Compliance as Code - Using the Open Source InSpec testing Framework
Page 1
November 15, 2016
Compliance as Code - using InSpec
George Miranda, Product Marketing Director, Chef Software Inc.
Page 2
Introductions
George Miranda, Director of Product Marketing, @gmiranda23
• Distributed Systems Engineer
• I play a developer on TV
• At Chef for 4+ years: Technical Evangelist, Consultant, BizDev, Product Marketing
• Spent a majority of my career in "the Enterprise"
• I've had to go through MANY security audits in my career
Page 3
Agenda
• Constraints & myths
• The role of InfoSec at velocity
• Compliance as Code
• An introduction to InSpec
• Q&A
@gmiranda23
Page 4
Time, Cost, and Quality
“Speed is the only dimension that matters” – Veresh Sita, CIO, Alaska Airlines
Page 5
The tradeoff myth
Diagram: Quality/Security/Compliance on one side, Velocity/Innovation on the other
Page 6
The rise of IT Compliance
• Continued security vulnerabilities created a need for IT compliance
1988: Morris Worm; National Bank Chicago, $70M theft
1994: AOHell; Citibank, $10M hack
1996: Brotherhood hacks, Canadian Broadcast Corp.
1998: Free Mitnick logic bomb; security incidents at 75% of IT organizations
Page 7-8
The State of Security in 2014
• In 60% of cases, attackers can compromise an organization within minutes
• 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published
• Ten vulnerabilities account for 97% of the exploits observed
Source: Verizon Data Breach Report
Page 9
The cycle of regulation
Diagram (cycle): Loophole → Exploitation → Scandal → Regulation
Page 10
Compliance and Security
Diagram with two labels: Compliance, Security
Page 11
Offer baseline security and isolation layers
Page 12
Regulatory Compliance
• PCI-DSS
• Gramm-Leach-Bliley Act
• HIPAA
• Dodd-Frank
• ISO
• Sarbanes-Oxley
• HITECH
• Grundschutz
• European Central Bank Regulations
Page 13
How most orgs handle these requirements
Page 15
The promise of the coded business
Page 16
The conflict between compliance and velocity
Page 20
InSpec turns infrastructure testing, compliance, and security requirements into code
Stats: 86 releases, 59 contributors, 2,900 commits
Page 21
The changing role of the compliance officer
Page 22
Differences in verifying compliance policy
Documentation:
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Page 23
Differences in verifying compliance policy
Scripting tools:
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2
Page 24
Differences in verifying compliance policy
Compliance language:
describe sshd_config do
  # sshd_config values are parsed as strings, so compare loosely with cmp
  its('Protocol') { should cmp 2 }
end
Page 25
Differences in verifying compliance policy
Compliance language:
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore..."

  describe sshd_config do
    # sshd_config values are parsed as strings, so compare loosely with cmp
    its('Protocol') { should cmp 2 }
  end
end
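To make the three-way contrast on the preceding slides concrete, here is an added example in plain Ruby, not InSpec's own code nor the presenter's: a small sshd_config parser that does what a resource-based control relies on (comment handling, case-insensitive keywords, first-occurrence-wins, Match blocks ignored) next to a re-implementation of the grep/sed one-liner. The sample config and the names parse_sshd_config, check_ssh_protocol and grep_style_protocol are constructed for this example.

```ruby
# Added example (not InSpec's own code): a minimal sshd_config checker in plain
# Ruby that mirrors what a resource-based control does, beside a
# re-implementation of the grep/sed one-liner so the difference is visible.
# The helper names and the sample config below are constructed for this example.

# Constructed sshd_config that is awkward for line-oriented grep: a commented-
# out directive, a lower-case indented keyword with a version list, and a
# Match block whose directives are conditional and must not count as global.
SAMPLE_SSHD_CONFIG = <<~CONF
  # Protocol 1
  Port 22
    protocol 2,1
  PermitRootLogin no
  Match User backup
    PasswordAuthentication yes
CONF

# Parse the global section of an sshd_config into { 'keyword' => 'value' }.
# Keywords are case-insensitive and the first occurrence wins, as in sshd(8);
# "Key value" and "Key=value" are both accepted; everything after a Match
# line is skipped because it only applies to matching connections.
def parse_sshd_config(text)
  config = {}
  in_match = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == 'match'
      in_match = true
      next
    end
    next if in_match
    config[key] ||= value
  end
  config
end

# Evaluate the ssh-1234 control from the slides and return a report entry.
# Protocol may be a preference list such as "2,1"; only an exact "2" passes,
# and an unset directive fails, because the control cannot vouch for whatever
# built-in default the server would fall back to.
def check_ssh_protocol(text)
  setting = parse_sshd_config(text)['protocol']
  versions = setting.to_s.split(',').map(&:strip)
  {
    id: 'ssh-1234',
    impact: 1.0,
    title: 'Server: Set protocol version to SSHv2',
    actual: setting || '(unset)',
    status: versions == ['2'] ? 'passed' : 'failed'
  }
end

# The grep/sed one-liner from the slides, reproduced in Ruby: it only sees
# lines that begin with an exact "Protocol" and strips the keyword.
def grep_style_protocol(text)
  text.each_line.grep(/^Protocol/).map { |l| l.sub('Protocol ', '').strip }
end

if __FILE__ == $PROGRAM_NAME
  result = check_ssh_protocol(SAMPLE_SSHD_CONFIG)
  puts "#{result[:id]} (impact #{result[:impact]}): #{result[:status]} - Protocol is #{result[:actual]}"
  puts "grep-style one-liner sees: #{grep_style_protocol(SAMPLE_SSHD_CONFIG).inspect}"
end
```

On the constructed config the one-liner returns nothing at all (the live directive is lower-case and indented, the only capitalised one is commented out), while the parser reports the effective value "2,1" and fails the control. That gap between "the script printed nothing" and "SSHv1 is still enabled" is the reason the slides move from scripting tools to a compliance language whose resources own the parsing.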
Page 26
InSpec for Windows
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '@link: http://support.microsoft.com/en-us/kb/823659'

  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
Page 27
Different ways to run InSpec
Test your machine locally:
> inspec exec test.rb
Test a machine remotely via SSH (no Ruby/agent on the node):
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Page 28
Different ways to run InSpec
Test a machine remotely via WinRM (no Ruby/agent on the node):
> inspec exec test.rb -t winrm://[email protected] --password super
Test a Docker container (no SSH/agent in the container):
> inspec exec test.rb -t docker://5cc8837bb6a8
Page 29
Different ways to run InSpec
Database testing:
describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
  # no rows back means no account is reachable from any host
  its(:stdout) { should be_empty }
end
Cloud provider testing:
security_groups.each do |security_group|
  describe security_group do
    it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
  end
end
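The security-group check above is a one-line matcher; the added example below, in plain Ruby and not InSpec's or any cloud provider's code, shows the evaluation behind it over a constructed set of groups. It decides "open to the world" by prefix length rather than by the literal string '0.0.0.0/0', so ::/0 and alternative spellings of the same network are caught too, and it allows a deliberate list of public ports so that a web tier's HTTPS rule does not fail the control. The group data and the names world_open?, world_open_inbound_rules and evaluate_security_groups are assumptions made for this example.

```ruby
# Added example (not InSpec's or a cloud provider's code): evaluate security
# groups for inbound rules reachable from the whole internet, the check the
# slide's should_not have_inbound_rule().with_source('0.0.0.0/0') expresses.
# Group data and helper names are constructed for this example.
require 'ipaddr'

# Constructed security groups in the flattened shape a cloud API listing gives
# after normalisation: one inbound rule per protocol / port range / source CIDR.
SECURITY_GROUPS = [
  { name: 'web-sg', inbound: [
    { proto: 'tcp', from: 443, to: 443, source: '0.0.0.0/0' },
    { proto: 'tcp', from: 22,  to: 22,  source: '10.0.0.0/8' }
  ] },
  { name: 'db-sg', inbound: [
    { proto: 'tcp', from: 3306, to: 3306, source: '10.0.1.0/24' }
  ] },
  { name: 'legacy-sg', inbound: [
    { proto: 'tcp', from: 22, to: 22,    source: '::/0' },
    { proto: '-1',  from: 0,  to: 65535, source: '0.0.0.0/0' }
  ] }
].freeze

# A source CIDR is world-open when its prefix length is zero. Checking the
# prefix rather than the literal '0.0.0.0/0' also catches ::/0 and spellings
# such as 0.0.0.0/0.0.0.0 that a plain string comparison would miss.
def world_open?(cidr)
  IPAddr.new(cidr).prefix.zero?
end

# Inbound rules whose source is world-open, except single-port rules for
# ports the organisation has decided may be public (HTTPS by default).
def world_open_inbound_rules(group, allowed_public_ports: [443])
  group[:inbound].select do |rule|
    next false unless world_open?(rule[:source])
    single_port = rule[:from] == rule[:to]
    !(single_port && allowed_public_ports.include?(rule[:from]))
  end
end

# One report entry per group, in the pass/fail shape a compliance run emits.
def evaluate_security_groups(groups, allowed_public_ports: [443])
  groups.map do |group|
    open = world_open_inbound_rules(group, allowed_public_ports: allowed_public_ports)
    {
      name: group[:name],
      status: open.empty? ? 'passed' : 'failed',
      findings: open.map { |r| "#{r[:proto]} #{r[:from]}-#{r[:to]} open to #{r[:source]}" }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate_security_groups(SECURITY_GROUPS).each do |entry|
    puts "#{entry[:name]}: #{entry[:status]}"
    entry[:findings].each { |finding| puts "  - #{finding}" }
  end
end
```

With the constructed data, web-sg and db-sg pass and legacy-sg fails twice: SSH from ::/0, which a string match against '0.0.0.0/0' would have passed, and an all-protocols rule from 0.0.0.0/0. Passing allowed_public_ports: [] turns the control into the strict form on the slide, where any world-open inbound rule fails.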
Page 30
Mapping of Compliance Document to InSpec
Page 31-32
InSpec Profiles
• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile
https://github.com/dev-sec
Page 33
InSpec Profiles
Page 34
Security meets operations
Page 35
Each team uses separate tools
Page 36
Unified language
Page 40-41
Continuous Workflow
Diagram (loop): Detect → Correct
Page 42
Works with all DevOps tools (examples shown as logos on the slide)
Page 43
Shifting InfoSec to the left
Factors on the left model continuous delivery, which leads to the outcomes on the right.
Factors (continuous delivery practices):
• Effective test data management
• Comprehensive test and deploy automation
• Trunk-based development and continuous integration
• Everything as code and all code in version control
• Incorporating security into the delivery process
Outcomes:
• Less rework
• Lower levels of deployment pain
• Performance-oriented culture
• Higher levels of IT throughput and stability
• Identifying strongly with the organization you work for
• Lower change failure rates
• Higher levels of org performance (productivity, market share, profitability)
Source: Sciencing the Crap Out of DevOps – Dr. Nicole Forsgren, https://www.youtube.com/watch?v=QqpGyycz7Kk
Page 44
Further Resources
inspec.io
• Hands-on tutorials
• Extensive documentation
• Code examples
learn.chef.io
• More tutorials about Compliance and InSpec
Page 45
Further Resources
Save Your Crash Dummies! A Test-driven Infrastructure Solution
http://bit.ly/crash_dummies
Page 46
Q&A
Save Your Crash Dummies: A Test-driven Infrastructure Solution. Video: http://bit.ly/crash_dummies
http://inspec.io
http://learn.chef.io
$ inspec exec <url>
https://github.com/dev-sec/tests-ssh-hardening
https://github.com/dev-sec/windows-patch-benchmark
https://github.com/dev-sec/linux-patch-benchmark