SlideShare a Scribd company logo

Philly security shell meetup

N
Nicole Johnson

Bolting compliance and security onto an application after it’s been deployed is an easy way to ensure those applications are vulnerable to attack and violate your organizations policy. Yet, that is often the approach that is taken. Developers must shift compliance to the early phases of the process. With InSpec, verifying compliance and security controls is just as easy as running unit tests.

1 of 32
Download to read offline
Including Compliance & Security Checks in the Delivery Pipeline Clinton Wolfe | Chef - Sr. Software Engineer Nicole Johnson | Chef - Manager, Solutions Architects East
Chef is... ● An automation framework that enables Infrastructure as Code ● A robust set of tooling for testing Chef code ● A large library of reusable patterns (supermarket.chef.io) ● Available for Linux variants, Unix variants, and Windows, all as first class citizens. CHEF IS INFRASTRUCTURE AS CODE Programmatically provision and configure components Treat like any other code base Reconstruct business from code repository, data backup, and compute resources
Chef ▪ Manages deployment and on-going automation ▪ Define reusable resources and infrastructure state as code ▪ Scale elegantly from one to tens of thousands of managed nodes across multiple complex environments ▪ Community, Certified Partner, and Chef supported content available for all common automation tasks Infrastructure automation and delivery at scale windows_feature ‘IIS-WebServerRole’ do action :install end windows_feature ‘IIS-ASPNET’ do action :install end iis_pool FooBarPool do runtime_version “4.0” action :add end package "apache" do action :install end template “/etc/httpd/https.conf” do source “httpd.conf.erb” mode 0075 owner “root” group “root” end service “apache2” do action :start end
PART OF A PROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data and APIs Turn security and compliance into code control ‘cis-1.4.1’ do title ‘1.4.1 Enable SELinux in /etc/grub.conf’ desc ‘ Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ‘ impact 1.0 expect(grub_conf.param ‘selinux’).to_not eq ‘0’ expect(grub_conf.param ‘enforcing’).to_not eq ‘0’ end
InSpec Compliance as Code
The Old Way People working directly on machines InSpec - Security meets Operations The Modern Way People automating machines using code DEVOPS SECURITY DEVOPS COMPLIANCE The New Way Shared tooling across organizations
Differences in verifying compliance policy > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 DOCUMENTATION SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. describe sshd_config do its('Protocol') { should eq 2 } end control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end SCRIPTING TOOLS TESTING LANGUAGE COMPLIANCE LANGUAGE
ONE LANGUAGE InSpec InSpec on Windows Example control 'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key ('HKLMSystemCurrentControlSetControlLsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end
InSpec ● Baremetal ● VMs ● Containers ONE LANGUAGE > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
InSpec Database Testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider Testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end ONE LANGUAGE ● Databases ● API endpoints (e.g. cloud) ● Baremetal ● VMs ● Containers
Jumpstart your compliance test coverage Compliance in production Amazon Linux 2014.09 / 2015.03 CentOS 6 / 7 HP UX 11i IBM AIX 5.3 / 6.1 / 7.1 RHEL 6 / 7 SLES 11 / 12 Ubuntu Server 12.04 / 14.04 Windows 7 / 8 / 10 / 2012 / 2012R2 Chef Automate ships with profiles for:
● Write some code ● Write and run some unit tests ● Go to pre-production ● Run some integration/acceptance tests ● Go to production ● Lowered chance of production failure Test Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Detect Correct Continuous Workflow
InSpec for Platforms chef/inspec-vmwarechef/inspec-azure chef/inspec-aws
InSpec for AWS describe aws_iam_user(’iam_user') do its('has_mfa_enabled?') { should be false } its('has_console_password?') { should be false } end
InSpec for Azure describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do its('sku') { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } its('size') { should eq 'Standard_DS2_v2' } its('location') { should eq 'westeurope' } its('admin_username') { should eq 'azure' } end
InSpec for VmWare control 'vmware-7.3.3' do impact 0.7 title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.' describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain',vswitch: 'vSwitch0') do its('allowPromiscuous') { should be false } end end
Chef Automate One platform that delivers DevOps workflow, automated compliance, and end-to-end pipeline visibility
The Chef Automate Platform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow
Appendix
● Programmatically provision and configure components ● Declarative DSL with the flexibility ● Built on Ruby ● Extensible through Ruby The Chef DSL (domain specific language)
Core Chef Concepts Cookbooks Recipes Resources
package 'httpd' do action :install end windows_feature 'IIS-WebServerRole' do action :install end ● A Resource is a system state you define ○ Example: Package installed, state of a service, configuration file existing ● You declare what the state of the resource is ○ Chef automatically determine HOW that state is achieved Building Blocks: What is a Resource?
● A recipe is a collection of Resources ● Resources are executed in the order they are listed Building Blocks: What is a Recipe? On Linux based OSes: windows_feature 'IIS-WebServerRole' do action :install end template 'c:inetpubwwwrootDefault.htm' do source 'Default.htm.erb' rights :read, 'Everyone' end service 'w3svc' do action [ :enable, :start ] end package 'httpd' do action :install end template '/var/www/index.html' do source 'index.html.erb' mode '0644' end service 'httpd' do action [ :enable, :start ] end
● A cookbook is a set of recipes ● A cookbook is a defined set of items and different outcomes that you expect to address ○ A cookbook could have a recipe to install apache2/httpd but also another set of recipes to activate modules required. Building Blocks: What is a Cookbook? ./attributes ./attributes/default.rb ./CHANGELOG.md ./metadata.rb ./README.md ./recipes ./recipes/application.rb ./recipes/balancer.rb ./recipes/database.rb ./recipes/default.rb ./recipes/webserver.rb ./templates ./templates/default ./templates/default/mysite.conf.erb
Environments More Chef Concepts Roles Cookbooks Recipes Resources
Review: Detect ➔ Inspec Profiles • provide definitions of standards and expectations. • Validate systems against those standards ➔ Chef Client • Executes a run list, consisting of configurations defined in cookbooks. • Reports results back to Chef Automate ➔ Chef Automate • Provides pre-loaded inspec profiles • Stores user-generated inspec profiles • Creates compliance reports when chef client is run with the Audit cookbook.
Software Testing and Why it Matters quantity lesstimemoretime manual tests automated GUI tests integration tests unit tests quantity lesstimemoretime manual session based tests automated GUI tests automated API tests automated unit testsautomated integration tests automated component tests Testing builds safety through feedback loops Inexpensive experiments to provide validation Reduces risk Optimize Testing: Do more of the inexpensive testing first!
● Write some code ● Write and run some unit tests ● Go to pre-production ● Run some integration/acceptance tests ● Go to production ● Lowered chance of production failure Test Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Chef DK - The Chef Development Kit ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors ○ Unclosed strings, etc. ▪ Identify style/convention that helps write better code ○ Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING Definitive tooling for local development of Chef code & Infrastructure as Code development
Chef Infrastructure as Code ● The chef-client is an agent that runs on our nodes to apply configuration changes, and report results to Chef Automate ● The Chef Supermarket provides pre-written cookbooks to get you started. ● The audit cookbook allows us to run inspec scans on a regular basis.
Philly security shell meetup

Recommended

2019 Chef InSpec Jumpstart Part 2 of 2
2019 Chef InSpec Jumpstart Part 2 of 22019 Chef InSpec Jumpstart Part 2 of 2
2019 Chef InSpec Jumpstart Part 2 of 2
Larry Eichenbaum
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
Carlos Sanchez
 
2019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 22019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 2
Larry Eichenbaum
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as Code
Matt Ray
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
Mandi Walls
 
Antons Kranga Building Agile Infrastructures
Antons Kranga Building Agile InfrastructuresAntons Kranga Building Agile Infrastructures
Antons Kranga Building Agile Infrastructures
Antons Kranga
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
DevOps.com
 
Consul - service discovery and others
Consul - service discovery and othersConsul - service discovery and others
Consul - service discovery and others
Walter Liu
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
 
From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012
Carlos Sanchez
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero ClicksHow to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
Carlos Sanchez
 
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and ServerspecTest Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Yury Tsarev
 
Application Automation with Habitat
Application Automation with HabitatApplication Automation with Habitat
Application Automation with Habitat
Chef
 
Testable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and DockerTestable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and Docker
Mandi Walls
 
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
John Kim
 
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Puppet
 
Test driven infrastructure
Test driven infrastructureTest driven infrastructure
Test driven infrastructure
XPeppers
 
Herd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration managementHerd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration management
Frederik Engelen
 
Omaha (Google Update) server
Omaha (Google Update) serverOmaha (Google Update) server
Omaha (Google Update) server
Dmitry Lyfar
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
Mandi Walls
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Julian Dunn
 
Containerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and JavaContainerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and Java
Jadson Santos
 
Leveraging Ansible for CI/CD
Leveraging Ansible for CI/CDLeveraging Ansible for CI/CD
Leveraging Ansible for CI/CD
Shippable
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & Ansible
Robert Reiz
 
Distributed fun with etcd
Distributed fun with etcdDistributed fun with etcd
Distributed fun with etcd
Abdulaziz AlMalki
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
Chef
 
[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool
OSLL
 

More Related Content

What's hot (20)

Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
 
From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012
Carlos Sanchez
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero ClicksHow to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
Carlos Sanchez
 
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and ServerspecTest Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Yury Tsarev
 
Application Automation with Habitat
Application Automation with HabitatApplication Automation with Habitat
Application Automation with Habitat
Chef
 
Testable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and DockerTestable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and Docker
Mandi Walls
 
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
John Kim
 
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Puppet
 
Test driven infrastructure
Test driven infrastructureTest driven infrastructure
Test driven infrastructure
XPeppers
 
Herd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration managementHerd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration management
Frederik Engelen
 
Omaha (Google Update) server
Omaha (Google Update) serverOmaha (Google Update) server
Omaha (Google Update) server
Dmitry Lyfar
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
Mandi Walls
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Julian Dunn
 
Containerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and JavaContainerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and Java
Jadson Santos
 
Leveraging Ansible for CI/CD
Leveraging Ansible for CI/CDLeveraging Ansible for CI/CD
Leveraging Ansible for CI/CD
Shippable
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & Ansible
Robert Reiz
 
Distributed fun with etcd
Distributed fun with etcdDistributed fun with etcd
Distributed fun with etcd
Abdulaziz AlMalki
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
 
From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012From Dev to DevOps - Codemotion ES 2012
From Dev to DevOps - Codemotion ES 2012
Carlos Sanchez
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila - docker clusters (solit 2015)
Artem Zhurbila
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero ClicksHow to Develop Puppet Modules: From Source to the Forge With Zero Clicks
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
Carlos Sanchez
 
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and ServerspecTest Driven Infrastructure with Docker, Test Kitchen and Serverspec
Test Driven Infrastructure with Docker, Test Kitchen and Serverspec
Yury Tsarev
 
Application Automation with Habitat
Application Automation with HabitatApplication Automation with Habitat
Application Automation with Habitat
Chef
 
Testable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and DockerTestable Infrastructure with Chef, Test Kitchen, and Docker
Testable Infrastructure with Chef, Test Kitchen, and Docker
Mandi Walls
 
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
John Kim
 
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Deploying VMware vCloud Hybrid Service with Puppet - PuppetConf 2013
Puppet
 
Test driven infrastructure
Test driven infrastructureTest driven infrastructure
Test driven infrastructure
XPeppers
 
Herd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration managementHerd your chickens: Ansible for DB2 configuration management
Herd your chickens: Ansible for DB2 configuration management
Frederik Engelen
 
Omaha (Google Update) server
Omaha (Google Update) serverOmaha (Google Update) server
Omaha (Google Update) server
Dmitry Lyfar
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
Mandi Walls
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Orchestration? You Don't Need Orchestration. What You Want is Choreography.
Julian Dunn
 
Containerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and JavaContainerizing a Web Application with Vue.js and Java
Containerizing a Web Application with Vue.js and Java
Jadson Santos
 
Leveraging Ansible for CI/CD
Leveraging Ansible for CI/CDLeveraging Ansible for CI/CD
Leveraging Ansible for CI/CD
Shippable
 
Infrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & AnsibleInfrastructure Deployment with Docker & Ansible
Infrastructure Deployment with Docker & Ansible
Robert Reiz
 
Distributed fun with etcd
Distributed fun with etcdDistributed fun with etcd
Distributed fun with etcd
Abdulaziz AlMalki
 

Similar to Philly security shell meetup (20)

Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
Chef
 
[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool
OSLL
 
InSpec Keynote at ChefConf
InSpec Keynote at ChefConfInSpec Keynote at ChefConf
InSpec Keynote at ChefConf
Christoph Hartmann
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Alert Logic
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
Raul Leite
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
Matt Ray
 
Automation day red hat ansible
Automation day red hat ansible Automation day red hat ansible
Automation day red hat ansible
Rodrigo Missiaggia
 
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with InfrastructorGr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Stanislav Tiurikov
 
Bay Area Chef Meetup February
Bay Area Chef Meetup FebruaryBay Area Chef Meetup February
Bay Area Chef Meetup February
Jessica DeVita
 
NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!
Jeff Anderson
 
Bring your infrastructure under control with Infrastructor
Bring your infrastructure under control with InfrastructorBring your infrastructure under control with Infrastructor
Bring your infrastructure under control with Infrastructor
Stanislav Tiurikov
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec
Matt Ray
 
Making Spinnaker Go @ Stitch Fix
Making Spinnaker Go @ Stitch FixMaking Spinnaker Go @ Stitch Fix
Making Spinnaker Go @ Stitch Fix
Diana Tkachenko
 
Software Defined Datacenter
Software Defined DatacenterSoftware Defined Datacenter
Software Defined Datacenter
NETWAYS
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
Achieve Internet
 
Configuring Your First Hadoop Cluster On EC2
Configuring Your First Hadoop Cluster On EC2Configuring Your First Hadoop Cluster On EC2
Configuring Your First Hadoop Cluster On EC2
benjaminwootton
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
Matt Ray
 
Deploying OpenStack with Chef
Deploying OpenStack with ChefDeploying OpenStack with Chef
Deploying OpenStack with Chef
Matt Ray
 
Amazon AWS Workspace Howto
Amazon AWS Workspace HowtoAmazon AWS Workspace Howto
Amazon AWS Workspace Howto
mailbhargav
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
Chef
 
[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool[MDBCI] Mariadb continuous integration tool
[MDBCI] Mariadb continuous integration tool
OSLL
 
InSpec Keynote at ChefConf
InSpec Keynote at ChefConfInSpec Keynote at ChefConf
InSpec Keynote at ChefConf
Christoph Hartmann
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Alert Logic
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
Raul Leite
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
Matt Ray
 
Automation day red hat ansible
Automation day red hat ansible Automation day red hat ansible
Automation day red hat ansible
Rodrigo Missiaggia
 
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with InfrastructorGr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Stanislav Tiurikov
 
Bay Area Chef Meetup February
Bay Area Chef Meetup FebruaryBay Area Chef Meetup February
Bay Area Chef Meetup February
Jessica DeVita
 
NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!
Jeff Anderson
 
Bring your infrastructure under control with Infrastructor
Bring your infrastructure under control with InfrastructorBring your infrastructure under control with Infrastructor
Bring your infrastructure under control with Infrastructor
Stanislav Tiurikov
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec
Matt Ray
 
Making Spinnaker Go @ Stitch Fix
Making Spinnaker Go @ Stitch FixMaking Spinnaker Go @ Stitch Fix
Making Spinnaker Go @ Stitch Fix
Diana Tkachenko
 
Software Defined Datacenter
Software Defined DatacenterSoftware Defined Datacenter
Software Defined Datacenter
NETWAYS
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
Achieve Internet
 
Configuring Your First Hadoop Cluster On EC2
Configuring Your First Hadoop Cluster On EC2Configuring Your First Hadoop Cluster On EC2
Configuring Your First Hadoop Cluster On EC2
benjaminwootton
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
Matt Ray
 
Deploying OpenStack with Chef
Deploying OpenStack with ChefDeploying OpenStack with Chef
Deploying OpenStack with Chef
Matt Ray
 
Amazon AWS Workspace Howto
Amazon AWS Workspace HowtoAmazon AWS Workspace Howto
Amazon AWS Workspace Howto
mailbhargav
 

Recently uploaded (20)

Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 

Philly security shell meetup

  • 1. Including Compliance & Security Checks in the Delivery Pipeline Clinton Wolfe | Chef - Sr. Software Engineer Nicole Johnson | Chef - Manager, Solutions Architects East
  • 2. Chef is... ● An automation framework that enables Infrastructure as Code ● A robust set of tooling for testing Chef code ● A large library of reusable patterns (supermarket.chef.io) ● Available for Linux variants, Unix variants, and Windows, all as first class citizens. CHEF IS INFRASTRUCTURE AS CODE Programmatically provision and configure components Treat like any other code base Reconstruct business from code repository, data backup, and compute resources
  • 3. Chef ▪ Manages deployment and on-going automation ▪ Define reusable resources and infrastructure state as code ▪ Scale elegantly from one to tens of thousands of managed nodes across multiple complex environments ▪ Community, Certified Partner, and Chef supported content available for all common automation tasks Infrastructure automation and delivery at scale windows_feature ‘IIS-WebServerRole’ do action :install end windows_feature ‘IIS-ASPNET’ do action :install end iis_pool FooBarPool do runtime_version “4.0” action :add end package "apache" do action :install end template “/etc/httpd/https.conf” do source “httpd.conf.erb” mode 0075 owner “root” group “root” end service “apache2” do action :start end
  • 4. PART OF A PROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data and APIs Turn security and compliance into code control ‘cis-1.4.1’ do title ‘1.4.1 Enable SELinux in /etc/grub.conf’ desc ‘ Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ‘ impact 1.0 expect(grub_conf.param ‘selinux’).to_not eq ‘0’ expect(grub_conf.param ‘enforcing’).to_not eq ‘0’ end
  • 6. The Old Way People working directly on machines InSpec - Security meets Operations The Modern Way People automating machines using code DEVOPS SECURITY DEVOPS COMPLIANCE The New Way Shared tooling across organizations
  • 7. Differences in verifying compliance policy > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 DOCUMENTATION SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. describe sshd_config do its('Protocol') { should eq 2 } end control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end SCRIPTING TOOLS TESTING LANGUAGE COMPLIANCE LANGUAGE
  • 8. ONE LANGUAGE InSpec InSpec on Windows Example control 'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key ('HKLMSystemCurrentControlSetControlLsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end
  • 9. InSpec ● Baremetal ● VMs ● Containers ONE LANGUAGE > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://[email protected] Test your machine locally > inspec exec test.rb -t winrm://[email protected] --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
  • 10. InSpec Database Testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider Testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end ONE LANGUAGE ● Databases ● API endpoints (e.g. cloud) ● Baremetal ● VMs ● Containers
  • 11. Jumpstart your compliance test coverage Compliance in production Amazon Linux 2014.09 / 2015.03 CentOS 6 / 7 HP UX 11i IBM AIX 5.3 / 6.1 / 7.1 RHEL 6 / 7 SLES 11 / 12 Ubuntu Server 12.04 / 14.04 Windows 7 / 8 / 10 / 2012 / 2012R2 Chef Automate ships with profiles for:
  • 12. ● Write some code ● Write and run some unit tests ● Go to pre-production ● Run some integration/acceptance tests ● Go to production ● Lowered chance of production failure Test Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 15. InSpec for AWS describe aws_iam_user(’iam_user') do its('has_mfa_enabled?') { should be false } its('has_console_password?') { should be false } end
  • 16. InSpec for Azure describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do its('sku') { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } its('size') { should eq 'Standard_DS2_v2' } its('location') { should eq 'westeurope' } its('admin_username') { should eq 'azure' } end
  • 17. InSpec for VmWare control 'vmware-7.3.3' do impact 0.7 title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.' describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain',vswitch: 'vSwitch0') do its('allowPromiscuous') { should be false } end end
  • 18. Chef Automate One platform that delivers DevOps workflow, automated compliance, and end-to-end pipeline visibility
  • 19. The Chef Automate Platform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow
  • 21. ● Programmatically provision and configure components ● Declarative DSL with the flexibility ● Built on Ruby ● Extensible through Ruby The Chef DSL (domain specific language)
  • 23. package 'httpd' do action :install end windows_feature 'IIS-WebServerRole' do action :install end ● A Resource is a system state you define ○ Example: Package installed, state of a service, configuration file existing ● You declare what the state of the resource is ○ Chef automatically determine HOW that state is achieved Building Blocks: What is a Resource?
  • 24. ● A recipe is a collection of Resources ● Resources are executed in the order they are listed Building Blocks: What is a Recipe? On Linux based OSes: windows_feature 'IIS-WebServerRole' do action :install end template 'c:inetpubwwwrootDefault.htm' do source 'Default.htm.erb' rights :read, 'Everyone' end service 'w3svc' do action [ :enable, :start ] end package 'httpd' do action :install end template '/var/www/index.html' do source 'index.html.erb' mode '0644' end service 'httpd' do action [ :enable, :start ] end
  • 25. ● A cookbook is a set of recipes ● A cookbook is a defined set of items and different outcomes that you expect to address ○ A cookbook could have a recipe to install apache2/httpd but also another set of recipes to activate modules required. Building Blocks: What is a Cookbook? ./attributes ./attributes/default.rb ./CHANGELOG.md ./metadata.rb ./README.md ./recipes ./recipes/application.rb ./recipes/balancer.rb ./recipes/database.rb ./recipes/default.rb ./recipes/webserver.rb ./templates ./templates/default ./templates/default/mysite.conf.erb
  • 27. Review: Detect ➔ Inspec Profiles • provide definitions of standards and expectations. • Validate systems against those standards ➔ Chef Client • Executes a run list, consisting of configurations defined in cookbooks. • Reports results back to Chef Automate ➔ Chef Automate • Provides pre-loaded inspec profiles • Stores user-generated inspec profiles • Creates compliance reports when chef client is run with the Audit cookbook.
  • 28. Software Testing and Why it Matters quantity lesstimemoretime manual tests automated GUI tests integration tests unit tests quantity lesstimemoretime manual session based tests automated GUI tests automated API tests automated unit testsautomated integration tests automated component tests Testing builds safety through feedback loops Inexpensive experiments to provide validation Reduces risk Optimize Testing: Do more of the inexpensive testing first!
  • 29. ● Write some code ● Write and run some unit tests ● Go to pre-production ● Run some integration/acceptance tests ● Go to production ● Lowered chance of production failure Test Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 30. Chef DK - The Chef Development Kit ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors ○ Unclosed strings, etc. ▪ Identify style/convention that helps write better code ○ Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING Definitive tooling for local development of Chef code & Infrastructure as Code development
  • 31. Chef Infrastructure as Code ● The chef-client is an agent that runs on our nodes to apply configuration changes, and report results to Chef Automate ● The Chef Supermarket provides pre-written cookbooks to get you started. ● The audit cookbook allows us to run inspec scans on a regular basis.