SlideShare a Scribd company logo

The Science of Compliance - Early Code to Secure your Node (11/6/19)

J
judy (fink) johnson

We all know that the earlier in the software development process you start your development and test, the more money you save in the long run. In this session, we will discuss methodologies for inserting/continuing compliance checking at various places in the development process - from the Operating System to the code, test, and development systems to various places in the CI process including code, unit test, integration test, and even continuous compliance checking while your code is running.

Technology
1 of 29
Download to read offline
The Science of Compliance Early Code to Secure your Node judy johnson Software Engineer Onyx Point @miz_j
● Programming since the 19XXes when my Dad brought home a PDP-8 ● Software engineer for [many] years - Hardware Control, Digital Signal Processing, SatCom, now Security Framework ● Various job titles: Software Engineer, Systems Engineer, Project Manager, ScrumMaster, and a Record Store Clerk ● Onyx Point since 2015 ● Interests - baking, hockey, rock concerts, reading, volunteering (especially in events that promote diversity in tech) About the Speaker
So… why is DevOps so important to me? ● Cooperation ● Communication ● Repeatability/Consistency ● Efficiency © 123RF
● Fun activity with family and friends ● Stress relief ● Enables creativity ● Makes people happy ● “Practice makes perfect” ● Makes a great analogy to continue through this talk... ...and why is baking so important to me?
The DevOps Cycle
The Baking Cycle
What is DevSecOps? “DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.” (from RedHat)
...what does the “Sec” in the middle mean to me? ● “In high-performing organizations, everyone within the team shares a common goal - quality, availability, and security aren’t the responsibility of individual departments, but are a part of everyone’s job, every day.” - Gene Kim ● Of course security should be part of continuous improvement ● But is the “Sec” necessary, or implied? DevSecCodeTestRunDeployMLEtcOps
PROVABLE DISPROVABLE SECURITY X ✔ COMPLIANCE ✔ ✔ ● Compliance - enforcing a defined/testable set of rules ● Security - ensuring that your system is not vulnerable ● Both are attempts to minimize risk Security vs Compliance
© NIST Risk Management Framework
● Compliance is following the recipe ● Correct controls (temperature, measurement, etc), create consistent, predictable product ● A “typo” or incident could ruin your product ● Substitutions - are they valid? ● Mistake? Learn and document ● Minimizing Risk - Follow instructions, Document anomalies Baking and Compliance
● Improve Security ● Implement of security concepts in a provable way ● Maintain Trust/Integrity ● Maintain Consistency (process management) ● Maintain Control Why do we need compliance?
How do you know you are Compliant? ● Out-of-the-box testing tools based on a specific set of rules (e.g.Nessus, OpenScap, OVAL) ● Toolkits to test compliance status - more flexible (e.g. InSpec, ServerSpec) ● Manual tests ● Compliance tests from scratch
How do you know you are Recipe Compliant? ● Did your cake rise? ● Were your cookies the right consistency? ● Were your “auditors” - (friends, family, co-workers) satisfied with the product? ● Is the house on fire? © 123RF
Typical Process - Old School ● Requirements Created ● Code Written ● Code Reviewed and Tested ● Security Team runs Tests ● An action plan may be written ● Code is rewritten/re-reviewed/re-tested ● New requirements - do we learn from mistakes? © 123RF
Ideal Process ● Code and Compliance Requirements Created ● Compliance & Code Written simultaneously ● Compliance code shared/reused ● Compliance tickets reside with target code tickets ● ALL Code Reviewed and Tested ● ALL Code is rewritten/re-reviewed/re-tested
Hardening your O/S ● Hardening begins with O/S ● Non-compliant code will be exposed early ● Development platform has the same rules as target platforms ● Compliance issues and fixes are found early and shared early ● Items such as disk and data encryption, which are hard to add later, are set early
Ensuring your systems are Compliant ● Development - Eliminate some of the threats immediately ○ e.g. ports, encryption ● Test - Testing framework and platform (CI) ○ test under varying conditions ○ test all components together ○ last chance to catch issues before code goes live ● Production - Your production environment is open to threats ○ “Chaos Monkey”-like tools randomly test for various issues ○ canary deployments and feature flags (small sample)
Adding Compliance to Testing ● Acceptance tests - Beaker/VM/Container tests ● Chef’s Inspec ● Manual testing ● Static code analysis tools ● Dynamic code analysis tools ● Use the tools you have!
Compliance Testing in CI ● Passing once is not enough ● Ensure that your automated tests (spec, acceptance, integration) run with every check-in and/or periodically Continuous testing of your recipe (check out this great video https://www.youtube.com/watch?v=rfROcNPsb3w) © 123RF
Tools for Correction Compliance ● Puppet ● Salt ● Ansible ● Chef ● Any programming language, script, manual Recipe ● Cake mix (customize within constraints) ● Pre-mixed spices ● Frosting to cover up any goofs ● Salt ;-) © 123RF © Paul Prudhomme
OK, it’s passed all the tests, and I’ve deployed... ● Puppet ○ Ensures your setup remains solid by running every 30 minutes (or predetermined) ● Cron job or CI tool ○ Can recheck and reset if there is an issue ● Ensure that reoccurring issues are documented and addressed
Sample Commercial Tools - Development Stages ● SCA – Software Composition Analysis - Dependency Check, Blackduck, NexusIQ, SourceClear, Whitesource ● SAST - Static Application Security Testing (White Box Testing) [Source Code Check] – SonarQube, Veracode, Checkmarx, Coverity, Fortify, and language-specific tools Brakeman (Ruby), Bandit (Python) ● DAST - Dynamic Application Security Testing (Black Box Testing) [running app] - Burp, Zap, Sn1per, Nikto, WebInspect, AppScan, Acunetix, Netsparker thanks, Thaddeus @thaddeuswalsh)
Other types of tools ● Infrastructure Vulnerability Management – Tenable, Qualys, Rapid7, OpenVAS ● Container – Clair, Trivy, Aqua, Twistlock ● Cloud - Prowler (AWS assessment tool) ● Database scanner - SQLmap (open source SQL Injection and db takeover tool), (tool listings thanks to Thaddeus @thaddeuswalsh)
My baking slide (1) Carrot Cake ● 1 1/2 cups corn oil ● 2 cups sugar (not salt :) ) ● 3 eggs ● 2 cups flour ● 1 1/2 teaspoons cinnamon ● 2 teaspoons baking soda ● 2 teaspoons vanilla ● 1/2 teaspoon salt (not sugar :) ) ● 2 cups grated carrots ● 1 cup chopped walnuts Combine all ingredients. Pour in greased 13" x 9" pan. Bake at 350 for 45 minutes. Cool, frost. ● Carrot cake is one of my favorites! ● Vegetables and security - necessary evils to some ● Carrot - a vegetable and unexpected - are baked in, yet the cake is sweet and moist
● Imagine the frosting as your app. ● Solid base - add your personal touch ● Ensure that you do not alter the foundation that the cake has created when you personalize it Cream Cheese Frosting ● 3 oz cream cheese ● 1 2/3 cups confectioners sugar ● 1/8 teaspoon salt ● 1 teaspoon vanilla Combine all ingredients. Beat until creamy. Spread on cake. My baking slide (2)
● A secure O/S on development and all other platforms allows you to start with an advantage ● Compliance testing can - and should - be done at all stages of your CI ● Watch your test tool - there can be false positives as well as false negatives ● A tool such as Puppet or Cron can run (or run scripts) at regular time increments to check your compliance, and alert you if something needs correction ● Correction can be done with an automated tool or manually ● Ensure that security is integrated into your team and process ● No matter what you are creating, remember to bake in the goodness! Summary...
Thanks! To co-workers who teach me every day, and peer review my code, documents, and cookies… to family and friends who inspire me daily… to the friends who helped me put this together and make it pretty Thanks AllDayDevOps! Never stop learning – and make sure you have time to spend on things you enjoy! Thanks!
The Science of Compliance - Early Code to Secure your Node (11/6/19)

Recommended

DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
 
How to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsHow to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsDevOps.com
 
Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5tafinley
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source B.A.
 

Recommended

DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
 
How to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsHow to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsDevOps.com
 
Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5tafinley
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source B.A.
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)Rich Mills
 
Continuous Testing in containerized environment
Continuous Testing in containerized environmentContinuous Testing in containerized environment
Continuous Testing in containerized environmentNicolas Giron
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Break Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus MerrellBreak Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus MerrellSauce Labs
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Dynatrace
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software EngineeringInternational Islamic University Islamabad
 
Developers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomonDevelopers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomonIneke Scheffers
 
Services, tools & practices for a software house
Services, tools & practices for a software houseServices, tools & practices for a software house
Services, tools & practices for a software houseParis Apostolopoulos
 
Starting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X TechnologyStarting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X Technology99X Technology
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Practical Software Testing Tools
Practical Software Testing ToolsPractical Software Testing Tools
Practical Software Testing ToolsDr Ganesh Iyer
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software jamieayre
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
High Performance Software Engineering Teams
High Performance Software Engineering TeamsHigh Performance Software Engineering Teams
High Performance Software Engineering TeamsLars Thorup
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

More Related Content

Similar to The Science of Compliance - Early Code to Secure your Node (11/6/19)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)Rich Mills
 
Continuous Testing in containerized environment
Continuous Testing in containerized environmentContinuous Testing in containerized environment
Continuous Testing in containerized environmentNicolas Giron
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Break Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus MerrellBreak Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus MerrellSauce Labs
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Dynatrace
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
 
Developers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomonDevelopers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomonIneke Scheffers
 
Services, tools & practices for a software house
Services, tools & practices for a software houseServices, tools & practices for a software house
Services, tools & practices for a software houseParis Apostolopoulos
 
Starting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X TechnologyStarting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X Technology99X Technology
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Practical Software Testing Tools
Practical Software Testing ToolsPractical Software Testing Tools
Practical Software Testing ToolsDr Ganesh Iyer
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software jamieayre
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
High Performance Software Engineering Teams
High Performance Software Engineering TeamsHigh Performance Software Engineering Teams
High Performance Software Engineering TeamsLars Thorup
 

Similar to The Science of Compliance - Early Code to Secure your Node (11/6/19) (20)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
 
Continuous Testing in containerized environment
Continuous Testing in containerized environmentContinuous Testing in containerized environment
Continuous Testing in containerized environment
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Break Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus MerrellBreak Up the Monolith- Testing Microservices by Marcus Merrell
Break Up the Monolith- Testing Microservices by Marcus Merrell
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarin
 
Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software Engineering
 
Developers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomonDevelopers Testing - Girl Code at bloomon
Developers Testing - Girl Code at bloomon
 
Services, tools & practices for a software house
Services, tools & practices for a software houseServices, tools & practices for a software house
Services, tools & practices for a software house
 
Starting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X TechnologyStarting Test Automation In Your Project - Webinar by 99X Technology
Starting Test Automation In Your Project - Webinar by 99X Technology
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Practical Software Testing Tools
Practical Software Testing ToolsPractical Software Testing Tools
Practical Software Testing Tools
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
High Performance Software Engineering Teams
High Performance Software Engineering TeamsHigh Performance Software Engineering Teams
High Performance Software Engineering Teams
 

Recently uploaded

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

The Science of Compliance - Early Code to Secure your Node (11/6/19)

  • 1. The Science of Compliance Early Code to Secure your Node judy johnson Software Engineer Onyx Point @miz_j
  • 2. ● Programming since the 19XXes when my Dad brought home a PDP-8 ● Software engineer for [many] years - Hardware Control, Digital Signal Processing, SatCom, now Security Framework ● Various job titles: Software Engineer, Systems Engineer, Project Manager, ScrumMaster, and a Record Store Clerk ● Onyx Point since 2015 ● Interests - baking, hockey, rock concerts, reading, volunteering (especially in events that promote diversity in tech) About the Speaker
  • 3. So… why is DevOps so important to me? ● Cooperation ● Communication ● Repeatability/Consistency ● Efficiency © 123RF
  • 4. ● Fun activity with family and friends ● Stress relief ● Enables creativity ● Makes people happy ● “Practice makes perfect” ● Makes a great analogy to continue through this talk... ...and why is baking so important to me?
  • 7. What is DevSecOps? “DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.” (from RedHat)
  • 8. ...what does the “Sec” in the middle mean to me? ● “In high-performing organizations, everyone within the team shares a common goal - quality, availability, and security aren’t the responsibility of individual departments, but are a part of everyone’s job, every day.” - Gene Kim ● Of course security should be part of continuous improvement ● But is the “Sec” necessary, or implied? DevSecCodeTestRunDeployMLEtcOps
  • 9. PROVABLE DISPROVABLE SECURITY X ✔ COMPLIANCE ✔ ✔ ● Compliance - enforcing a defined/testable set of rules ● Security - ensuring that your system is not vulnerable ● Both are attempts to minimize risk Security vs Compliance
  • 11. ● Compliance is following the recipe ● Correct controls (temperature, measurement, etc), create consistent, predictable product ● A “typo” or incident could ruin your product ● Substitutions - are they valid? ● Mistake? Learn and document ● Minimizing Risk - Follow instructions, Document anomalies Baking and Compliance
  • 12. ● Improve Security ● Implement of security concepts in a provable way ● Maintain Trust/Integrity ● Maintain Consistency (process management) ● Maintain Control Why do we need compliance?
  • 13. How do you know you are Compliant? ● Out-of-the-box testing tools based on a specific set of rules (e.g.Nessus, OpenScap, OVAL) ● Toolkits to test compliance status - more flexible (e.g. InSpec, ServerSpec) ● Manual tests ● Compliance tests from scratch
  • 14. How do you know you are Recipe Compliant? ● Did your cake rise? ● Were your cookies the right consistency? ● Were your “auditors” - (friends, family, co-workers) satisfied with the product? ● Is the house on fire? © 123RF
  • 15. Typical Process - Old School ● Requirements Created ● Code Written ● Code Reviewed and Tested ● Security Team runs Tests ● An action plan may be written ● Code is rewritten/re-reviewed/re-tested ● New requirements - do we learn from mistakes? © 123RF
  • 16. Ideal Process ● Code and Compliance Requirements Created ● Compliance & Code Written simultaneously ● Compliance code shared/reused ● Compliance tickets reside with target code tickets ● ALL Code Reviewed and Tested ● ALL Code is rewritten/re-reviewed/re-tested
  • 17. Hardening your O/S ● Hardening begins with O/S ● Non-compliant code will be exposed early ● Development platform has the same rules as target platforms ● Compliance issues and fixes are found early and shared early ● Items such as disk and data encryption, which are hard to add later, are set early
  • 18. Ensuring your systems are Compliant ● Development - Eliminate some of the threats immediately ○ e.g. ports, encryption ● Test - Testing framework and platform (CI) ○ test under varying conditions ○ test all components together ○ last chance to catch issues before code goes live ● Production - Your production environment is open to threats ○ “Chaos Monkey”-like tools randomly test for various issues ○ canary deployments and feature flags (small sample)
  • 19. Adding Compliance to Testing ● Acceptance tests - Beaker/VM/Container tests ● Chef’s Inspec ● Manual testing ● Static code analysis tools ● Dynamic code analysis tools ● Use the tools you have!
  • 20. Compliance Testing in CI ● Passing once is not enough ● Ensure that your automated tests (spec, acceptance, integration) run with every check-in and/or periodically Continuous testing of your recipe (check out this great video https://www.youtube.com/watch?v=rfROcNPsb3w) © 123RF
  • 21. Tools for Correction Compliance ● Puppet ● Salt ● Ansible ● Chef ● Any programming language, script, manual Recipe ● Cake mix (customize within constraints) ● Pre-mixed spices ● Frosting to cover up any goofs ● Salt ;-) © 123RF © Paul Prudhomme
  • 22. OK, it’s passed all the tests, and I’ve deployed... ● Puppet ○ Ensures your setup remains solid by running every 30 minutes (or predetermined) ● Cron job or CI tool ○ Can recheck and reset if there is an issue ● Ensure that reoccurring issues are documented and addressed
  • 23. Sample Commercial Tools - Development Stages ● SCA – Software Composition Analysis - Dependency Check, Blackduck, NexusIQ, SourceClear, Whitesource ● SAST - Static Application Security Testing (White Box Testing) [Source Code Check] – SonarQube, Veracode, Checkmarx, Coverity, Fortify, and language-specific tools Brakeman (Ruby), Bandit (Python) ● DAST - Dynamic Application Security Testing (Black Box Testing) [running app] - Burp, Zap, Sn1per, Nikto, WebInspect, AppScan, Acunetix, Netsparker thanks, Thaddeus @thaddeuswalsh)
  • 24. Other types of tools ● Infrastructure Vulnerability Management – Tenable, Qualys, Rapid7, OpenVAS ● Container – Clair, Trivy, Aqua, Twistlock ● Cloud - Prowler (AWS assessment tool) ● Database scanner - SQLmap (open source SQL Injection and db takeover tool), (tool listings thanks to Thaddeus @thaddeuswalsh)
  • 25. My baking slide (1) Carrot Cake ● 1 1/2 cups corn oil ● 2 cups sugar (not salt :) ) ● 3 eggs ● 2 cups flour ● 1 1/2 teaspoons cinnamon ● 2 teaspoons baking soda ● 2 teaspoons vanilla ● 1/2 teaspoon salt (not sugar :) ) ● 2 cups grated carrots ● 1 cup chopped walnuts Combine all ingredients. Pour in greased 13" x 9" pan. Bake at 350 for 45 minutes. Cool, frost. ● Carrot cake is one of my favorites! ● Vegetables and security - necessary evils to some ● Carrot - a vegetable and unexpected - are baked in, yet the cake is sweet and moist
  • 26. ● Imagine the frosting as your app. ● Solid base - add your personal touch ● Ensure that you do not alter the foundation that the cake has created when you personalize it Cream Cheese Frosting ● 3 oz cream cheese ● 1 2/3 cups confectioners sugar ● 1/8 teaspoon salt ● 1 teaspoon vanilla Combine all ingredients. Beat until creamy. Spread on cake. My baking slide (2)
  • 27. ● A secure O/S on development and all other platforms allows you to start with an advantage ● Compliance testing can - and should - be done at all stages of your CI ● Watch your test tool - there can be false positives as well as false negatives ● A tool such as Puppet or Cron can run (or run scripts) at regular time increments to check your compliance, and alert you if something needs correction ● Correction can be done with an automated tool or manually ● Ensure that security is integrated into your team and process ● No matter what you are creating, remember to bake in the goodness! Summary...
  • 28. Thanks! To co-workers who teach me every day, and peer review my code, documents, and cookies… to family and friends who inspire me daily… to the friends who helped me put this together and make it pretty Thanks AllDayDevOps! Never stop learning – and make sure you have time to spend on things you enjoy! Thanks!