DevSec: Continuous Patch and Security Assessment with InSpec Christoph Hartmann Lead Engineer Chef Software @chri_hartmann Patrick Münch IT-Security Consultant SVA GmbH @atomiczero111 

$> whoami • IT-Security Consultant at SVA GmbH • Co-Founded Dev-Sec.io project • Penetration-Testing • Offensive Security Certified Professional • Offensive Security Certified Expert @atomiczero111 Patrick Münch atomic111 

@chri_hartmann $> whoami Christoph Hartmann • Engineering Lead at Chef Software • Co-Founded Dev-Sec.io project • Co-Founder of VulcanoSec • Acquired by Chef Software • InSpec Creator chris-rock 

Agenda Compliance DevOps 

Join github.com/chef/inspec Join github.com/dev-sec 

Challenges 

The tip of the iceberg Heartbleed Shellshock WannaCry Cyber-Threat landscape 

State of Security in 2014 • In 60% of cases, attackers can compromise organizations within minutes. • 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published. • Ten vulnerabilities account for 97% of the exploits observed. Verizon Data Breach Report 

OWASP Top 10 

A5 – Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. A9 – Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. OWASP Top 10 

Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html 

No content

No content

Regulatory Compliance PCI-DSS Gramm-Leach-Bliley Act HIPAA Dodd-Frank ISO Sarbanes-Oxley HITECH Grundschutz European Central Bank Regulations 

Reporting of compliance activity is extensive EY – A time of evolution for compliance: laying foundations for future success 

Huge scope remains for tapping into the power of technology EY – A time of evolution for compliance: laying foundations for future success 

COMPLIANCE AND SECURITY Compliance Security 

Automation 

No content

No content

github.com/dev-sec 

No content

Scale 

Scale 

Scale 

DevOps Cloud IoT 

No content

Compliance DevOps 

Security & Compliance 

No content

No content

Language Compliance DevOps Security 

Compliance-Driven Infrastructure 

Tradeoff: Speed vs Risk DevOps teams focus on faster innovation, potentially increasing risk InfoSec teams focus on mitigating risk, potentially reducing speed 

Drivers for Compliance Security Reduce risk and protect business Liability Avoid negligence 

QUALITY/COMPLIANCE RATE OF INNOVATION Scale Speed and Compliance 

Detect Correct Compliance Continuous 

Let’s talk about solutions github.com/dev-sec 

Works with all DevOps tools e.g. 

InSpec turns infrastructure testing, compliance and security requirements into code 

Surface check #1: Know your security stance 

Surface check Deep analysis #1: Know your security stance 

• Operating Systems • DBs, AppServers • Apps • On-prem, Cloud, Hybrid, Containers Deep analysis #1: Know your security stance 

Faulty assumptions #1: Know your security stance 

Faulty assumptions #1: Know your security stance 

• Prevent insecure production env. • Report and alert continuously • Provide proof Faulty assumptions #1: Know your security stance 

Documentation SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. 

Scripting tools 

The better way TESTING A REQUIREMENT 

Standalone Usage $ inspec exec test.rb $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022 $ inspec exec test.rb -t winrm://[email protected] --password super $ inspec exec test.rb -t docker://3cc8837bb6a8 describe sshd_config do its('Protocol') { should cmp 2 } end 

Mapping of Compliance Document to InSpec 

Compliance Language 

apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge bsd_service command crontab csv dh_params directory docker docker_container docker_image etc_group file gem group groups grub_conf host http iis_site iis_website inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget oracledb_session os os_env package packages parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session powershell ppa processes rabbitmq_config registry_key runit_service script security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service sysv_service upstart_service user users vbscript windows_feature windows_registry_key windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool Built-in resources 

Supported Operating Systems 

InSpec Profiles Folder Structure 

InSpec Profiles inspec.yml 

$ inspec supermarket profiles == Available profiles: * apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson * Apache DISA STIG som3guy/apache-disa-stig * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat * chef-client-hardening sliim/chef-client-hardening * CIS Docker Benchmark dev-sec/cis-docker-benchmark * CVE-2016-5195 ndobson/cve-2016-5195 * DevSec Apache Baseline dev-sec/apache-baseline * DevSec Linux Baseline dev-sec/linux-baseline InSpec Supermarket 

Demo: Deploy Website to Production Ubuntu Apache WebServer DevSec Static Website 

github.com/dev-sec 

DevSec InSpec Profiles Operating Systems DevSec Linux Baseline DevSec Linux Patch Baseline DevSec Windows Baseline DevSec Windows Patch Baseline DevSec SSH Baseline DevSec SSL/TLS Baseline CIS Distribution Independent Applications DevSec Nginx Baseline DevSec MySQL Baseline DevSec PHP baseline DevSec Apache Baseline DevSec PostgreSQL Baseline Application Runtimes DevSec OpenStack Baseline CIS Docker Benchmark CIS Kubernetes Benchmark 

Linux Patch Benchmark Acme Inc include_controls ’linux-patch baseline’ depends: - name: linux-patch baseline InSpec Profile Management 

Manage Baselines My CIS L1 (inspec overlay) CIS Lvl1 (xml base profile) 

Manage Baseline Overlays Dev Production Test My CIS L1 (inspec overlay) CIS Lvl1 (xml base profile) 

InSpec Profiles github.com/dev-se c DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline 

InSpec Profiles github.com/dev-sec github.com/chris-rock/acme-inspec-profil DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline 

InSpec Profiles DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline github.com/dev-sec github.com/chris-rock/acme-inspec-profil 

InSpec Profiles 

Continuous Compliance Compliance DevOps 

Continuous Compliance Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify 

Further Resources inspec.io • Hands on tutorials • Extensive documentation • Code examples dev-sec.io • Security Baselines • Ansible, Chef & Puppet Hardening Modules • Documentation 

Further Resources Compliance- und Sicherheitsanforderungen automatisieren und effizienter managen https://youtu.be/0aEYp15VP_M BSI-Compliance - SVA Experten-Tipp https://youtu.be/DTvtACNzLro 

Join github.com/chef/inspec Join github.com/dev-sec 

Contact Details Christoph Hartmann Engineering Lead Compliance eMail: [email protected] Twitter: @chri_hartmann Patrick Münch IT-Security Consultant eMail: [email protected] Twitter: @atomiczero111