2. Agenda
19:00-20:00 Talk
• Do you know all your IT-vulnerabilities?
• Edmund Haselwanter,CEO @ Infralovers
20:00-21:00 Networking
• At the bar in the front
www.infralovers.com
3. A little bit of History
• Client: Can we automate our Compliance Profiles?
> YES, we can!
• Prototype with Serverspec for Compliance Check
Automation and Chef and Puppet for Infrastructure
Automation
• Opensourced at https://dev-sec.io
www.infralovers.com
4.
5.
6.
7. A little bit of History II
• Birth of InSpec (https://inspec.io)
✓ Inspired by Serverspec
✓ Compliance Primitives (Profiles, Weight, Description, ..)
✓ Better Transport Options (SSH/WinRM/Docker)
✓ A lot more Resources
• InSpec 2.0 Supports Cloud Platforms like AWS, Azure, …
www.infralovers.com
8.
9. PART OF A PROCESS OF CONTINUOUS COMPLIANCE
Scan for
Compliance
Build & Test
Locally
Build & Test
CI/CD Remediate Verify
A SIMPLE EXAMPLE OF AN INSPEC CIS RULE
InSpec
▪ Translate compliance into Code
▪ Clearly express statements of policy
▪ Move risk to build/test from runtime
▪ Find issues early
▪ Write code quickly
▪ Run code anywhere
▪ Inspect machines, data and APIs
Turn security and
compliance into code
control ‘cis-1.4.1’ do
title ‘1.4.1 Enable SELinux in /etc/grub.conf’
desc ‘
Do not disable SELinux and enforcing
in your GRUB configuration. These are important security
features that prevent attackers from escalating their access
to your systems. For reference see …
‘
impact 1.0
expect(grub_conf.param ‘selinux’).to_not eq ‘0’
expect(grub_conf.param ‘enforcing’).to_not eq ‘0’
end
11. Compliance as Code
ROLE OF THE COMPLIANCE OFFICERACCELERATED CYCLE
INFRASTRUCTURE
AS CODE
POLICY
AS CODE
PRACTICE
AS CODE
Separate
certificatio
n & testing
Common
language for
describing &
applying policy
Compliance at velocity
Compliance at VelocityManual Compliance
Reactive
engagement
Proactive
engagement
Checking
implementations
by hand
Expressing policy
as testable code
Short term
compliance
Long term process
improvement
One language, One workflow
15. Chef Automate
• Commercial Offeringfrom Chef Inc
• Comes with readymade Compliance Profiles
• Supports Notifications(e.g. Slack/ServiceNow/Custom)
• Shiny Web UI to gain Visibility into current State
www.infralovers.com
16. The Chef Automate Platform
Continuous Automation for High Velocity IT
Workflow • Local development • Integration • Tooling (APIs & SDKs)
COLLABORATE
▪ Package
▪ Test
▪ Approve
BUILD
▪ Provision
▪ Configure
▪ Execute
▪ Update
DEPLOY
▪ Secure
▪ Comply
▪ Audit
▪ Measure
▪ Log
MANAGE
Infrastructure Automation Compliance AutomationApplication Automation
OSS AUTOMATION ENGINES
Increase Speed
▪ Package infrastructure and app
configuration as code
▪ Continuously automate
infrastructure and app updates
Improve Efficiency
▪ Define and execute standard
workflows and automation
▪ Audit and measure effectiveness of
automation
Decrease Risk
▪ Define compliance rules as code
▪ Deliver continuous compliance as
part of standard workflow
17. Jumpstart your compliance test coverage
Compliance in production
Amazon Linux
2014.09 / 2015.03
CentOS
6 / 7
HP UX
11i
IBM AIX
5.3 / 6.1 / 7.1
RHEL
6 / 7
SLES
11 / 12
Ubuntu Server
12.04 / 14.04
Windows
7 / 8 / 10 / 2012 / 2012R2
Chef Automate ships with profiles for:
18. Visibility into the real-time compliance of your entire fleet
Compliance in production