet:
    •  Accurately assess risk
    •  Prioritize remediation actions
    •  Maintain audit readiness
    •  Create and adjust policies
    "Continuous visibility means that you enter into audits knowing the outcome." Jon Williams, NIU
  58. Step two: Correct. Remediate issues to improve performance and security. Develop, test, and deploy remediation to address issues across the fleet. 58% of organizations need days or longer to remediate issues.
    •  Prioritize actions based on impact
    •  Improve application performance
    •  Close security holes
    •  Prove policy compliance
    Web & Media Giant: can patch 250,000 nodes within 6 hours of a patch being made available.
  59. Continuous Workflow Detect Correct

  60. Compliance Profiles
    https://supermarket.chef.io/tools?type=compliance_profile
    http://dev-sec.io/
    https://github.com/chef-cookbooks/audit#configure-node

  61. InSpec, meet my IaaS Provider
    https://github.com/chef/inspec-aws
    https://github.com/chef/inspec-azure
    https://github.com/chef/inspec-vmware

  62. Thank You! Nathen Harvey VP, Community Development Chef Software, Inc. @nathenharvey