Slide 1

Compliance as Code - using InSpec
George Miranda, Product Marketing Director, Chef Software Inc.
November 15, 2016

Slide 2

Introductions

George Miranda, Director of Product Marketing, @gmiranda23
• Distributed Systems Engineer
• I play a developer on TV
• At Chef for 4+ years: Technical Evangelist, Consultant, BizDev, Product Marketing
• Spent a majority of my career in "the Enterprise"
• I've had to go through MANY security audits in my career

Slide 3

Agenda
• Constraints & myths
• The role of InfoSec at velocity
• Compliance as Code
• An introduction to InSpec
• Q&A

Slide 4

Time, Cost, and Quality

“Speed is the only dimension that matters” – Veresh Sita, CIO, Alaska Airlines

Slide 5

The tradeoff myth
(diagram: Quality vs. Velocity; Innovation vs. Quality/Security/Compliance)

Slide 6

The rise of IT Compliance
• Continued security vulnerabilities created a need for IT compliance

1988: Morris Worm; National Bank Chicago $70M theft
1994: AOHell; Citibank $10M hack
1996: Brotherhood hacks, Canadian Broadcast Corp.
1998: Free Mitnick Logic Bomb

Security incidents at 75% of IT organizations

Slide 7

The State of Security in XXXX
• In 60% of cases, attackers can compromise an organization within minutes
• 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
• Ten vulnerabilities account for 97% of the exploits observed
Source: Verizon Data Breach Report

Slide 8

The State of Security in 2014
• In 60% of cases, attackers can compromise an organization within minutes
• 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
• Ten vulnerabilities account for 97% of the exploits observed
Source: Verizon Data Breach Report

Slide 9

The cycle of regulation
(diagram: Loophole → Exploitation → Scandal → Regulation)

Slide 10

Compliance and Security
(diagram: Compliance, Security)

Slide 11

Offer baseline security and isolation layers

Slide 12

Regulatory Compliance
• PCI-DSS
• Gramm-Leach-Bliley Act
• HIPAA
• Dodd-Frank
• ISO
• Sarbanes-Oxley
• HITECH
• Grundschutz
• European Central Bank Regulations

Slide 13

How most orgs handle these requirements

Slide 14


Slide 15

The promise of the coded business

Slide 16

The conflict between compliance and velocity

Slide 17


Slide 18


Slide 19


Slide 20

InSpec turns infrastructure testing, compliance, and security requirements into code
Stats: 86 releases, 59 contributors, 2,900 commits

Slide 21

The changing role of the compliance officer

Slide 22

Differences in verifying compliance policy: Documentation

"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

Slide 23

Differences in verifying compliance policy: Scripting Tools

    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

Slide 24

Differences in verifying compliance policy: Compliance Language

    # sshd_config values are parsed as strings, so compare with cmp rather than eq
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

Slide 25

Differences in verifying compliance policy: Compliance Language

    control 'ssh-1234' do
      impact 1.0
      title 'Server: Set protocol version to SSHv2'
      desc "
        Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore...
      "
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end
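To make the contrast between slides 23 and 25 concrete, here is an added plain-Ruby stand-in (not code from the deck or from InSpec itself) that evaluates the same Protocol check the way sshd actually reads its config, beside the grep|sed pipeline, over constructed sample configs; the control id and the sample configs are taken from or made up for this illustration.

```ruby
# Added example, not from the slides or InSpec: a minimal re-implementation
# of the check behind `its('Protocol') { should cmp 2 }` next to the
# grep|sed approach from slide 23, run over constructed sshd_config texts.

# Parse sshd_config the way sshd reads it (sshd_config(5)): blank lines and
# comments are skipped, keywords are case-insensitive, "key value" or
# "key=value" are both accepted, and the FIRST occurrence of a keyword wins.
def parse_sshd_config(text)
  params = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    params[key] = value unless params.key?(key)   # later duplicates are ignored by sshd
  end
  params
end

# What the slide-23 pipeline returns: the remainder of every line that starts
# with the exact string "Protocol". Case-sensitive, and duplicates are kept.
def grep_sed_protocol(text)
  text.each_line
      .select { |l| l.start_with?('Protocol') }
      .map { |l| l.sub('Protocol ', '').strip }
end

# Evaluate the slide-25 control and return a structured result, the kind of
# record a compliance tool reports. 'ssh-1234' is the control id from the slide.
def evaluate_ssh_control(text)
  protocol = parse_sshd_config(text)['protocol']
  { control: 'ssh-1234', impact: 1.0, actual: protocol, passed: protocol.to_s.strip == '2' }
end

# Constructed sample configurations (not captured from any real host).
COMPLIANT = "# hardened host\nPort 22\nProtocol 2\n"
LEGACY    = "Protocol 2,1\n# Protocol 2\n"          # still offers SSHv1
LOWERCASE = "protocol 2\nProtocol 1\n"              # sshd uses the first line -> 2
UNSET     = "Port 22\n# Protocol 1\n"               # no explicit setting at all

if __FILE__ == $PROGRAM_NAME
  [COMPLIANT, LEGACY, LOWERCASE, UNSET].each do |cfg|
    puts "grep|sed -> #{grep_sed_protocol(cfg).inspect}   control -> #{evaluate_ssh_control(cfg)}"
  end
end
```

The LOWERCASE case is where the two approaches disagree: grep|sed reports "1" while sshd (and the parser) honour the first, lowercase line and the control passes; UNSET fails the control because the policy requires an explicit 2.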

Slide 26

InSpec for Windows

    control 'windows-base-201' do
      impact 1.0
      title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
      desc '
        @link: http://support.microsoft.com/en-us/kb/823659
      '
      describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
        it { should exist }
        its('LmCompatibilityLevel') { should eq 4 }
      end
    end

Slide 27

Different ways to run InSpec

Test your machine locally
    > inspec exec test.rb

Test a machine remotely via SSH
    > inspec exec test.rb -i identity.key -t ssh://[email protected]
No ruby/agent on the node

Slide 28

Different ways to run InSpec

Test a machine remotely via WinRM
    > inspec exec test.rb -t winrm://[email protected] --password super
No ruby/agent on the node

Test a Docker container
    > inspec exec test.rb -t docker://5cc8837bb6a8
No SSH/agent in the container

Slide 29

Different ways to run InSpec

Database testing
    describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
      its(:stdout) { should be_empty }
    end

Cloud Provider testing
    security_groups.each do |security_group|
      describe security_group do
        it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
      end
    end

Slide 30

Mapping of Compliance Document to InSpec

Slide 31

InSpec Profiles
• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile
https://github.com/dev-sec


Slide 33

InSpec Profiles

Slide 34

Security meets operations

Slide 35

Each team uses separate tools

Slide 36

Unified language

Slide 37


Slide 38


Slide 39


Slide 40

Continuous Workflow
(diagram: Detect, Correct)

Slide 41

Continuous Workflow

Slide 42

Works with all DevOps tools, e.g. (logos)

Slide 43

Further Resources

inspec.io
• Hands-on tutorials
• Extensive documentation
• Code examples

learn.chef.io
• More tutorials about Compliance and InSpec

Slide 44

Further Resources

Save Your Crash Dummies! A Test-driven Infrastructure Solution
http://bit.ly/crash_dummies

Slide 45

Q&A

Save Your Crash Dummies: A Test-driven Infrastructure Solution
Video: http://bit.ly/crash_dummies

@gmiranda23
http://inspec.io
http://learn.chef.io

    $ inspec exec <profile URL>
    https://github.com/dev-sec/tests-ssh-hardening
    https://github.com/dev-sec/windows-patch-benchmark
    https://github.com/dev-sec/linux-patch-benchmark

Slide 46


November 15, 2016
