Habitat-managed Chef with Policyfiles: Learn how to leverage the power of Habitat, chef-client and Policyfiles to produce an immutable application containing all of your chef cookbooks that can be locally tested and provides a consistent and guaranteed picture of desired configuration state across all target environments.
(DVO208) Mission-Critical Business Applications in the Cloud (Amazon Web Services)
In every industry, organizations have been looking to move their entire business, not just their back office applications, to the cloud. Until recently, mission-critical applications have not been cloud-ready. Options have been limited to point solutions from multiple vendors that require extensive integration, and cloud applications that simply lack the deep, unique functionality required by manufacturers, hospitals, banks, or hotels. In this session, hear how enterprise application suites that run critical operations and provide real-time analytics have reached the tipping point and now make it possible to run your entire business in the cloud. Session sponsored by Infor.
How NBCUniversal is embracing DevOps to improve application delivery. Hear how they are using automation tools, like IBM UrbanCode to help standardize culture, speed time to market, integrate with existing tools, and deliver releases effectively. Learn more about UrbanCode here: http://ibm.biz/learnurbancode
What manufacturing teaches about DevOps (Gordon Haff)
Software development, like manufacturing, is a craft that requires the application of creative approaches to solve problems given a wide range of constraints. However, while engineering design may be craftwork, the production of most designed objects relies on a standardized and automated manufacturing process. By contrast, much of moving an application from prototype to production and, indeed, maintaining the application through its lifecycle has often remained craftwork. In this session, Gordon Haff discusses the many lessons and processes that DevOps can learn from manufacturing and the assembly line-like tools, such as Platform-as-a-Service, that provide the necessary abstraction and automation to make industrialized DevOps possible.
Continuous Application Delivery to WebSphere - Featuring IBM UrbanCode (IBM UrbanCode Products)
UrbanCode Deploy provides extensive capabilities for configuring WebSphere Application Server (WAS) through plug-ins: Application Deployment for WebSphere – which enables the auto-discovery of WAS cells; and Middleware Configuration for WebSphere – which allows for management of WAS configurations.
See how, when combined, UrbanCode Deploy and these plug-ins enable a rapid, controlled method for continuous delivery to WebSphere Application Servers.
InSpec is an open source testing framework for infrastructure with a human-readable language for specifying compliance, security, and other policy requirements. Easily integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.
Automating and Accelerating Application Deployments to IBM WebSphere without ... (XebiaLabs)
Slides from the Jun 11, 2013 Global WebSphere Community webinar "Deploy. Faster. Automating and Accelerating Application Deployments to IBM WebSphere without Scripting"
As software teams transition to cloud-based architectures and adopt more agile processes, the tools they need to support their development cycles will change. In this session, we'll take you through the transition that Amazon made to a service-oriented architecture over a decade ago. We will share the lessons we learned, the processes we adopted, and the tools we built to increase both our agility and reliability. We will also introduce you to AWS CodeCommit, AWS CodePipeline, and AWS CodeDeploy, three new services born out of Amazon's internal DevOps experience.
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve... (cornelia davis)
Talk given at SpringOne 2015
The third platform, characterized by a fluid infrastructure where virtualized servers come into and out of existence, and workloads are constantly being moved about and scaled up and down to meet variable demand, calls for new design patterns, processes and even culture. One of the most well known descriptions of these new paradigms is the Twelve Factor App (12factor.net), which describes elements of cloud native applications. Many of these needs are squarely met through the Spring Framework, others require support from other systems. In this session we will examine each of the twelve factors and present how Spring, and platforms such as Cloud Foundry satisfy them, and in some cases we’ll even suggest that responsibility should shift from Spring to platforms. At the conclusion you will understand what is needed for cloud-native applications, why and how to deliver on those requirements.
Through the story of Microsoft's journey to cloud cadence, this talk walks through DevOps practices such as Infrastructure as Code, CI/CD, Release Management and Hypothesis Driven Development.
It also introduces the impact of Docker and PaaS in DevOps.
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev... (Simplilearn)
This presentation "Chef vs Puppet vs Ansible vs Saltstack" compares the DevOps configuration management tools Chef, Puppet, Ansible and Saltstack in terms of their capabilities, architecture, performance, ease of setup, language, scalability and pros and cons. Chef is a configuration management tool written in Ruby and Erlang. Puppet is an open-source software configuration management tool that runs on many Unix-like systems and also Windows. Ansible is yet another tool that automates software provisioning, configuration management, and application deployment. Saltstack is a Python-based open-source configuration management tool. Now, let us get started and get to know which is the best configuration management platform among Chef, Puppet, Ansible and Saltstack.
Below are the contents of our "Chef vs Puppet vs Ansible vs Saltstack" configuration management tools comparison slides:
1) Need for Configuration Management Tools
2) Chef - Infrastructure, Architecture, Pros and Cons
3) Puppet- Infrastructure, Architecture, Pros and Cons
4) Ansible - Infrastructure, Architecture, Pros and Cons
5) Saltstack - Infrastructure, Architecture, Pros and Cons
6) Comparison on the basis of architecture, ease of setup, language, scalability, management and interoperability.
Why learn DevOps?
Simplilearn’s DevOps training course is designed to help you become a DevOps practitioner and apply the latest in DevOps methodology to automate your software development lifecycle right out of the class. You will master configuration management, continuous integration, deployment, delivery and monitoring using DevOps tools such as Git, Docker, Jenkins, Puppet and Nagios in a practical, hands-on and interactive approach. The DevOps training course focuses heavily on the use of Docker containers, a technology that is revolutionizing the way apps are deployed in the cloud today and is a critical skillset to master in the cloud age.
After completing the DevOps training course you will achieve hands-on expertise in various aspects of the DevOps delivery model. The practical learning outcomes of this DevOps training course are:
An understanding of DevOps and the modern DevOps toolsets
The ability to automate all aspects of a modern code delivery and deployment pipeline using:
1. Source code management tools
2. Build tools
3. Test automation tools
4. Containerization through Docker
5. Configuration management tools
6. Monitoring tools
Who should take this course?
DevOps career opportunities are thriving worldwide. DevOps was featured as one of the 11 best jobs in America for 2017, according to CBS News, and data from Payscale.com shows that DevOps Managers earn as much as $122,234 per year, with DevOps engineers making as much as $151,461.
Learn more at https://www.simplilearn.com/cloud-computing/devops-practitioner-certification-training
Cloud-native Data: Every Microservice Needs a Cache (cornelia davis)
Presented at the Pivotal Toronto Users Group, March 2017
Cloud-native applications form the foundation for modern, cloud-scale digital solutions, and the patterns and practices for cloud-native at the app tier are becoming widely understood – statelessness, service discovery, circuit breakers and more. But little has changed in the data tier. Our modern apps are often connected to monolithic shared databases that have monolithic practices wrapped around them. As a result, the autonomy promised by moving to a microservices application architecture is compromised.
With lessons from the application tier to guide us, the industry is now figuring out what the cloud-native architectural patterns are at the data tier. Join us to explore some of these with Cornelia Davis, a five year Cloud Foundry veteran who is now focused on cloud-native data. As it happens, every microservice needs a cache and this evening will drill deep on that topic. She’ll cover a variety of caching patterns and use cases, and demonstrate how their use helps preserve the autonomy that is driving agile software delivery practices today.
As the world of system and application deployment continues to change, the sys admin and security community needs to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. Add in DevOps and the traditional sys admin and security processes just don’t work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? Rackspace has been developing a tool, called Checkmate, to help them design, deploy and security-assess complex configurations for customers. This talk will cover the concepts behind Checkmate, its architecture, and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. It closes with a discussion of how Checkmate has inspired the concept of Test Driven Security, modeled on the Test Driven Development practice familiar to the development world.
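The InSpec entry above describes encoding security policy as automated tests, and the Checkmate talk calls the same idea Test Driven Security: write down the secure state first, then verify the built system against it. The following is an added example of that pattern in plain Ruby. It is not InSpec code, not Checkmate code, and not taken from any talk on this page; it only reproduces the pass/fail shape an InSpec control produces. The sshd_config texts, the policy table and the defaults assumed for absent keywords are constructed for the example (the defaults follow current OpenSSH documentation, but verify them against the sshd version you actually run).

```ruby
# Added example: policy checks over an sshd_config, in the test-driven
# security style. Not InSpec or Checkmate code; constructed for illustration.

# sshd applies the FIRST occurrence of a keyword, keywords are
# case-insensitive, and everything after the first `Match` line is
# conditional, so it must not be read as a global setting. A checker
# that takes the last value, or ignores Match, will pass a weak file.
# (`Include` directives are not followed here.)
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)      # "Key value" or "Key=value"
    key = key.downcase
    break if key == 'match'                   # global section ends here
    value = value.to_s.sub(/\s+#.*\z/, '').strip
    settings[key] = value unless settings.key?(key)   # first value wins
  end
  settings
end

# The policy: what we expect, plus the compiled-in default sshd uses when
# the keyword is absent, so an omitted line is judged by actual behaviour.
# Defaults assumed from OpenSSH documentation; check your own version.
SSHD_POLICY = {
  'permitrootlogin'        => { expect: ['no'], default: 'prohibit-password' },
  'passwordauthentication' => { expect: ['no'], default: 'yes' },
  'permitemptypasswords'   => { expect: ['no'], default: 'no' },
  'x11forwarding'          => { expect: ['no'], default: 'no' },
  'maxauthtries'           => { expect: ->(v) { v.to_i <= 4 }, default: '6' },
}.freeze

# Evaluate every control; returns one result hash per control, in policy order.
def check_sshd_policy(text)
  settings = parse_sshd_config(text)
  SSHD_POLICY.map do |key, rule|
    actual = settings.fetch(key, rule[:default])
    ok = if rule[:expect].respond_to?(:call)
           rule[:expect].call(actual)
         else
           rule[:expect].include?(actual.downcase)
         end
    { control: key, actual: actual, status: ok ? :passed : :failed }
  end
end

def failed_controls(text)
  check_sshd_policy(text).select { |r| r[:status] == :failed }.map { |r| r[:control] }
end

# Constructed sample: looks hardened at a glance, but the first
# PermitRootLogin wins, and the PasswordAuthentication "no" sits inside a
# Match block, so globally sshd still accepts passwords.
WEAK_SSHD_CONFIG = <<~CFG
  # /etc/ssh/sshd_config (constructed for this example)
  Port 22
  PermitRootLogin yes
  PermitRootLogin no        # never applied: sshd keeps the first value
  MaxAuthTries 10
  Match Address 10.0.0.0/8
      PasswordAuthentication no
CFG

# Constructed sample that satisfies every control above.
HARDENED_SSHD_CONFIG = <<~CFG
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding no
  MaxAuthTries 4
CFG

if __FILE__ == $PROGRAM_NAME
  check_sshd_policy(WEAK_SSHD_CONFIG).each do |r|
    puts format('%-24s %-7s actual=%s', r[:control], r[:status], r[:actual])
  end
end
```

Run against the weak file, the report fails permitrootlogin, passwordauthentication and maxauthtries and passes the two controls whose sshd default already matches policy; the hardened file passes all five. The point to carry over to a real InSpec profile is the same: a control must test what the daemon will do (first match, defaults, Match scoping), not what a grep of the file suggests.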
CI/CD - A strategy for success (North Africa Dreamin' Prez) (Yassine ELQANDILI ☁)
Presented at the first Dreamin Event in Africa "North Africa Dreamin 2019". This topic is to show you the key elements to take care of in order to deliver Salesforce projects successfully, taking the advantages of the latest Salesforce tools.
Devops: Who Does What? - Devops Enterprise Summit 2016 (cornelia davis)
Within the IT organizational structures that have dominated the last several decades, roles and responsibilities are fairly standardized. But with the dramatic changes that DevOps practices and supporting toolsets bring, many are left feeling a bit off balance - it’s no longer clear who is responsible for even things as “straight-forward” as development or operations.
In this talk I will take traditional roles that are distributed across fairly standard IT structures and sort them into a new organizational context. What is the role of the Enterprise Architect? Who does capacity planning and how? How can change management step out of the way all while still satisfying the requirements of safe deployments? How do agile teams interface with personnel responsible for maintaining legacy systems? I’ll leave the audience with a blueprint for a new organizational structure.
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha... (Matt Ray)
What are we going to do about all these legacy applications? Kubernetes, Docker or Server Core? With Habitat it doesn’t matter anymore! As companies make the transition from traditional IT infrastructure to cloud-native container platforms, packaging, deploying and managing applications become the focus for developers and operators. Having a consistent approach to managing dependencies and building applications brings stability to CI/CD pipelines and frees developers to prioritize features. Automated, repeatable builds with immutable artifacts and consistent management of any application on any platform allow operators to focus on stability and speed. Chef's Habitat project brings all of this together in an open source automation platform that enables modern application teams to build, deploy, and run any application in any environment - from traditional data-centers to containerized microservices. This presentation provided an overview of the benefits of Habitat and a live demo of applications being built and deployed on traditional operating systems and across Docker and Kubernetes, seamlessly.
Wellington DevOps: Bringing Your Applications into the Future with Habitat (Matt Ray)
Short presentation from the Wellington DevOps Meetup March 13, 2019 on why Habitat is interesting for re-platforming existing applications onto new platforms.
Continuous Delivery for cloud - scenarios and scope (Sanjeev Sharma)
Cloud is both a catalyst and an enabler for DevOps. The flexibility, services and capabilities provided by the Cloud lower the barrier to adoption for organizations looking to adopt DevOps, allowing them to achieve the business goals of speed, business agility and innovation.
This webinar will explore the impact of DevOps on using the Cloud as a Platform as a Service and vice versa. It will explore the different use cases of DevOps that are enabled or enhanced by the Cloud platform, and the different 'scopes' of adoption by organizations adopting Cloud and DevOps in an iterative manner.
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdf (basilmph)
Taking outdated applications and upgrading their platform infrastructure, internal systems, and the way they are used is known as application modernization. The advantages of application modernization can be summarized as increasing the speed with which new features are delivered, exposing the functionality of existing applications to be consumed via API by other services, and re-platforming applications from on-premises to cloud-native.
There are options beyond a straightforward lift and shift into Infrastructure as a Service. This session is about learning how Azure helps modernize applications faster utilising modern technologies like PaaS, containers and serverless.
Migrating Thousands of Workloads to AWS at Enterprise Scale – Chris Wegmann, ... (Amazon Web Services)
At the end of this session participants will learn how to assess their enterprise application portfolio and move thousands of instances to AWS in a quick and repeatable fashion. Migrating workloads to AWS in an enterprise environment is not easy, but with the right approach, an enterprise-sized organization can migrate thousands of instances to AWS quickly and cost effectively to ensure a strong ROI.
From the Amazon Web Services Singapore & Malaysia Summits 2015 Track 1 Breakout, 'The Journey to Digital Enterprise' Presented by Daniel Angelucci, CTO, CSC AMEA
App modernization projects are hard. Enterprises are looking to cloud-native platforms like Pivotal Cloud Foundry to run their applications, but they’re worried about the risks inherent to any replatforming effort.
Fortunately, several repeatable patterns of successful incremental migration have emerged.
In this webcast, Google Cloud’s Prithpal Bhogill and Pivotal’s Shaun Anderson will discuss best practices for app modernization and securely and seamlessly routing traffic between legacy stacks and Pivotal Cloud Foundry.
This talk is an in-depth look at all we, at Chef, have learned and what we love and what could be better about Configuration Management, Continuous Delivery and DevOps. We'll explore the pain points that still exist, especially as teams try to bring containers and microservices into production. We’ll then explore how to ensure the apps you build, deploy, and manage behave consistently in any runtime — metal, VMs, containers, and PaaS. You'll spend less time on the environment and more time building features.
Presented by Simon Fisher at DevOps World London November 2016
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Search and Society: Reimagining Information Access for Radical Futures (Bhaskar Mitra)
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Key Trends Shaping the Future of Infrastructure (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this is illustrated with link prediction over knowledge graphs, but the argument is general.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
5. Our vision: The most enduring and transformative companies use Chef to become fast, efficient, and innovative software-driven organizations.
[Diagram: Velocity: time from idea to ship; the three layers shown are Infrastructure Automation, Compliance Automation, and Application Automation.]
8. We hear two concerns from leaders most frequently:
1. "My existing (legacy) apps run my business. How can I get them moving more quickly?"
2. "Compliance is slowing us down, and audits are painful. How can we move faster while meeting requirements?"
18. Choice of tools for every stage and every requirement
[Diagram: the three stages Assess, Migrate, Optimize, with the tools Azure Migrate, Data Migration Assistant, SQL Server Migration Assistant, Azure Database Migration Service, Azure Site Recovery, Azure Data Box, and Azure security and management (security, backup, monitoring, cost management), plus Microsoft partners.]
20. Summarizing cloud migration strategies
Redeploy as-is to cloud
• Drivers: Reduce Capex; Free up datacenter space; Quick cloud ROI
• Technologies: IaaS
Minimally alter to take better advantage of cloud
• Drivers: Faster, shorter updates; Code portability; Greater cloud efficiency (resources, speed, cost)
• Technologies: Containers, PaaS
Materially alter/decompose application to services
• Drivers: App scale and agility; Easier adoption of new cloud capabilities; Mix technology stacks
• Technologies: PaaS, Serverless, Microservices
New code written with cloud native approach
• Drivers: Accelerate innovation; Build apps faster; Reduce operational cost
21. When to use which migration strategy (and tech)
[Table: Objective against Rehost / Refactor / Rearchitect / Rebuild and Primary technology; the per-strategy check marks are not reproduced here.]
• Achieve rapid time to cloud: IaaS, DBaaS
• Migration with minimal architectural and code impact: IaaS, DBaaS
• Free up data center space quickly: IaaS, DBaaS
• Reduce capital expenditure of existing applications: IaaS, DBaaS
• Leverage existing investments: IaaS, PaaS, Containers
• Meet scalability requirements of existing apps more cost effectively: PaaS, Containers
• Enable business agility with continuous innovation: PaaS, Containers
• More easily integrate with other web and cloud apps: PaaS, Serverless
• Enable multichannel access, including mobile and IoT: PaaS, Serverless
• Deliver new and breakthrough capabilities faster: PaaS, Serverless
23. Azure Site Recovery (ASR) – GA
Migrate applications and VMs to Azure IaaS with confidence
• Zero application data loss during migration
• Near-zero application downtime during migration
• Broad coverage for hypervisors, applications, operating systems, and Azure features
• No-impact application testing in Azure
• Free usage during migration
24. Rehost Windows Server on Azure
Sample annual cost comparison of two D2V3 Windows Server VMs. Savings based on two D2V3 VMs in US West 2 Region running 744 hours/month for 12 months; base compute rate at SUSE Linux Enterprise rate for US West 2. Azure pricing as of 04/24/2018. AWS pricing as of 04/24/2018. Price subject to change.
25. Confidently rehost your databases with Azure Database Migration Service – now generally available
Source → Target: Status
• SQL Server → Azure SQL Database (single/elastic): Generally Available
• SQL Server → Azure SQL Database Managed Instance: In preview
• SQL Server → SQL Server in Azure VMs: In preview
• MySQL → Azure Database for MySQL: In preview
• PostgreSQL → Azure Database for PostgreSQL: In preview
• Oracle → SQL Server in Azure VMs, Azure SQL Database: In preview
https://datamigration.microsoft.com/
34. Optimize: Stay secure, well managed, and cost-efficient after your move
35. Steps to start securing and managing your cloud
• Protect your data in the cloud: Azure Backup
• Secure your cloud resources: Azure Security Center
• Monitor your cloud health: Azure Log Analytics
39. Lower your TCO significantly by migrating to Azure
Azure.com/tco
40. Get started at no cost: Built-in tools at each stage
• Pre-migration: Azure Migrate
• During migration: Azure Site Recovery
• Post-migration: Azure cost management
45. What We Want to Share Today
● Highlights from Chef's 2018 State of Applications survey: you have company
● Challenges with modernizing legacy applications
● How Habitat can help you lift, shift, and modernize to adopt cloud and container technology even for older applications
47. Survey Insights
Speed is success for applications - but achieving speed is a big challenge.
[Survey chart: "How do you measure app deployment success?" (Speed*); "How long does it take to complete the app build process?" (Days or longer); "How many builds before an app is deployed to production?" (Four or more); the percentages shown are 61%, 72% and 55%.]
* “Time from code to production” or “Time from commit to deploy”
48. Survey Insights
Aggressive plans for containerization, most often by lifting, shifting, and modernizing applications.
[Survey chart: "In 2 years, what percent of your apps will be deployed on container platforms?" - 1/4 or more: 51%; "Which approach will you use to transition apps to new architectures & infrastructures?" - Lift, Shift, Modernize: 73%; Rewrite Apps: 52%.]
49. Survey Insights
Environments are heavily heterogeneous, and application management is most challenging.
[Survey chart: "Which is the most challenging aspect of the application lifecycle?" - Management: 44%; "What percent of production apps run in the following environments?" - the per-environment figures are not reproduced here.]
50. In search of speed, organizations are moving to the next platform while carrying legacy weight.
It’s already difficult to manage. It’s going to get harder.
Now is the time to think about a comprehensive application strategy.
51. The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it creates manageability problems:
• Business App 1: Windows 2003; MSVC, COM+, etc.
• Business App 2: Windows 2008 R2; MS .NET 2.0
• Business App 3: Red Hat Linux 5; IBM WebSphere
• Business App 4: Red Hat Linux 6; Tomcat 6 / Java 7
This is frustrating because the business value is in the app. Yet you carry all of the burden to support it.
52. Heterogeneity is a reality in IT
Heterogeneous applications are the past, present and future.
How could we extract the applications' business value from the underlying infrastructure to improve its manageability?
[Diagram: Business App 1, Business App 2, Business App 3, Business App 4]
89% of respondents desire a cross-environment application packaging solution.
Source: Chef's 2018 State of Application Delivery Survey
53. Introducing Habitat
Habitat enables application teams to build, deploy, and manage any application in any environment - from traditional data centers to containerized microservices.
1. “Lift & Shift” Legacy Apps to Modern Platforms: Organizations struggle to move existing, business critical apps to modern platforms
2. Deliver on a Cloud-Native (Cloud/Containers) Strategy: Organizations hit a wall when adopting and deploying to a cloud-native platform
54. How does it work?
It splits the platform-independent part of the application from the platform-dependent part.
[Diagram: BUILD, DEPLOY, MANAGE; a platform-independent Build, then Export, then a platform-dependent Deploy; Supervisor; Ring.]
55. How does it work?
● All of the problems shown previously are a result of this pattern: building up from the operating system.
● The entire triangle becomes the artifact you carry around with you now and in the future (including sometimes the VM and the server!)
[Diagram: the traditional stack of Operating System, Libraries and Application, beside the Habitat artifact of Application & Libraries sitting on the OS.]
● Habitat builds from the application down
● Embedded supervisor as standard management interface
● Builds have strict dependency control
56. Customer Story - Modernizing Legacy Apps
The challenge:
● Large auto manufacturer moving COTS apps to next generation data center
● Example legacy app: Windows application written in Borland Delphi in 2003 - in Portuguese
● Lot of value in the app, painful to rewrite
The solution:
● Package the application and its dependencies with Habitat
● Enable the application to be deployed to any environment - next generation datacenter and beyond
● Manage the application through its lifecycle - updates, patches, etc.
● Gain manageability benefits in the new environment and maintain value of the app without rewriting
57. What They’re Saying
"With Habitat, we have an easier onramp to packaging our apps in any environment. The learning curve for our dev teams who are doing a little bit of ops as well as traditional software engineering is a lot less steep. The fact that we can radically simplify deployment processes by treating every service as an artifact is very powerful. Adopting Habitat means you have a reproducible, consistent method for build and deploy, and you can apply that model to every service or application that you're running. Once you've learned how one service is deployed or managed, you've got everything you need to figure out the next service after that."
Blake Irvin
Engineer at smartB Energy Management GmbH
“While the application portability benefits of containers are widely recognized, lack of consistency in packaging and orchestration across the application lifecycle has, in many cases, limited the success of their deployment at scale, even when using cloud-native architectures. Separating packaging, deployment concerns, and artifacts is one strategy that can empower teams to deliver on business objectives of delivering software at speed, with high quality.”
Stephen Elliot
Program Vice President at IDC
60. Example Application: sqlwebadmin
Sample application from Microsoft's Codeplex Archive
Last updated in 2008, tightly coupled to Windows 2003
[Diagram: sqlwebadmin on ASP.NET 2.0 on Windows 2003, moving to sqlwebadmin on ASP.NET 2.0 on Windows Server 2016.]
This is frustrating because the business value is in the app. Yet you carry all of the burden to support it.
61. Building sqlwebadmin
● Habitat collects application details in a plan
● The Habitat Studio provides a 'clean room' environment in which to build your artifact
● Habitat artifacts can be launched by the 'hab' CLI
63. Deploying sqlwebadmin
● Habitat services can be deployed into supervisor rings
● SQLServer 2005 is published as a core plan on bldr.habitat.sh
● Habitat artifacts use service binds to allow inter-service communication without hard-coding settings
[Diagram: a ring of six supervisors, each running a service.]
65. Managing sqlwebadmin
● Habitat artifacts define configuration tunables as variables
● Configuration settings can be updated via CLI or API on running instances or service groups
● Configuration updates automatically trigger any required run hooks within each service
[Diagram: two sqlwebadmin / ASP.NET 2.0 instances receiving a configuration change via hab config apply.]
67. Targeting Modern Runtimes
● Habitat artifacts can be natively exported to container formats like docker
● Exported artifacts can be run with runtime-specific tools (e.g. docker run, docker-compose up)
● Habitat artifacts behave consistently in servers or containers
70. Audits are...
● Time-consuming: They distract from product development.
● Stressful: Sometimes auditors or compliance personnel see themselves as the "police" rather than helping the business be successful.
● Overwhelming: Cloud scale plus an increase in regulations leads to escalating data volume.
71. Traditional Approaches Exacerbate Audit Pain
Security reviews:
• are often manual (slow);
• generate too much data from scanning-oriented approaches;
• catch problems too late in the development cycle to economically fix;
• don't manage exceptions appropriately.
76. What we have here is a communication problem
[Diagram: Compliance, Security, Dev/Ops]
77. Continuous Compliance Uses a Common Language
InSpec helps express security & compliance requirements as code and incorporate it directly into the delivery process.
Requirement: "Systems shall have a Mandatory Access Control system installed and enabled."
control 'ensure_selinux_installed' do
  impact 1.0
  title 'Ensure SELinux is installed'
  desc <<-EOD
    SELinux provides Mandatory Access Control
  EOD
  describe package('libselinux') do
    it { should be_installed }
  end
end
78. Benefits of Continuous Compliance
● Maintain an up-to-date and historical record of compliance status to satisfy both scheduled and ad-hoc audit requests
● Detect and correct security issues long before they reach production
● Reduce risk while delivering applications faster
Example: Major healthcare services provider reduced audit cycle times by 95% by continuously detecting and remediating compliance errors.
80. PCI DSS Overview
● 12 Key Requirements
● Two key requirements (9 and 12) refer to physical security and are not system-level tests
● CIS (Center for Internet Security) Benchmarks can be used as the basis of a PCI compliance policy
● Some customization is necessary. InSpec's inheritance features allow this to be easily done.
82. PCI Requirement 8
Identify and authenticate access to system components. Example control: Restrict logins to accounts (e.g. system accounts) that do not have a password.
control "cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" do
  title "Ensure SSH PermitEmptyPasswords is disabled"
  desc "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. Rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
  impact 1.0
  tag "cis-rhel7-2.1.1": "5.2.9"
  tag "level": "1"
  tag "type": ["Server", "Workstation"]
  describe sshd_config do
    its('PermitEmptyPasswords') { should eq 'no' }
  end
end
83. Control Inheritance For Reusability
require_controls 'cis-rhel7-level1-server' do
  control "xccdf_org.cisecurity.benchmarks_rule_3.6.5_Ensure_firewall_rules_exist_for_all_open_ports"
  control "xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_password_creation_requirements_are_configured"
  control "xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_system_accounts_are_non-login"
  control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_password_fields_are_not_empty"
  control "xccdf_org.cisecurity.benchmarks_rule_5.4.1.4_Ensure_inactive_password_lock_is_30_days_or_less"
  # ...
end
[Diagram: the CIS Benchmark for RHEL7, Level 1 (Chef Automate premium content) is inherited and customized into the customer-owned Customer PCI-DSS Profile.]
86. Wrap-Up
• Audits can be time-consuming and stressful without automation.
• Existing approaches like scanning or packet capture gather too much data and don't appropriately manage exceptions or customizations.
• They also leave compliance issues unchecked until too late in the process when fixing them is expensive.
• To reduce stress, save time, and make systems safer, adopt a continuous compliance approach to shift compliance left.
• InSpec and Chef Automate break down communication barriers between groups involved in compliance by introducing a common language for describing it.
• You can increase speed while decreasing risk with this approach.
87. Demo: How compliant is this cloud environment?
Technical Session
Duration: 30 minutes
88. Mapping Generic Profiles to Industry regulations
CIS maps industry specific requirements to generic CIS controls
Chef Automate provides automated tests written in InSpec that conform to the industry specifications set by regulatory bodies and many business verticals
89. Demo Flow
Demo 1 – Scanning Your Infrastructure
Demo 2 – Scanning a Chef Managed VM
Demo 3 – Configuring and Scanning Azure
90. Demo 1 Scanning Your Infrastructure
➔In the first demo we're going to use Chef Automate to perform a scan of a RHEL7 virtual machine that is running in Azure. We’ll use a PCI DSS specific profile
We will then view the scan results within the Chef Automate dashboard
➔Note:
• This virtual machine is NOT managed by Chef
• There is no Chef client on the machine - all Chef Automate needs is SSH/WinRM access
91. Demo 2 Scanning a Chef Managed VM
➔In the second demo we're going to bootstrap a RHEL7 virtual machine that is running in Azure to be managed by Chef
➔This VM will have a special 'Audit Cookbook' in its run-list, so the PCI_DSS profile executes periodically each time Chef runs and posts the results to Chef Automate, giving us Continuous Compliance
Once the bootstrap is complete, we will view the scan results within the Chef Automate dashboard
92. Demo 3 Scanning Your Azure Cloud
➔One key aspect of Chef Automate is its ability to not only scan virtual machines running in a cloud, but also to scan the cloud infrastructure itself, for example: subscriptions, networking, and storage etc
➔In our third demo we will scan your Azure environment for compliance against the 'CIS Azure Foundations Benchmark' profile
93. Conclusion
➔The InSpec profiles allow you to define Compliance as Code
➔Chef Automate includes a subscription to an extensive profile library that is supported and maintained by Chef
➔With Chef Automate you can
• Continuously evaluate compliance of your infrastructure
• Scan unmanaged infrastructure if you have SSH/WinRM access
• View real-time and historical compliance reports so you can evaluate your infrastructure's adherence to compliance over time
• Scan your cloud infrastructure
94. Next Steps
Try Chef Automate Learn Chef Rally module
https://learn.chef.io/modules/try-chef-automate#/
Integrated Compliance Learn Chef Rally Track
https://learn.chef.io/tracks/integrated-compliance#/
We also recommend the Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance
96. Shared Responsibility Model in Azure
● Cloud Providers take on an increasing
role in Security as you adopt
○ Physical Security
○ Host Infrastructure
○ Network Controls
● Azure provides many Security
Certifications
○ ISO/IEC
○ CSA/CCM
○ ITAR
○ HIPAA
○ And many more...
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
97. Shared Responsibility Model in Azure
● You still own critical portions of your
Cloud Security
○ IaaS OS
○ Application Level
○ Identity
○ Data
● Ensuring compliance against your
standards is critical
○ CIS Standards
○ PCI Standards
○ DISA STIGs
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
98. PCI Shared Responsibility
Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA) and is certified as compliant under PCI DSS version 3.2 at Service Provider Level 1.
Azure PCI DSS compliance status does not automatically translate to PCI DSS validation for the services that customers build or host on the Azure platform. Customers are responsible for ensuring that they achieve compliance with PCI DSS requirements.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
99. PCI DSS Requirement 2
Do not use vendor-supplied defaults for system passwords and other parameters
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST).
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
100. PCI DSS Requirement 2.2 Azure Responsibilities
For Microsoft Azure, the Security Services team develops security configuration standards for systems in the Microsoft Azure environment that are consistent with industry-accepted hardening standards. These configurations are documented in system baselines and relevant configuration changes are communicated to impacted teams (e.g., IPAK team).
Procedures are implemented to monitor for compliance against the security configuration standards. The security configuration standards for systems in the Microsoft Azure environment are consistent with industry-accepted hardening standards and are reviewed at least annually.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
101. PCI DSS Requirement 2.2 Customer Responsibilities
Customers are responsible for developing configuration standards for all in-scope PaaS services. Hardening standards should follow guidelines published by Microsoft Azure.
Customers are responsible for developing configuration standards for all IaaS instance builds. Additional controls for this requirement include the use of standard image file templates for server builds along with a clearly defined configuration standard. Hardening standards should follow guidelines from well-known organizations like CIS, ISO, NIST and SANS.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
102. Leveraging InSpec to Enforce Compliance
Beyond PCI DSS 2.2, there are many other controls in PCI that are based on CIS controls.
InSpec lets your teams perform scans as frequently as you need to ensure your systems remain compliant with your standards, helping you maintain your portion of the responsibility matrix.
Download the Chef Automate Guide to PCI Compliance with InSpec whitepaper at:
https://www.chef.io/resource_category/white-paper/
103. Next Steps
● Install Chef Automate trial
○ automate.chef.io
● Install an InSpec profile from the profile store
● Scan your systems with Chef Automate
● Remediate any non-compliant systems
● Set up a scanning schedule to ensure ongoing compliance
● Fine-tune profiles to your exact requirements
Reach out to your Chef team with any questions; they’ll be happy to help!
104. Workshop: The InSpec language for practitioners
Technical session
Duration: 75 minutes
105. Objectives
In this workshop we will
1. Get a workstation to play on
2. Identify a specific regulatory control and establish the corresponding technical requirements
3. Create the appropriate InSpec profile and control, and run it locally and on another student's workstation and observe that it is not compliant
4. Run the profile again locally but report to Chef Automate
5. Use Chef to make the local workstation compliant
6. Rerun the InSpec profile locally and report to Chef Automate showing that it is compliant
107. TASK
Task: Log in to your workstation
ssh azureuser@12.34.56.78
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known hosts.
chef@12.34.56.78's password: My-12-Char-Password
111. InSpec and Compliance
Many industries are bound by regulations maintained by external bodies
• Sarbanes-Oxley – Financial Regulations
• PCI – Payment Card Industry Regulations
• HIPAA – Healthcare Regulations
• GDPR – General Data Protection Regulations
• STIG – Security Protocol Regulations
• etc
Many of these rules relate to technical requirements in their application and infrastructure that they must comply with
112. Center for Internet Security
Center for Internet Security provides benchmarks for secure configuration of many platforms and applications, e.g. https://tinyurl.com/CIS-RHEL7
These rules can be referred to when creating InSpec rules for regulatory bodies' guidelines
See https://tinyurl.com/CIS-Poster
113. "The Chef Automate Guide to PCI DSS Compliance" Whitepaper
Let's look at a specific requirement from the whitepaper
Requirement 7: Restrict access to cardholder data by business need to know
1. …
2. Ensure SSH root login is disabled
"Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root only via sudo (if you’ve disabled access to "su" as in the control above). This restriction limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. The PermitRootLogin parameter specifies if the root user can login using ssh."
114. TASK
Task: Check if SSH root login is disabled
sudo grep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
This requirement maps directly to a check you can perform on the system
Of course we can check a node manually, but this isn't practical when you have 100's, or even 1000's, of nodes
The InSpec DSL is specifically designed to run such tests
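The grep above only proves the keyword appears somewhere in the file; both matches are comments, so the compiled-in default is what actually applies. As an added example (not from the slides, and not the InSpec sshd_config resource itself), here is a small pure-Ruby evaluator for the two SSH checks from slides 82 and 113 that applies sshd's own parsing rules: comments and blank lines ignored, keywords case-insensitive, first value wins, and anything after a Match line kept out of the global result. The defaults for unset keywords (PermitRootLogin prohibit-password on OpenSSH 7.0 and later, PermitEmptyPasswords no), the control ids and the sample configs are assumptions constructed for the example.

```ruby
# Added example, not from the slides: a minimal sshd_config evaluator that
# applies sshd's parsing rules instead of grepping for a keyword.
#   - blank lines and '#' comments are ignored ("#PermitRootLogin yes" sets nothing)
#   - keywords are case-insensitive; "Key value" and "Key=value" are both accepted
#   - the FIRST value given for a keyword wins; later repeats are ignored
#   - settings after a "Match" line are conditional, so global parsing stops there
# Assumed compiled-in defaults for unset keywords (OpenSSH 7.0 and later).
SSHD_DEFAULTS = {
  'permitrootlogin'      => 'prohibit-password',
  'permitemptypasswords' => 'no'
}.freeze

# The two SSH checks from the slides, as data. The ids are constructed, not CIS ids.
SSH_CONTROLS = [
  { id: 'ssh-root-login',      keyword: 'PermitRootLogin',
    expect: 'no', title: 'Ensure SSH root login is disabled' },
  { id: 'ssh-empty-passwords', keyword: 'PermitEmptyPasswords',
    expect: 'no', title: 'Ensure SSH PermitEmptyPasswords is disabled' }
].freeze

# Parse sshd_config text into a Hash of effective global settings
# (lower-cased keyword => first value seen).
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*[=\s]\s*/, 2)
    next if value.nil? || value.empty?
    keyword = keyword.downcase
    break if keyword == 'match'       # everything below is conditional
    settings[keyword] ||= value.strip # first occurrence wins
  end
  settings
end

# Evaluate every control against the parsed settings, falling back to the
# assumed default when the keyword is not set explicitly.
def evaluate_ssh_controls(config_text)
  settings = parse_sshd_config(config_text)
  SSH_CONTROLS.map do |c|
    key = c[:keyword].downcase
    explicit = settings.key?(key)
    actual = explicit ? settings[key] : SSHD_DEFAULTS[key]
    {
      id: c[:id], title: c[:title], keyword: c[:keyword],
      expected: c[:expect], actual: actual,
      source: explicit ? 'explicit' : 'default',
      status: actual.to_s.downcase == c[:expect] ? 'passed' : 'failed'
    }
  end
end

# Constructed sample mirroring the slide's grep output: the only mention of
# PermitRootLogin is commented out, so the default applies and the control fails.
SAMPLE_DEFAULT_CONFIG = <<~CONF
  # Authentication:
  #PermitRootLogin yes
  # the setting of "PermitRootLogin without-password".
  PasswordAuthentication yes
  PermitEmptyPasswords no
CONF

# Constructed sample where a naive "last match wins" reading looks compliant,
# but sshd honours the first value ("yes").
SAMPLE_FIRST_WINS_CONFIG = <<~CONF
  PermitRootLogin yes
  PermitRootLogin no
  PermitEmptyPasswords no
CONF

# Constructed hardened sample: lower-case keyword, "=" separator, and a Match
# block whose value must not leak into the global result.
SAMPLE_HARDENED_CONFIG = <<~CONF
  permitrootlogin no
  PermitEmptyPasswords=no
  Match User backup
    PermitRootLogin yes
CONF

if $PROGRAM_NAME == __FILE__
  { 'default-only' => SAMPLE_DEFAULT_CONFIG,
    'first-wins'   => SAMPLE_FIRST_WINS_CONFIG,
    'hardened'     => SAMPLE_HARDENED_CONFIG }.each do |name, cfg|
    puts "== #{name}"
    evaluate_ssh_controls(cfg).each do |r|
      puts "#{r[:status].upcase.ljust(6)} #{r[:title]} " \
           "(#{r[:keyword]}=#{r[:actual]}, #{r[:source]})"
    end
  end
end
```

The real InSpec sshd_config resource handles these rules for you; the point of the example is that the control's result depends on the effective value, not on whether the keyword text appears in the file.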
115. No Consistency in Commands
● PermitRootLogin Configured?
● SSH v2 Configured?
● Using TLS or SSL?
● Does user 'foo' have sudo access?
● Does user 'foo' have write access to /etc?
• No consistency on command structure, syntax, & command line switches
• All configuration files are proprietary
• They're platform specific (RHEL, Debian, Windows, …)
116. What is InSpec?
InSpec provides a consistent DSL that is platform agnostic to check the status of any component: packages, files, users, …
Complex implementation code is abstracted out
Many InSpec profiles exist in the community, and Chef supplies, maintains and supports 100+ profiles aligned to industry specific compliance regulations
117. TASK
The InSpec Command Line Interface
inspec --help
Commands:
inspec archive PATH # archive a profile to tar.gz (default) or zip
inspec artifact SUBCOMMAND ... # Sign, verify and install artifacts
inspec check PATH # verify all tests at the specified PATH
inspec compliance SUBCOMMAND ... # Chef Compliance commands
inspec detect # detect the target OS
inspec env # Output shell-appropriate completion configuration
inspec exec PATHS # run all test files at the specified PATH.
inspec habitat SUBCOMMAND ... # Commands for InSpec + Habitat Integration
inspec help [COMMAND] # Describe available commands or one specific command
...
inspec init creates a profile
inspec check verifies the compliance profile code that you write
inspec exec will run the tests against a system
118. TASK
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
Create new profile at /home/azureuser/profiles/ssh
 * Create file README.md
 * Create directory controls
 * Create file controls/example.rb
 * Create file inspec.yml
 * Create directory libraries
119. TASK
Use the 'inspec' command to initialise (i.e. create) a profile called 'ssh' in the '~/profiles' directory.
121. The Anatomy of a Control File
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
  it { should be_directory }
end
control 'tmp-1.0' do
  tag 'tmp'
  tag dir: '/tmp'
  ref 'NSA-RH6 - Section 3.5.2.1'
  impact 0.7
  title 'Create /tmp directory'
  desc 'An optional description...'
  describe file('/tmp') do
    it { should be_directory }
  end
end
● A control file within a profile contains
  ○ Some boilerplate information and a title
  ○ One or more describe statements, each containing one or more tests
  ○ describe statements may be grouped within control statements
  ○ control statements may include extra metadata defining for example
    ■ a unique ID for this control
    ■ the criticality, if this control fails
    ■ a human-readable title and description
    ■ reference documentation
125. TASK
Task: Remove example controls file
rm /home/azureuser/profiles/ssh/controls/example.rb
Bit of housekeeping – we don’t need the default controls file
126. TASK
Task: Create Controls File 'PermitRootLogin.rb'
vi ~/profiles/ssh/controls/PermitRootLogin.rb
control "cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled" do
  title "Ensure SSH root login is disabled"
  desc "The PermitRootLogin parameter ..."
  impact 1.0
  tag "cis-rhel7-2.1.1": "5.2.8"
  tag "level": "1"
  tag "type": ["Server", "Workstation"]
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end
Even Cheatier
cp ~/.PermitRootLogin.rb ~/profiles/ssh/controls/PermitRootLogin.rb
Cheat Sheet
https://goo.gl/38AFhn
Click ⌘+a, ⌘+c
127. Mapping Compliance Documents to InSpec
Requirement ↔ InSpec Control
control "cisecurity.benchmarks_rule_5.2.8…" do
  title "Ensure SSH root login is disabled"
  desc "The PermitRootLogin parameter ..."
  impact 1.0
  tag "cis-rhel7-2.1.1": "5.2.8"
  tag "level": "1"
  tag "type": ["Server", "Workstation"]
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end
Each control statement relates to a specific compliance regulation.
The CIS doc even gives details for a remediation cookbook! More on this later.
133. Executing our code
● We now need to execute our InSpec profile
● We will use the inspec exec command to do this
134. TASK
Task: Run profile locally with InSpec command
sudo inspec exec profiles/ssh
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
  × cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled
    × SSHD Configuration PermitRootLogin should eq "no"
    expected: "no"
         got: nil
    (compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
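The `got: nil` above is the commented-out default seen in the grep on slide 114. As an added example (not the workshop's code and not InSpec's own sshd_config resource), the plain Ruby below models what the control asserts; the function names and sample configs are constructed for this illustration.

```ruby
# Added example, not workshop code and not InSpec's sshd_config resource: a
# plain-Ruby model of what the control asserts, using sshd_config(5) rules:
# keywords are case-insensitive, "#" lines are comments, "Key value" and
# "Key=value" are both accepted, and for a keyword the FIRST value wins, so
# a later line never overrides an earlier one. Settings inside a "Match"
# block are conditional, so the global value is read only from lines before
# the first Match. Not modelled: "Include" drop-ins, which must be checked too.

# Effective global value of `keyword`, or nil when it is never set and sshd
# falls back to its compiled-in default (which is not "no").
def effective_sshd_setting(config_text, keyword)
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    break if key.casecmp?('Match')            # conditional section begins
    return value&.strip if key.casecmp?(keyword)
  end
  nil
end

# What the profile's `its('PermitRootLogin') { should eq 'no' }` expresses.
# A commented-out line (the distro default) yields nil: the `got: nil`
# failure in the InSpec run above.
def root_login_disabled?(config_text)
  effective_sshd_setting(config_text, 'PermitRootLogin') == 'no'
end

# Constructed sample configs, modelled on the grep output from slide 114.
DEFAULT_CONFIG = <<~CONF
  #LoginGraceTime 2m
  #PermitRootLogin yes
  # the setting of "PermitRootLogin without-password".
  #StrictModes yes
CONF

REMEDIATED_CONFIG = <<~CONF
  #LoginGraceTime 2m
  #PermitRootLogin yes
  PermitRootLogin no
  #StrictModes yes
CONF

if __FILE__ == $PROGRAM_NAME
  { default: DEFAULT_CONFIG, remediated: REMEDIATED_CONFIG }.each do |name, cfg|
    value = effective_sshd_setting(cfg, 'PermitRootLogin')
    puts "#{name}: PermitRootLogin=#{value.inspect} disabled=#{root_login_disabled?(cfg)}"
  end
end
```

Because the first value wins, a `grep | tail -1` style manual check can report the wrong line; the function above stops at the first match, as sshd does.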
136. TASK
Task: Execute your profile on the remote target
inspec exec ~/profiles/ssh -t ssh://azureuser@104.211.54.213 --password My-12-Char-Password --sudo
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: ssh://azureuser@40.114.121.121:22
  × cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled
    × SSHD Configuration PermitRootLogin should eq "no"
    expected: "no"
         got: nil
    (compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Note the 'Target' is specified in the output
137. InSpec and Chef Automate
● InSpec and Chef Automate go hand-in-hand to detect and report on compliance issues
● InSpec profiles can be executed 'ad hoc' or at the end of each chef-client run, and report back to Chef Automate
139. TASK
Run InSpec and Send Results to Chef Automate
sudo inspec exec ~/profiles/ssh --json-config reporter.json
Note: if you're using Chef on your nodes, InSpec can be invoked on every chef-client run and the report sent back to Chef Automate to ensure continuous compliance.
141. Key Takeaways
● The format of the InSpec DSL fits neatly with the documents created by
industry-specific compliance regulatory bodies
● InSpec allows you to write those specifications as platform agnostic code
What's next…?
• In the next section we'll look at how you can use Chef to correct your
infrastructure
143. Detect and Correct
● Chef Automate not only allows you to invoke compliance scans across your
estate but it also facilitates remediation
● Chef builds out remediation cookbooks for all InSpec profiles on Chef
Automate
● For simplicity now we will run a simple remediation cookbook for our SSH
InSpec Profile on the local node
144. TASK
For expediency, the Cookbook is Already on the Workstation
tree .chef
.chef/
└── cookbooks
    └── ssh-remediation
        ├── Berksfile
        ├── CHANGELOG.md
        ├── chefignore
        ├── LICENSE
        ├── metadata.rb
        ├── README.md
        ├── recipes
        │   └── default.rb
        ├── templates
        │   └── sshd_config.erb
        ...
10 directories, 11 files
145. TASK
View the Chef Recipe and Template File
cat .chef/cookbooks/ssh-remediation/recipes/default.rb
...
# Render the cookbook's sshd_config.erb template (see the tree on the previous
# slide) over the daemon's config; the slide showed ssh_config, which is the
# client file and does not carry PermitRootLogin.
template '/etc/ssh/sshd_config' do
  source 'sshd_config.erb'
end
...
cat .chef/cookbooks/ssh-remediation/templates/sshd_config.erb -n
Line 50
...
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
...
146. TASK
Run the cookbook on the local machine
chef-run azureuser@localhost ssh-remediation::default --password My-12-Char-Password
[✔] Packaging cookbook... done!
[✔] Generating local policyfile... exporting... done!
[✔] Applying ssh-remediation::default from /home/azureuser/.chef/cookbooks/ssh-remediation to target.
└── [✔] [localhost] Successfully converged ssh-remediation::default.
147. TASK
Rerun the InSpec Test
sudo inspec exec profiles/ssh
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
  ✔ cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled
    ✔ SSHD Configuration PermitRootLogin should eq "no"
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
148. TASK
Post Results in Chef Automate
sudo inspec exec profiles/ssh/ --json-config reporter.json
149. View Scan History
● Click the 'Scan History' button to see a compliance history for this node
● The corresponding 'Event Feed' for this node will identify what changes occurred on a node to bring it into, or out of, compliance
150. Next Steps
LearnChef Rally
● Try Chef Automate module
https://learn.chef.io/modules/try-chef-automate#/
● Integrated Compliance Track
https://learn.chef.io/tracks/integrated-compliance#/
● Compliance Automation with InSpec Track
https://learn.chef.io/tracks/compliance-automation#/
Also, Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance