Baking Safety into Infrastructure Testing
A conversation about safety, code, common ground and the power of InSpec to bring teams together.
1. Jessica DeVita, Technical Evangelist, Chef Software, @ubergeekgirl: Baking Safety Into Infrastructure Testing
2. What the heck is an evangelist?
3. • Software
   • Safety
   • Common ground
   • Compliance as code
4. Software is everywhere!
5. Motorcycles
6. Medical Devices
7. Pre-DevOps
8. DevOps to the rescue!
9. Why does safety matter?
10. What about Security?
11. Dev, QA, Security Review, Staging, Prod
12. Patching
13. "I love working with our security team," said no one ever.
14. Regulations! OFAC, USA PATRIOT Act, Gramm-Leach-Bliley Act, Red Flags Rule, Bank Secrecy Act, Sarbanes-Oxley, Regulation E, Dodd-Frank, False Claims Act, HIPAA, European Central Bank regulations, Prudential Regulation Authority, Financial Conduct Authority, HITECH, PCI DSS
15. "Society's ability to regulate industries effectively is limited by its ability to access and understand code, as we saw with the VW emissions scandal." @richardjpope
16. Fear-based culture
17. Safety can be predicted by organizational culture. Ron Westrum
18. Psychological Safety is the most powerful predictor of successful teams
19. John Allspaw, PDF Club
20. Common Ground and Coordination in Joint Activity
    • Intention
    • Phases
    • Signaling
    • Coordination devices & costs
    • Interpredictability
    • Common Ground
    • Directability
21. Common Ground in Joint Activity
    • Intention
    • Signals and cues
    • Conversation, effective Coordination
    • Inter-predictability
    • Common Ground
    • Who knows what
    • Taskwork vs. teamwork
    • Joint action ladder
22. Intention
23. Interdependence
24. Common ground is not a "thing" and not a state. Instead, it is a process, an ongoing action: grounding. http://www.stefanomastrogiacomo.info/wp-content/uploads/2012/11/Common-Ground.png
25. Choreography
26. Communication proceeds on two tracks: Task Work and Team Work
27. Signaling
28. Signaling carries a responsibility to judge the interrupt-ability of the other person. http://corgibytes.com/blog/2016/04/15/inception-layers/
29. ChatOps?
30. All communication is done through the board
31. Coordination: managing dependencies between activities
32. Coordination cannot be manufactured through procedures and explicit guidelines.
33. Common Ground is Not: everyone having the same knowledge
34. Interpredictability. Common Ground: Pertinent Mutual Knowledge, Beliefs, and Assumptions
35. Most important types of Pertinent Mutual Knowledge, Beliefs, and Assumptions: roles and functions; routines; skills and competencies; goals and commitment; stance: perceptions of time pressure, fatigue, competing priorities
36. Common ground is created or lost during handoffs. https://www.flickr.com/photos/53370644@N06/4976497160
37. Why do teams lose common ground?
    • No experience working together
    • Access to different data
    • No clear rationale for the directives
    • Ignorance of different stances
    • Unexpected loss of communications and unskilled at repairing the disruption
    • Failure to monitor confirmation of messages
    • Confusion over who knows what: fundamental common ground breakdown
38. The Joint Action Ladder (Understanding / Acting): 1. Attend, 2. Perceive, 3. Understand, 4. Act
39. Fundamental Common Ground Breakdown:
40. Common ground is not binary! Teams engage in activities to support common ground:
    • structuring preparations (establish routines)
    • sustaining (clarifications, reminders)
    • updating others about changes
    • monitoring other team members
    • detecting (anomalies, signals of loss of ground)
    • repairing the loss
41. "No matter how much care is taken, breakdowns in common ground are inevitable. No amount of procedure or documentation can totally prevent them."
42. High reliability organizations are marked by a continual mindfulness, a continual searching for indications of a loss of common ground
43. Safety is conveyed through actions
    • actions can be code
    • actions can be conversations
44. Making automation a team player https://tctechcrunch2011.files.wordpress.com/2015/06/robotdap-e1433960740130.jpg
45. InSpec is compliance as code: a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.
46. SSH Control. SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
47. Mapping Compliance to InSpec (start with the control id and title)
        control 'ssh-6.2.1' do
          title 'Set SSH Protocol to 2'
        end
48. Mapping Compliance to InSpec (add the description from the policy text)
        control 'ssh-6.2.1' do
          title 'Set SSH Protocol to 2'
          desc "
            SSH supports two different ...
          "
        end
49. Mapping Compliance to InSpec (add the test against the sshd_config resource)
        control 'ssh-6.2.1' do
          title 'Set SSH Protocol to 2'
          desc "
            SSH supports two different ...
          "
          describe sshd_config do
            its('Protocol') { should cmp('2') }
          end
        end
50. Mapping Compliance to InSpec (add the impact rating)
        control 'ssh-6.2.1' do
          impact 1.0
          title 'Set SSH Protocol to 2'
          desc "
            SSH supports two different ...
          "
          describe sshd_config do
            its('Protocol') { should cmp('2') }
          end
        end
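To show what the finished ssh-6.2.1 control on slides 47 to 50 actually evaluates, here is an added example (not from the slides and not InSpec's own code): a small Ruby stand-in for the sshd_config resource and the cmp matcher, run offline against constructed config text. It also covers the two ways the check fails: Protocol set to "2,1" and Protocol absent.

```ruby
# Added example, not code from the slides or from InSpec: a minimal stand-in
# for InSpec's sshd_config resource and cmp matcher, so the ssh-6.2.1 control
# can be evaluated against config text without a target host.

# Minimal sshd_config parser: "Keyword value" lines, '#' comments, keys are
# case-insensitive. InSpec's real resource reads the file on the target.
def parse_sshd_config(text)
  config = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    config[key.downcase] ||= value # first occurrence wins, as sshd itself does
  end
  config
end

# Loose comparison in the spirit of InSpec's cmp matcher: '2' and 2 compare
# equal and string matching ignores case. A nil (unset) value never matches.
def cmp(actual, expected)
  return false if actual.nil?
  actual.to_s.strip.casecmp?(expected.to_s.strip)
end

# The control from the slides: Protocol must cmp '2'. Returns a hash shaped
# like a control result (id, impact, title, status, observed value).
def ssh_6_2_1(config_text)
  cfg = parse_sshd_config(config_text)
  passed = cmp(cfg['protocol'], '2')
  { id: 'ssh-6.2.1', impact: 1.0, title: 'Set SSH Protocol to 2',
    status: passed ? 'passed' : 'failed', actual: cfg['protocol'] }
end

# Constructed sample configs, not taken from any real host.
GOOD_SSHD = "# hardened\nPort 22\nProtocol 2\nPermitRootLogin no\n"
BAD_SSHD  = "Port 22\nProtocol 2,1\n" # still offers SSHv1: fails
MISSING   = "Port 22\n"               # Protocol unset: resource is nil, fails closed

if __FILE__ == $PROGRAM_NAME
  [GOOD_SSHD, BAD_SSHD, MISSING].each { |c| p ssh_6_2_1(c) }
end
```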
51. Test Any Target
        inspec exec test.rb
        inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203
        inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
        inspec exec test.rb -t docker://3dda08e75838
52. its... should...
    • it { should exist }
    • it { should be_installed }
    • it { should be_enabled }
    • its('max_log_file') { should cmp 6 }
    • its('exit_status') { should eq 0 }
    • its('gid') { should eq 0 }
53. InSpec Profiles
        include_controls 'os-hardening' do
          skip_control 'os-06'
          control 'os-02' do
            impact 0.7
          end
        end
        include_controls 'ssh-hardening'
54. Resources across platforms
        describe security_policy do
          its('PasswordComplexity') { should eq 1 }
        end
        describe sshd_config do
          its('Port') { should eq('22') }
        end
        describe iis_site('Default Web Site') do
          it { should have_app_pool('DefaultAppPool') }
          it { should have_binding('http *:80:') }
        end
55. 67
56. Truth can only be found in one place: the code. Only the code can truly tell you what it does. It is the only source of truly accurate information.
57. jessica@chef.io @UberGeekGirl