Baking Safety into Infrastructure Testing
Transcript of Baking Safety into Infrastructure Testing
Jessica DeVita, Technical Evangelist, Chef Software, @ubergeekgirl
Baking Safety Into Infrastructure Testing
What the heck is an evangelist?
• Software
• Safety
• Common ground
• Compliance as code
Software is everywhere!
Motorcycles
Medical Devices
Pre-DevOps
DevOps to the rescue!
Why does safety matter?
What about Security?
Dev
QA
Security Review
Staging
Prod
Patching
I love working with our security team, said no one ever
Regulations! OFAC, USA PATRIOT Act, Gramm-Leach-Bliley Act, Red Flags Rule,
Bank Secrecy Act, Sarbanes-Oxley, Regulation E, Dodd-Frank,
False Claims Act, HIPAA, European Central Bank regulations,
Prudential Regulation Authority,
Financial Conduct Authority, HITECH, PCI DSS
"Society's ability to regulate industries effectively is limited by its ability to access and understand code, as we saw with the VW emissions scandal." @richardjpope
Fear-based culture
@TobiasMayer
Safety can be predicted by organizational culture
Ron Westrum
Psychological Safety is the most powerful predictor of successful teams
John Allspaw, PDF Club
Common Ground and Coordination in Joint Activity
Intention
• Phases
• Signaling
• Coordination devices & costs
• Interpredictability
• Common Ground
• Directability
Common Ground in Joint Activity
• Intention
• Signals and cues
• Conversation, effective coordination
• Inter-predictability
• Common Ground
• Who knows what
• Taskwork vs. teamwork
• Joint action ladder
Intention
Interdependence
Common ground is not a "thing" and not a state.
Instead, it is a process, an ongoing action: grounding.
http://www.stefanomastrogiacomo.info/wp-content/uploads/2012/11/Common-Ground.png
Choreography
Communication proceeds on two tracks:
Task Work
Team Work
Signaling
Signaling carries a responsibility to judge the interrupt-ability of
the other person
http://corgibytes.com/blog/2016/04/15/inception-layers/
ChatOps?
All communication is done through the board
Coordination: managing dependencies between activities
Coordination cannot be manufactured through procedures
and explicit guidelines.
Common Ground is Not: everyone having the same knowledge
Interpredictability
Common Ground
Pertinent Mutual Knowledge, Beliefs, and Assumptions
• roles and functions
• routines
• skills and competencies
• goals and commitment
• stance: perceptions of time pressure, fatigue, competing priorities
Most important types: Pertinent Mutual Knowledge, Beliefs, and Assumptions
Common ground is created or lost during handoffs.
https://www.flickr.com/photos/53370644@N06/4976497160
Why do teams lose common ground?
• No experience working together
• Access to different data
• No clear rationale for the directives
• Ignorance of different stances
• Unexpected loss of communications and unskilled at repairing the disruption
• Failure to monitor confirmation of messages
• Confusion over who knows what – fundamental common ground breakdown
The Joint Action Ladder (understanding, acting)
1. Attend
2. Perceive
3. Understand
4. Act
Fundamental Common Ground Breakdown:
Common ground is not binary!
Teams engage in activities to support common ground:
• structuring preparations (establish routines)
• sustaining (clarifications, reminders)
• updating others about changes
• monitoring other team members
• detecting (anomalies, signals of loss of ground)
• repairing the loss
"No matter how much care is taken, breakdowns in common ground are inevitable. No amount of procedure
or documentation can totally prevent them."
High reliability organizations are marked by a continual mindfulness, a continual searching for
indications of a loss of common ground
Safety is conveyed through actions
• actions can be code
• actions can be conversations
Making automation a team player
https://tctechcrunch2011.files.wordpress.com/2015/06/robotdap-e1433960740130.jpg
InSpec is compliance as code – a human-readable language for
automating the continuous testing and compliance auditing of your entire
infrastructure.
SSH Control: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Mapping Compliance to InSpec
```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
end
```
Mapping Compliance to InSpec
```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
end
```
Mapping Compliance to InSpec
```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
```
Mapping Compliance to InSpec
```ruby
control 'ssh-6.2.1' do
  impact 1.0
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
```
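To show what the `sshd_config` / `cmp` expectation in the control above actually evaluates, here is an added plain-Ruby model (not InSpec's own code): it parses sshd_config the way sshd reads it (case-insensitive keywords, first value for a keyword wins, `#` starts a comment) and returns the control result with its impact. The sample configs are constructed for this example.

```ruby
# Parse sshd_config text into a keyword => value hash (keywords downcased).
# sshd uses the first value it obtains for a keyword, so later duplicates
# are ignored, which is why the parser keeps the first occurrence.
def parse_sshd_config(text)
  conf = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip          # drop comments and padding
    next if line.empty?
    key, value = line.split(/[\s=]+/, 2)      # "Key value" or "Key=value"
    key = key.downcase
    conf[key] = value unless conf.key?(key)   # first value wins
  end
  conf
end

# Loose comparison in the spirit of InSpec's cmp matcher: numeric when both
# sides look numeric, otherwise a case-insensitive string comparison.
def cmp_equal(actual, expected)
  return false if actual.nil?                 # unset keyword never passes
  if actual.to_s =~ /\A\d+\z/ && expected.to_s =~ /\A\d+\z/
    actual.to_i == expected.to_i
  else
    actual.to_s.casecmp?(expected.to_s)
  end
end

# Evaluate control ssh-6.2.1 against a config text; the impact is carried
# in the result so a report can weight the finding.
def check_ssh_protocol(text, impact: 1.0)
  protocol = parse_sshd_config(text)['protocol']
  { control: 'ssh-6.2.1', impact: impact,
    passed: cmp_equal(protocol, '2'), actual: protocol }
end

# Constructed sample configs: compliant, SSHv1 still negotiable, and unset.
GOOD_CONF  = "# constructed sample\nPort 22\nProtocol 2\n"
BAD_CONF   = "Protocol 2,1   # v1 still allowed\nProtocol 2\n"
UNSET_CONF = "Port 22\n"

if __FILE__ == $0
  [GOOD_CONF, BAD_CONF, UNSET_CONF].each { |c| p check_ssh_protocol(c) }
end
```

OpenSSH 7.4 removed server-side SSHv1 support, so on current hosts an absent Protocol line is not itself a weakness; the check above still flags it, which is the kind of caveat worth recording in the control's `desc`.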
Test Any Target
```shell
inspec exec test.rb
inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://[email protected]
inspec exec test.rb -t winrm://[email protected] --password super
inspec exec test.rb -t docker://3dda08e75838
```
its... should...
• it { should exist }
• it { should be_installed }
• it { should be_enabled }
• its('max_log_file') { should cmp 6 }
• its('exit_status') { should eq 0 }
• its('gid') { should eq 0 }
InSpec Profiles
```ruby
include_controls 'os-hardening' do
  skip_control 'os-06'
  control 'os-02' do
    impact 0.7
  end
end
include_controls 'ssh-hardening'
```
```ruby
describe security_policy do
  its('PasswordComplexity') { should eq 1 }
end
describe sshd_config do
  its('Port') { should eq('22') }
end
describe iis_site('Default Web Site') do
  it { should have_app_pool('DefaultAppPool') }
  it { should have_binding('http *:80:') }
end
```
Truth can only be found in one place: the code.
Only the code can truly tell you what it does. It is the only source of truly accurate information.