Security Tests for Security Groups
Shifted Left
Rosemary Wang
Developer Advocate, HashiCorp
@joatmon08
Slide 2
Slide 2 text
Rosemary Wang
Developer Advocate, HashiCorp
Infrastructure Engineer
Writer, Essential Infrastructure as Code
joatmon08.github.io
Slide 3
Slide 3 text
The application isn’t working!
Slide 4
Slide 4 text
Is there an endpoint security group (ESG) in Cisco ACI that allows the traffic?
Slide 5
Slide 5 text
Oops, I forgot to add it!
Slide 6
Slide 6 text
How do you automatically synchronize IP addresses from a service catalog to an ESG?
Slide 7
Slide 7 text
Criteria
• Must have secure by default configuration
– Disable “Flood in Encapsulation”
– Set policy control enforcement preference to enforced
– Set QoS priority class
• Must be fully automated
Slide 8
Slide 8 text
Solution
Security testing for ESG as code
Example:
• ESG module for Terraform
• pytest
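The following is an added example of what "security testing for ESG as code" looks like against the criteria slide; it is not the talk's own module or test suite. It assumes the ESG is declared with the CiscoDevNet `aci` Terraform provider's `aci_endpoint_security_group` resource, that the attributes `flood_on_encap`, `pc_enf_pref` and `prio` (with values such as `disabled`, `enforced` and `level1`..`level6`) carry the three secure-by-default settings, and that the input is the JSON printed by `terraform show -json tfplan` for a saved plan. The plan excerpt embedded below is constructed so the file runs offline.

```python
"""Plan-level security tests for Cisco ACI endpoint security groups (ESGs).

Added example (not the talk's own module or tests). Assumed: the aci provider's
aci_endpoint_security_group resource exposes flood_on_encap, pc_enf_pref and
prio, and the plan JSON comes from `terraform show -json tfplan`.
"""
import json
import sys
from typing import Dict, Iterator, List

ESG_TYPE = "aci_endpoint_security_group"

# Allowed values per attribute. prio may be any explicit class, just not left unspecified.
SECURE_DEFAULTS = {
    "flood_on_encap": {"disabled"},
    "pc_enf_pref": {"enforced"},
    "prio": {"level1", "level2", "level3", "level4", "level5", "level6"},
}


def _esg(address: str, **values) -> dict:
    return {"address": address, "type": ESG_TYPE, "name": "this", "values": values}


# Constructed plan excerpt: the "web" ESG meets the criteria, the "db" ESG kept insecure settings.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "planned_values": {
        "root_module": {
            "resources": [],
            "child_modules": [
                {"address": "module.esg_web", "resources": [
                    _esg("module.esg_web.aci_endpoint_security_group.this",
                         name="web", flood_on_encap="disabled", pc_enf_pref="enforced", prio="level3")]},
                {"address": "module.esg_db", "resources": [
                    _esg("module.esg_db.aci_endpoint_security_group.this",
                         name="db", flood_on_encap="enabled", pc_enf_pref="unenforced", prio="unspecified")]},
            ],
        }
    },
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk planned_values: the module's own resources, then every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def esg_findings(plan: dict) -> Dict[str, List[str]]:
    """Map each non-compliant ESG address to the attribute values that violate the criteria."""
    findings: Dict[str, List[str]] = {}
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res["type"] != ESG_TYPE:
            continue
        # A missing attribute yields None, which is never allowed, so it fails too.
        bad = [f"{attr}={res['values'].get(attr)!r}"
               for attr, allowed in SECURE_DEFAULTS.items()
               if res["values"].get(attr) not in allowed]
        if bad:
            findings[res["address"]] = bad
    return findings


def check_plan_file(path: str) -> Dict[str, List[str]]:
    with open(path, encoding="utf-8") as fh:
        return esg_findings(json.load(fh))


# pytest collects these with `pytest -q`; the same assertions apply to a real plan via check_plan_file.
def test_compliant_esg_is_not_flagged():
    assert "module.esg_web.aci_endpoint_security_group.this" not in esg_findings(SAMPLE_PLAN)


def test_insecure_esg_is_flagged_per_attribute():
    flagged = esg_findings(SAMPLE_PLAN)["module.esg_db.aci_endpoint_security_group.this"]
    assert flagged == ["flood_on_encap='enabled'", "pc_enf_pref='unenforced'", "prio='unspecified'"]


if __name__ == "__main__":
    # Pipeline gate: terraform show -json tfplan > plan.json && python esg_test.py plan.json
    problems = check_plan_file(sys.argv[1])
    for address, attrs in problems.items():
        print(f"{address}: {', '.join(attrs)}")
    sys.exit(1 if problems else 0)
```

Running the checks on the plan rather than on the HCL means a module consumer who overrides a default, or a nested module that sets its own value, is caught before `terraform apply`, which is the point of shifting the test left.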
Automatically sync services from catalog to Cisco ACI
Example:
• Service catalog in Consul
• Automation with Consul-Terraform-Sync
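As an added illustration of the sync step above (not Consul-Terraform-Sync's or the talk's module code): CTS watches the Consul catalog and re-applies a Terraform module with the current service instances whenever they change, and the module has to turn those instances into ESG selectors. This block performs that reconciliation on a constructed copy of a Consul `/v1/catalog/service/<name>` response instead of a live agent. The selector expression form `ip=='A.B.C.D'` is assumed from the ACI ESG IP selector syntax.

```python
"""Reconcile an ESG's IP selectors with the instances Consul knows about.

Added example, not Consul-Terraform-Sync's own code. The catalog snapshot and
current selector set are constructed; the ip=='A.B.C.D' selector form is assumed.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed, trimmed copy of what GET /v1/catalog/service/web returns from Consul.
CATALOG_SNAPSHOT = {
    "web": [
        {"Node": "web-1", "Address": "10.0.1.10", "ServiceAddress": "", "ServicePort": 8080},
        {"Node": "web-2", "Address": "10.0.1.11", "ServiceAddress": "10.0.1.11", "ServicePort": 8080},
        {"Node": "web-1", "Address": "10.0.1.10", "ServiceAddress": "", "ServicePort": 8081},
    ],
}

# Constructed view of the selectors currently on the web ESG; 10.0.9.99 was decommissioned.
CURRENT_SELECTORS: Set[str] = {"ip=='10.0.1.10'", "ip=='10.0.9.99'"}


def instance_ip(instance: dict) -> str:
    """Consul semantics: ServiceAddress overrides the node Address when it is set.

    The value is parsed as an IP before use, so a malformed or injected string
    coming from the catalog can never be written into an ESG match expression.
    """
    raw = instance.get("ServiceAddress") or instance["Address"]
    return str(ipaddress.ip_address(raw))  # ValueError: fail closed, no selector is produced


def desired_selectors(instances: Iterable[dict]) -> Set[str]:
    """One selector per unique IP; two instances on the same host share a selector."""
    return {f"ip=='{instance_ip(i)}'" for i in instances}


def plan_sync(current: Set[str], desired: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) so that `current` becomes exactly `desired`.

    Removing stale selectors matters as much as adding new ones: an address that
    left the catalog may be reassigned to a host that must not inherit this ESG's policy.
    """
    return sorted(desired - current), sorted(current - desired)


def sync_service(service: str, catalog: dict, current: Set[str]) -> Tuple[List[str], List[str]]:
    return plan_sync(current, desired_selectors(catalog[service]))


if __name__ == "__main__":
    add, remove = sync_service("web", CATALOG_SNAPSHOT, CURRENT_SELECTORS)
    print("add:", add)
    print("remove:", remove)
```

In a CTS-driven module the same reconciliation is what Terraform's plan computes from the `services` input; the two points worth keeping are that stale selectors are removed, not only new ones added, and that a catalog value is validated as an IP before it reaches a match expression.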