Making Strong Security Easier

Post on 20-Feb-2017


Transcript of Making Strong Security Easier

Making Strong Security Easier

With FOSS Scanners

or: Building Secure Bridges

Fen Labalme, CivicActions, Inc.

Recent Major Security Breaches

● 2013-12 Target - 70 million customers affected (names, mailing addresses, email addresses, phone numbers, credit/debit card information) via a third-party vendor with authorized access (external JavaScript libraries, anyone?)

● 2014-11 Home Depot - 56 million credit card numbers, 53 million email addresses via a stolen third-party username/password (two-factor authentication would have prevented it)

● 2014-11 Sony - current and former employees & executives via a targeted attack by the “Guardians of Peace” group, purported to be from North Korea (don’t be stupid)

● 2015-02 Anthem Blue Cross - 80 million current and former customers, as well as employees (Social Security numbers, birth dates, addresses, emails, employment information, income data) via targeted attacks to steal the network credentials of a few employees with high-level system access (again, two-factor authentication)

● 2015-06 US Office of Personnel Management (OPM) - 4.2 million current and former employees; 19.7 million individuals who underwent a Federal background investigation; 1.8 million referenced spouses and relatives (SSNs and full background history) via… China?

Explaining FISMA

Federal Information Security Management Act of 2002

Some Acronyms

There will be no test

FISMA Federal Information Security Management Act of 2002

NIST National Institute of Standards and Technology

RMF Risk Management Framework

FedRAMP Federal Risk and Authorization Management Program

PCI DSS Payment Card Industry Data Security Standard

STIG Security Technical Implementation Guide

SCAP Security Content Automation Protocol

CI Continuous Integration

NIST Risk Mgt Framework Takes Months

NIST 800-53 Controls Hurt Your Brain

Time to add compliance!

Software Supply Chain Can Aid Security

$ risk -a server.agency.gov
$ make artifact=system-security-plan -f doc

FISMA for Happy Developers

Scanning as Part of CI

Developers' reaction to security scans

Problem

Tip #1: Use the Families

Tip #2: Give Control Families Tickets

Tip #3: Use SCAP

SCAP == Shared Unit Testing for Vulnerabilities

Vulnerabilities

● Poor configuration

● Known exploits

Tip #4: Use OpenSCAP + GovReady

OpenSCAP: community-created portfolio of tools and content to make attestations about known vulnerabilities
https://github.com/OpenSCAP

GovReady: open source tool to make OpenSCAP scanning friendlier to developers
https://github.com/GovReady/govready

OpenSCAP

$ oscap xccdf eval --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

GovReady

$ govready scan
$ govready fix
$ govready compare
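Scanning as part of CI needs more than a single pass/fail exit status: the build should break on the failures that matter, and the remaining failures should become tickets grouped by 800-53 control family (Tips #1 to #3 above). The following is an added example of such a CI gate, written for this page; it is not code from the slides, from OpenSCAP or from GovReady. It parses the XCCDF results file that `oscap xccdf eval --results results.xml ...` writes. The results embedded in it are constructed for the demo, the rule ids merely follow the SSG naming pattern, and the assumption that SSG's 800-53 references carry an `href` containing "800-53" is marked in the code.

```python
"""CI gate over an oscap XCCDF results file (added example, not from the
slides, OpenSCAP or GovReady). Parses what `oscap xccdf eval --results`
writes, counts outcomes, groups failures by NIST 800-53 control family so
each family can get one ticket, and decides whether the pipeline proceeds."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
# Assumption: SSG content marks 800-53 references with an href that names the
# NIST publication; the URL changes between releases, so match the substring.
NIST_800_53_MARKER = "800-53"

# Constructed sample in the layout oscap writes with --results: the input
# Benchmark (Rule metadata) with a TestResult appended. Outcomes are made up.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference>
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium">
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium">
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_banner_etc_motd" severity="low"/>
  <TestResult id="xccdf_org.open-scap_testresult_sample" start-time="2017-02-20T10:00:00" end-time="2017-02-20T10:00:30">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_banner_etc_motd" severity="low"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

def parse_results(xml_text):
    """One dict per rule-result, joined with its Rule's 800-53 references."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):  # iter() also finds Rules nested in Groups
        rules[rule.get("id")] = {
            "severity": rule.get("severity", "unknown"),
            "controls": [ref.text.strip() for ref in rule.findall("x:reference", NS)
                         if ref.text and NIST_800_53_MARKER in ref.get("href", "")],
        }
    results = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        meta = rules.get(rr.get("idref"), {"severity": "unknown", "controls": []})
        results.append({
            "id": rr.get("idref"),
            "severity": rr.get("severity", meta["severity"]),  # run-time severity wins
            "controls": meta["controls"],
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
        })
    return results

def control_family(control_id):
    """'AC-6' and 'AC-6(1)' both map to family 'AC'."""
    return control_id.split("-", 1)[0].strip().upper()

def summarize(results):
    """Count outcomes. notchecked/notselected/error are kept apart from pass."""
    return dict(Counter(r["result"] for r in results))

def failures_by_family(results):
    """Failed rule ids keyed by 800-53 family (one ticket per family, Tip #2).
    Rules with no 800-53 reference go to UNMAPPED so they are not lost."""
    families = defaultdict(list)
    for r in results:
        if r["result"] != "fail":
            continue
        for fam in sorted({control_family(c) for c in r["controls"]} or {"UNMAPPED"}):
            families[fam].append(r["id"])
    return dict(families)

def gate(results, blocking=("high", "medium")):
    """True when the build may continue: no fail/error at a blocking severity.
    An 'error' result means the check never ran; it must not pass silently."""
    return not any(r["result"] in ("fail", "error") and r["severity"] in blocking
                   for r in results)

def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    results = parse_results(xml_text)
    print("summary:", summarize(results))
    for fam, ids in sorted(failures_by_family(results).items()):
        print(f"ticket {fam}: {len(ids)} failing rule(s): {', '.join(ids)}")
    return 0 if gate(results) else 2  # 2 mirrors oscap's own "rules failed" exit status

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the oscap step as `python xccdf_gate.py results.xml` (the file name is a placeholder); with no argument it runs over the constructed sample, prints one ticket line per family and exits 2 because a high-severity rule failed. Two design points: `notchecked`, `notselected` and `error` are counted on their own rather than folded into pass, since a profile that silently skips a rule looks like a pass to a naive grep of the HTML report; and the blocking severities are a parameter, so a team can start by breaking the build on `high` only and tighten as the ticket backlog shrinks.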

Next steps

● Include more operating systems (Ubuntu, Debian)

● Add more tests (bash & drush based)

● Create and contribute towards an application baseline:

  ● Drupal

  ● Apache/Nginx

  ● MySQL/MariaDB

HOW TO ENGAGE

OpenSCAP GitHub:
https://github.com/OpenSCAP

OpenSCAP References & Docs:https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References

SCAP Content Mailing List:https://fedorahosted.org/mailman/listinfo/scap-security-guide

GovReady user-friendly front-end:https://github.com/GovReady/govready

Ansible-SCAP demo. See how it all works on the “drupal” branch - painlessly:https://github.com/openprivacy/ansible-scap

NIST SCAP Website:https://scap.nist.gov

CONTACT INFO

Fen Labalme
fen@civicactions.com
412-996-4113

Shameless plug: We’re hiring!