Slide 1

Slide 1 text

Continuous Patch and Security Assessment with InSpec Christoph Hartmann Lead Engineer Chef Software @chri_hartmann

Slide 2

Slide 2 text

@chri_hartmann

$> whoami
Christoph Hartmann
• Engineering Lead at Chef Software
• Co-Founded Dev-Sec.io project
• Co-Founder of VulcanoSec (acquired by Chef Software)
• InSpec Creator
chris-rock

Slide 3

Slide 3 text

InSpec turns infrastructure testing, compliance and security requirements into code

Slide 4

Slide 4 text

Agenda Compliance DevOps

Slide 5

Slide 5 text

Challenges in Production #1

Slide 6

Slide 6 text

Cyber-Threat landscape: the tip of the iceberg (Heartbleed, Shellshock, WannaCry)

Slide 7

Slide 7 text

Cyber-Threat landscape: the tip of the iceberg
• 75% external attacker
• 73% financially motivated
• 51% organized criminal groups
(Verizon Data Breach Report 2017)

Slide 8

Slide 8 text

State of Security in 2014
• In 60% of cases, attackers can compromise organizations within minutes.
• 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
• Ten vulnerabilities account for 97% of the exploits observed.
(Verizon Data Breach Report)

Slide 9

Slide 9 text

OWASP Top 10

Slide 10

Slide 10 text

OWASP Top 10

A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A9 – Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Slide 11

Slide 11 text

Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Regulatory Compliance PCI-DSS Gramm-Leach-Bliley Act HIPAA Dodd-Frank ISO Sarbanes-Oxley HITECH Grundschutz European Central Bank Regulations

Slide 15

Slide 15 text

Reporting of compliance activity is extensive EY – A time of evolution for compliance: laying foundations for future success

Slide 16

Slide 16 text

Huge scope remains for tapping into the power of technology EY – A time of evolution for compliance: laying foundations for future success

Slide 17

Slide 17 text

COMPLIANCE AND SECURITY Compliance Security

Slide 18

Slide 18 text

Let’s Automate #2

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

github.com/dev-sec

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

Scale

Slide 24

Slide 24 text

Scale

Slide 25

Slide 25 text

Scale

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

Agenda Compliance DevOps

Slide 29

Slide 29 text

Wait! #3

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

Drivers for Compliance
• Security: reduce risk and protect the business
• Liability: avoid negligence

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Language Compliance DevOps Security

Slide 34

Slide 34 text

Compliance-Driven Infrastructure #4

Slide 35

Slide 35 text

Tradeoff: Speed vs Risk
• DevOps teams focus on faster innovation, potentially increasing risk.
• InfoSec teams focus on mitigating risk, potentially reducing speed.

Slide 36

Slide 36 text

Scale Speed and Compliance (chart: quality/compliance against rate of innovation)

Slide 37

Slide 37 text

Continuous Compliance: detect → correct, as a loop

Slide 38

Slide 38 text

Let’s talk about solutions github.com/dev-sec

Slide 39

Slide 39 text

Works with all DevOps tools e.g.

Slide 40

Slide 40 text

InSpec turns infrastructure testing, compliance and security requirements into code

Slide 41

Slide 41 text

Surface check #1: Know your security stance

Slide 42

Slide 42 text

Surface check Deep analysis #1: Know your security stance

Slide 43

Slide 43 text

#1: Know your security stance – Deep analysis
• Operating Systems
• DBs, AppServers
• Apps
• On-prem, Cloud, Hybrid, Containers

Slide 44

Slide 44 text

Faulty assumptions #1: Know your security stance

Slide 45

Slide 45 text

Faulty assumptions #1: Know your security stance

Slide 46

Slide 46 text

#1: Know your security stance – Faulty assumptions
• Prevent insecure production env.
• Report and alert continuously
• Provide proof

Slide 47

Slide 47 text

Documentation SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

Slide 48

Slide 48 text

Scripting tools

Slide 49

Slide 49 text

The better way TESTING A REQUIREMENT

Slide 50

Slide 50 text

Standalone Usage

$ inspec exec test.rb
$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
$ inspec exec test.rb -t winrm://[email protected] --password super
$ inspec exec test.rb -t docker://3cc8837bb6a8

test.rb:

describe sshd_config do
  its('Protocol') { should cmp 2 }
end
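
The describe block above only runs inside the InSpec runtime. The plain-Ruby script below is an added example, not code from the deck or from the InSpec project: it reproduces what the sshd_config resource and the cmp matcher do for this one requirement, so the comparison semantics can be seen without installing inspec. The three configuration strings are constructed samples. The version boundary in the comments (OpenSSH 7.4 removed SSHv1 server support) is the caveat a practitioner has to handle: on such servers the Protocol directive is simply absent, and a bare cmp against nil would fail the control even though the host is in the hardened state.

```ruby
# Added example (not from the deck or the InSpec project): the sshd_config
# requirement from the slide, expressed in plain Ruby so it runs without inspec.
# It mirrors what the InSpec sshd_config resource does: parse the file into
# directives (case-insensitive keys, first occurrence wins, as sshd itself
# applies them) and compare the value the way 'should cmp 2' would.

# Constructed sample configurations for the three states a scanner meets.
SSHD_SECURE = "Port 22\nProtocol 2\nPermitRootLogin no\n"
SSHD_LEGACY = "Port 22\nProtocol 2,1\nPermitRootLogin yes\n"
SSHD_MODERN = "Port 22\nPermitRootLogin no\n" # OpenSSH >= 7.4: SSHv1 removed, no Protocol line

# Parse sshd_config text into a Hash of lowercase directive => value.
# sshd uses the first value it sees for a directive, so later duplicates are
# ignored. Match blocks are not modelled here; the real resource handles them.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.sub(/#.*/, '').strip          # drop comments and whitespace
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2) # "Key value" or "Key=value"
    next if value.nil?
    conf[key.downcase] ||= value
  end
end

# Loose comparison in the spirit of InSpec's cmp matcher: a numeric string and
# an Integer compare equal ("2" cmp 2 passes), "2,1" does not, nil never matches.
def cmp(actual, expected)
  return false if actual.nil?
  actual.to_s.strip.casecmp?(expected.to_s.strip)
end

# Evaluate the control and return an InSpec-style result hash.
def check_ssh_protocol(config_text)
  conf = parse_sshd_config(config_text)
  actual = conf['protocol']
  if actual.nil?
    # Absent directive: on OpenSSH 7.4+ this is the hardened state (SSHv1 was
    # removed); on older builds the compiled-in default applies. A real control
    # must branch on the OpenSSH version instead of treating nil as pass or fail.
    { status: 'skipped', message: 'Protocol directive absent; verify OpenSSH version' }
  elsif cmp(actual, 2)
    { status: 'passed', message: "Protocol is #{actual}" }
  else
    { status: 'failed', message: "expected Protocol to cmp 2, got #{actual.inspect}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  [SSHD_SECURE, SSHD_LEGACY, SSHD_MODERN].each do |cfg|
    r = check_ssh_protocol(cfg)
    puts "#{r[:status].ljust(7)} #{r[:message]}"
  end
end
```

The "2,1" case is the one that catches people: the value contains the required protocol, yet the host still accepts SSHv1, and cmp correctly fails it. The DevSec SSH baseline carries the version branching that the skipped branch only hints at.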

Slide 51

Slide 51 text

Mapping of Compliance Document to InSpec

Slide 52

Slide 52 text

Compliance Language

Slide 53

Slide 53 text

apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge bsd_service command crontab csv dh_params directory docker docker_container docker_image etc_group file gem group groups grub_conf host http iis_site iis_website inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget oracledb_session os os_env package packages parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session powershell ppa processes rabbitmq_config registry_key runit_service script security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service sysv_service upstart_service user users vbscript windows_feature windows_registry_key windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool Built-in resources

Slide 54

Slide 54 text

Supported Operating Systems

Slide 55

Slide 55 text

InSpec Profiles Folder Structure

Slide 56

Slide 56 text

InSpec Profiles inspec.yml

Slide 57

Slide 57 text

InSpec Supermarket

$ inspec supermarket profiles
== Available profiles:
 * apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
 * Apache DISA STIG som3guy/apache-disa-stig
 * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
 * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
 * chef-client-hardening sliim/chef-client-hardening
 * CIS Docker Benchmark dev-sec/cis-docker-benchmark
 * CVE-2016-5195 ndobson/cve-2016-5195
 * DevSec Apache Baseline dev-sec/apache-baseline

Slide 58

Slide 58 text

github.com/dev-sec

Slide 59

Slide 59 text

DevSec InSpec Profiles

Operating Systems: DevSec Linux Baseline, DevSec Linux Patch Baseline, DevSec Windows Baseline, DevSec Windows Patch Baseline, DevSec SSH Baseline, DevSec SSL/TLS Baseline, CIS Distribution Independent
Applications: DevSec Nginx Baseline, DevSec MySQL Baseline, DevSec PHP Baseline, DevSec Apache Baseline, DevSec PostgreSQL Baseline
Application Runtimes: DevSec OpenStack Baseline, CIS Docker Benchmark, CIS Kubernetes Benchmark

Slide 60

Slide 60 text

InSpec Profile Management

Acme Inc's "Linux Patch Benchmark" profile wraps the DevSec linux-patch-baseline instead of copying it. The dependency is declared in inspec.yml:

depends:
  - name: linux-patch-baseline

and its controls are pulled into the wrapping profile with:

include_controls 'linux-patch-baseline'

Besides name, each depends entry needs a source key (url, git, path, supermarket or compliance) telling InSpec where to fetch the profile from.

Slide 61

Slide 61 text

Manage Baselines My CIS L1 (inspec overlay) CIS Lvl1 (xml base profile)

Slide 62

Slide 62 text

Manage Baseline Overlays Dev Production Test My CIS L1 (inspec overlay) CIS Lvl1 (xml base profile)

Slide 63

Slide 63 text

InSpec Profiles github.com/dev-sec DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline

Slide 64

Slide 64 text

InSpec Profiles github.com/dev-sec github.com/chris-rock/acme-inspec-profile DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline

Slide 65

Slide 65 text

InSpec Profiles DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline github.com/dev-sec github.com/chris-rock/acme-inspec-profile

Slide 66

Slide 66 text

InSpec Profiles

Slide 67

Slide 67 text

Continuous Compliance Compliance DevOps

Slide 68

Slide 68 text

Continuous Compliance

Scan for Compliance → Build & Test Locally → Build & Test CI/CD → Remediate → Verify
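
The "Build & Test CI/CD" stage needs a gate that turns an InSpec run into a pass/fail decision for the pipeline. The script below is an added example, not from the deck or from the InSpec project: it reads the output of `inspec exec <profile> --reporter json` and blocks the build when a control at or above a chosen impact threshold has a failing result, while lower-impact failures are only reported. The embedded report is a constructed sample using the json reporter's profiles/controls/results keys; the control ids, titles and package versions are invented for illustration.

```ruby
# Added example (not from the deck or the InSpec project): the CI gate for the
# "Build & Test CI/CD" step. It consumes the report written by
# 'inspec exec <profile> --reporter json' and fails the build when any control
# at or above an impact threshold failed. Impact follows InSpec's convention
# (0.0-1.0, with 0.7 and above treated as high/critical).
require 'json'

# Constructed report in the shape of InSpec's json reporter: profiles ->
# controls -> results. Real reports carry more fields; only these are used.
SAMPLE_REPORT = <<~JSON
{
  "profiles": [
    {
      "name": "acme-linux-patch-overlay",
      "controls": [
        { "id": "sshd-01", "title": "Use SSHv2 only", "impact": 0.7,
          "results": [ { "status": "passed", "code_desc": "SSHD Configuration Protocol should cmp == 2" } ] },
        { "id": "patches-01", "title": "No outstanding security updates", "impact": 1.0,
          "results": [
            { "status": "failed", "code_desc": "Package openssl should be up to date",
              "message": "expected version 1.0.2k-1, got 1.0.2g-1" },
            { "status": "passed", "code_desc": "Package bash should be up to date" } ] },
        { "id": "banner-01", "title": "Login banner present", "impact": 0.3,
          "results": [ { "status": "failed", "code_desc": "File /etc/issue should exist" } ] },
        { "id": "legacy-01", "title": "Not applicable here", "impact": 0.5,
          "results": [ { "status": "skipped", "code_desc": "Skipped on this platform" } ] }
      ]
    }
  ]
}
JSON

# Flatten the report into one row per control carrying its worst result:
# any failed result fails the control, all-skipped means skipped, else passed.
def summarize(report_json)
  JSON.parse(report_json).fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |control|
      statuses = control.fetch('results').map { |r| r['status'] }
      status = if statuses.include?('failed') then 'failed'
               elsif statuses.all? { |s| s == 'skipped' } then 'skipped'
               else 'passed'
               end
      failures = control['results'].select { |r| r['status'] == 'failed' }
                                   .map { |r| r['message'] || r['code_desc'] }
      { profile: profile['name'], id: control['id'], impact: control['impact'].to_f,
        status: status, failures: failures }
    end
  end
end

# Gate: the build fails if any control with impact >= threshold failed.
# Lower-impact failures are surfaced but do not block, so a team can lower
# the threshold step by step while remediating instead of switching the gate off.
def gate(report_json, threshold: 0.7)
  rows = summarize(report_json)
  blocking = rows.select { |r| r[:status] == 'failed' && r[:impact] >= threshold }
  { pass: blocking.empty?,
    blocking: blocking.map { |r| r[:id] },
    failed: rows.count { |r| r[:status] == 'failed' },
    skipped: rows.count { |r| r[:status] == 'skipped' } }
end

if __FILE__ == $PROGRAM_NAME
  threshold = ENV.fetch('INSPEC_GATE_IMPACT', '0.7').to_f # assumed env var name
  summarize(SAMPLE_REPORT).each do |r|
    puts format('%-8s %-12s impact=%.1f %s', r[:status], r[:id], r[:impact], r[:failures].join('; '))
  end
  result = gate(SAMPLE_REPORT, threshold: threshold)
  puts "gate: #{result[:pass] ? 'PASS' : 'FAIL'} (blocking: #{result[:blocking].join(', ')})"
end
```

In a pipeline the report comes from a file (`inspec exec <profile> --reporter json:report.json`), the script reads that file instead of SAMPLE_REPORT, and the job ends with a non-zero exit status whenever gate returns pass: false. With the sample above the gate fails on patches-01 (impact 1.0) while banner-01 (impact 0.3) is only listed; the INSPEC_GATE_IMPACT variable name is an assumption of this example.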

Slide 69

Slide 69 text

Outlook #4

Slide 70

Slide 70 text

InSpec Project Health
• 225 releases (once a week)
• 19 days issue resolution time
• 137 contributors
• 880 stars

Slide 71

Slide 71 text

Infrastructure

Slide 72

Slide 72 text

InSpec for Platforms: chef/inspec-aws, chef/inspec-azure, chef/inspec-vmware

Slide 73

Slide 73 text

InSpec for AWS

describe aws_iam_user('iam_user') do
  its('has_mfa_enabled?') { should be false }
  its('has_console_password?') { should be false }
end

Slide 74

Slide 74 text

InSpec for Azure

describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do
  its('sku') { should eq '16.04.0-LTS' }
  its('publisher') { should eq 'Canonical' }
  its('offer') { should eq 'UbuntuServer' }
  its('size') { should eq 'Standard_DS2_v2' }
  its('location') { should eq 'westeurope' }
  its('admin_username') { should eq 'azure' }
end

Slide 75

Slide 75 text

InSpec for VMware

control 'vmware-7.3.3' do
  impact 0.7
  title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
  describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain', vswitch: 'vSwitch0') do
    its('allowPromiscuous') { should be false }
  end
end

Slide 76

Slide 76 text

Further Resources

inspec.io
• Hands-on tutorials
• Extensive documentation
• Code examples

dev-sec.io
• github.com/dev-sec/linux-baseline
• github.com/dev-sec/windows-baseline
• github.com/dev-sec/windows-patch-baseline
• github.com/dev-sec/linux-patch-baseline

Slide 77

Slide 77 text

Join github.com/chef/inspec

Slide 80

Slide 80 text

@chri_hartmann Christoph Hartmann [email protected]

Slide 81

Slide 81 text

bit.ly/addo-slack Find me on slack, right now!

Slide 82

Slide 82 text

No content