Introduction to devsecdotio
  1. Introduction to dev-sec.io (@attachmentgenie)
  2. Yes, it works in practice, but will it work in theory?
  3. Puppet manifest and rspec-puppet unit test (the slide was cut off after the first `end`; the closing `end`s are completed here):

         $client_package = 'openssh-client'
         package { 'openssh-client':
           ensure => $package_version,
           name   => $client_package,
         }

         require 'spec_helper'
         describe 'ssh::client', type: :class do
           on_os_under_test.each do |os, facts|
             context "on #{os}" do
               let(:facts) { facts }
               context 'with defaults for all parameters' do
                 it { is_expected.to contain_class('ssh::client') }
                 it { is_expected.to contain_class('ssh::params') }
                 it do
                   is_expected.to contain_package('openssh-client').with(
                     'ensure' => 'present'
                   )
                 end
               end
             end
           end
         end
  4. InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements.
  5. An InSpec control that picks the package name by OS family (the slide was cut off after the first `end`; the closing `end` of the control is completed here):

         control 'client 01' do
           impact 1.0
           title 'Verify ssh client'
           desc 'Ensures ssh client should be installed'
           client_package = 'openssh-client'
           client_package = 'openssh-clients' if os[:family] == 'redhat'
           describe package(client_package) do
             it { is_expected.to be_installed }
           end
         end
  6. InSpec output against a Vagrant box:

         Profile: tests from {:path=>"/home/attachmentgenie/Devshed/Projects/attachmentgenie/attachmentgenie-ssh/test/integration/default"} (tests from {:path=>".home.attachmentgenie.Devshed.Projects.attachmentgenie.attachmentgenie-ssh.test.integration.default"})
         Version: (not specified)
         Target: ssh://vagrant@127.0.0.1:2200

           ✔  client 01: Verify ssh client
              ✔  System Package openssh-client should be installed
           ✔  server 01: Verify ssh service
              ✔  Service ssh should be enabled
              ✔  Service ssh should be installed
              ✔  Service ssh should be running
           ×  keys 01: Verify authorized keys for user vagrant (1 failed)
              ✔  File /home/vagrant/.ssh/authorized_keys should exist
              ✔  File /home/vagrant/.ssh/authorized_keys should be file
  7. The intern just “solved” the problem with $product by “fixing” the SSH config.
  8. Obfuscated Code
  9. InSpec control from the dev-sec SSH baseline:

         control 'sshd-06' do
           impact 1.0
           title 'Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication'
           desc 'Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.'
           describe sshd_config do
             its('PermitRootLogin') { should match(/no|without-password/) }
           end
         end
  10. SOX, PCI, HIPAA, CIS
  11. InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code reuse.
  12. Dev-sec.io InSpec profiles: OS, SSH, MySQL, PostgreSQL, Nginx, Apache, CIS Docker
  13. Test Kitchen configuration wiring the dev-sec ssh-baseline profile into the InSpec verifier:

         ---
         driver:
           name: vagrant
         provisioner:
           manifest: init.pp
           manifests_path: examples
           name: puppet_apply
           require_chef_for_busser: false
           require_puppet_omnibus: true
         verifier:
           name: inspec
           suite_name: default
           inspec_tests:
             - https://github.com/dev-sec/ssh-baseline/archive/2.2.0.zip
         platforms:
           - name: ubuntu-14.04
           - name: ubuntu-16.04
           - name: debian-7.11
           - name: debian-8.8
           - name: centos-6.9
           - name: centos-7.3
  14. Sample hardening implementations: OS, SSH, MySQL, PostgreSQL, Nginx
  15. All the tools, like Ansible, Chef and Puppet
  16. Community
      - http://dev-sec.io/
      - @DevSecIO
      - https://github.com/dev-sec
      - https://gitter.im/dev-sec/home
      - https://supermarket.chef.io/tools?q=devsec
      - https://supermarket.chef.io/cookbooks?q=hardening
      - https://galaxy.ansible.com/dev-sec/
      - https://forge.puppet.com/hardening
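As an added example (not code from the slides or from the dev-sec project), here is a plain-Ruby check that mirrors the intent of the sshd-06 control on slide 9 without needing InSpec. It parses a constructed sshd_config sample, applies sshd's first-occurrence rule for directives, stops at the first Match block (values inside Match are conditional and do not change the global setting), and accepts `prohibit-password` as well as `without-password`, since the two are aliases in OpenSSH 7.0 and later while the regex printed on the slide matches only the older spelling. The sample config and the function names are assumptions made for this example.

```ruby
# Added example, not from the slides: a plain-Ruby check in the spirit of the
# dev-sec 'sshd-06' control, runnable without InSpec.
# The config below is a constructed sample, not a real host's file.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  Match User deploy
      PermitRootLogin no
CONF

# Parse sshd_config into a Hash of lower-cased directive => value.
# Comments and blank lines are skipped; both "Key value" and "Key=value"
# forms are accepted. Parsing stops at the first 'Match' block because
# directives inside it apply only conditionally. As sshd does, the first
# occurrence of a directive wins and later ones are ignored.
def parse_sshd_config(text)
  config = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    break if key.casecmp('Match').zero?
    config[key.downcase] ||= value.to_s.strip # first occurrence wins
  end
  config
end

# Values of PermitRootLogin that disable root login with a password.
# 'without-password' (the slide's spelling) and 'prohibit-password'
# (OpenSSH 7.0+) are aliases for the same behaviour.
SAFE_PERMIT_ROOT_LOGIN = %w[no without-password prohibit-password].freeze

# Evaluate the sshd-06 intent and return a finding hash.
# An absent directive is treated as a finding: the effective default
# depends on the OpenSSH version, so the conservative choice is to fail.
def check_permit_root_login(text)
  value = parse_sshd_config(text)['permitrootlogin']
  if value.nil?
    { pass: false, value: nil,
      reason: 'PermitRootLogin not set; default depends on OpenSSH version' }
  elsif SAFE_PERMIT_ROOT_LOGIN.include?(value.downcase)
    { pass: true, value: value, reason: 'root password login disabled' }
  else
    { pass: false, value: value, reason: "PermitRootLogin is '#{value}'" }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = check_permit_root_login(SAMPLE_SSHD_CONFIG)
  puts "sshd-06 #{result[:pass] ? 'PASS' : 'FAIL'}: #{result[:reason]}"
end
```

Run with `ruby sshd06_check.rb` (file name assumed); the sample fails because the global `PermitRootLogin yes` is the first occurrence, and the `PermitRootLogin no` under `Match User deploy` correctly does not rescue it. Feeding the function the contents of a real sshd_config gives the same verdict the InSpec control would, with the alias caveat handled.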
