Integrating Compliance into the Development Process - OWASP DC

Transcript

1. Integrating Compliance into the Development Process

2. https://youtu.be/RaeN7w8rQAI This was recorded at the OWASP DC Meetup

3. None
4. None
5. None
6. None
7. None

8. SSH Control SSH supports two different protocol versions. The original

   version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

9. How will I verify this?

10. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol

    //'

11. Apache Server Information Leakage – Server Token Directive •  Description

      This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.   This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. •  How to Test   In order to test for ServerToken configuration, one should check the Apache configuration file. •  Misconfiguration   ServerTokens Full •  Remediation   Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.   ServerTokens Prod   or   ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache

12. Whip up a one-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens

    //'
13. None
14. None
15. None
16. None
17. None

18. Two-thirds of organizations did not adequately test the security of

    all in-scope systems!

19. Key Trends •  While individual rule compliance is up, testing

    of security systems is down •  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
20. None

21. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep

    "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

22. Infrastructure Code package 'httpd' do action :install end service 'httpd'

    do action [ :start, :enable ] end

23. What We Have Here Is A Communications Problem

24. None

25. Security != Compliance

26. None
27. None
28. None
29. None
30. None
31. None

32. InSpec

33. Create a check describe service 'ssh-agent' do it { should

    be_running } end

34. Test a target $ inspec exec test.rb . Finished in

    0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures

35. Test Locally $ inspec exec test.rb

36. Test Remote via SSH $ inspec exec test.rb -i ~/.aws/nathen.pem

    -t ssh://[email protected]

37. Test Remote via WinRM $ inspec exec test.rb -t winrm://[email protected]

    --password super

38. Test Docker Container $ inspec exec test.rb -t docker://3dda08e75838

39. InSpec Test any target

40. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

41. SSH Version Check describe file('/etc/ssh/sshd_config') do its(:content) { should match

    /Protocol 2/ } end

42. SSH Version Check describe sshd_config do its('Protocol') { should cmp

    2 } end

43. Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge csv

    command directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yaml yum

44. InSpec Test any target Be expressive

45. None

46. ©2016 Chef Software Inc. Test Kitchen

47. ©2016 Chef Software Inc. Test Kitchen Commands and Configuration

48. InSpec kitchen-inspec

49. Setup our test $ chef generate cookbook apache $ cd

    apache $ vim .kitchen.yml $ kitchen converge $ rm -rf test/integration/default/* $ mkdir -p test/integration/default/inspec/ $ vim test/integration/default/inspec/default_spec.rb

50. SSH Version Check describe sshd_config do its('Protocol') { should cmp

    2 } end

51. Run the test $ kitchen verify Failures: 1) SSH Configuration

    Protocol should cmp 2 Failure/Error: its('Protocol') { should cmp 2 } expected: 2 got:

52. Fix the issue (manually) $ kitchen login $ sudo vi

    /etc/ssh/sshd_config $ exit $ kitchen verify Finished in 0.0382 seconds (files took 0.7536 seconds to load) 1 example, 0 failures Finished verifying <default-centos-71> (0m0.47s).

53. Apache Server Information Leakage – Server Token Directive •  Description

      This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.   This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. •  How to Test   In order to test for ServerToken configuration, one should check the Apache configuration file. •  Misconfiguration   ServerTokens Full •  Remediation   Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.   ServerTokens Prod   or   ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache

54. Apache ServerTokens describe apache_conf do its('ServerTokens') { should eq ["Prod"]

    } end

55. Verify Apache ServerTokens $ kitchen verify Pending: (Failures listed here

    are expected and do not affect your suite's status) 1) Apache Config /etc/httpd/conf/httpd.conf Can't find file "/ etc/httpd/conf/httpd.conf" # Not yet implemented # /Users/nathenharvey/.chefdk/gem/ruby/2.1.0/gems/ inspec-0.12.0/lib/inspec/runner.rb:131 Finished in 0.03081 seconds (files took 0.78295 seconds to load) 2 examples, 0 failures, 1 pending

56. Install Apache with a Chef Recipe $ vim recipes/default.rb package

    'httpd' do action :install end service 'httpd' do action :start end

57. Verify Apache $ kitchen converge $ kitchen verify Failures: 1)

    Apache Config /etc/httpd/conf/httpd.conf ServerTokens should eq ["Prod"] Failure/Error: its('ServerTokens') { should eq ["Prod"] } expected: ["Prod"] got: nil (compared using ==) # ./test/integration/default/inspec/default_spec.rb:6:in `block (2 levels) in load' # /Users/nathenharvey/.chefdk/gem/ruby/2.1.0/gems/inspec-0.12.0/lib/inspec/runner_rspec.rb:55:in `run' Finished in 0.05239 seconds (files took 0.85597 seconds to load) 2 examples, 1 failure

58. Fix Apache $ kitchen login $ sudo vi /etc/httpd/conf/httpd.conf $

    exit $ kitchen verify Finished in 0.03416 seconds (files took 0.75269 seconds to load) 2 examples, 0 failures

59. InSpec Test any target Be expressive

60. InSpec kitchen-inspec

61. InSpec Open Source https://github.com/chef/inspec

62. InSpec Used with Chef Compliance

63. None
64. None

65. Apache ServerTokens control "Apache Server Information Leakage" impact 0.1 title

    'Server Token Directive' desc <<-EOF This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. EOF tag 'OWASP: SCG WS Apache', url: 'https://www.owasp.org/index.php/SCG_WS_Apache#Apache_Server_Information_Leakage' describe apache_conf do its('ServerTokens') { should eq ["Prod"] } end end
66. None
67. None

68. Chef Provides a Proven Approach to DevOps Apps Runtime environments

    Infrastructure .. . Targets/Workloads Collaborative Development Chef Insights Production Chef Server Chef Server Chef Supermarket Assessment Chef Compliance Search Audit Discover Deploy Chef Delivery Local Development Model Build Test Chef DK Chef Client & Cookbooks
69. None
70. None

71. https://www.chef.io/blog/2016/04/01/chef-compliance-1-0-release/

72. None
73. None
74. None

75. Austin, TX | July 11-13 Early Bird Pricing Through April

    17th «  Workshops & Chef Training! «  Community Summit! «  Chef Partner Summit! «  Welcome Reception! «  Keynotes! «  Technical Sessions! «  Happy Hour! «  Keynotes! «  Technical Sessions! «  Awesome Chef Awards! «  Community Celebration! ChefConf.com

76. Nathen Harvey VP, Community Development at Chef Co-host of the

    Food Fight Show Podcast Occasional farmer – http://ei.chef.io Love eggs – http://eggs.chef.io Part-time detective - http://bit.ly/detectivedecker @nathenharvey [email protected]
77. None