Integrating Compliance into the Development Process - OWASP DC

Everyone wants to move faster and ship updates with higher velocity. Regulatory burdens and compliance can add extra drag on the system. Controls that live in notebooks, spreadsheets, and PDF files are difficult to verify. Scanning the production systems for compliance means you find violations when it's too late and when they're most expensive to fix. Compliance must be managed as code and must be part of your everyday development process if you'd like to improve compliance and increase velocity. In this talk, we'll look at one way you can move compliance controls directly into your development process. We'll explore InSpec, an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

Recording of the presentation - https://www.youtube.com/watch?v=RaeN7w8rQAI

Nathen Harvey

April 06, 2016

Transcript

  1. Integrating Compliance into the
    Development Process

  2. https://youtu.be/RaeN7w8rQAI
    This was recorded at the OWASP DC Meetup

  8. SSH Control
    SSH supports two different protocol
    versions. The original version, SSHv1, was
    subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  9. How will I verify this?

  10. Whip up a one-liner!
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

  11. Apache Server Information Leakage – Server Token Directive
    •  Description

    This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.

    This allows attackers to identify web server details more precisely and increases the efficiency of any attack, as security vulnerabilities are
    dependent upon specific software versions.
    •  How to Test

    In order to test for ServerToken configuration, one should check the Apache configuration file.
    •  Misconfiguration

    ServerTokens Full
    •  Remediation

    Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return
    "Apache" in the Server header, returned on every page request.

    ServerTokens Prod

    or

    ServerTokens ProductOnly
    https://www.owasp.org/index.php/SCG_WS_Apache

  12. Whip up a one-liner!
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

  18. Two-thirds of organizations did
    not adequately test the security
    of all in-scope systems!

  19. Key Trends
    •  While individual rule compliance
    is up, testing of security systems
    is down
    •  Sustainability is low. Fewer than
    a third of companies were found
    to be still fully compliant less
    than a year after successful
    validation.

  21. Shell Scripts
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

  22. Infrastructure Code
    package 'httpd' do
      action :install
    end
    service 'httpd' do
      action [ :start, :enable ]
    end

  23. What We Have Here Is A Communications Problem

  25. Security != Compliance

  32. InSpec

  33. Create a check
    describe service 'ssh-agent' do
      it { should be_running }
    end

  34. Test a target
    $ inspec exec test.rb
    .
    Finished in 0.00901 seconds (files took 0.98501 seconds to load)
    1 example, 0 failures

  35. Test Locally
    $ inspec exec test.rb

  36. Test Remote via SSH
    $ inspec exec test.rb -i ~/.aws/nathen.pem -t ssh://[email protected]

  37. Test Remote via WinRM
    $ inspec exec test.rb -t winrm://[email protected] --password super

  38. Test Docker Container
    $ inspec exec test.rb -t docker://3dda08e75838

  39. InSpec
    Test any target

  40. SSH Control
    SSH supports two different protocol
    versions. The original version, SSHv1, was
    subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  41. SSH Version Check
    describe file('/etc/ssh/sshd_config') do
      its(:content) { should match /Protocol 2/ }
    end

  42. SSH Version Check
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

  43. Available Resources
    apache_conf
    apt
    audit_policy
    auditd_conf
    auditd_rules
    bond
    bridge
    csv
    command
    directory
    etc_group
    file
    gem
    group
    host
    inetd_conf
    interface
    iptables
    kernel_module
    kernel_parameter
    limits_conf
    login_defs
    mount
    mysql_conf
    mysql_session
    npm
    ntp_conf
    oneget
    os
    os_env
    package
    parse_config
    parse_config_file
    passwd
    pip
    port
    postgres_conf
    postgres_session
    powershell
    processes
    registry_key
    security_policy
    service
    ssh_config
    sshd_config
    user
    windows_feature
    yaml
    yum

  44. InSpec
    Test any target
    Be expressive

  46. ©2016 Chef Software Inc.
    Test Kitchen

  47. Test Kitchen Commands and Configuration

  48. InSpec
    kitchen-inspec

  49. Setup our test
    $ chef generate cookbook apache
    $ cd apache
    $ vim .kitchen.yml
    $ kitchen converge
    $ rm -rf test/integration/default/*
    $ mkdir -p test/integration/default/inspec/
    $ vim test/integration/default/inspec/default_spec.rb

  50. SSH Version Check
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

  51. Run the test
    $ kitchen verify
    Failures:
    1) SSH Configuration Protocol should cmp 2
    Failure/Error: its('Protocol') { should cmp 2 }
    expected: 2
    got:

  52. Fix the issue (manually)
    $ kitchen login
    $ sudo vi /etc/ssh/sshd_config
    $ exit
    $ kitchen verify
    Finished in 0.0382 seconds (files took 0.7536 seconds to load)
    1 example, 0 failures
    Finished verifying (0m0.47s).

  53. Apache Server Information Leakage – Server Token Directive
    •  Description

    This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.

    This allows attackers to identify web server details more precisely and increases the efficiency of any attack, as security vulnerabilities are
    dependent upon specific software versions.
    •  How to Test

    In order to test for ServerToken configuration, one should check the Apache configuration file.
    •  Misconfiguration

    ServerTokens Full
    •  Remediation

    Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return
    "Apache" in the Server header, returned on every page request.

    ServerTokens Prod

    or

    ServerTokens ProductOnly
    https://www.owasp.org/index.php/SCG_WS_Apache

  54. Apache ServerTokens
    describe apache_conf do
      its('ServerTokens') { should eq ["Prod"] }
    end

  55. Verify Apache ServerTokens
    $ kitchen verify
    Pending: (Failures listed here are expected and do not affect your suite's status)
    1) Apache Config /etc/httpd/conf/httpd.conf Can't find file "/etc/httpd/conf/httpd.conf"
    # Not yet implemented
    # /Users/nathenharvey/.chefdk/gem/ruby/2.1.0/gems/inspec-0.12.0/lib/inspec/runner.rb:131
    Finished in 0.03081 seconds (files took 0.78295 seconds to load)
    2 examples, 0 failures, 1 pending

  56. Install Apache with a Chef Recipe
    $ vim recipes/default.rb
    package 'httpd' do
      action :install
    end
    service 'httpd' do
      action :start
    end

  57. Verify Apache
    $ kitchen converge
    $ kitchen verify
    Failures:
    1) Apache Config /etc/httpd/conf/httpd.conf ServerTokens should eq ["Prod"]
    Failure/Error: its('ServerTokens') { should eq ["Prod"] }
    expected: ["Prod"]
    got: nil
    (compared using ==)
    # ./test/integration/default/inspec/default_spec.rb:6:in `block (2 levels) in load'
    # /Users/nathenharvey/.chefdk/gem/ruby/2.1.0/gems/inspec-0.12.0/lib/inspec/runner_rspec.rb:55:in `run'
    Finished in 0.05239 seconds (files took 0.85597 seconds to load)
    2 examples, 1 failure

  58. Fix Apache
    $ kitchen login
    $ sudo vi /etc/httpd/conf/httpd.conf
    $ exit
    $ kitchen verify
    Finished in 0.03416 seconds (files took 0.75269 seconds to load)
    2 examples, 0 failures

  59. InSpec
    Test any target
    Be expressive

  60. InSpec
    kitchen-inspec

  61. InSpec
    Open Source
    https://github.com/chef/inspec

  62. InSpec
    Used with Chef Compliance

  65. Apache ServerTokens
    control "Apache Server Information Leakage" do
      impact 0.1
      title 'Server Token Directive'
      desc <<-EOF
        This directive controls whether the Server response header field sent back to
        clients includes a description of the generic OS type of the server. This
        allows attackers to identify web server details more precisely and increases the
        efficiency of any attack, as security vulnerabilities are dependent upon
        specific software versions.
      EOF
      tag 'OWASP: SCG WS Apache', url: 'https://www.owasp.org/index.php/SCG_WS_Apache#Apache_Server_Information_Leakage'
      describe apache_conf do
        its('ServerTokens') { should eq ["Prod"] }
      end
    end
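    Added example (not from the talk, Chef or InSpec): a small Ruby stand-in for the sshd_config and apache_conf resources and the control block above, so the SSH Version Check (slide 42), the ServerTokens check (slide 54) and the control metadata (slide 65) can be run here against constructed config text with no target host. It also reproduces the grep one-liner from slide 10 as a function, to show the case the resource-based check catches and the one-liner does not. All function and constant names are this example's own, and real InSpec handles far more (Include files, Directory sections, Match blocks) than the flat "Directive value" lines covered here.

```ruby
# Added example, not InSpec's own code. Parse "Directive value [value ...]"
# lines into { 'directive' => [values] }. Comments and blank lines are
# skipped, leading whitespace is tolerated, and names are lower-cased because
# sshd and httpd both match directive names case-insensitively. A repeated
# directive keeps its first occurrence, which is how sshd applies Protocol.
def parse_directives(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, value = line.split(/\s+/, 2)
    conf[name.downcase] ||= value.to_s.split(/\s+/)
  end
end

# The slide 10 one-liner, grep "^Protocol" ... | sed 's/Protocol //', as a
# function: it only sees lines that begin in column 1 with "Protocol".
def one_liner_protocol(text)
  text.each_line.map(&:chomp)
      .select { |l| l.start_with?('Protocol') }
      .map { |l| l.sub('Protocol ', '') }
end

# One control: the metadata from slide 65 plus a single directive check.
# :eq compares the whole value list (slide 54); :cmp compares the first value
# as a string, so "2" passes `cmp 2` and "2,1" does not (slide 42). A missing
# directive yields got: nil, the failure shape shown on slide 57.
Control = Struct.new(:id, :impact, :title, :directive, :matcher, :expected)

def evaluate(control, conf)
  got = conf[control.directive.downcase]
  passed = case control.matcher
           when :eq  then got == control.expected
           when :cmp then !got.nil? && got.first.to_s == control.expected.to_s
           end
  { id: control.id, impact: control.impact, title: control.title,
    passed: passed, expected: control.expected, got: got }
end

def run_controls(controls, conf)
  controls.map { |c| evaluate(c, conf) }
end

# Report lines in the expected/got style of the kitchen verify output.
def report(results)
  results.map do |r|
    next "PASS #{r[:title]}" if r[:passed]
    "FAIL #{r[:title]} (impact #{r[:impact]}): expected #{r[:expected].inspect}, got #{r[:got].inspect}"
  end
end

CONTROLS = [
  Control.new('ssh-version', 1.0, 'SSH Version Check', 'Protocol', :cmp, 2),
  Control.new('apache-server-information-leakage', 0.1,
              'Server Token Directive', 'ServerTokens', :eq, ['Prod'])
].freeze

# Constructed sample files for this example; not copied from any host.
SSHD_CONFIG_OK = <<~CONF
  # hardened per the SSH control
  Port 22
  Protocol 2
  PermitRootLogin no
CONF

# The live directive is indented and a commented-out copy precedes it: the
# grep one-liner reports nothing, while the parser finds "2,1" and fails.
SSHD_CONFIG_LEGACY = <<~CONF
  # Protocol 2
    Protocol 2,1
CONF

HTTPD_CONF_FULL = <<~CONF
  ServerRoot "/etc/httpd"
  servertokens Full
CONF

if __FILE__ == $PROGRAM_NAME
  [SSHD_CONFIG_OK, SSHD_CONFIG_LEGACY, HTTPD_CONF_FULL].each do |text|
    puts report(run_controls(CONTROLS, parse_directives(text)))
    puts '--'
  end
end
```

Running the file prints one report per sample: the hardened sshd_config passes the SSH check and fails ServerTokens with got nil (no Apache directive in that file, as on slide 57), the legacy file fails with got ["2,1"] even though the one-liner returns nothing for it, and the httpd.conf fails until its value is Prod.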

  68. Chef Provides a Proven Approach to DevOps
    [Architecture diagram; labels on the slide: Targets/Workloads: Apps, Runtime environments, Infrastructure, ...; Local Development; Collaborative Development; Production; Assessment; Model; Build; Test; Search; Audit; Discover; Deploy; Chef DK; Chef Delivery; Chef Supermarket; Chef Server; Chef Client & Cookbooks; Chef Compliance; Chef Insights]

  71. https://www.chef.io/blog/2016/04/01/chef-compliance-1-0-release/

  75. Austin, TX | July 11-13
    Early Bird Pricing Through April 17th
    «  Workshops & Chef Training!
    «  Community Summit!
    «  Chef Partner Summit!
    «  Welcome Reception!
    «  Keynotes!
    «  Technical Sessions!
    «  Happy Hour!
    «  Keynotes!
    «  Technical Sessions!
    «  Awesome Chef Awards!
    «  Community Celebration!
    ChefConf.com

  76. Nathen Harvey
    VP, Community Development at Chef
    Co-host of the Food Fight Show Podcast
    Occasional farmer – http://ei.chef.io
    Love eggs – http://eggs.chef.io
    Part-time detective - http://bit.ly/detectivedecker
    @nathenharvey
    [email protected]
