$30 off During Our Annual Pro Sale. View Details »

The Quest to Make Testing and Security part of DevOps

The Quest to Make Testing and Security part of DevOps

An introduction to InSpec, an open-source framework for integration testing infrastructure code and for compliance and security automation.

Nathen Harvey

January 26, 2017
Tweet

More Decks by Nathen Harvey

Other Decks in Technology

Transcript

  1. The Quest to Make Testing and Security part of DevOps

    InSpec Nathen Harvey VP, Community Development 24 January 2017
  2. Introductions Nathen Harvey - VP, Community Development Chris Nimmer –

    Regional Director, Federal Galen Emery – Solutions Architect
  3. Agenda Infrastructure as Code & Test-driven Development Compliance as Code

    Demonstration Q & A
  4. Infrastructure Automation Delivering Infrastructure as Code

  5. Infrastructure as Code •  Programmatically provision and configure components • 

    Treat like any other code base •  Reconstruct business from code repository, data backup, and compute resources
  6. Infrastructure as Code •  Develop reusable policies •  Expose tunable

    settings •  Test locally to reduce risk, and ensure compliance •  Commit to Source Code •  Automated Testing through Continuous Integration •  Automatically promote across environments BUILD DEPLOY MANAGE •  Easily deploy new configurations in a matter of minutes. •  Continuously verify and repair misconfigured systems
  7. •  Write a unit test, watch it fail •  Write

    some code •  Write and run more unit tests •  Run some integration/acceptance tests •  Code review •  Delivery pipeline to production •  Lowered chance of production failure Test-Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  8. Software Testing and Why it Matters quantity less time more

    time manual tests automated GUI tests integration tests unit tests quantity less time more time manual session based tests automated GUI tests automated API tests automated unit tests automated integration tests automated component tests Testing builds safety through feedback loops Inexpensive experiments to provide validation Reduces risk Optimize Testing: Do more of the inexpensive testing first!
  9. Infrastructure policies need testing   ↳ Linting   ↳ Static

    Analysis   ↳ Unit Testing   ↳ Integration Testing ↳ Compliance Testing Remember… “Infrastructure as Code” should be tested like ANY other codebase.
  10. Integration Testing – Add tests describe package 'httpd' do it

    { should be_installed } end describe service 'httpd' do it { should be_running } it { should be_enabled } end describe port(80) do it { should be_listening } end Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  11. Integration Testing - Run the tests Add a test Run

    the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  12. Integration Testing – Make a change package 'httpd' do action

    :install end service 'httpd' do action [ :start, :enable ] end Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  13. Integration Testing – Apply the change Add a test Run

    the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  14. Integration Testing – Run the tests Add a test Run

    the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
  15. InSpec Compliance as Code

  16. InSpec is compliance as code – a human-readable language for

    automating the continuous testing and compliance auditing of your entire infrastructure.
  17. Compliance as Code ROLE OF THE COMPLIANCE OFFICER ACCELERATED CYCLE

    INFRASTRUCTURE AS CODE POLICY AS CODE PRACTICE AS CODE Separate certification & testing Common language for describing & applying policy Compliance at velocity Compliance at Velocity Manual Compliance Reactive engagement Proactive engagement Checking implementations by hand Expressing policy as testable code Short term compliance Long term process improvement One language, One workflow
  18. SSH Control SSH supports two different protocol versions. The original

    version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  19. Mapping Compliance Document to InSpec control 'ssh-6.2.1' do title 'Set

    SSH Protocol to 2' end
  20. Mapping Compliance Document to InSpec control 'ssh-6.2.1' do title 'Set

    SSH Protocol to 2' desc " SSH supports two different ... " end
  21. Mapping Compliance Document to InSpec control 'ssh-6.2.1' do title 'Set

    SSH Protocol to 2' desc " SSH supports two different ... " describe sshd_config do its('Protocol') { should cmp('2') } end end
  22. Mapping Compliance Document to InSpec control 'ssh-6.2.1' do impact 1.0

    title 'Set SSH Protocol to 2' desc " SSH supports two different ... " describe sshd_config do its('Protocol') { should cmp('2') } end end
  23. Differences in verifying compliance policy > grep "^Protocol" /etc/ssh/ sshd_config

    | sed 's/Protocol //' 2 DOCUMENTATION SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. describe sshd_config do its('Protocol') { should eq 2 } end control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end SCRIPTING TOOLS COMPLIANCE LANGUAGE COMPLIANCE LANGUAGE
  24. ONE LANGUAGE InSpec InSpec for Windows control 'windows-base-201' do impact

    1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key ('HKLM\System\CurrentControlSet\Control\Lsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end
  25. InSpec •  Baremetal •  VMs •  Containers ONE LANGUAGE

  26. Different ways to run InSpec > inspec exec test.rb Test

    a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM No ruby/agent on the node No ruby/agent on the node no SSH/agent in the container
  27. •  Baremetal •  VMs •  Containers •  Databases •  API

    endpoints (e.g. cloud) InSpec Database Testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider Testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end ONE LANGUAGE
  28. InSpec ONE WORKFLOW Security meets operations COMPLIANCE SECURITY DEVOPS

  29. InSpec Each team uses separate tools SECURITY DEVOPS COMPLIANCE Unified

    language SECURITY DEVOPS COMPLIANCE
  30. Continuous Workflow Correct Detect

  31. PART OF A PROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance

    Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪  Translate compliance into Code ▪  Clearly express statements of policy ▪  Move risk to build/test from runtime ▪  Find issues early ▪  Write code quickly ▪  Run code anywhere ▪  Inspect machines, data, and APIs Turn security and compliance into code control ‘cis-1.4.1’ do title ‘1.4.1 Enable SELinux in /etc/grub.conf’ desc ‘ Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ‘ impact 1.0 expect(grub_conf.param ‘selinux’).to_not eq ‘0’ expect(grub_conf.param ‘enforcing’).to_not eq ‘0’ end
  32. What InSpec is not •  Intrusion Detection System •  Intrusion

    Prevention System •  Firewall •  Antivirus •  Penetration Testing Tool
  33. Success example: Web & Media Giant

  34. Success example: Top five global bank

  35. The Chef Automate Platform Continuous Automation for High Velocity IT

  36. Delivering software at speed The capabilities needed across infrastructure, applications,

    and compliance Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪  Package ▪  Test ▪  Approve BUILD ▪  Provision ▪  Configure ▪  Execute ▪  Update DEPLOY ▪  Secure ▪  Comply ▪  Audit ▪  Measure ▪  Log MANAGE “Continuous configuration automation tools (aka infrastructure as code) are foundational to DevOps initiatives. —Gartner, Inc. Market Guide for Continuous Configuration Automation Tools, Dec 2016 “ How..? CAN YOU DELIVER SOFTWARE AT SPEED FOR YOUR BUSINESS
  37. The Chef Automate Platform Continuous Automation for High Velocity IT

    Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪  Package ▪  Test ▪  Approve BUILD ▪  Provision ▪  Configure ▪  Execute ▪  Update DEPLOY ▪  Secure ▪  Comply ▪  Audit ▪  Measure ▪  Log MANAGE Infrastructure Automation Compliance Automation Application Automation OSS AUTOMATION ENGINES Increase Speed ▪  Package infrastructure and app configuration as code ▪  Continuously automate infrastructure and app updates Improve Efficiency ▪  Define and execute standard workflows and automation ▪  Audit and measure effectiveness of automation Decrease Risk ▪  Define compliance rules as code ▪  Deliver continuous compliance as part of standard workflow
  38. Deliver on Compliance Reduce risk through automation of security and

    compliance management COMPLIANCE TEST COVERAGE ▪  Package compliance as Code ▪  Automate compliance testing ▪  Log and audit policy failures for compliance remediation Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪  Package ▪  Test ▪  Approve BUILD ▪  Provision ▪  Configure ▪  Execute ▪  Update DEPLOY ▪  Secure ▪  Comply ▪  Audit ▪  Measure ▪  Log MANAGE Infrastructure Automation Compliance Automation Application Automation OSS AUTOMATION ENGINES
  39. Velocity: time from idea to ship Software success metrics Quantifying

    outcomes to deliver software at speed Deployment frequency Time from commit to deploy Mean time to resolve Time deploying remediation Change failure rate SPEED Measure of rate of software change EFFICIENCY Measure of effectiveness of software change RISK Measure of quality of software change Compliance testing coverage Idea Ship
  40. Standard Bank pushes ideas from commit to deploy in 18

    minutes with Chef Focus on Speed Measuring the rate of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS On-demand Week - Month Month – 6 Month < 1 Hour Week - Month Month - 6 month USE CASES INCLUDE: ▪  Application Delivery ▪  Build Pipelines DEPLOYMENT FREQUENCY TIME FROM COMMIT TO DEPLOY
  41. Intuit reduced change failure rate by 90% with Chef Focus

    on Efficiency Measuring the effectiveness of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS 0-15% 16-30% 31-45% < 1 Hour < 1 Day < 1 Day USE CASES INCLUDE: ▪  Configuration Management ▪  Server Drift CHANGE FAILURE RATE MEAN TIME TO RESOLVE
  42. Equifax easily scans and maintains security policies with Chef Focus

    on Risk Measuring the quality of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS 95%+ 25%-95% 0-25% < 1 Hour Week - Month Month - 6 Months USE CASES INCLUDE: ▪  Compliance Automation ▪  Compliance Coverage COMPLIANCE TESTING COVERAGE TIME DEPLOYING REMEDIATION
  43. Demo solution details Ohai is Chef’s built-in extensible system discovery

    tool. While Ohai’s primary purpose is setting up the context of a chef-client run by discovering and setting system attributes, it can be used in many custom applications. Chef-client includes Ohai data during every run. Chef can take action based on attributes detected and set by Ohai. Test-kitchen is a test harness tool to execute your configuration code on one or more platforms in isolation. It allows you to quickly model and test proposed changes on non-critical systems. All Chef cookbooks should be setup with test-kitchen verifications embedded in them. InSpec is a human- readable language for automated testing and compliance auditing of your entire infrastructure. These tests are useful for verifying that your servers and applications are configured correctly. InSpec tests are extensible with metadata that leverages the compliance features of Chef Automate to assist with continuous compliance reporting. Chef-client & Ohai Test-kitchen InSpec & Chef Automate Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪  Package ▪  Test BUILD Infrastructure Automation Compliance Automation Application Automation ▪  Secure ▪  Comply MANAGE OSS AUTOMATION ENGINES ▪  Provision ▪  Configure DEPLOY
  44. The Quest to Make Testing and Security part of DevOps

    InSpec Nathen Harvey VP, Community Development 24 January 2017