Slide 1

Slide 1 text

May 2021 | OWASP DevSlop Exploring Policy as Code

Slide 2

Slide 2 text

Rosemary’s first security incident... ▪ Insecure development environments ▪ Infrastructure as code probably would have helped ▪ We forgot about 0.0.0.0/0 ▪ We didn’t know what we should have known

Slide 3

Slide 3 text

Developer Advocate HashiCorp she/her @joatmon08 Rosemary Wang Open Source Engineer VMware she/her @tracypholmes Tracy Holmes

Slide 4

Slide 4 text

1. Introduction to Policy as Code 2. Using static analysis for configuration 3. Using dynamic analysis for runtime configuration 4. Adding policy as code to delivery pipelines

Slide 5

Slide 5 text

01 OWASP DevSlop / Policy as Code Introduction to Policy as Code

Slide 6

Slide 6 text

Policy What is it? Ensures systems comply with security, audit, and organizational requirements. Depends on industry, organization size, country, and more.

Slide 7

Slide 7 text

A. Development should not communicate with production. B. Write an application in Java. C. Password should not be older than 30 days. D. Two different people must approve for production. E. All cloud resources must be tagged. Which is not considered a policy?

Slide 8

Slide 8 text

A. Development should not communicate with production. B. Write an application in Java. C. Password should not be older than 30 days. D. Two different people must approve for production. E. All cloud resources must be tagged. Which is not considered a policy?

Slide 9

Slide 9 text

Policy as Code What is it? The management of an organization’s policies with code to ensure the conformance of changes.

Slide 10

Slide 10 text

Make a change. Check if an environment conforms to our organization’s policies. Check if a change conforms to our organization’s policies.

Slide 11

Slide 11 text

Make a change. Did two people approve that change? Have two people approved this change yet? Yes 3 months later…

Slide 12

Slide 12 text

Policy as Code Why do it? Communicate policy requirements across teams. Make unknown knowns into knowns. Prevent policy violations from going into production.

Slide 13

Slide 13 text

Policy as Code Codify all the policy! API Authorization Network Policy Infrastructure Configuration Access Control Configuration Runtime Security (e.g., Vulnerability Management)

Slide 14

Slide 14 text

Test Runtime Analysis as Integration Tests Production Runtime Analysis for Remediation Static Analysis as Unit Tests Dynamic Analysis

Slide 15

Slide 15 text

A. Shift-left security testing of infrastructure B. Static code analysis and scanning C. Code quality scanning D. Vulnerability scanning for servers E. Root access alerting Which of the following does not express policy as code?

Slide 16

Slide 16 text

A. Shift-left security testing of infrastructure B. Static code analysis and scanning C. Code quality scanning D. Vulnerability scanning for servers E. Root access alerting F. None of the above Which of the following does not express policy as code?

Slide 17

Slide 17 text

Policy as Code Tools Policy as Code State of System Parse for fields Check field values Pass or fail JSON or metadata format

Slide 18

Slide 18 text

02 OWASP DevSlop / Policy as Code Using static analysis

Slide 19

Slide 19 text

Test Runtime Analysis as Integration Tests Production Runtime Analysis for Remediation Static Analysis as Unit Tests Dynamic Analysis

Slide 20

Slide 20 text

github.com/ tracypholmes/policy- as-code-workshop

Slide 21

Slide 21 text

03 OWASP DevSlop / Policy as Code Using dynamic analysis

Slide 22

Slide 22 text

Test Runtime Analysis as Integration Tests Production Runtime Analysis for Remediation Static Analysis as Unit Tests Dynamic Analysis

Slide 23

Slide 23 text

github.com/ tracypholmes/policy- as-code-workshop

Slide 24

Slide 24 text

04 OWASP DevSlop / Policy as Code Adding to delivery pipelines

Slide 25

Slide 25 text

Policy Gates for Production Choose a level. ▪ Hard mandatory - policy must pass ▪ Soft mandatory - someone can manually override ▪ Advisory - informational / warning (Terminology borrowed from HashiCorp Sentinel)

Slide 26

Slide 26 text

Sharing Policy as Code Communicate context ▪ Modularize by business unit or application ▪ Version policies ▪ Offer shared libraries ▪ Consider setting enforcement level

Slide 27

Slide 27 text

★ shared-org-policies ○ naming ○ tagging ○ billing ○ secrets ○ access-management ○ vulnerability-management ○ runtime-security ★ infra-policies ○ aws ○ azure ○ gcp ○ saas ★ hello-world-policies ★ app-policies ○ static-code-analysis ○ authn ○ authz ○ kubernetes

Slide 28

Slide 28 text

Deploy to Dev Deploy to Prod Unit Test Integration Tests (B) Static Analysis (A) Production Runtime Analysis (C) Test Runtime Analysis

Slide 29

Slide 29 text

Deploy to Dev Deploy to Prod Unit Test Integration Tests B C A (B) Static Analysis (A) Production Runtime Analysis (C) Test Runtime Analysis

Slide 30

Slide 30 text

Developer Advocate HashiCorp she/her @joatmon08 Rosemary Wang Open Source Engineer VMware she/her @tracypholmes Tracy Holmes github.com/tracypholmes/policy-as-code-workshop