Compliance as Code - using InSpec
George Miranda, Product Marketing Director, Chef Software Inc.
November 15, 2016
Introductions
George Miranda, Director of Product Marketing, @gmiranda23
• Distributed Systems Engineer
• I play a developer on TV
• At Chef for 4+ years
Technical Evangelist, Consultant, BizDev, Product Marketing
• Spent a majority of my career in "the Enterprise"
• I've had to go through MANY security audits in my career
Agenda
• Constraints & myths
• The role of InfoSec at velocity
• Compliance as Code
• An introduction to InSpec
• Q&A
@gmiranda23
Time, Cost, and Quality
“Speed is the only dimension that matters” – Veresh Sita, CIO, Alaska Airlines
The tradeoff myth (diagram): Quality (Security/Compliance) versus Velocity (Innovation)
The rise of IT Compliance
• Continued security vulnerabilities created a need for IT compliance
1988: Morris Worm; National Bank Chicago $70M theft
1994: AOHell; Citibank $10M hack
1996: Brotherhood hacks, Canadian Broadcast Corp.
1998: Free Mitnick logic bomb; security incidents at 75% of IT organizations
The State of Security in 2014
• In 60% of cases, attackers can compromise an organization within minutes
• 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
• Ten vulnerabilities account for 97% of the exploits observed
Source: Verizon Data Breach Report
The cycle of regulation: Loophole → Exploitation → Scandal → Regulation
Compliance and Security (diagram: Compliance versus Security)
Offer baseline security and isolation layers
Regulatory Compliance
• PCI-DSS
• Gramm-Leach-Bliley Act
• HIPAA
• Dodd-Frank
• ISO
• Sarbanes-Oxley
• HITECH
• Grundschutz
• European Central Bank Regulations
How most orgs handle these requirements
The promise of the coded business
The conflict between compliance and velocity
InSpec turns infrastructure testing, compliance, and security requirements into code
Stats: 86 releases, 59 contributors, 2,900 commits
The changing role of the compliance officer
Differences in verifying compliance policy
Documentation:
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Differences in verifying compliance policy
Scripting Tools:
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2
Differences in verifying compliance policy
Compliance Language:
describe sshd_config do
  its('Protocol') { should eq 2 }
end
Differences in verifying compliance policy
Compliance Language:
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore..."

  describe sshd_config do
    its('Protocol') { should eq 2 }
  end
end
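What the compliance-language control above does beneath the DSL, as an added plain-Ruby example that is not from the talk or from InSpec itself: parse sshd_config into attributes (tolerating the lowercase, leading-whitespace and Keyword=value forms that the grep "^Protocol" one-liner misses) and evaluate the 'ssh-1234' control into a structured pass/fail result. The names parse_sshd_config and run_protocol_control and both sample configs are constructed for this example.

```ruby
# Added example, not InSpec code: a plain-Ruby model of what the control above
# does beneath the DSL. Function names and sample configs are constructed.

# Parse sshd_config text into { lowercased keyword => value }: skip blank and
# comment lines, accept "Keyword value" and "Keyword=value", keep the first
# occurrence (sshd uses the first match). grep "^Protocol" misses these forms.
def parse_sshd_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if value.nil?
    cfg[key.downcase] ||= value.strip
  end
end

CONTROL = { id: 'ssh-1234', impact: 1.0,
            title: 'Server: Set protocol version to SSHv2' }.freeze

# Evaluate the control. Only an explicit "Protocol 2" passes: "2,1" or "1"
# still offers SSHv1, and an absent keyword fails because the control wants
# an explicit setting rather than trusting the daemon's default.
def run_protocol_control(config_text)
  actual = parse_sshd_config(config_text)['protocol']
  passed = (actual == '2')
  CONTROL.merge(status: passed ? 'passed' : 'failed', actual: actual,
                message: passed ? 'Protocol is 2' : "expected 2, got #{actual.inspect}")
end

# Constructed sample configs (no real hosts involved).
HARDENED = <<~CFG
  # sshd_config, hardened
  Port 22
  Protocol 2
  PermitRootLogin no
CFG

LEGACY = <<~CFG
  Protocol 2,1
  Protocol 2
CFG

if __FILE__ == $PROGRAM_NAME
  [HARDENED, LEGACY].each do |cfg|
    r = run_protocol_control(cfg)
    puts "#{r[:id]} [#{r[:status]}] #{r[:title]}: #{r[:message]}"
  end
end
```

Running the file reports the hardened config as passed and the legacy one as failed with the offending "2,1" value, which a one-liner that only prints the raw string leaves for a human to interpret.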
InSpec for Windows
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '@link: http://support.microsoft.com/en-us/kb/823659'

  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
Different ways to run InSpec
Test your machine locally:
> inspec exec test.rb
Test a machine remotely via SSH (no Ruby/agent on the node):
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Different ways to run InSpec
Test a machine remotely via WinRM (no Ruby/agent on the node):
> inspec exec test.rb -t winrm://[email protected] --password super
Test a Docker container (no SSH/agent in the container):
> inspec exec test.rb -t docker://5cc8837bb6a8
Different ways to run InSpec
Database testing:
describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
  its(:stdout) { should be_empty }
end
Cloud Provider testing:
security_groups.each do |security_group|
  describe security_group do
    it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
  end
end
Mapping of Compliance Document to InSpec
InSpec Profiles
• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile
https://github.com/dev-sec
Security meets operations
Each team uses separate tools
Unified language
Continuous Workflow (diagram): Detect → Correct cycle
Works with all DevOps tools e.g.
Shifting InfoSec to the left
Factors on the left model continuous delivery, which leads to the outcomes on the right.
Continuous delivery factors:
• Effective test data management
• Comprehensive test and deploy automation
• Trunk-based development and continuous integration
• Everything as code and all code in version control
• Incorporating security into the delivery process
Outcomes:
• Less rework
• Lower levels of deployment pain
• Performance-oriented culture
• Higher levels of IT throughput and stability
• Identifying strongly with the organization you work for
• Lower change failure rates
• Higher levels of org performance (productivity, market share, profitability)
Source: Sciencing the Crap Out of DevOps – Dr. Nicole Forsgren https://www.youtube.com/watch?v=QqpGyycz7Kk
Further Resources
inspec.io
• Hands-on tutorials
• Extensive documentation
• Code examples
learn.chef.io
• More tutorials about Compliance and InSpec
Further Resources
Save Your Crash Dummies! A Test-driven Infrastructure Solution
http://bit.ly/crash_dummies
Q&A
Save Your Crash Dummies: A Test-driven Infrastructure Solution. Video: http://bit.ly/crash_dummies
http://inspec.io
http://learn.chef.io
$ inspec exec <url>
https://github.com/dev-sec/tests-ssh-hardening
https://github.com/dev-sec/windows-patch-benchmark
https://github.com/dev-sec/linux-patch-benchmark