DevSec Delight with Compliance as Code
Matt Ray
Manager/Solutions Architect APJ
Chef
matt@chef.io
@mattray
Software Defined Talk
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage
• Description
  • This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
  • This allows attackers to identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities are dependent upon specific software versions.
• How to Test
  • In order to test for the ServerTokens configuration, one should check the Apache configuration file.
• Misconfiguration
  • ServerTokens Full
• Remediation
  • Configure the ServerTokens directive in the Apache configuration to a value of Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is returned on every page request.
  • ServerTokens Prod
  • or
  • ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Passed the Audit
Compliance
"Two-thirds of organizations did not adequately test the security of all in-scope systems"
Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Security != Compliance
Security Theatre
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
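The two one-liners above (first shown on the SSH and Apache slides, repeated here as the "Shell Scripts" approach) are easy to fool. grep "^Protocol" misses an indented or lowercase keyword (sshd_config keywords are case-insensitive), sed hands back whichever matching line comes first even though Apache applies the last ServerTokens it reads, both print nothing when the directive is absent although an absent ServerTokens means Full, and neither looks inside Include'd files. The block below is an added example, not code from the slides or from InSpec: plain Ruby that parses the two config formats and evaluates the same two controls, with a function that mimics the one-liner so the difference is visible. The sample configs are constructed for the example, and the control IDs are made up. In InSpec itself this is what the sshd_config and apache_conf resources listed further down do for you. One caveat the slide does not mention: OpenSSH 7.4 and later removed server-side SSHv1 entirely, so on those builds the Protocol keyword is obsolete and the meaningful check is the sshd version.

```ruby
# Added example: evaluate the two slide controls against parsed configuration
# instead of an exact "^Directive" grep. Sample configs are constructed here;
# they do not come from a real host.

SAMPLE_SSHD_CONFIG = <<~CONF
  # Lowercase keyword plus leading whitespace: grep "^Protocol" misses this line
    protocol 2,1
  PermitRootLogin no
CONF

SAMPLE_HTTPD_CONFIG = <<~CONF
  ServerTokens Prod
  # Apache applies the LAST occurrence; the one-liner reports the first
  servertokens Full
CONF

# What the slide one-liner does: lines starting exactly with the directive,
# directive name stripped (grep "^X" | sed 's/X //').
def one_liner(config_text, directive)
  config_text.each_line.grep(/^#{directive}/).map { |l| l.sub("#{directive} ", '').strip }
end

# Parse "Keyword value" lines into lowercased keyword => [values...], in file
# order, ignoring comments, blank lines and indentation. (Match blocks in
# sshd_config and Include'd Apache files are out of scope for this example.)
def parse_directives(text)
  directives = Hash.new { |h, k| h[k] = [] }
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    directives[key.downcase] << value.to_s.strip
  end
  directives
end

# sshd_config: OpenSSH uses the FIRST value it finds for a keyword. An absent
# Protocol line is treated as a finding: the default depends on the OpenSSH
# build, so the file alone cannot prove SSHv1 is off.
def check_ssh_protocol(config_text)
  values = parse_directives(config_text)['protocol']
  return [false, 'Protocol not set explicitly; default depends on the OpenSSH build'] if values.empty?
  versions = values.first.split(',').map(&:strip)
  return [false, "Protocol #{values.first} still allows SSHv1"] if versions.include?('1')
  [true, "Protocol #{values.first}"]
end

# httpd.conf: Apache uses the LAST occurrence, directive names are
# case-insensitive, and Full is the default when the directive is unset.
def check_server_tokens(config_text)
  values = parse_directives(config_text)['servertokens']
  effective = values.empty? ? 'Full' : values.last
  ok = %w[prod productonly].include?(effective.downcase)
  [ok, "ServerTokens #{effective}#{values.empty? ? ' (default, not set)' : ''}"]
end

# Run both controls and return { control_id => [passed, detail] }.
def run_controls(sshd_text, httpd_text)
  {
    'ssh-protocol-2' => check_ssh_protocol(sshd_text),   # hypothetical control IDs
    'apache-servertokens-prod' => check_server_tokens(httpd_text),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "one-liner sshd:  #{one_liner(SAMPLE_SSHD_CONFIG, 'Protocol').inspect}"
  puts "one-liner httpd: #{one_liner(SAMPLE_HTTPD_CONFIG, 'ServerTokens').inspect}"
  run_controls(SAMPLE_SSHD_CONFIG, SAMPLE_HTTPD_CONFIG).each do |id, (passed, detail)|
    puts "#{passed ? 'PASS' : 'FAIL'}  #{id}: #{detail}"
  end
end
```

Against the constructed samples the one-liners report nothing for sshd (so the audit "passes") and "Prod" for Apache, while the parsed checks fail both: SSHv1 is still enabled and the effective ServerTokens is Full. Whether you keep a script like this or move to InSpec, the point is the same: assert on the effective setting the daemon will use, not on the first line that happens to match a regex.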
Infrastructure Code
package 'httpd' do
action :install
end
service 'httpd' do
action [ :start, :enable ]
end
We Have A Communications Problem
Compliance Language
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Examples of Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum
What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs
DB Testing
Cloud Testing
InSpec
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test a Docker container
> inspec exec test.rb -t docker://5cc8837bb6a8
(A literal password on the command line, as in the WinRM example, ends up in shell history and the process list; prefer key authentication as in the SSH example and keep passwords off the command line.)
AGENTLESS
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs, Cloud Platforms, ...
Open Source Community
•https://inspec.io
•https://github.com/chef/inspec
•https://supermarket.chef.io
•https://learn.chef.io
•#inspec in https://chefcommunity.slack.com
Step one: Detect
Gain visibility into current status to satisfy audits and drive decision-making
55% of organizations do compliance assessments inconsistently or not at all.
Apply policies and gain a complete view across the fleet
▪ Accurately assess risk
▪ Prioritize remediation actions
▪ Maintain audit readiness
▪ Create and adjust policies
"Continuous visibility means that you enter into audits knowing the outcome."
Jon Williams, NIU
Step two: Correct
Remediate issues to improve performance and security
▪ Prioritize actions based on impact
▪ Improve application performance
▪ Close security holes
▪ Prove policy compliance
Develop, test, and deploy remediation to address issues across the fleet
58% of organizations need days or longer to remediate issues.
Web & Media Giant: Can patch 250,000 nodes within 6 hours of a patch being made available
Step three: Automate
Deploy applications faster and manage risk continuously
▪ Increase speed while reducing risk
▪ Improve software change efficiency
▪ Maintain security and compliance
▪ Align DevOps and InfoSec
Deploy applications with confidence
59% of organizations do not assess for compliance until code is running in production.
Every resource and app in HPC environment automatically qualified as compliant with FDA standards before deployment
The journey to continuous compliance
Detect
Correct
Automate
1. Detect
Gain visibility and develop baselines
2. Correct
Remediate priority issues
3. Automate
Continuously detect & correct
Chef Automate enables the entire journey
Detect
▪ Test against industry benchmarks
▪ Report and address audit needs
Correct
▪ Close detect/correct loop in one platform
▪ Develop baselines for automation
Automate
▪ Detect and correct before production
▪ Single language across DevOps, InfoSec
Chef Automate is a single platform to support the entire journey
Dig into the new way of learning about
Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io
Thanks for listening

 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
 
AWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment ComplexityAWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment Complexity
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application Architecture
 

More from AgileNZ Conference

Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
AgileNZ Conference
 
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
AgileNZ Conference
 
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
AgileNZ Conference
 
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
AgileNZ Conference
 
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
AgileNZ Conference
 
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
AgileNZ Conference
 
Gavin Coughlan (Boost)
Gavin Coughlan (Boost)Gavin Coughlan (Boost)
Gavin Coughlan (Boost)
AgileNZ Conference
 
Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)
AgileNZ Conference
 
Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)
AgileNZ Conference
 
Anthony Marter (Orion Health)
Anthony Marter (Orion Health)Anthony Marter (Orion Health)
Anthony Marter (Orion Health)
AgileNZ Conference
 

More from AgileNZ Conference (10)

Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
 
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
 
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
 
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
 
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
 
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
 
Gavin Coughlan (Boost)
Gavin Coughlan (Boost)Gavin Coughlan (Boost)
Gavin Coughlan (Boost)
 
Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)
 
Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)
 
Anthony Marter (Orion Health)
Anthony Marter (Orion Health)Anthony Marter (Orion Health)
Anthony Marter (Orion Health)
 

Recently uploaded

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
eCommerce Institute
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Access Innovations, Inc.
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
faizulhassanfaiz1670
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 

Recently uploaded (17)

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 

DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017

  • 1. DevSec Delight with Compliance as Code Matt Ray Manager/Solutions Architect APJ Chef
  • 2. Matt Ray Manager/Solutions Architect – APJ Chef Software matt@chef.io @mattray Software Defined Talk
  • 6. SSH Control "SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
  • 7. How will I verify this?
  • 8. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
  • 9. Apache Server Information Leakage • Description • This directive controls whether the Server response field sent back to clients includes a description of the generic OS type of the server. • This allows attackers to identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities are dependent upon specific software versions. • How to Test • In order to test for the ServerTokens configuration, one should check the Apache configuration file. • Misconfiguration • ServerTokens Full • Remediation • Configure the ServerTokens directive in the Apache configuration to a value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request. • ServerTokens Prod • or • ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
  • 10. More grep and sed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
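The two one-liners on slides 8 and 10 print a value and leave the verdict to whoever is reading the terminal, and they miss the cases an auditor actually cares about: a lowercase keyword (both sshd and Apache match directive names case-insensitively), an indented directive, a commented-out line, `Protocol 2,1` (which still permits SSHv1), and a directive that is simply absent (Apache then defaults to `ServerTokens Full`; OpenSSH 5.4 and later default to `Protocol 2`, and OpenSSH 7.4 and later drop SSHv1 entirely and ignore the directive). The Ruby below is an added example, not code from the talk or from InSpec, that parses the two files the way a check should and returns a pass/fail with a reason. The config texts are constructed for the example; in InSpec the same parsing is done for you by the `sshd_config` and `apache_conf` resources listed on slide 36.

```ruby
# Added example (not from the slides or from InSpec): the SSH Protocol and
# Apache ServerTokens checks as a small Ruby compliance check rather than
# grep/sed one-liners. All config text below is constructed sample data.

# Parse an sshd_config / httpd.conf style file into {keyword => value}.
# Directive names are matched case-insensitively, comments, blank lines and
# Apache section tags (<IfModule ...>) are skipped. sshd uses the FIRST
# occurrence of a keyword and stops being global at the first Match block;
# Apache lets a later occurrence of a server-level directive override an
# earlier one (first_wins: false).
def parse_directives(text, first_wins:)
  directives = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#') || line.start_with?('<')
    break if first_wins && line.match?(/\AMatch\b/i)
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    next if first_wins && directives.key?(key)
    directives[key] = value.strip
  end
  directives
end

# Returns [pass?, reason]. Absent directive means OpenSSH's default of 2
# (OpenSSH 5.4+); anything other than exactly "2" still permits SSHv1.
def check_ssh_protocol(sshd_config_text)
  protocol = parse_directives(sshd_config_text, first_wins: true)['protocol']
  return [true, 'Protocol not set; OpenSSH default is 2'] if protocol.nil?
  versions = protocol.split(',').map(&:strip)
  return [true, "Protocol #{protocol}"] if versions == ['2']
  [false, "Protocol #{protocol} still permits SSHv1"]
end

# Returns [pass?, reason]. Absent directive means Apache's default of Full,
# which a grep one-liner reports as empty output rather than as a failure.
def check_server_tokens(httpd_conf_text)
  tokens = parse_directives(httpd_conf_text, first_wins: false)['servertokens']
  return [false, 'ServerTokens not set; Apache default is Full'] if tokens.nil?
  return [true, "ServerTokens #{tokens}"] if %w[prod productonly].include?(tokens.downcase)
  [false, "ServerTokens #{tokens} leaks version or OS details"]
end

def run_checks(sshd_config_text, httpd_conf_text)
  {
    'ssh-protocol'  => check_ssh_protocol(sshd_config_text),
    'apache-tokens' => check_server_tokens(httpd_conf_text)
  }
end

# Constructed samples: each one defeats the grep "^Keyword" one-liner.
SSHD_CONFIG_OK = <<~CONF
  # constructed sample
  Port 22
  Protocol 2
CONF

SSHD_CONFIG_WEAK = <<~CONF
  # lowercase keyword, and 2,1 still allows SSHv1
  protocol 2,1
CONF

HTTPD_CONF_WEAK = <<~CONF
  # directive commented out, so Apache falls back to Full
  #ServerTokens Prod
  ServerSignature Off
CONF

HTTPD_CONF_OK = <<~CONF
  <IfModule mod_headers.c>
  </IfModule>
      ServerTokens ProductOnly
CONF

if __FILE__ == $PROGRAM_NAME
  run_checks(SSHD_CONFIG_WEAK, HTTPD_CONF_WEAK).each do |name, (ok, why)|
    puts "#{ok ? 'PASS' : 'FAIL'} #{name}: #{why}"
  end
end
```

Run it against the weak samples and both checks fail with a stated reason; run the grep one-liners against the same text and the first prints nothing for the sshd file and nothing for the httpd file, which is exactly the "silently passes the audit" failure the rest of the talk is about.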
  • 20. “Two-thirds of organizations did not adequately test the security of all in-scope systems”
  • 21. Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  • 24. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 25. Infrastructure Code
package 'httpd' do
  action :install
end
service 'httpd' do
  action [:start, :enable]
end
  • 26. We Have A Communications Problem
  • 35. One Language Linux, Windows, MacOS, Solaris, AIX, ...
  • 36. Examples of Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum
  • 37. What is it not? • IDS / IPS • Firewall • Antivirus • Pentesting tool
  • 38. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases
  • 40. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases, APIs
  • 42. InSpec: AGENTLESS. Test your machine locally: > inspec exec test.rb. Test a machine remotely via SSH: > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1. Test a machine remotely via WinRM: > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super. Test a Docker container: > inspec exec test.rb -t docker://5cc8837bb6a8. (A password given with --password on the command line ends up in shell history and the process list; keep it out of scripts.)
  • 43. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases, APIs, Cloud Platforms, ...
  • 45. Step one: Detect. Gain visibility into current status to satisfy audits and drive decision-making. 55% of organizations do compliance assessments inconsistently or not at all. Apply policies and gain a complete view across the fleet ▪ Accurately assess risk ▪ Prioritize remediation actions ▪ Maintain audit readiness ▪ Create and adjust policies. “Continuous visibility means that you enter into audits knowing the outcome.” Jon Williams, NIU
  • 46. Step two: Correct. Remediate issues to improve performance and security. 58% of organizations need days or longer to remediate issues. Develop, test, and deploy remediation to address issues across the fleet ▪ Prioritize actions based on impact ▪ Improve application performance ▪ Close security holes ▪ Prove policy compliance. Web & Media Giant: can patch 250,000 nodes within 6 hours of a patch being made available
  • 47. Step three: Automate. Deploy applications faster and manage risk continuously. 59% of organizations do not assess for compliance until code is running in production. Deploy applications with confidence ▪ Increase speed while reducing risk ▪ Improve software change efficiency ▪ Maintain security and compliance ▪ Align DevOps and InfoSec. Every resource and app in an HPC environment automatically qualified as compliant with FDA standards before deployment
  • 48. The journey to continuous compliance Detect Correct Automate 1. Detect Gain visibility and develop baselines 2. Correct Remediate priority issues 3. Automate Continuously detect & correct
  • 49. Chef Automate enables the entire journey Detect ▪ Test against industry benchmarks ▪ Report and address audit needs Correct ▪ Close detect/correct loop in one platform ▪ Develop baselines for automation Automate ▪ Detect and correct before production ▪ Single language across DevOps, InfoSec Chef Automate is a single platform to support the entire journey
  • 50. Dig into the new way of learning about Chef, Automation, and DevOps. Self-paced training on Linux and Windows and much more! learn.chef.io