
Integrating Compliance into the Development Process - OWASP NoVA

Video Recording: https://m.youtube.com/watch?v=usVSKz1IQC0

Everyone wants to move faster and ship updates with higher velocity. Regulatory burdens and compliance can add extra drag on the system. Controls that live in notebooks, spreadsheets, and PDF files are difficult to verify. Scanning the production systems for compliance means you find violations when it's too late and when they're most expensive to fix. Compliance must be managed as code and must be part of your everyday development process if you'd like to improve compliance and increase velocity. In this talk, we'll look at one way you can move compliance controls directly into your development process. We'll explore InSpec, an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

Presented at OWASP NoVA Meetup (http://www.meetup.com/OWASP-Northern-Virginia-Chapter/events/229746846/)

Nathen Harvey

April 13, 2016

Transcript

  1. Integrating Compliance into the
    Development Process

  8. SSH Control
    SSH supports two different protocol
    versions. The original version, SSHv1, was
    subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  9. How will I verify this?

  10. Whip up a one-liner!
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

  11. Apache Server Information Leakage – ServerTokens Directive
    •  Description

    This directive controls whether the Server response header field that is sent back to clients includes a description of the generic OS type of the server.

    This lets attackers identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities are
    dependent upon specific software versions.
    •  How to Test

    In order to test the ServerTokens configuration, one should check the Apache configuration file.
    •  Misconfiguration

    ServerTokens Full
    •  Remediation

    Configure the ServerTokens directive in the Apache configuration to the value Prod or ProductOnly. This tells Apache to only return
    "Apache" in the Server header, returned on every page request.

    ServerTokens Prod

    or

    ServerTokens ProductOnly
    https://www.owasp.org/index.php/SCG_WS_Apache

  12. Whip up a one-liner!
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

  14. Whip up a two-liner!
    TARGET=2
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET

  20. Two-thirds of organizations did
    not adequately test the
    security of all in-scope systems!

  21. Key Trends
    •  While individual rule compliance is up, testing of security systems is down
    •  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

  23. Shell Scripts
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

  24. Infrastructure Code
    package 'httpd' do
      action :install
    end
    service 'httpd' do
      action [:start, :enable]
    end

  25. What We Have Here Is A Communications Problem

  27. Security != Compliance

  34. InSpec

  35. Create a check
    describe service 'ssh-agent' do
      it { should be_running }
    end

  36. Test a target
    $ inspec exec test.rb
    .
    Finished in 0.00901 seconds (files took 0.98501 seconds to load)
    1 example, 0 failures

  37. Test Locally
    $ inspec exec test.rb

  38. Test Remote via SSH
    $ inspec exec test.rb -i ~/.aws/nathen.pem -t ssh://[email protected]

  39. Test Remote via WinRM
    $ inspec exec test.rb -t winrm://[email protected] --password super

  40. Test Docker Container
    $ inspec exec test.rb -t docker://3dda08e75838

  41. InSpec
    Test any target

  42. SSH Control
    SSH supports two different protocol
    versions. The original version, SSHv1, was
    subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  43. SSH Version Check
    describe file('/etc/ssh/sshd_config') do
      its(:content) { should match /Protocol 2/ }
    end

  44. SSH Version Check
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

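The slides move from a grep one-liner (slides 10, 12 and 14) to a regex over the file content (slide 43) and then to the sshd_config resource (slide 44). The Ruby script below is an added example, not code from the talk, from Chef or from InSpec. It puts the two styles of check side by side on constructed sshd_config and httpd.conf fragments so the difference is visible: a text match passes when "Protocol 2" is only present in a comment or is written as "Protocol 2,1", while a parsed check fails both, and the same parser also evaluates the ServerTokens remediation from slide 11. The parser, the config fragments and all function names are this example's own, not InSpec's.

```ruby
# Added example: not code from the talk, from Chef or from InSpec. Contrasts a
# grep/regex-style check with a parsed-directive check on constructed config text.

SSHD_CONFIGS = {
  # "Protocol 2" appears only in a comment: the daemon uses its compiled-in default.
  commented: "# Protocol 2\nPort 22\n",
  # Both versions enabled, so SSHv1 can still be negotiated.
  both:      "Protocol 2,1\nPort 22\n",
  # Only SSHv2 enabled.
  v2_only:   "Port 22\nProtocol 2\n",
  # Only SSHv1 enabled.
  v1_only:   "Protocol 1\n",
}.freeze

HTTPD_CONFIGS = {
  full:  "ServerTokens Full\n",
  # Apache treats directive names and ServerTokens arguments case-insensitively.
  prod:  "servertokens prod\n",
  # The only ServerTokens line is commented out.
  unset: "# ServerTokens Prod\nServerName www.example.com\n",
}.freeze

# Slide 43 style: regex over the raw file. It matches inside comments and it
# matches the "2" in "2,1".
def naive_protocol_check(content)
  content.match?(/Protocol 2/)
end

# Minimal "keyword value" parser (this example's own) usable for both sshd_config
# and httpd.conf: drops blank and comment lines, case-folds the keyword and keeps
# the rest of the line as the value. sshd honours the first occurrence of a
# keyword, Apache the last, so the caller says which rule applies.
def parse_directives(content, first_wins: false)
  content.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    next if first_wins && conf.key?(key)
    conf[key] = value.strip
  end
end

# Slide 44 style: compare the parsed value. Only exactly "2" passes; "2,1", "1"
# and a missing directive all fail (a missing directive leaves the decision to
# the daemon's compiled-in default, which this check cannot see).
def parsed_protocol_check(content)
  parse_directives(content, first_wins: true)['protocol'] == '2'
end

# Slide 11 remediation: ServerTokens must be Prod or ProductOnly.
def server_tokens_check(content)
  value = parse_directives(content)['servertokens']
  !value.nil? && %w[prod productonly].include?(value.downcase)
end

# Run every constructed sshd_config through both checks: name => [naive, parsed].
def compare_ssh_checks
  SSHD_CONFIGS.transform_values { |c| [naive_protocol_check(c), parsed_protocol_check(c)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_ssh_checks.each do |name, (naive, parsed)|
    puts format('%-10s naive=%-5s parsed=%s', name, naive, parsed)
  end
  HTTPD_CONFIGS.each do |name, c|
    puts format('%-10s servertokens_ok=%s', name, server_tokens_check(c))
  end
end
```

Run it with ruby and compare the two columns: the naive check reports the commented-out and the "2,1" configurations as compliant, the parsed check does not. Doing this parsing by hand for every configuration file is exactly the work the sshd_config and apache_conf resources take off your plate, which is the point of slide 44.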
  45. SSH Version Check
    # title is control metadata, so the describe block is wrapped in a control here;
    # 'sshd-protocol' is a placeholder ID, the slide showed none.
    control 'sshd-protocol' do
      title 'SSH Version 2'
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end

  46. SSH Version Check
    # title and desc are control metadata; 'sshd-protocol' is a placeholder ID.
    control 'sshd-protocol' do
      title 'SSH Version 2'
      desc <<-EOF
        SSH supports two different protocol versions. The original version, SSHv1,
        was subject to a number of security issues. Please use SSHv2 instead to avoid
        these.
      EOF
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end

  47. SSH Version Check
    # impact, title and desc are control metadata; 'sshd-protocol' is a placeholder ID.
    control 'sshd-protocol' do
      impact 1.0
      title 'SSH Version 2'
      desc <<-EOF
        SSH supports two different protocol versions. The original version, SSHv1,
        was subject to a number of security issues. Please use SSHv2 instead to avoid
        these.
      EOF
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end

  48. Available Resources
    apache_conf
    apt
    audit_policy
    auditd_conf
    auditd_rules
    bond
    bridge
    csv
    command
    directory
    etc_group
    file
    gem
    group
    host
    inetd_conf
    interface
    iptables
    kernel_module
    kernel_parameter
    limits_conf
    login_defs
    mount
    mysql_conf
    mysql_session
    npm
    ntp_conf
    oneget
    os
    os_env
    package
    parse_config
    parse_config_file
    passwd
    pip
    port
    postgres_conf
    postgres_session
    powershell
    processes
    registry_key
    security_policy
    service
    ssh_config
    sshd_config
    user
    windows_feature
    yaml
    yum

  49. etc_group
    describe etc_group.where(item: 'value', item: 'value') do
      its('gids') { should_not contain_duplicates }
      its('groups') { should include 'user_name' }
      its('users') { should include 'user_name' }
    end

  50. host
    describe host('example.com', port: 80, proto: 'tcp') do
      it { should be_reachable }
    end

  51. login_defs
    describe login_defs do
      its('PASS_MAX_DAYS') { should eq '180' }
      its('PASS_MIN_DAYS') { should eq '1' }
      its('PASS_MIN_LEN') { should eq '15' }
      its('PASS_WARN_AGE') { should eq '30' }
    end

  52. mysql_conf
    describe mysql_conf do
      its('slow_query_log_file') { should eq 'hostname_slow.log' }
      its('slow_query_log') { should eq '0' }
      its('log_queries_not_using_indexes') { should eq '1' }
      its('long_query_time') { should eq '0.5' }
      its('min_examined_row_limit') { should eq '100' }
    end

  53. mysql_session
    sql = mysql_session('my_user', 'password')
    describe sql.query('show databases like \'test\';') do
      its(:stdout) { should_not match(/test/) }
    end

  54. registry_key
    describe registry_key('Task Scheduler', 'HKEY_LOCAL_MACHINE\..\Schedule') do
      its('Start') { should eq 2 }
    end

  55. InSpec
    Test any target
    Be expressive

  56. InSpec
    Open Source
    https://github.com/chef/inspec

  58. The promise of the coded business

  59. The changing role of the compliance officer

  60. A single accelerated cycle

  61. Security meets operations

  62. Unified language

  66. Continuous workflow

  67. Workflow

  68. Scan for Compliance

  69. Local development

  72. Chef Provides a Proven Approach to DevOps
    [Diagram; labels only: Targets/Workloads (Apps, Runtime environments, Infrastructure); Local Development with Chef DK (Model, Build, Test); Collaborative Development with Chef Delivery and Chef Supermarket; Production with Chef Server and Chef Client & Cookbooks; Assessment with Chef Compliance (Discover, Audit, Search); Deploy; Chef Insights.]

  75. https://www.chef.io/blog/2016/04/01/chef-compliance-1-0-release/

    Austin, TX | July 11-13
    Early Bird Pricing Through April 17th
    «  Workshops & Chef Training!
    «  Community Summit!
    «  Chef Partner Summit!
    «  Welcome Reception!
    «  Keynotes!
    «  Technical Sessions!
    «  Happy Hour!
    «  Awesome Chef Awards!
    «  Community Celebration!
    ChefConf.com
