July 24, 2017 slides and demo for Automating Compliance with InSpec. The associated GitHub repository is here: https://github.com/mattray/inspec-workshop
7. SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
9. Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
10. Apache Server Information Leakage
• Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server. This lets attackers identify web server details precisely and increases the efficiency of any attack, since security vulnerabilities depend on specific software versions.
• How to Test
To test the ServerTokens configuration, check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to a value of Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
11. More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
20. Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
22. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
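The two checks from the SSH Control and Apache Server Information Leakage slides, reimplemented here as an added example in plain Ruby (this is not code from the slides, and it is not InSpec itself; in an InSpec profile the same controls would use the documented sshd_config and apache_conf resources, e.g. `its('Protocol') { should cmp 2 }`). It parses the same directives with the file formats' real semantics and sits them next to an emulation of the grep | sed one-liners, so the cases the anchored, case-sensitive one-liners misread are visible; all config text is constructed.

```ruby
# Added example (not code from the slides): plain Ruby that reproduces the
# checks from the "SSH Control" and "Apache Server Information Leakage" slides
# as structured parsers, next to an emulation of the grep | sed one-liners.
# Every config snippet below is constructed for this example. Files pulled in
# via Include are not followed (the one-liners do not follow them either).

# Emulates `grep "^Keyword" file | sed 's/Keyword //'`: an anchored,
# case-sensitive match that prints every matching line.
def one_liner(text, keyword)
  text.each_line
      .select { |l| l.start_with?(keyword) }
      .map { |l| l.sub("#{keyword} ", '').chomp }
end

# Effective value of a keyword in sshd_config: keywords are case-insensitive,
# lines whose first non-blank character is '#' are comments, and sshd uses
# the FIRST occurrence of a keyword.
def sshd_directive(text, keyword)
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    return value if key.casecmp?(keyword)
  end
  nil
end

# Effective value of a directive in httpd.conf: names are case-insensitive,
# '#' lines are comments, and the LAST occurrence wins.
def apache_directive(text, keyword)
  value = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, val = line.split(/\s+/, 2)
    value = val if key.casecmp?(keyword)
  end
  value
end

# Control from the "SSH Control" slide: Protocol must be exactly 2. With no
# directive, OpenSSH releases that still honour it default to 2.
def ssh_protocol_ok?(sshd_config)
  value = sshd_directive(sshd_config, 'Protocol') || '2'
  value.split(',').map(&:strip) == ['2']
end

# Control from the "Apache Server Information Leakage" slide: ServerTokens
# must be Prod or ProductOnly. With no directive Apache defaults to Full.
def apache_server_tokens_ok?(httpd_conf)
  value = apache_directive(httpd_conf, 'ServerTokens') || 'Full'
  %w[prod productonly].include?(value.strip.downcase)
end

# Both controls at once, keyed the way an InSpec profile would name them.
def run_checks(sshd_config, httpd_conf)
  {
    'ssh-protocol' => ssh_protocol_ok?(sshd_config),
    'apache-servertokens' => apache_server_tokens_ok?(httpd_conf)
  }
end

# Constructed samples. Indentation and case are what trip the one-liners up.
SSHD_CONFIG_GOOD = <<~CONF
  # Hardened host: the directive is indented, so grep "^Protocol" misses it
      Protocol 2
  PermitRootLogin no
CONF

SSHD_CONFIG_BAD = <<~CONF
  #Protocol 2
  protocol 2,1
  Protocol 2
CONF
# sshd honours the first "protocol 2,1" (SSHv1 enabled); the one-liner only
# sees the later "Protocol 2" and reports the host as compliant.

HTTPD_CONF_GOOD = <<~CONF
  servertokens ProductOnly
  ServerSignature Off
CONF

HTTPD_CONF_BAD = <<~CONF
  ServerTokens Prod
  # a later directive overrides the earlier one
  ServerTokens Full
CONF

if __FILE__ == $PROGRAM_NAME
  run_checks(SSHD_CONFIG_BAD, HTTPD_CONF_BAD).each do |id, ok|
    puts "#{ok ? '✔' : '✖'} #{id}"
  end
end
```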
49. InSpec
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
AGENTLESS
50. Operating System & Application Coverage
• Microsoft Windows
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux Enterprise Server
• Oracle Enterprise Linux
• AIX
• HP-UX
• Solaris
• VMware ESXi
• MySQL
• Oracle
• PostgreSQL
• Tomcat
• SQL Server
• IIS
• HTTP request
63. kitchen converge
$ kitchen converge linux
-----> Starting Kitchen (v1.16.0)
-----> Converging <patchlinux-centos-73>...
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 6.2.0...
Removing non-cookbook files before transfer
Preparing validation.pem
Preparing client.rb
…
64. kitchen verify
$ kitchen verify linux
-----> Starting Kitchen (v1.16.0)
-----> Setting up <patchlinux-centos-73>...
Finished setting up <patchlinux-centos-73> (0m0.00s).
-----> Verifying <patchlinux-centos-73>...
Loaded linux-patch-baseline
65. linux-patch-baseline profile
$ kitchen converge
$ kitchen verify
…
✔ verify-patches: Operating system is up-to-date
✔ Linux Update should be uptodate
↺ patches: All operating system updates are installed
↺ Skipped control due to only_if condition.
66. inspec-profile-wannacry-exploit profile
$ kitchen verify
…
✔ WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry Ransomware vulnerability
✔ WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID = 'KB4019215'"} InstalledOn should not eq nil
Profile Summary: 1 successful, 0 failures, 0 skipped
Test Summary: 1 successful, 0 failures, 0 skipped
72. Chef Automate Compliance Features
• Configuration management and compliance status together
• Dashboards and reporting providing real-time and historical views into fleet-wide compliance status
• Full audit trail available via native data storage and reporting
• Premium compliance profiles assessing common industry benchmarks
• Profile management via Chef Automate GUI
• Management of agentless scans & API assessments via GUI