Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating Compliance into the Development Process - OWASP NoVA

Nathen Harvey
April 13, 2016
Technology
2
120

Integrating Compliance into the Development Process - OWASP NoVA

Video Recording: https://m.youtube.com/watch?v=usVSKz1IQC0

Everyone wants to move faster and ship updates with higher velocity. Regulatory burdens and compliance can add extra drag on the system. Controls that live in notebooks, spreadsheets, and PDF files are difficult to verify. Scanning the production systems for compliance means you find violations when it's too late and when they're most expensive to fix. Compliance must be managed as code and must be part of your everyday development process if you'd like to improve compliance and increase velocity. In this talk, we'll look at one way you can move compliance controls directly into your development process. We'll explore InSpec, an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

Presented at OWASP NoVA Meetup (http://www.meetup.com/OWASP-Northern-Virginia-Chapter/events/229746846/)

Nathen Harvey

April 13, 2016
Tweet

More Decks by Nathen Harvey

See All by Nathen Harvey
DevOps DC Meetup - November 13, 2018
nathenharvey
1
58
DevOps State of Mind
nathenharvey
0
140
Do Change with Communities of Practice
nathenharvey
2
100
DevOps State-of-mind
nathenharvey
1
30
DevOps Community Of Practice
nathenharvey
2
720
Application Automation & Containerization With Habitat - SCaLE 16x
nathenharvey
1
57
Application Automation & Containerization With Habitat
nathenharvey
1
110
The Journey to Continuous Automation
nathenharvey
1
290
Chef Update - InSpec & Habitat
nathenharvey
2
140

Other Decks in Technology

See All in Technology
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
1
330
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
4
430
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
350
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.5k
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
VS CodeでAWSを操作しよう
smt7174
8
1.7k
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
300
JAWS-UG Bedrock Claude Night
yamahiro
3
610
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
250

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Docker and Python
trallard
34
2.7k
Code Reviewing Like a Champion
maltzj
514
39k
For a Future-Friendly Web
brad_frost
172
9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Teambox: Starting and Learning
jrom
128
8.4k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k

Transcript

  1. Integrating Compliance into the Development Process

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

  9. How will I verify this?

  10. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol

    //'

  11. Apache Server Information Leakage – Server Token Directive •  Description

      This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.   This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. •  How to Test   In order to test for ServerToken configuration, one should check the Apache configuration file. •  Misconfiguration   ServerTokens Full •  Remediation   Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.   ServerTokens Prod   or   ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache

  12. Whip up a one-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens

    //'
  13. None

  14. Whip up a two-liner! TARGET=2 grep "^Protocol" /etc/ssh/sshd_config | sed

    's/Protocol //' > /dev/null && echo $TARGET
  15. None
  16. None
  17. None
  18. None
  19. None

  20. Two-thirds of organizations did not adequately test the security of

    all in-scope systems!

  21. Key Trends •  While individual rule compliance is up, testing

    of security systems is down •  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  22. None

  23. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep

    "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

  24. Infrastructure Code package 'httpd' do action :install end service 'httpd'

    do action [ :start, :enable ] end

  25. What We Have Here Is A Communications Problem

  26. None

  27. Security != Compliance

  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. InSpec

  35. Create a check describe service 'ssh-agent' do it { should

    be_running } end

  36. Test a target $ inspec exec test.rb . Finished in

    0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures

  37. Test Locally $ inspec exec test.rb

  38. Test Remote via SSH $ inspec exec test.rb -i ~/.aws/nathen.pem

    -t ssh://[email protected]

  39. Test Remote via WinRM $ inspec exec test.rb -t winrm://[email protected]

    --password super

  40. Test Docker Container $ inspec exec test.rb -t docker://3dda08e75838

  41. InSpec Test any target

  42. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

  43. SSH Version Check describe file('/etc/ssh/sshd_config') do its(:content) { should match

    /Protocol 2/ } end

  44. SSH Version Check describe sshd_config do its('Protocol') { should cmp

    2 } end

  45. SSH Version Check describe sshd_config do title 'SSH Version 2'

    
 
 its('Protocol') { should cmp 2 } end

  46. SSH Version Check describe sshd_config do title 'SSH Version 2'

    desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end

  47. SSH Version Check describe sshd_config do impact 1.0 title 'SSH

    Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end

  48. Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge csv

    command directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yaml yum

  49. etc_group describe etc_group.where(item: 'value', item: 'value') do its('gids') { should_not

    contain_duplicates } its('groups') { should include 'user_name' } its('users') { should include 'user_name' } end

  50. host describe host('example.com', port: 80, proto: 'tcp') do it {

    should be_reachable } end

  51. login_defs describe login_defs do its('PASS_MAX_DAYS') { should eq '180' }

    its('PASS_MIN_DAYS') { should eq '1' } its('PASS_MIN_LEN') { should eq '15' } its('PASS_WARN_AGE') { should eq '30' } end

  52. mysql_conf describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' }

    its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end

  53. mysql_session sql = mysql_session('my_user','password') describe sql.query('show databases like \'test\';') do

    its(:stdout) { should_not match(/test/) } end

  54. registry_key describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\..\Schedule') do its('Start') { should eq 2

    } end

  55. InSpec Test any target Be expressive

  56. InSpec Open Source https://github.com/chef/inspec

  57. None

  58. The promise of the coded business

  59. The changing role of the compliance officer

  60. A single accelerated cycle

  61. Security meets operations

  62. Unified language

  63. None
  64. None
  65. None

  66. Continuous workflow

  67. Workflow

  68. Scan for Compliance

  69. Local development

  70. None
  71. None

  72. Chef Provides a Proven Approach to DevOps Apps Runtime environments

    Infrastructure .. . Targets/Workloads Collaborative Development Chef Insights Production Chef Server Chef Server Chef Supermarket Assessment Chef Compliance Search Audit Discover Deploy Chef Delivery Local Development Model Build Test Chef DK Chef Client & Cookbooks
  73. None
  74. None

  75. https://www.chef.io/blog/2016/04/01/chef-compliance-1-0-release/

  76. None
  77. None

  78. Austin, TX | July 11-13 Early Bird Pricing Through April

    17th «  Workshops & Chef Training! «  Community Summit! «  Chef Partner Summit! «  Welcome Reception! «  Keynotes! «  Technical Sessions! «  Happy Hour! «  Keynotes! «  Technical Sessions! «  Awesome Chef Awards! «  Community Celebration! ChefConf.com
  79. None