Sonatype , profile picture
Uploaded bySonatype
PPTX, PDF978 views

Compliance as Code - Using the Open Source InSpec testing Framework

The document discusses the concept of 'Compliance as Code' using InSpec, presented by George Miranda, emphasizing the importance of integrating compliance into the development workflow to enhance security and operational velocity. It covers the historical context of IT compliance, common regulatory requirements, and how InSpec transforms compliance and security requirements into code for efficient testing and validation. Additionally, it highlights the evolving role of the compliance officer and the collaborative nature of security within development teams.

Embed presentation

Downloaded 30 times
November 15, 2016 Compliance as Code - using InSpec George Miranda, Product Marketing Director, Chef Software Inc.
Introductions George Miranda Director of Product Marketing @gmiranda23 • Distributed Systems Engineer • I play a developer on TV • At Chef for 4+ years Technical Evangelist Consultant BizDev Product Marketing • Spent a majority of my career in "the Enterprise" • I've had to go through MANY security audits in my career
Agenda • Constraints & myths • The role of InfoSec at velocity • Compliance as Code • An introduction to InSpec • Q&A @gmiranda23
Time, Cost, and Quality “Speed is the only dimension that matters” – Veresh Sita, CIO, Alaska Airlines @gmiranda23
QUALITY VELOCITY Innovation Quality/ Security/ Compliance The tradeoff myth @gmiranda23
The rise of IT Compliance • Continued security vulnerabilities created a need for IT compliance 1988 Morris Worm, National Bank Chicago $70M theft 1994 AOHell, Citibank $10M hack 1996 Brotherhood hacks, Canadian Broadcast Corp. 1998 Free Mitnick Logic Bomb Security incidents at 75% of IT organizations @gmiranda23
The State of Security in XXXX • In 60% of cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report@gmiranda23
The State of Security in 2014 • In 60% of cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report@gmiranda23
The cycle of regulation Loophole Exploitation Scandal Regulation @gmiranda23
Compliance and Security Compliance Security @gmiranda23
Offer baseline security and isolation layers @gmiranda23
Regulatory Compliance • PCI-DSS • Gramm-Leach-Bliley Act • HIPAA • Dodd-Frank • ISO • Sarbanes-Oxley • HITECH • Grundschutz European • Central Bank Regulations @gmiranda23
How most orgs handle these requirements
The promise of the coded business @gmiranda23
The conflict between compliance and velocity @gmiranda23
@gmiranda23
@gmiranda23
@gmiranda23
InSpec turns infrastructure testing, compliance, and security requirements into code Stats: 86 Releases, 59 Contributors, 2.900 Commits @gmiranda23
The changing role of the compliance officer @gmiranda23
Differences in verifying compliance policy Documentation SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. @gmiranda23
Differences in verifying compliance policy Scripting Tools > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 @gmiranda23
Differences in verifying compliance policy Compliance Language describe sshd_config do its('Protocol') { should eq 2 } end @gmiranda23
Differences in verifying compliance policy Compliance Language control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @gmiranda23
InSpec for Windows control 'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key('HKLMSystemCurrentControlSetControlLsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end @gmiranda23
Different ways to run InSpec Test your machine locally > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 No ruby/agent on the node @gmiranda23
Different ways to run InSpec Test a machine remotely via WinRM > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 no SSH/agent in the container No ruby/agent on the node @gmiranda23
Different ways to run InSpec Database testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end @gmiranda23
Mapping of Compliance Document to InSpec @gmiranda23
InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening Profile Linux Patch Profile https://github.com/dev-sec@gmiranda23
InSpec Profiles Windows Patch Profile OS Hardening Profile SSH Hardening Profile Linux Patch Profile https://github.com/dev-sec@gmiranda23
InSpec Profiles @gmiranda23
Security meets operations @gmiranda23
Each team uses separate tools @gmiranda23
Unified language @gmiranda23
@gmiranda23
@gmiranda23
Continuous Workflow CorrectDetect @gmiranda23
Continuous Workflow @gmiranda23
Works with all DevOps tools e.g. @gmiranda23
Shifting InfoSec to the left Source: Sciencing the Crap Out of DevOps – Dr. Nicole Forsgren @gmiranda23
Further Resources inspec.io • Hands on tutorials • Extensive documentation • Code examples learn.chef.io • More tutorials about Compliance and Inspec
Further Resources Save Your Crash Dummies! A Test-driven Infrastructure Solution http://bit.ly/crash_dummies @gmiranda23
Q&A Save Your Crash Dummies A Test-driven Infrastructure Solution Video: http://bit.ly/crash_dummies @gmiranda23 http://inspec.io http://learn.chef.io $ inspec exec <url> https://github.com/dev-sec/tests-ssh-hardening https://github.com/dev-sec/windows-patch- benchmark https://github.com/dev-sec/linux-patch- benchmark
November 15, 2016
November 15, 2016

More Related Content

PPTX
Compliance Automation with Inspec Part 1
byChef
 
PPTX
Compliance Automation with Inspec Part 3
byChef
 
PDF
Chef compliance - Intermediate Training
bySarah Hynes Cheney
 
PPTX
Compliance Automation with InSpec
byNathen Harvey
 
PPTX
Compliance Automation with Inspec Part 2
byChef
 
PDF
Intermediate/Compliance training Guide
byChef
 
PPTX
Achieving DevOps Success with Chef Automate
byChef
 
PDF
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 
Compliance Automation with Inspec Part 1
byChef
 
Compliance Automation with Inspec Part 3
byChef
 
Chef compliance - Intermediate Training
bySarah Hynes Cheney
 
Compliance Automation with InSpec
byNathen Harvey
 
Compliance Automation with Inspec Part 2
byChef
 
Intermediate/Compliance training Guide
byChef
 
Achieving DevOps Success with Chef Automate
byChef
 
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 

What's hot

PPTX
Application Automation with Habitat
byChef
 
PDF
Cooking Up Windows with Chef Automate
byMatt Ray
 
PPTX
London Community Summit - Chef at SkyBet
byChef
 
PPTX
Compliance Automation with Inspec Part 4
byChef
 
PDF
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
 
PDF
Bay Area Chef Meetup February
byJessica DeVita
 
PPTX
Chef Compliance & Workflow w/Delivery
byChef
 
PDF
Compliance as Code
byMatt Ray
 
PDF
Twelve-Factor App: Software Application Architecture
bySigfred Balatan Jr.
 
PDF
Compliance as Code Everywhere
byMatt Ray
 
PDF
KKBOX WWDC17 Performance and Testing - Hokila
byLiyao Chen
 
PPTX
Chef Hack Day Denver
byChef
 
PDF
Veracode Integration Adapter - Datasheet
byKovair
 
PDF
Delivery pipelines at Symphony Talent - Present and Future
byNathan Jones
 
PDF
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
PDF
New Products Overview: Use Cases and Demos
byCaitlin Magat
 
PDF
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
byDevOps.com
 
PDF
Your Resolution for 2018: Five Principles For Securing DevOps
byDevOps.com
 
PDF
Prepare to defend thyself with Blue/Green
bySonatype
 
PDF
HashiTalks 2020 - Chef Tools & Terraform: Better Together
byMatt Ray
 
Application Automation with Habitat
byChef
 
Cooking Up Windows with Chef Automate
byMatt Ray
 
London Community Summit - Chef at SkyBet
byChef
 
Compliance Automation with Inspec Part 4
byChef
 
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
 
Bay Area Chef Meetup February
byJessica DeVita
 
Chef Compliance & Workflow w/Delivery
byChef
 
Compliance as Code
byMatt Ray
 
Twelve-Factor App: Software Application Architecture
bySigfred Balatan Jr.
 
Compliance as Code Everywhere
byMatt Ray
 
KKBOX WWDC17 Performance and Testing - Hokila
byLiyao Chen
 
Chef Hack Day Denver
byChef
 
Veracode Integration Adapter - Datasheet
byKovair
 
Delivery pipelines at Symphony Talent - Present and Future
byNathan Jones
 
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
New Products Overview: Use Cases and Demos
byCaitlin Magat
 
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
byDevOps.com
 
Your Resolution for 2018: Five Principles For Securing DevOps
byDevOps.com
 
Prepare to defend thyself with Blue/Green
bySonatype
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
byMatt Ray
 

Viewers also liked

PDF
Modern Infrastructure Automation
bySonatype
 
PPTX
London Community Summit 2016 - Community Update
byChef
 
PPTX
INSPEC
byJessica Danielle Smith
 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
PDF
Automating Security in Building Software
bySonatype
 
PPTX
Starting and Scaling DevOps In the Enterprise
bySonatype
 
PPTX
DevOps and Continuous Delivery Reference Architectures - Volume 2
bySonatype
 
PDF
Multi Security Checkpoints on DevOps Platform
bySonatype
 
PPTX
DevOps and Continuous Delivery Reference Architectures (including Nexus and o...
bySonatype
 
Modern Infrastructure Automation
bySonatype
 
London Community Summit 2016 - Community Update
byChef
 
INSPEC
byJessica Danielle Smith
 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
Automating Security in Building Software
bySonatype
 
Starting and Scaling DevOps In the Enterprise
bySonatype
 
DevOps and Continuous Delivery Reference Architectures - Volume 2
bySonatype
 
Multi Security Checkpoints on DevOps Platform
bySonatype
 
DevOps and Continuous Delivery Reference Architectures (including Nexus and o...
bySonatype
 

Similar to Compliance as Code - Using the Open Source InSpec testing Framework

PDF
Compliance Automation with InSpec
byChristoph Hartmann
 
PDF
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
PDF
Mitigate potential compliance risks
byJürgen Brüder
 
PPTX
InSpec - June 2018 at Open28.be
byMandi Walls
 
PDF
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
PDF
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
PDF
Philly security shell meetup
byNicole Johnson
 
PPTX
Building Security into Your Workflow with InSpec
byMandi Walls
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PDF
InSpec Keynote at ChefConf
byChristoph Hartmann
 
PDF
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
PPTX
Ingite Slides for InSpec
byMandi Walls
 
PPTX
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
PPTX
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
PDF
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
PPTX
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
PPTX
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 
Compliance Automation with InSpec
byChristoph Hartmann
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
Mitigate potential compliance risks
byJürgen Brüder
 
InSpec - June 2018 at Open28.be
byMandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
Philly security shell meetup
byNicole Johnson
 
Building Security into Your Workflow with InSpec
byMandi Walls
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
InSpec Keynote at ChefConf
byChristoph Hartmann
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
Ingite Slides for InSpec
byMandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 

More from Sonatype

PPTX
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
30+ Nexus Integrations to Accelerate DevOps
bySonatype
 
PDF
2017 DevSecOps Survey
bySonatype
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
PDF
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
bySonatype
 
PPTX
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
PDF
Serverless and the Way Forward
bySonatype
 
PDF
A Small Association's Journey to DevOps w/ Edward Ruiz
bySonatype
 
PDF
What's My Security Policy Doing to My Help Desk w/ Chris Swan
bySonatype
 
PDF
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
bySonatype
 
PDF
Static Analysis For Security and DevOps Happiness w/ Justin Collins
bySonatype
 
PDF
System Hardening Using Ansible
bySonatype
 
PDF
There is No Server: Immutable Infrastructure and Serverless Architecture
bySonatype
 
PDF
Getting out of the Job Jungle with Jenkins
bySonatype
 
PDF
Continuous Everyone: Engaging People Across the Continuous Pipeline
bySonatype
 
PDF
The Road to Continuous Deployment
bySonatype
 
PDF
Docker Inside/Out: The 'Real' Real- World World of Stacking Containers in pro...
bySonatype
 
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
2019 DevSecOps Reference Architectures
bySonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
DevSecOps reference architectures 2018
bySonatype
 
30+ Nexus Integrations to Accelerate DevOps
bySonatype
 
2017 DevSecOps Survey
bySonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
bySonatype
 
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
Serverless and the Way Forward
bySonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
bySonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
bySonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
bySonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
bySonatype
 
System Hardening Using Ansible
bySonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
bySonatype
 
Getting out of the Job Jungle with Jenkins
bySonatype
 
Continuous Everyone: Engaging People Across the Continuous Pipeline
bySonatype
 
The Road to Continuous Deployment
bySonatype
 
Docker Inside/Out: The 'Real' Real- World World of Stacking Containers in pro...
bySonatype
 

Recently uploaded

PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 

Compliance as Code - Using the Open Source InSpec testing Framework

  • 1.
    November 15, 2016 Complianceas Code - using InSpec George Miranda, Product Marketing Director, Chef Software Inc.
  • 2.
    Introductions George Miranda Director ofProduct Marketing @gmiranda23 • Distributed Systems Engineer • I play a developer on TV • At Chef for 4+ years Technical Evangelist Consultant BizDev Product Marketing • Spent a majority of my career in "the Enterprise" • I've had to go through MANY security audits in my career
  • 3.
    Agenda • Constraints &myths • The role of InfoSec at velocity • Compliance as Code • An introduction to InSpec • Q&A @gmiranda23
  • 4.
    Time, Cost, andQuality “Speed is the only dimension that matters” – Veresh Sita, CIO, Alaska Airlines @gmiranda23
  • 5.
  • 6.
    The rise ofIT Compliance • Continued security vulnerabilities created a need for IT compliance 1988 Morris Worm, National Bank Chicago $70M theft 1994 AOHell, Citibank $10M hack 1996 Brotherhood hacks, Canadian Broadcast Corp. 1998 Free Mitnick Logic Bomb Security incidents at 75% of IT organizations @gmiranda23
  • 7.
    The State ofSecurity in XXXX • In 60% of cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report@gmiranda23
  • 8.
    The State ofSecurity in 2014 • In 60% of cases, attackers can compromise an organization within minutes • 99.9% of compromises exploited vulnerabilities more than a year after the vulnerability was published • Ten vulnerabilities account for 97% of the exploits observed Source: Verizon Data Breach Report@gmiranda23
  • 9.
    The cycle ofregulation Loophole Exploitation Scandal Regulation @gmiranda23
  • 10.
  • 11.
    Offer baseline securityand isolation layers @gmiranda23
  • 12.
    Regulatory Compliance • PCI-DSS •Gramm-Leach-Bliley Act • HIPAA • Dodd-Frank • ISO • Sarbanes-Oxley • HITECH • Grundschutz European • Central Bank Regulations @gmiranda23
  • 13.
    How most orgshandle these requirements
  • 15.
    The promise ofthe coded business @gmiranda23
  • 16.
    The conflict betweencompliance and velocity @gmiranda23
  • 17.
  • 18.
  • 19.
  • 20.
    InSpec turns infrastructuretesting, compliance, and security requirements into code Stats: 86 Releases, 59 Contributors, 2.900 Commits @gmiranda23
  • 21.
    The changing roleof the compliance officer @gmiranda23
  • 22.
    Differences in verifyingcompliance policy Documentation SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. @gmiranda23
  • 23.
    Differences in verifyingcompliance policy Scripting Tools > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 @gmiranda23
  • 24.
    Differences in verifyingcompliance policy Compliance Language describe sshd_config do its('Protocol') { should eq 2 } end @gmiranda23
  • 25.
    Differences in verifyingcompliance policy Compliance Language control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @gmiranda23
  • 26.
    InSpec for Windows control'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key('HKLMSystemCurrentControlSetControlLsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end @gmiranda23
  • 27.
    Different ways torun InSpec Test your machine locally > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 No ruby/agent on the node @gmiranda23
  • 28.
    Different ways torun InSpec Test a machine remotely via WinRM > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 no SSH/agent in the container No ruby/agent on the node @gmiranda23
  • 29.
    Different ways torun InSpec Database testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end @gmiranda23
  • 30.
    Mapping of ComplianceDocument to InSpec @gmiranda23
  • 31.
    InSpec Profiles Windows Patch Profile OSHardening Profile SSH Hardening Profile Linux Patch Profile https://github.com/dev-sec@gmiranda23
  • 32.
    InSpec Profiles Windows Patch Profile OSHardening Profile SSH Hardening Profile Linux Patch Profile https://github.com/dev-sec@gmiranda23
  • 33.
  • 34.
  • 35.
    Each team usesseparate tools @gmiranda23
  • 36.
  • 37.
  • 38.
  • 40.
  • 41.
  • 42.
    Works with allDevOps tools e.g. @gmiranda23
  • 43.
    Shifting InfoSec tothe left Source: Sciencing the Crap Out of DevOps – Dr. Nicole Forsgren @gmiranda23
  • 44.
    Further Resources inspec.io • Handson tutorials • Extensive documentation • Code examples learn.chef.io • More tutorials about Compliance and Inspec
  • 45.
    Further Resources Save YourCrash Dummies! A Test-driven Infrastructure Solution http://bit.ly/crash_dummies @gmiranda23
  • 46.
    Q&A Save Your CrashDummies A Test-driven Infrastructure Solution Video: http://bit.ly/crash_dummies @gmiranda23 http://inspec.io http://learn.chef.io $ inspec exec <url> https://github.com/dev-sec/tests-ssh-hardening https://github.com/dev-sec/windows-patch- benchmark https://github.com/dev-sec/linux-patch- benchmark
  • 47.
  • 48.