SlideShare ist ein Scribd-Unternehmen logo
1 von 51
DevSec Delight with Compliance as Code
Matt Ray
Manager/Solutions Architect APJ
Chef
Matt Ray
Manager/Solutions Architect – APJ
Chef Software
matt@chef.io
@mattray
Software Defined Talk
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
SSH Control
"SSH supports two different protocol versions. The
original version, SSHv1, was subject to a number of
security issues. Please use SSHv2 instead to avoid
these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage
• Description
• This Directive Controls wheather Server response field is sent back to clients includes a description of
Generic OS Type of the Server.
• This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as
security vulnerabilities are dependent upon specific software versions.
• How to Test
• In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
• ServerTokens Full
• Remediation
• Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells
Apache to only return "Apache" in the Server header, returned on every page request.
• ServerTokens Prod
• or
• ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
Passed the Audit
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
C
o
m
p
l
i
a
n
c
e
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
“Two-thirds of organizations
did not adequately test the
security of all in-scope
systems”
Key Trends
• While individual rule
compliance is up,
testing of security
systems is down
• Sustainability is low.
Fewer than a third of
companies were found
to be still fully
compliant less than a
year after successful
validation.
Security != Compliance
Security Theatre
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code
package 'httpd' do
action :install
end
service 'httpd' do
action [ :start, :enable ]
end
We Have A Communications Problem
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
Compliance Language
One Language
Linux, Windows
Windows
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Examples of Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum
What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases
DB Testing
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs
Cloud Testing
InSpec
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test your machine locally
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
Test a machine remotely via WinRM
AGENTLESS
One Language
Linux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs, Cloud Platforms, ...
Open Source Community
•https://inspec.io
•https://github.com/chef/inspec
•https://supermarket.chef.io
•https://learn.chef.io
•#inspec in https://chefcommunity.slack.com
55%
Step one: Detect
Gain visibility into current status to satisfy audits and drive decision-making
of organizations do compliance assessments inconsistently or not at all.
Apply policies and gain a
complete view across the fleet
▪ Accurately assess risk
▪ Prioritize remediation actions
▪ Maintain audit readiness
▪ Create and adjust policies
”
Continuous visibility means that you enter into audits knowing the outcome.
Jon Williams, NIU
? ? ? ?
? ? ? ?
? ? ? ?
? ? ? ?
Step two: Correct
Remediate issues to improve performance and security
▪ Prioritize actions based on impact
▪ Improve application performance
▪ Close security holes
▪ Prove policy compliance
Web &
Media Giant
Can patch 250,000 nodes within 6 hours of a patch being made available
Develop, test, and deploy remediation
to address issues across the fleet
of organizations need days or longer to remediate issues.58%
59%
Step three: Automate
Deploy applications faster and manage risk continuously
▪ Increase speed while reducing
risk
▪ Improve software change
efficiency
▪ Maintain security and compliance
▪ Align DevOps and InfoSec
Every resource and app in HPC environment automatically qualified as
compliant with FDA standards before deployment
of organizations do not assess for compliance until code is running in production.
Deploy applications with
confidence
The journey to continuous compliance
Detect
Correct
Automate
1. Detect
Gain visibility and develop baselines
2. Correct
Remediate priority issues
3. Automate
Continuously detect & correct
Chef Automate enables the entire journey
Detect
▪ Test against industry benchmarks
▪ Report and address audit needs
Correct
▪ Close detect/correct loop in one platform
▪ Develop baselines for automation
Automate
▪ Detect and correct before production
▪ Single language across DevOps, InfoSec
Chef Automate is a single platform to support the entire journey
Dig into the new way of learning about
Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io
Thanks for listening

Weitere ähnliche Inhalte

Was ist angesagt?

Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps TransformationDeborah Schalm
 
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...Serena Software
 
Where Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsWhere Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsQASymphony
 
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...Serena Software
 
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins World
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins WorldFail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins World
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins WorldCA Technologies
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Deborah Schalm
 
Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?QASource
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart wayEficode
 
Site (Service) Reliability Engineering
Site (Service) Reliability EngineeringSite (Service) Reliability Engineering
Site (Service) Reliability EngineeringMark Underwood
 
A beginners guide to scaling DevOps
A beginners guide to scaling DevOpsA beginners guide to scaling DevOps
A beginners guide to scaling DevOpsEficode
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a TimeContinuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a TimeGene Gotimer
 
Why Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityWhy Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityEficode
 
Observability at Scale
Observability at Scale Observability at Scale
Observability at Scale Knoldus Inc.
 
Critical Considerations for Continuous Delivery 04.09.2018
Critical Considerations for Continuous Delivery 04.09.2018Critical Considerations for Continuous Delivery 04.09.2018
Critical Considerations for Continuous Delivery 04.09.2018Claire Priester Papas
 
Building Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFBuilding Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFMichael Kehoe
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaKeet Sugathadasa
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 

Was ist angesagt? (20)

Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps Transformation
 
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
 
Where Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsWhere Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOps
 
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...
Edit Privacy Settings Analytics FREE Collect Leads Micro Focus DevOps Drive-i...
 
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins World
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins WorldFail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins World
Fail Fast and Win with Continuous Testing: Uri Scheiner – Jenkins World
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart way
 
Site (Service) Reliability Engineering
Site (Service) Reliability EngineeringSite (Service) Reliability Engineering
Site (Service) Reliability Engineering
 
A beginners guide to scaling DevOps
A beginners guide to scaling DevOpsA beginners guide to scaling DevOps
A beginners guide to scaling DevOps
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a TimeContinuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a Time
 
Why Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityWhy Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and Observability
 
DevOps not a Toolbox
DevOps not a ToolboxDevOps not a Toolbox
DevOps not a Toolbox
 
Observability at Scale
Observability at Scale Observability at Scale
Observability at Scale
 
Critical Considerations for Continuous Delivery 04.09.2018
Critical Considerations for Continuous Delivery 04.09.2018Critical Considerations for Continuous Delivery 04.09.2018
Critical Considerations for Continuous Delivery 04.09.2018
 
Building Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFBuilding Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSF
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...
 

Andere mochten auch

Build for Speed - Gareth Evans - AgileNZ 2017
Build for Speed - Gareth Evans - AgileNZ 2017Build for Speed - Gareth Evans - AgileNZ 2017
Build for Speed - Gareth Evans - AgileNZ 2017AgileNZ Conference
 
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...AgileNZ Conference
 
Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...
 Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj... Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...
Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...AgileNZ Conference
 
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017AgileNZ Conference
 
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017AgileNZ Conference
 
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017AgileNZ Conference
 
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...AgileNZ Conference
 
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017AgileNZ Conference
 
Born to Learn - Aurelien Beraud - AgileNZ 2017
Born to Learn - Aurelien Beraud - AgileNZ 2017Born to Learn - Aurelien Beraud - AgileNZ 2017
Born to Learn - Aurelien Beraud - AgileNZ 2017AgileNZ Conference
 
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017AgileNZ Conference
 
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017AgileNZ Conference
 
Security Certification or How I Learned to Stop Worrying & Love Stories - And...
Security Certification or How I Learned to Stop Worrying & Love Stories - And...Security Certification or How I Learned to Stop Worrying & Love Stories - And...
Security Certification or How I Learned to Stop Worrying & Love Stories - And...AgileNZ Conference
 
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...AgileNZ Conference
 
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...AgileNZ Conference
 
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017AgileNZ Conference
 
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017AgileNZ Conference
 
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017The Foundations of Business Agility - Shane Hastie - AgileNZ 2017
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017AgileNZ Conference
 
The Art of Building a Roadmap - Sherif Mansour
The Art of Building a Roadmap - Sherif MansourThe Art of Building a Roadmap - Sherif Mansour
The Art of Building a Roadmap - Sherif MansourAgileNZ Conference
 
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017AgileNZ Conference
 

Andere mochten auch (20)

Build for Speed - Gareth Evans - AgileNZ 2017
Build for Speed - Gareth Evans - AgileNZ 2017Build for Speed - Gareth Evans - AgileNZ 2017
Build for Speed - Gareth Evans - AgileNZ 2017
 
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...
Making the Invisible Visible: Showing WIP & Flow at Portfolio Level in Waterf...
 
Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...
 Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj... Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...
Making Agile Leadership Work: A Journey From Coach to Manager - Martin Cronj...
 
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017
The Art of Dual-track Delivery - Ant Boobier - AgileNZ 2017
 
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017
Becoming Agile: Agile Transitions in Practice - Rashina Hoda - AgileNZ 2017
 
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017
Scrumdiddlyumptious & the Killjoys - Mia Horrigan - AgileNZ 2017
 
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...
Inclusive Collaboration – How Our Differences Can Make the Difference - Aaron...
 
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017
Shaking Leads to a Shake Up - Russel Garlick - AgileNZ 2017
 
Born to Learn - Aurelien Beraud - AgileNZ 2017
Born to Learn - Aurelien Beraud - AgileNZ 2017Born to Learn - Aurelien Beraud - AgileNZ 2017
Born to Learn - Aurelien Beraud - AgileNZ 2017
 
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017
Improv-e Your Innovation - Jakob Jurkiewicz - AgileNZ 2017
 
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017
Business Agility: Leadership, Teams & the Work - Jude Horrill - AgileNZ 2017
 
Security Certification or How I Learned to Stop Worrying & Love Stories - And...
Security Certification or How I Learned to Stop Worrying & Love Stories - And...Security Certification or How I Learned to Stop Worrying & Love Stories - And...
Security Certification or How I Learned to Stop Worrying & Love Stories - And...
 
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...
Chocolate, Cider & Product Ownership - Penny Goodwin & Chetan Parbhu - AgileN...
 
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...
Breaking Through the Transformation Pain Barrier - Julie Lindenberg & David M...
 
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017
Agile-ish – How to Build a Culture of Agility - Lynne Cazaly - AgileNZ 2017
 
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017
Modern Agile – What's It Good For? - Jacob Creech - AgileNZ 2017
 
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017The Foundations of Business Agility - Shane Hastie - AgileNZ 2017
The Foundations of Business Agility - Shane Hastie - AgileNZ 2017
 
The Art of Building a Roadmap - Sherif Mansour
The Art of Building a Roadmap - Sherif MansourThe Art of Building a Roadmap - Sherif Mansour
The Art of Building a Roadmap - Sherif Mansour
 
Sandy Mamoli (Nomad8)
Sandy Mamoli (Nomad8)Sandy Mamoli (Nomad8)
Sandy Mamoli (Nomad8)
 
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017
Automated Agility?! Let's Talk Truly Agile Testing - Adam Howard - AgileNZ 2017
 

Ähnlich wie DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017

DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
 
Automating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyAutomating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyMatt Ray
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Matt Ray
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMatt Ray
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMatt Ray
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code EverywhereMatt Ray
 
Bay Area Chef Meetup February
Bay Area Chef Meetup FebruaryBay Area Chef Meetup February
Bay Area Chef Meetup FebruaryJessica DeVita
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateChef
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build PipelineSamuel Brown
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingShyam Sunder Verma
 
Infrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateInfrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateMatt Ray
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxDeepakgupta273447
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefAlert Logic
 
Transforming Software Development
Transforming Software DevelopmentTransforming Software Development
Transforming Software DevelopmentAmazon Web Services
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings10n Software, LLC
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAmazon Web Services
 
AWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment ComplexityAWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment ComplexityAmazon Web Services
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureSigfred Balatan Jr.
 

Ähnlich wie DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017 (20)

DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
 
Automating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyAutomating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North Sydney
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
 
Bay Area Chef Meetup February
Bay Area Chef Meetup FebruaryBay Area Chef Meetup February
Bay Area Chef Meetup February
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef Automate
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build Pipeline
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation Testing
 
Infrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateInfrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef Automate
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
 
Transforming Software Development
Transforming Software DevelopmentTransforming Software Development
Transforming Software Development
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
 
AWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment ComplexityAWS CodeDeploy: Manage Deployment Complexity
AWS CodeDeploy: Manage Deployment Complexity
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application Architecture
 

Mehr von AgileNZ Conference

Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017AgileNZ Conference
 
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017AgileNZ Conference
 
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017AgileNZ Conference
 
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...AgileNZ Conference
 
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017AgileNZ Conference
 
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017AgileNZ Conference
 
Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)AgileNZ Conference
 

Mehr von AgileNZ Conference (10)

Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
Connecting the Dots: Agile, DevOps, Lean IT - Mike Orzen - AgileNZ 2017
 
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
Being Agile vs Agile Doing - Luke Hohmann - AgileNZ 2017
 
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
Territory Beyond Agile – Optimised Business Outcomes - Paul Eames - AgileNZ 2017
 
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
A Leadership Survival Guide to Transformation - Aldo Rall & Andy Cooper - Agi...
 
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
Radical Transformation - Edwin Dando & Dan Teo - AgileNZ 2017
 
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
Scaling Scrum Without Crushing Its Soul - Patricia Kong - Agile NZ 2017
 
Gavin Coughlan (Boost)
Gavin Coughlan (Boost)Gavin Coughlan (Boost)
Gavin Coughlan (Boost)
 
Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)Claire Jaycock & Ant Boobier (BNZ)
Claire Jaycock & Ant Boobier (BNZ)
 
Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)Ahmed Sidky (ICAgile)
Ahmed Sidky (ICAgile)
 
Anthony Marter (Orion Health)
Anthony Marter (Orion Health)Anthony Marter (Orion Health)
Anthony Marter (Orion Health)
 

Kürzlich hochgeladen

Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54ZhazgulNurdinova
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Gokulks007
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024eCommerce Institute
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!Loay Mohamed Ibrahim Aly
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsMaking AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsAccess Innovations, Inc.
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
IPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfIPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfratnasehgal888
 
Circle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning IssueCircle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning Issuebdavis22
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8Access Innovations, Inc.
 

Kürzlich hochgeladen (10)

Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsMaking AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
IPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfIPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdf
 
Circle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning IssueCircle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning Issue
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
 

DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017

  • 1. DevSec Delight with Compliance as Code Matt Ray Manager/Solutions Architect APJ Chef
  • 2. Matt Ray Manager/Solutions Architect – APJ Chef Software matt@chef.io @mattray Software Defined Talk
  • 6. SSH Control "SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
  • 7. How will I verify this?
  • 8. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
  • 9. Apache Server Information Leakage • Description • This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server. • This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How to Test • In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration • ServerTokens Full • Remediation • Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request. • ServerTokens Prod • or • ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
  • 10. More grep and sed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 20. “Two-thirds of organizations did not adequately test the security of all in-scope systems”
  • 21. Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  • 24. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 25. Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end
  • 26. We Have A Communications Problem
  • 35. One Language Linux, Windows, MacOS, Solaris, AIX, ...
  • 36. Examples of Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum
  • 37. What is it not? • IDS / IPS • Firewall • Antivirus • Pentesting tool
  • 38. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases
  • 40. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases, APIs
  • 42. InSpec > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
  • 43. One Language Linux, Windows, MacOS, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, Databases, APIs, Cloud Platforms, ...
  • 45. 55% Step one: Detect Gain visibility into current status to satisfy audits and drive decision-making of organizations do compliance assessments inconsistently or not at all. Apply policies and gain a complete view across the fleet ▪ Accurately assess risk ▪ Prioritize remediation actions ▪ Maintain audit readiness ▪ Create and adjust policies ” Continuous visibility means that you enter into audits knowing the outcome. Jon Williams, NIU ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
  • 46. Step two: Correct Remediate issues to improve performance and security ▪ Prioritize actions based on impact ▪ Improve application performance ▪ Close security holes ▪ Prove policy compliance Web & Media Giant Can patch 250,000 nodes within 6 hours of a patch being made available Develop, test, and deploy remediation to address issues across the fleet of organizations need days or longer to remediate issues.58%
  • 47. 59% Step three: Automate Deploy applications faster and manage risk continuously ▪ Increase speed while reducing risk ▪ Improve software change efficiency ▪ Maintain security and compliance ▪ Align DevOps and InfoSec Every resource and app in HPC environment automatically qualified as compliant with FDA standards before deployment of organizations do not assess for compliance until code is running in production. Deploy applications with confidence
  • 48. The journey to continuous compliance Detect Correct Automate 1. Detect Gain visibility and develop baselines 2. Correct Remediate priority issues 3. Automate Continuously detect & correct
  • 49. Chef Automate enables the entire journey Detect ▪ Test against industry benchmarks ▪ Report and address audit needs Correct ▪ Close detect/correct loop in one platform ▪ Develop baselines for automation Automate ▪ Detect and correct before production ▪ Single language across DevOps, InfoSec Chef Automate is a single platform to support the entire journey
  • 50. Dig into the new way of learning about Chef, Automation, and DevOps. Self-paced training on Linux and Windows and much more! learn.chef.io