For too long, audits and security reviews have been seen as incompatible with frequent software releases. Auditors require access to static systems and environments, which would seem to make continuous delivery impossible. Too often an audit is a fire drill: a sample of the current state is taken, and temporary fixes are put in place to satisfy the compliance audit without being integrated into future releases.
About Matt Ray:
Matt Ray is the Manager and Solutions Architect for Asia Pacific and Japan for Chef. He has worked in large enterprise software companies and founded his own startups in a wide variety of industries including banking, retail and government.
He has been active in open source communities for over two decades and has spoken at, and helped organise, many conferences and Meetups. He currently resides in Sydney, Australia after relocating from Austin, Texas. He podcasts at SoftwareDefinedTalk.com, blogs at LeastResistance.net and is @mattray on Twitter, IRC, GitHub and too many Slacks.
6. SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
8. Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
9. Apache Server Information Leakage
• Description
• The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
• This lets attackers identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities depend on specific software versions.
• How to Test
• To test the ServerTokens configuration, check the Apache configuration file.
• Misconfiguration
• ServerTokens Full
• Remediation
• Set the ServerTokens directive in the Apache configuration to Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent with every response.
• ServerTokens Prod
• or
• ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
10. More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
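The two one-liners above are a quick sample, but `grep "^Directive"` does not report what the daemons actually do: sshd_config keywords are case-insensitive, may be indented or written as `Keyword=value`, and the first active occurrence wins; in httpd.conf a later ServerTokens overrides an earlier one, and when the directive is absent Apache defaults to Full. The POSIX sh script below is an added example, not from the deck or from Chef, that resolves the effective value the way each daemon does and fails closed on an unset directive. The configuration files it reads are constructed inline for the demo (on a real host point the check functions at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf); `Include` directives are deliberately not followed, and `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the deck or from Chef): resolve the *effective* value of a
# configuration directive the way sshd and httpd do, instead of grepping for "^Name".
#
# effective_directive FILE NAME MODE
#   MODE=first  sshd_config semantics: the first active occurrence of a keyword wins
#   MODE=last   httpd.conf semantics: a later directive overrides an earlier one
# Prints the value (empty if the directive is not set). Keywords are matched
# case-insensitively, leading whitespace and "Keyword=value" (sshd) are accepted,
# full-line comments are skipped. Include directives are deliberately not followed.
effective_directive() {
    name_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v name="$name_lc" -v mode="$3" '
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        {
            line = $0
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)   # "Protocol=2" -> "Protocol 2"
            $0 = line                                     # re-split into fields
            if (tolower($1) != name) next
            found = 1
            if (mode == "first") { print $2; exit }
            last = $2
        }
        END { if (mode != "first" && found) print last }
    ' "$1"
}

# check_sshd_protocol FILE -> PASS/FAIL line on stdout, exit status 0/1
# Assumption: the control requires an explicit "Protocol 2"; an unset keyword is a
# finding rather than a trusted default. (OpenSSH 7.4 and later removed SSHv1 entirely
# and ignore this keyword, so on such hosts the check is about configuration hygiene.)
check_sshd_protocol() {
    v=$(effective_directive "$1" Protocol first)
    if [ "$v" = "2" ]; then
        printf 'PASS %s: Protocol 2\n' "$1"
        return 0
    fi
    printf 'FAIL %s: Protocol %s\n' "$1" "${v:-(unset)}"
    return 1
}

# check_apache_servertokens FILE -> PASS/FAIL line on stdout, exit status 0/1
# Apache documents Full as the default when ServerTokens is absent, so unset fails.
# Values are compared case-insensitively, as httpd does.
check_apache_servertokens() {
    v=$(effective_directive "$1" ServerTokens last)
    case "$(printf '%s' "${v:-Full}" | tr 'A-Z' 'a-z')" in
        prod|productonly)
            printf 'PASS %s: ServerTokens %s\n' "$1" "$v"
            return 0 ;;
        *)
            printf 'FAIL %s: ServerTokens %s\n' "$1" "${v:-(unset, defaults to Full)}"
            return 1 ;;
    esac
}

# Demo on constructed files. Both are chosen so that grep "^Directive" gives the
# wrong answer: it prints "2" for the sshd file (a false pass, the effective value
# is 2,1) and two values for the httpd file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
# Protocol 2
  protocol 2,1
Protocol 2
EOF
    cat > "$tmp/httpd.conf" <<'EOF'
ServerTokens Full
ServerTokens Prod
EOF
    findings=0
    check_sshd_protocol "$tmp/sshd_config" || findings=$((findings + 1))
    check_apache_servertokens "$tmp/httpd.conf" || findings=$((findings + 1))
    rm -rf "$tmp"
    printf '%d finding(s)\n' "$findings"
}

demo
```

Running it prints a FAIL for the sshd file (effective value 2,1), a PASS for the httpd file (effective value Prod) and "1 finding(s)"; a real gate would exit non-zero on any finding. This parsing is exactly what InSpec's `sshd_config` and `apache_conf` resources do for you, which is the reason to move from one-liners to controls.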
21. Key Trends
• While individual rule compliance is up, testing of security systems is down.
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
42. InSpec
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test a Docker container
> inspec exec test.rb -t docker://5cc8837bb6a8
AGENTLESS
43. One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs, Cloud Platforms, ...
45. Step one: Detect
Gain visibility into current status to satisfy audits and drive decision-making
55% of organizations do compliance assessments inconsistently or not at all.
Apply policies and gain a complete view across the fleet
▪ Accurately assess risk
▪ Prioritize remediation actions
▪ Maintain audit readiness
▪ Create and adjust policies
"Continuous visibility means that you enter into audits knowing the outcome."
Jon Williams, NIU
46. Step two: Correct
Remediate issues to improve performance and security
58% of organizations need days or longer to remediate issues.
Develop, test, and deploy remediation to address issues across the fleet
▪ Prioritize actions based on impact
▪ Improve application performance
▪ Close security holes
▪ Prove policy compliance
Web & Media Giant: can patch 250,000 nodes within 6 hours of a patch being made available
47. Step three: Automate
Deploy applications faster and manage risk continuously
59% of organizations do not assess for compliance until code is running in production.
Deploy applications with confidence
▪ Increase speed while reducing risk
▪ Improve software change efficiency
▪ Maintain security and compliance
▪ Align DevOps and InfoSec
Every resource and app in an HPC environment automatically qualified as compliant with FDA standards before deployment
48. The journey to continuous compliance
1. Detect: gain visibility and develop baselines
2. Correct: remediate priority issues
3. Automate: continuously detect & correct
49. Chef Automate enables the entire journey
Detect
▪ Test against industry benchmarks
▪ Report and address audit needs
Correct
▪ Close detect/correct loop in one platform
▪ Develop baselines for automation
Automate
▪ Detect and correct before production
▪ Single language across DevOps, InfoSec
Chef Automate is a single platform to support the entire journey
50. Dig into the new way of learning about
Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io