Compliance as Code: Shifting Compliance Left in Continuous Delivery
Matt Ray
July 25, 2017 RSA Singapore presentation.
Compliance as Code: Shifting Compliance Left in Continuous Delivery
1. Matt Ray: Compliance as Code: Shifting Compliance Left in Continuous Delivery (#RSAC)
Manager/Solutions Architect APJ, Chef Software, @mattray
4. Continuous Integration
Continuous Integration requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. By integrating regularly, you can detect errors quickly and locate them more easily.
5. Continuous Deployment
Continuous Integration is the practice of testing each change made to your codebase automatically and as early as possible. Continuous Deployment follows the testing that happens during Continuous Integration and pushes changes to a staging or production system. This makes sure a version of your code is accessible at all times.
6. CI/CD Pipelines
7. Audits and Security Reviews
9. SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
10. How will I verify this?
11. A one-liner with grep!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
13. More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
19. Compliance
21. "Two-thirds of organizations did not adequately test the security of all in-scope systems"
22. Key Trends
While individual rule compliance is up, testing of security systems is down. Sustainability is low: fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
24. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
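The grep and sed one-liners on slides 11, 13 and 24 print a string for a human to read; the talk's point is that policy should be testable code that returns pass or fail. The following is an added example, written in plain Ruby rather than InSpec's own DSL and not taken from the slides or the InSpec project: it expresses those two checks as controls and runs them against constructed sshd_config and httpd.conf samples, handling comments, keyword case, repeated directives and the missing-directive case that a bare grep reports as empty output.

```ruby
# Added example (not from the slides or the InSpec project): the two "grep | sed"
# checks from the talk as policy expressed in plain Ruby. Each control returns a
# pass/fail verdict instead of a string someone has to eyeball. All configuration
# text below is constructed inline; nothing is read from disk.

# Parse "Keyword value" style files (sshd_config, httpd.conf): skip blank lines and
# comments, split on whitespace, and keep every occurrence of a keyword because a
# repeated directive is legal in both formats.
def parse_directives(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, out|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    # sshd_config and Apache keywords are case-insensitive; normalise so that
    # "protocol 2,1" is not missed the way grep "^Protocol" would miss it.
    out[key.downcase] << (value || '').strip
  end
end

# A control mirrors the shape of an InSpec control: id, human-readable title, and
# a check that returns [passed?, message].
Control = Struct.new(:id, :title, :check)

# "Please use SSHv2 instead": the directive must be absent (OpenSSH has defaulted
# to protocol 2 only for years) or every occurrence must be exactly "2". The grep
# one-liner prints nothing in the absent case, which a script can misread either way.
SSH_PROTOCOL = Control.new('sshd-01', 'Only SSH protocol version 2 is enabled', lambda { |conf|
  values = conf['protocol']
  ok = values.empty? || values.all? { |v| v.delete(' ') == '2' }
  [ok, values.empty? ? 'Protocol unset (defaults to 2)' : "Protocol #{values.join(', ')}"]
})

# ServerTokens controls how much version detail Apache puts in the Server header;
# "Prod" reveals the least. When the directive is absent Apache behaves as "Full",
# so absence is a failure here. Apache applies the last occurrence, so check that one.
APACHE_TOKENS = Control.new('httpd-01', 'ServerTokens is set to Prod', lambda { |conf|
  values = conf['servertokens']
  ok = !values.empty? && values.last.casecmp?('prod')
  [ok, values.empty? ? 'ServerTokens unset (behaves as Full)' : "ServerTokens #{values.last}"]
})

# Run controls against parsed configuration; results are keyed by control id.
def run_controls(controls, conf)
  controls.each_with_object({}) do |ctl, report|
    passed, message = ctl.check.call(conf)
    report[ctl.id] = { title: ctl.title, passed: passed, message: message }
  end
end

# Constructed samples: the sshd_config still allows SSHv1 ("2,1") and spells the
# keyword in lower case; httpd.conf sets ServerTokens twice, last occurrence winning.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration (constructed sample)
  Port 22
  protocol 2,1
  PermitRootLogin no
CONF

SAMPLE_HTTPD_CONF = <<~CONF
  # Apache configuration (constructed sample)
  ServerTokens Full
  ServerTokens Prod
  ServerSignature Off
CONF

# Evaluate both controls against the samples: sshd-01 fails, httpd-01 passes.
def sample_report
  run_controls([SSH_PROTOCOL], parse_directives(SAMPLE_SSHD_CONFIG))
    .merge(run_controls([APACHE_TOKENS], parse_directives(SAMPLE_HTTPD_CONF)))
end

if __FILE__ == $PROGRAM_NAME
  sample_report.each do |id, r|
    puts "#{r[:passed] ? 'PASS' : 'FAIL'}  #{id}  #{r[:title]} (#{r[:message]})"
  end
end
```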
25. Infrastructure Code
package 'httpd' do
  action :install
end

service 'httpd' do
  action [:start, :enable]
end
26. We Have A Communications Problem
28. Security != Compliance
29. Secure vs. Compliant
35. Role of the Compliance Officer
Manual Compliance                  | Compliance at Velocity
Reactive engagement                | Proactive engagement
Checking implementations by hand   | Expressing policy as testable code
Short term compliance              | Long term process improvement
36. Compliance as Code
Source control, versioned, tested, shared
38. Detect and Correct
Scan for Compliance; Build & Test Locally; Build & Test in CI/CD; Remediate; Verify
39. Accelerated Cycle
Infrastructure as Code, Policy as Code, Practice as Code: separate certification & testing; a common language for describing & applying policy; compliance at velocity
40. Turns security and compliance into code
41. Compliance Language
42. One Language
Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
43. Windows
44. One Language
Linux, Windows, BSD, Solaris, AIX, HP-UX, ...; bare-metal, VMs, containers; databases, APIs, cloud platforms, ...
45. Databases
46. Cloud Platforms
47. One Language
Linux, Windows, BSD, Solaris, AIX, HP-UX, ...; bare-metal, VMs, containers; databases, APIs, cloud platforms, ...
48. Examples of Available Resources
apache_conf, apt, audit_policy, auditd_conf, auditd_rules, command, crontab, directory, etc_group, file, gem, group, host, inetd_conf, interface, iptables, kernel_module, kernel_parameter, limits_conf, mount, mysql_conf, mysql_session, npm, os, os_env, package, parse_config, passwd, pip, port, postgres_conf, postgres_session, powershell, processes, registry_key, security_policy, service, ssh_config, sshd_config, user, windows_feature, yum
49. InSpec (agentless)
Test your machine locally:
> inspec exec test.rb
Test a machine remotely via SSH:
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM:
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password xyz
Test a Docker container:
> inspec exec test.rb -t docker://5cc8837bb6a8
50. Operating System & Application Coverage
Microsoft Windows, Red Hat Enterprise Linux, Ubuntu Linux, SUSE Linux Enterprise Server, Oracle Enterprise Linux, AIX, HP-UX, Solaris, VMware ESXi; MySQL, Oracle, PostgreSQL, Tomcat, SQL Server, IIS, HTTP request
51. Open Source
Community: https://inspec.io
Code: https://github.com/chef/inspec
Profiles: https://supermarket.chef.io
Tutorials: https://learn.chef.io
#inspec in https://chefcommunity.slack.com
52. What is it not?
IDS / IPS, firewall, antivirus, pentesting tool
53. InSpec: Part of your InfoSec toolchain
Continuous compliance automation alongside firewall, antivirus, intrusion detection/prevention and penetration testing
54. The New DevSecOps
The Old Way: people working directly on machines, with security, DevOps and compliance as separate groups. The New Way: shared tooling across organizations.
55. Thanks!
Matt Ray, Manager/Solutions Architect APJ, matt@chef.io, @mattray
56. Sponsors of DevOps Connect: DevSecOps