Integrating Compliance into the Development Process - OWASP NoVA

Transcript

1. Integrating Compliance into the Development Process

2. None
3. None
4. None
5. None
6. None
7. None

8. SSH Control SSH supports two different protocol versions. The original

   version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

9. How will I verify this?

10. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol

    //'

11. Apache Server Information Leakage – Server Token Directive •  Description

      This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.   This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. •  How to Test   In order to test for ServerToken configuration, one should check the Apache configuration file. •  Misconfiguration   ServerTokens Full •  Remediation   Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.   ServerTokens Prod   or   ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache

12. Whip up a one-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens

    //'
13. None

14. Whip up a two-liner! TARGET=2 grep "^Protocol" /etc/ssh/sshd_config | sed

    's/Protocol //' > /dev/null && echo $TARGET
15. None
16. None
17. None
18. None
19. None

20. Two-thirds of organizations did not adequately test the security of

    all in-scope systems!

21. Key Trends •  While individual rule compliance is up, testing

    of security systems is down •  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
22. None

23. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep

    "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

24. Infrastructure Code package 'httpd' do action :install end service 'httpd'

    do action [ :start, :enable ] end

25. What We Have Here Is A Communications Problem

26. None

27. Security != Compliance

28. None
29. None
30. None
31. None
32. None
33. None

34. InSpec

35. Create a check describe service 'ssh-agent' do it { should

    be_running } end

36. Test a target $ inspec exec test.rb . Finished in

    0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures

37. Test Locally $ inspec exec test.rb

38. Test Remote via SSH $ inspec exec test.rb -i ~/.aws/nathen.pem

    -t ssh://[email protected]

39. Test Remote via WinRM $ inspec exec test.rb -t winrm://[email protected]

    --password super

40. Test Docker Container $ inspec exec test.rb -t docker://3dda08e75838

41. InSpec Test any target

42. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

43. SSH Version Check describe file('/etc/ssh/sshd_config') do its(:content) { should match

    /Protocol 2/ } end

44. SSH Version Check describe sshd_config do its('Protocol') { should cmp

    2 } end

45. SSH Version Check describe sshd_config do title 'SSH Version 2'

    
 
 its('Protocol') { should cmp 2 } end

46. SSH Version Check describe sshd_config do title 'SSH Version 2'

    desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end

47. SSH Version Check describe sshd_config do impact 1.0 title 'SSH

    Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end

48. Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge csv

    command directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yaml yum

49. etc_group describe etc_group.where(item: 'value', item: 'value') do its('gids') { should_not

    contain_duplicates } its('groups') { should include 'user_name' } its('users') { should include 'user_name' } end

50. host describe host('example.com', port: 80, proto: 'tcp') do it {

    should be_reachable } end

51. login_defs describe login_defs do its('PASS_MAX_DAYS') { should eq '180' }

    its('PASS_MIN_DAYS') { should eq '1' } its('PASS_MIN_LEN') { should eq '15' } its('PASS_WARN_AGE') { should eq '30' } end

52. mysql_conf describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' }

    its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end

53. mysql_session sql = mysql_session('my_user','password') describe sql.query('show databases like \'test\';') do

    its(:stdout) { should_not match(/test/) } end

54. registry_key describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\..\Schedule') do its('Start') { should eq 2

    } end

55. InSpec Test any target Be expressive

56. InSpec Open Source https://github.com/chef/inspec

57. None

58. The promise of the coded business

59. The changing role of the compliance officer

60. A single accelerated cycle

61. Security meets operations

62. Unified language

63. None
64. None
65. None

66. Continuous workflow

67. Workflow

68. Scan for Compliance

69. Local development

70. None
71. None

72. Chef Provides a Proven Approach to DevOps Apps Runtime environments

    Infrastructure .. . Targets/Workloads Collaborative Development Chef Insights Production Chef Server Chef Server Chef Supermarket Assessment Chef Compliance Search Audit Discover Deploy Chef Delivery Local Development Model Build Test Chef DK Chef Client & Cookbooks
73. None
74. None

75. https://www.chef.io/blog/2016/04/01/chef-compliance-1-0-release/

76. None
77. None

78. Austin, TX | July 11-13 Early Bird Pricing Through April

    17th «  Workshops & Chef Training! «  Community Summit! «  Chef Partner Summit! «  Welcome Reception! «  Keynotes! «  Technical Sessions! «  Happy Hour! «  Keynotes! «  Technical Sessions! «  Awesome Chef Awards! «  Community Celebration! ChefConf.com
79. None