Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating Compliance into the Development Pro...

Integrating Compliance into the Development Process - OWASP NoVA

Video Recording: https://m.youtube.com/watch?v=usVSKz1IQC0

Everyone wants to move faster and ship updates with higher velocity. Regulatory burdens and compliance can add extra drag on the system. Controls that live in notebooks, spreadsheets, and PDF files are difficult to verify. Scanning the production systems for compliance means you find violations when it's too late and when they're most expensive to fix. Compliance must be managed as code and must be part of your everyday development process if you'd like to improve compliance and increase velocity. In this talk, we'll look at one way you can move compliance controls directly into your development process. We'll explore InSpec, an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

Presented at OWASP NoVA Meetup (http://www.meetup.com/OWASP-Northern-Virginia-Chapter/events/229746846/)

Nathen Harvey

April 13, 2016
Tweet

More Decks by Nathen Harvey

Other Decks in Technology

Transcript

  1. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  2. Apache Server Information Leakage – Server Token Directive •  Description

      This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.   This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. •  How to Test   In order to test for ServerToken configuration, one should check the Apache configuration file. •  Misconfiguration   ServerTokens Full •  Remediation   Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.   ServerTokens Prod   or   ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
  3. Key Trends •  While individual rule compliance is up, testing

    of security systems is down •  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  4. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep

    "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  5. Test a target $ inspec exec test.rb . Finished in

    0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures
  6. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  7. SSH Version Check describe sshd_config do title 'SSH Version 2'

    
 
 its('Protocol') { should cmp 2 } end
  8. SSH Version Check describe sshd_config do title 'SSH Version 2'

    desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
  9. SSH Version Check describe sshd_config do impact 1.0 title 'SSH

    Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
  10. Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge csv

    command directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yaml yum
  11. etc_group describe etc_group.where(item: 'value', item: 'value') do its('gids') { should_not

    contain_duplicates } its('groups') { should include 'user_name' } its('users') { should include 'user_name' } end
  12. login_defs describe login_defs do its('PASS_MAX_DAYS') { should eq '180' }

    its('PASS_MIN_DAYS') { should eq '1' } its('PASS_MIN_LEN') { should eq '15' } its('PASS_WARN_AGE') { should eq '30' } end
  13. mysql_conf describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' }

    its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end
  14. Chef Provides a Proven Approach to DevOps Apps Runtime environments

    Infrastructure .. . Targets/Workloads Collaborative Development Chef Insights Production Chef Server Chef Server Chef Supermarket Assessment Chef Compliance Search Audit Discover Deploy Chef Delivery Local Development Model Build Test Chef DK Chef Client & Cookbooks
  15. Austin, TX | July 11-13 Early Bird Pricing Through April

    17th «  Workshops & Chef Training! «  Community Summit! «  Chef Partner Summit! «  Welcome Reception! «  Keynotes! «  Technical Sessions! «  Happy Hour! «  Keynotes! «  Technical Sessions! «  Awesome Chef Awards! «  Community Celebration! ChefConf.com