Consumer to Collaborator
Re-Imagining the Government’s role
in Open Source
EXPLAIN YOUR FISMA PROCESS
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
OR, EMBED INTO KICKSTART:
$ oscap xccdf eval \
    --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml
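An added example, not from the deck: the slide's oscap command extended with --results, and a small gate that parses the XCCDF results after a --remediate run and reports which rules are still open at or above a chosen severity. The embedded results document is constructed sample data in the XCCDF 1.2 result shape (rule ids are illustrative SSG-style names), and scan_and_gate assumes a host with root and the oscap scanner installed.

```python
"""Gate a build on OpenSCAP results (added example, not code from the deck)."""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
# Result states that are still an open finding after a --remediate run.
# "fixed" means the remediation succeeded; "error" means the fix script itself failed.
OPEN_STATES = {"fail", "error", "unknown"}

# Constructed sample output in the XCCDF 1.2 TestResult shape; not a real scan.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <result>fixed</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" severity="low">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_bootloader_password" severity="high">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
</TestResult>
"""


def oscap_command(profile, content, report, results):
    """The slide's scan-and-remediate command as an argv list, plus --results so the
    machine-readable outcome can be checked after the run."""
    return ["oscap", "xccdf", "eval", "--remediate",
            "--profile", profile,
            "--report", report,
            "--results", results,
            content]


def parse_results(xml_text):
    """Parse an XCCDF 1.2 results document.

    Returns (counts, findings, score): counts is a Counter of result states,
    findings lists (rule id, severity, state) for rules still open, and score is
    the default-system score as a float (None if absent).
    """
    root = ET.fromstring(xml_text)
    # oscap may emit TestResult as the root or nested inside the Benchmark.
    tr = root if root.tag.endswith("}TestResult") else root.find(".//x:TestResult", XCCDF_NS)
    if tr is None:
        raise ValueError("no TestResult element found")
    counts = Counter()
    findings = []
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        state_el = rr.find("x:result", XCCDF_NS)
        state = state_el.text.strip() if state_el is not None and state_el.text else "unknown"
        counts[state] += 1
        if state in OPEN_STATES:
            findings.append((rr.get("idref"), rr.get("severity", "unknown"), state))
    score = None
    for s in tr.findall("x:score", XCCDF_NS):
        if s.get("system") == "urn:xccdf:scoring:default":
            score = float(s.text)
    return counts, findings, score


def blocking_findings(xml_text, min_severity="medium"):
    """Open findings at or above min_severity; a missing severity is treated as high."""
    threshold = SEVERITY_RANK[min_severity]
    _, findings, _ = parse_results(xml_text)
    return [f for f in findings if SEVERITY_RANK.get(f[1], 3) >= threshold]


def scan_and_gate(profile, content, report="/root/scan-report.html",
                  results="/root/scan-results.xml", min_severity="medium"):
    """Run the scan on a real host (assumes root and an installed oscap binary).

    oscap exits 0 when every rule passed, 2 when at least one rule failed and 1 on
    an internal error; only the last is a tooling failure here, the findings
    themselves are judged from the results file.
    """
    proc = subprocess.run(oscap_command(profile, content, report, results))
    if proc.returncode == 1:
        raise RuntimeError("oscap could not evaluate the content")
    with open(results, encoding="utf-8") as fh:
        return blocking_findings(fh.read(), min_severity)


if __name__ == "__main__":
    counts, findings, score = parse_results(SAMPLE_RESULTS)
    print("result states:", dict(counts), "score:", score)
    for rule, sev, state in blocking_findings(SAMPLE_RESULTS):
        print(f"BLOCKING {sev:<6} {state:<5} {rule}")
```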
Miracle at
Willow Run
FIRST USE OF
CONTAINERS?
Mode 1: TRADITIONAL
Mode 2: EXPLORATORY
YOU ARE NOT AN
IT CRAFTSMAN
YOU ARE A
BI-MODAL IT MANUFACTURER
CATEGORIZE
(FIPS 199 / SP 800-60)
SELECT CONTROLS
(FIPS 200 / SP 800-53)
IMPLEMENT CONTROLS
(SP 800-70)
ASSESS CONTROLS
(SP 800-53A)
AUTHORIZE
(SP 800-37)
MONITOR
(SP 800-37 / SP 800-53A)
Everyone knows that SCAP is a suite of XML standards for creating automated checklists for configuration and vulnerability scans!
Features
Risk?
Units of ___________
Growth
Community-created portfolio of tools and content to make attestations about known vulnerabilities
https://github.com/OpenSCAP
$ govready scan
HOW TO ENGAGE
OpenSCAP GitHub:
https://github.com/OpenSCAP
OpenSCAP References & Docs:
https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List:
https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end:
https://github.com/GovReady/govready
Ansible-SCAP (+ Vagrant) demo. See how it all works - painlessly:
https://github.com/openprivacy/ansible-scap
NIST SCAP Website:
https://scap.nist.gov
Shawn Wells
shawn@redhat.com
443-534-0130
CONTACT INFO
Greg Elin
gregelin@gitmachines.com
917-304-3488
Fen Labalme
fen@civicactions.com
412-996-4113
Editor's Notes

  1. GREG: If you’re talking FISMA, FedRAMP, DoD STIG, or PCI, security feels like a procedural encumbrance when it comes to DevOps. Greg: Anyone doing it experiences this burden. Greg: We’re going to tell you a story about an emerging practice that’s changing our relationship to security and compliance from 3 perspectives that span the software development. SHAWN: The guy who writes the policies like DoD STIG and NIST. Maintains machine automation. Cares about compliance. Source of your pain! :) GREG: The guy who wants to consume innovation and new technology. Doesn’t fully understand C&A. My default position is that security is someone else’s job. FEN: I’m doing ops and I have to deal with people like Shawn and their inscrutable policies, and people like Greg who want new functionality that adds vulnerabilities. To make things worse, 6 months ago I was introduced to FISMA and got saddled with this painful compliance process and checklists that get in the way of doing real security. FEN: But two months ago, I discovered OpenSCAP and my perspective changed.
  2. FEN: I can now harden and run security scans on new servers with a single Ansible command. The security process is automated, does everything - and more - that I used to do manually. Not only do I satisfy compliance, I have greater confidence in the security of my servers. With about 100 lines of Ansible and Vagrant I can spin up and harden a server -- and provide attestation that it meets the compliance regs. (This Ansible script displays the provisioning roles that add OpenSCAP and hardening to all machines and creates a “dashboard” for running the scans.)
  3. Or, I can embed a single line of kickstart that will remediate my server to official baseline during the initial configuration. (( fade to Shawn ))
  4. Planes were getting shot down faster than we could make them
  5. SHAWN: Artisanally crafted war planes. Custom parts. Static build systems: one at a time. Waterfall. (( fade to Greg for FCC story )) GREG FCC STORY: In addition to the familiar artisanal/pet vs. cattle story, there is a queueing problem. Had a funded $200,000 project that was idled for months waiting for a server to get set up according to policy - and contracts and budget made it impossible to use any of those funds to improve the primary constraint of configuring a baseline server and network.
  6. You go through that entire process, and then someone wants polka dots. So you repeat the entire process. Plane still officially in “development”, but not “fielded”: NO MAINTENANCE. Antiquated before it gets to the warfighter.
  7. … and because there’s no maintenance, they’d go back into the build system and then the security system and then get in the way of everything else! Again, this is the queueing problem.
  8. In January of 1940, America was being drawn into the growing war and our military was woefully unprepared. The Roosevelt administration asked Ford Motor Company to manufacture components for the B-24 Liberator bomber. Charles Sorensen, Vice-President of Production for Ford, traveled to San Diego to observe Consolidated Aircraft's operations. He conceived the plan to update the Willow Run bomber plant, which eventually manufactured 8,800 of these aircraft. Willow Run was the physical embodiment of the Ford Production System, which was later transformed by Toyota into "Just In Time" and Lean manufacturing. This is where it all started. BTW, the book Miracle at Willow Run is Sorensen’s autobiography -- and he never says why they wanted polka dots on the planes.
  10. First, break the plane's design into essential units and make a separate production layout for each unit. Next, build as many units as are required, then deliver each unit in its proper sequence to the assembly line to make one whole unit: a finished plane. Revamped production system. Now delivering one B52 per hour.
  11. The two modes of building planes equate to two
  12. Elastic, Agile GARTNER
  13. SHAWN: Do you think Google security accredits every server by hand? Do they spend months building the perfect system, or selecting the perfect vendor? No. They spend time on how they use the products: A/B testing, quick iterations, etc. The difference between a regular IT shop and the Googles of the world is the difference between a village cobbler and a tennis shoe factory. DevOps has been siloed to Dev and Ops… what about security? (It’s been a tertiary, waterfall process.) (( FADE TO GREG )) GREG: This is why we can’t accredit Mode 2 IT with the Mode 1 processes.
  14. GREG: NIST Risk Management Framework literally defines a waterfall process for compliance determination.
  15. Step 1: Categorize the system
  16. Step 2. Select all the controls (e.g., define the requirements). Sometimes this is done for you, like FedRAMP or FISMA.
  17. Step 3. Implement all the controls (e.g., develop)
  18. Step 4. Assess the controls (e.g., QA after all requirements are implemented). Configuration management vs. security attestation/assessments: compliance (w/ SCAP) is the ability to perform attestation at scale.
  19. Step 5: Authorize (e.g., deploy the accreditation). You can’t deploy without authorization. If you find out at authorization that you need polka dots, you have to go back into the queue. Or you get a waiver and fly knowing you have warped parts. And no matter the velocity of our CI pipeline, the authorization is still a one-off manual process.
  20. Step 6. Finally, continuous monitoring comes into play in classic Mode 1 life cycle management. Fen: and devops goes… <click>
  21. Fen...
  22. GREG: But to be fair, it’s not like NIST, the authors of the RMF, didn’t anticipate this issue. They knew that automation would be essential to applying the catalog of security controls widely.
  23. So, after 5 years of work with MITRE, NIST releases the Security Content Automation Protocol, a suite of 8 easy-to-understand XML-based standards for expressing, testing, checklisting, tracking, and remediating security content.
  24. GREG: Why SCAP anyway when we have idempotent infrastructure with CFEngine, Puppet, Chef, Ansible, etc.? Because security and compliance are larger than the information system and its components. Security has been practiced as a tertiary manual process for an actual reason: because we have to connect tactical risk at the component level with organizational strategic risk management. In fact, if you look at the 18 families of security controls in the NIST 800-53 catalog of security controls, most are operational or management. Config tools are silent about vulnerabilities. And the Risk Management Framework is a whole-organization activity. The goal of SCAP is to aggregate vulnerability info to assess environmental risks.
  26. SHAWN: Misperception that SCAP isn’t DevOps relevant; however, SCAP allows you to build a weather model: endpoint sensor monitoring, continuous, standardized data. TURNING THE PRIMARY CONSTRAINT of C&A INTO AN OPEN SOURCE PROJECT. The selection of security controls from NIST’s RMF is called a baseline. Open sourcing the primary constraint of baseline development: NSA declassifies the build; DISA FSO, NIST. Extend infrastructure as code to include security automation AND organizational attestation. Where OpenSCAP exists, you can now integrate security into continuous delivery. Tie organizational workflows with technical component delivery. OpenSCAP reflects a portfolio of tools + content.
  27. We get lost in the technical controls (password length, crypto algorithms). What we want is security policy and implementations to Security must scale across technologies, policies, and processes. Trust and attestation scale differently than traffic and features. Cultural differences. Shared problem. Favorite scripts.
  28. It’s not just Red Hat. New apps and operating system (Drupal, Ubuntu and AWS Linux on the way) baselines are being added.
  29. The code is copyleft - use and share.
  30. ...And it’s being forked and extended to work in multiple environments.
  31. A standard vulnerability scan produces a human readable report...
  32. ...with detailed text describing the tests, links to NIST's National Vulnerability Database (NVD), and even remediation scripts that can be employed to resolve the discovered issue.
  33. Greg: I wanted condensed command line output so I created a “quick reports” filter on the scan results.
  34. This shows an example run using Foreman.
  35. It’s an open standard - it can do a lot now - and it can do even more as a F/OSS platform for encapsulating, communicating and providing attestations about known vulnerabilities in the systems you build.
  36. We’d love to see you on the mailing lists.
  37. Thanks.
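The scan-and-report loop in notes 2, 3 and 31 through 33 (oscap run from Ansible or kickstart, then a condensed command-line view of the results instead of the HTML report), as an added example. This is not the deck's own "quick reports" filter, nor code from the OpenSCAP project: it reads the XCCDF results file that `oscap xccdf eval --results` writes, so it runs offline on the constructed SAMPLE_RESULTS embedded below (rule ids are in scap-security-guide style but are illustrative), and the function names oscap_argv, summarize_results, gate and format_report are this example's own.

```python
"""Condensed "quick report" over OpenSCAP XCCDF results (added example).

Reads the XML that `oscap xccdf eval --results results.xml ...` writes (or an
ARF file from --results-arf), counts rule results, lists failed rules by
severity and returns a CI gate verdict.  SAMPLE_RESULTS is a constructed
document in that shape; the rule ids are illustrative.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 (current scap-security-guide content) and 1.1 (older content).
XCCDF_NAMESPACES = ("http://checklists.nist.gov/xccdf/1.2",
                    "http://checklists.nist.gov/xccdf/1.1")
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}


def oscap_argv(datastream, profile, results="results.xml",
               report="report.html", remediate=False):
    """Build the oscap command whose --results output summarize_results() reads.

    oscap exits 0 when every rule passes, 2 when at least one rule failed and
    1 on error; gate() below lets a pipeline gate on severity instead.
    """
    argv = ["oscap", "xccdf", "eval"]
    if remediate:                      # the kickstart one-liner's --remediate
        argv.append("--remediate")
    argv += ["--profile", profile, "--results", results,
             "--report", report, datastream]
    return argv


def _xccdf_ns(root):
    """Find the XCCDF namespace used anywhere in the document (plain or ARF)."""
    for el in root.iter():
        for ns in XCCDF_NAMESPACES:
            if el.tag.startswith("{%s}" % ns):
                return ns
    raise ValueError("no XCCDF elements found: was --results used?")


def summarize_results(xml_text):
    """Return {'target','profile','score','counts','failed'} for the last scan.

    'counts' maps XCCDF result names (pass, fail, notapplicable, ...) to rule
    counts; 'failed' lists (rule id, severity), highest severity first.
    """
    root = ET.fromstring(xml_text)
    ns = {"x": _xccdf_ns(root)}
    test_results = root.findall(".//x:TestResult", ns)
    if not test_results:
        raise ValueError("no TestResult element in document")
    tr = test_results[-1]              # oscap appends one TestResult per run

    counts, failed = Counter(), []
    for rr in tr.findall("x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns)
        counts[result] += 1
        if result in ("fail", "error"):
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    failed.sort(key=lambda f: -SEVERITY_RANK.get(f[1], 0))

    profile, score = tr.find("x:profile", ns), tr.find("x:score", ns)
    return {
        "target": tr.findtext("x:target", default="?", namespaces=ns),
        "profile": profile.get("idref") if profile is not None else "?",
        "score": float(score.text) if score is not None else None,
        "counts": dict(counts),
        "failed": failed,
    }


def gate(summary, fail_on="high"):
    """True if no failed rule has severity >= fail_on (the CI verdict)."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK.get(sev, 0) < threshold
               for _, sev in summary["failed"])


def format_report(summary):
    """One-screen text report instead of the full HTML one."""
    lines = ["target=%s profile=%s score=%s" % (
        summary["target"], summary["profile"], summary["score"])]
    lines.append("results: " + " ".join(
        "%s=%d" % kv for kv in sorted(summary["counts"].items())))
    lines += ["  [%-6s] %s" % (sev, rule) for rule, sev in summary["failed"]]
    return "\n".join(lines)


# Constructed sample in the shape oscap writes with --results (XCCDF 1.2).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example" start-time="2015-06-12T10:00:00" end-time="2015-06-12T10:00:09">
    <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream"/>
    <target>web01.example.test</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
      <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</fix>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    # Usage: quick_report.py results.xml [high|medium|low]; no file -> sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize_results(text)
    print(format_report(summary))
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    sys.exit(0 if gate(summary, level) else 2)
```

Run it as `python3 quick_report.py results.xml medium` after `oscap xccdf eval --profile ... --results results.xml ...` to get a one-screen summary and an exit status a CI job can act on. oscap itself exits 2 on any failed rule regardless of severity, so the point of the gate is choosing the severity at which a build stops rather than failing on every low-severity finding; the ARF form (`--results-arf`) parses the same way because the TestResult is located by namespace wherever it sits in the document.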