Bay Area Chef Meetup February


Transcript of Bay Area Chef Meetup February

The Quest to Make Testing and Security part of DevOps

Jessica DeVita, Evangelist @ubergeekgirl

Agenda

Infrastructure as Code & Test-driven Development

Compliance as Code

Demonstration

Q & A

The Chef Automate Platform: Continuous Automation for High Velocity IT

Workflow • Local development • Integration • Tooling (APIs & SDKs)

COLLABORATE
▪ Package ▪ Test ▪ Approve

BUILD
▪ Provision ▪ Configure ▪ Execute ▪ Update

DEPLOY
▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log

MANAGE

Infrastructure Automation • Compliance Automation • Application Automation

OSS AUTOMATION ENGINES

Increase Speed

▪ Package infrastructure and app configuration as code

▪ Continuously automate infrastructure and app updates

Improve Efficiency

▪ Define and execute standard workflows and automation

▪ Audit and measure effectiveness of automation

Decrease Risk

▪ Define compliance rules as code

▪ Deliver continuous compliance as part of standard workflow

CHEF AUTOMATE: Jumpstart your automation

● A complete suite of enterprise capabilities for workflow, visibility and compliance

● Workflow: A pipeline for continuous delivery of infrastructure and applications

● Compliance: Customizable analytics to identify compliance issues, security risks and outdated software

● Visibility: Gives you views into operational, compliance and workflow process events

Velocity: time from idea to ship

Software success metrics: Quantifying outcomes to deliver software at speed

SPEED: Measure of rate of software change
▪ Deployment frequency
▪ Time from commit to deploy

EFFICIENCY: Measure of effectiveness of software change
▪ Mean time to resolve
▪ Change failure rate

RISK: Measure of quality of software change
▪ Compliance testing coverage
▪ Time deploying remediation

Idea → Ship

Standard Bank pushes ideas from commit to deploy in 18 minutes with Chef

Focus on Speed: Measuring the rate of software change

                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
DEPLOYMENT FREQUENCY        On-demand            Week - Month           Month - 6 Months
TIME FROM COMMIT TO DEPLOY  < 1 Hour             Week - Month           Month - 6 Months

USE CASES INCLUDE:
▪ Application Delivery
▪ Build Pipelines

Intuit reduced change failure rate by 90% with Chef

Focus on Efficiency: Measuring the effectiveness of software change

                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
CHANGE FAILURE RATE         0-15%                16-30%                 31-45%
MEAN TIME TO RESOLVE        < 1 Hour             < 1 Day                < 1 Day

USE CASES INCLUDE:
▪ Configuration Management
▪ Server Drift

Equifax easily scans and maintains security policies with Chef

Focus on Risk: Measuring the quality of software change

                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
COMPLIANCE TESTING COVERAGE 95%+                 25%-95%                0-25%
TIME DEPLOYING REMEDIATION  < 1 Hour             Week - Month           Month - 6 Months

USE CASES INCLUDE:
▪ Compliance Automation
▪ Compliance Coverage

Chef

▪ Manages deployment and on-going automation

▪ Define reusable resources and infrastructure state as code

▪ Scale elegantly from one to tens of thousands of managed nodes across multiple complex environments

▪ Community, Certified Partner, and Chef supported content available for all common automation tasks

Infrastructure automation and delivery at scale

# Windows: install the IIS role and ASP.NET, then create an app pool
windows_feature 'IIS-WebServerRole' do
  action :install
end

windows_feature 'IIS-ASPNET' do
  action :install
end

iis_pool 'FooBarPool' do
  runtime_version '4.0'
  action :add
end

# Linux: install Apache, render its config from a template, start the service
package 'apache' do
  action :install
end

template '/etc/httpd/https.conf' do
  source 'httpd.conf.erb'
  mode '0644'
  owner 'root'
  group 'root'
end

service 'apache2' do
  action :start
end

Habitat

▪ Ease the burden of managing microservice apps and bring benefits of apps architected for microservices to traditional applications

▪ Gain consistent management of new and traditional applications across their lifecycle

▪ Provides application portability for new and traditional apps

▪ Autonomous nodes self-manage runtime state of application based upon policy you define

▪ APIs expose application behaviors as data for better management

▪ Works in tandem with infrastructure automation

▪ Makes applications running on containers, PaaS, virtual machines, bare metal, … better

Automation that travels with the app

PART OF A PROCESS OF CONTINUOUS COMPLIANCE: Scan for Compliance • Build & Test Locally • Build & Test CI/CD • Remediate • Verify

A SIMPLE EXAMPLE OF AN INSPEC CIS RULE

InSpec

▪ Translate compliance into Code

▪ Clearly express statements of policy

▪ Move risk to build/test from runtime

▪ Find issues early

▪ Write code quickly

▪ Run code anywhere

▪ Inspect machines, data and APIs

Turn security and compliance into code

control 'cis-1.4.1' do
  title '1.4.1 Enable SELinux in /etc/grub.conf'
  desc '
    Do not disable SELinux and enforcing in your GRUB configuration. These are
    important security features that prevent attackers from escalating their
    access to your systems. For reference see …
  '
  impact 1.0
  expect(grub_conf.param 'selinux').to_not eq '0'
  expect(grub_conf.param 'enforcing').to_not eq '0'
end

Deliver on Compliance: Reduce risk through automation of security and compliance management

COMPLIANCE TEST COVERAGE

▪ Package compliance as Code

▪ Automate compliance testing

▪ Log and audit policy failures for compliance remediation


Success example: Web & Media Giant

Success example: Top five global bank

Compliance as Code: ROLE OF THE COMPLIANCE OFFICER, ACCELERATED CYCLE

INFRASTRUCTURE AS CODE: Separate certification & testing
POLICY AS CODE: Common language for describing & applying policy
PRACTICE AS CODE: Compliance at velocity

Manual Compliance vs. Compliance at Velocity

Manual Compliance: Reactive engagement • Checking implementations by hand • Short term compliance
Compliance at Velocity: Proactive engagement • Expressing policy as testable code • Long term process improvement • One language, one workflow

InSpec - Security meets Operations

Each team uses separate tools

SECURITY

DEVOPS

COMPLIANCE

Unified language

SECURITY DEVOPS

COMPLIANCE

REGULATORY COMPLIANCE

PCI-DSS Gramm-Leach-Bliley Act HIPAA

Dodd-Frank ISO Sarbanes-Oxley

HITECH Grundschutz European Central Bank Regulations

Security != Compliance

Chef Compliance ships with profiles for:

▪ Amazon Linux 2014.09 / 2015.03
▪ CentOS 6 / 7
▪ HP-UX 11i
▪ IBM AIX 5.3 / 6.1 / 7.1
▪ RHEL 6 / 7
▪ SLES 11 / 12
▪ Ubuntu Server 12.04 / 14.04
▪ Windows 2012 R2

SSH Control

SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

How will I verify this?

Whip up a one-liner!

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Whip up a one-liner!

grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Whip up a two-liner!

TARGET=2
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET

Shell Scripts

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Differences in verifying compliance policy

> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2

DOCUMENTATION: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

describe sshd_config do
  its('Protocol') { should cmp '2' }
end

control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore...
  "
  describe sshd_config do
    its('Protocol') { should cmp '2' }
  end
end
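The slide above contrasts a grep one-liner with an InSpec describe block. As an added example (not from the deck and not InSpec's own code), the Ruby below emulates what the sshd_config resource does for the Protocol check: it parses the file with comment handling, case-insensitive keywords and Match-block scoping, reports a missing or commented-out directive as a failure instead of printing nothing, and maps the control's impact to the severity bands the deck uses later (0.7-1.0 critical, 0.4-<0.7 major, below that minor). The sample configs and the 'ssh-6.2.1' control fields are constructed.

```ruby
# Constructed sshd_config samples (not from any real host).
SAMPLE_HARDENED  = "# hardened host\nPort 22\nProtocol 2\nPasswordAuthentication no\n" \
                   "Match User deploy\n  PasswordAuthentication yes\n"
SAMPLE_LEGACY    = "protocol 2,1   # SSHv1 still offered; grep '^Protocol' misses lowercase\n"
SAMPLE_COMMENTED = "#Protocol 2\nPort 22\n"

# Parse sshd_config text into {keyword => value}. Keywords are case-insensitive,
# '#' starts a comment, the first occurrence of a keyword wins (as in sshd), and
# parsing stops at the first Match block because directives there are conditional.
def parse_sshd_config(text)
  params = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    break if key == 'match'
    params[key] = value unless params.key?(key)
  end
  params
end

# Impact-to-severity bands from the deck's Compliance Profile Severity Mapping.
def severity_for(impact)
  case impact
  when 0.7..1.0 then 'critical'
  when 0.4...0.7 then 'major'
  else 'minor'
  end
end

Control = Struct.new(:id, :impact, :title, :keyword, :expected)
SSH_PROTOCOL = Control.new('ssh-6.2.1', 1.0, 'Set SSH Protocol to 2', 'protocol', '2')

# Evaluate a control the way `its('Protocol') { should cmp '2' }` does: compare the
# configured value loosely with the expected one, and report a missing or
# commented-out keyword as a failure instead of silence.
def run_control(control, config_text)
  actual = parse_sshd_config(config_text)[control.keyword]
  passed = !actual.nil? && actual.strip.downcase == control.expected.to_s.downcase
  { id: control.id, title: control.title, actual: actual,
    status: passed ? 'passed' : 'failed', severity: severity_for(control.impact) }
end

[SAMPLE_HARDENED, SAMPLE_LEGACY, SAMPLE_COMMENTED].each do |cfg|
  r = run_control(SSH_PROTOCOL, cfg)
  puts "#{r[:id]} #{r[:status]} (#{r[:severity]}): Protocol=#{r[:actual].inspect}"
end
```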

SCRIPTING TOOLS

COMPLIANCE LANGUAGE


ONE LANGUAGE

InSpec

InSpec for Windows

control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '
    @link: http://support.microsoft.com/en-us/kb/823659
  '
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end

Mapping Compliance Document to InSpec

The control is built up in four steps: first the control id and title; then the desc carrying the text of the compliance document; then the describe block that makes the policy testable; then the impact. The finished control:

control 'ssh-6.2.1' do
  impact 1.0
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end

CONTINUOUS COMPLIANCE AUTOMATION

InSpec - Part of your InfoSec toolchain

FIREWALL • ANTIVIRUS • INTRUSION DETECTION/PREVENTION • PENETRATION TESTING

What InSpec is not

• Intrusion Detection System • Intrusion Prevention System • Firewall • Antivirus • Penetration Testing Tool

InSpec

● Baremetal ● VMs ● Containers

ONE LANGUAGE, AGENTLESS

Test your machine locally
> inspec exec test.rb

Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://[email protected]

Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://[email protected] --password super

Test a Docker container
> inspec exec test.rb -t docker://5cc8837bb6a8

InSpec

Database Testing

describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
  its(:stdout) { should be_empty }
end

Cloud Provider Testing

security_groups.each do |security_group|
  describe security_group do
    it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
  end
end
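The cloud-provider test above asserts that no inbound rule comes from 0.0.0.0/0. As an added example (not from the deck and not InSpec's cloud resources), the Ruby below runs that check over constructed security-group data and generalises it: it treats ::/0 as world-open as well, and reports only the rules that expose administrative or database ports, so a public HTTPS listener is not a finding. The group shape, the port list and the group names are assumptions.

```ruby
require 'ipaddr'

# Constructed security-group data in a simplified shape (not a real cloud API
# response): each inbound rule has a protocol, a port range and a source CIDR.
SECURITY_GROUPS = [
  { name: 'web-sg',  inbound: [{ proto: 'tcp', from: 443, to: 443, source: '0.0.0.0/0' },
                               { proto: 'tcp', from: 22,  to: 22,  source: '0.0.0.0/0' }] },
  { name: 'db-sg',   inbound: [{ proto: 'tcp', from: 3306, to: 3306, source: '10.0.1.0/24' }] },
  { name: 'mgmt-sg', inbound: [{ proto: 'tcp', from: 0, to: 65535, source: '::/0' }] }
]

# Ports that must never be open to the whole internet (assumed list for the example).
SENSITIVE_PORTS = { 22 => 'ssh', 3389 => 'rdp', 3306 => 'mysql', 5432 => 'postgres' }.freeze

# Prefix length of a CIDR or bare address, for either family; invalid input raises.
def prefix_length(cidr)
  addr, bits = cidr.split('/', 2)
  ip = IPAddr.new(addr)
  bits ? Integer(bits) : (ip.ipv4? ? 32 : 128)
end

# The slide's check names only 0.0.0.0/0; a /0 in either family is the whole internet.
def world_open?(cidr)
  prefix_length(cidr).zero?
end

# Same check as `should_not have_inbound_rule().with_source('0.0.0.0/0')` on one group.
def open_to_world?(group)
  group[:inbound].any? { |rule| world_open?(rule[:source]) }
end

def rule_covers_port?(rule, port)
  rule[:proto] == '-1' || (rule[:from]..rule[:to]).cover?(port) # '-1' = all traffic
end

# Findings for every inbound rule that exposes a sensitive port to the world;
# an empty result means the groups pass. HTTPS from anywhere is not reported.
def world_exposed_ports(groups, sensitive = SENSITIVE_PORTS)
  groups.flat_map do |sg|
    sg[:inbound].select { |rule| world_open?(rule[:source]) }.flat_map do |rule|
      sensitive.select { |port, _| rule_covers_port?(rule, port) }
               .map { |port, svc| { group: sg[:name], port: port, service: svc, source: rule[:source] } }
    end
  end
end

world_exposed_ports(SECURITY_GROUPS).each do |f|
  puts "#{f[:group]}: #{f[:service]}/#{f[:port]} reachable from #{f[:source]}"
end
```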

ONE LANGUAGE
● Databases ● API endpoints (e.g. cloud) ● Baremetal ● VMs ● Containers


Infrastructure policies need testing

↳ Linting ↳ Static Analysis ↳ Unit Testing ↳ Integration Testing ↳ Compliance Testing

Remember…

“Infrastructure as Code” should be tested like ANY other codebase.

● Write a unit test, watch it fail

● Write some code

● Write and run more unit tests

● Run some integration/acceptance tests

● Code review

● Delivery pipeline to production

● Lowered chance of production failure

Test-Driven Development

Add a test → Run the tests → Make a little change → Run the tests
(fail: make another change; pass: development continues or, when done, stops)

Chef DK - The Chef Development Kit

Foodcritic: Test Your "Chef Style"
▪ Validate your Chef code against Chef best practices
▪ Extend with rules to enforce organizational Chef development best practices
▪ Enforce compliance & security practices

Cookstyle: Validate your Ruby
▪ Validate your Chef code against Ruby best practices
▪ Identify potential Ruby errors (unclosed strings, etc.)
▪ Identify style/conventions that help write better code (single quotes vs. double quotes)

ChefSpec: Simulate Chef
▪ Validate your Chef code will run
▪ Testing for more advanced Chef use cases
▪ Useful for regression testing

Test Kitchen: Let's do this (almost) for real
▪ Executes your Chef code on an instance or container
▪ Integrates with Cloud and Virtualization providers
▪ Validate your Chef code locally before sharing
▪ Speed development of Chef Cookbooks

InSpec: Verify automation results & ensure compliance
▪ Assert the intention of your Chef code
▪ Verify on live systems that your Chef code produced the correct result
▪ Confirm your Chef code did not produce compliance drift

FAST INEXPENSIVE TESTING ↔ DEEP INTEGRATION TESTING

Definitive tooling for local development of Chef code & Infrastructure as Code development

Integration Testing – Add tests

describe package 'httpd' do

it { should be_installed }

end

describe service 'httpd' do

it { should be_running }

it { should be_enabled }

end

describe port(80) do

it { should be_listening }

end


Integration Testing - Run the tests


Integration Testing – Make a change

package 'httpd' do
  action :install
end

service 'httpd' do
  action [ :start, :enable ]
end


Integration Testing – Apply the change


Integration Testing – Run the tests


Continuous Workflow

Correct • Detect

GL: Adding a Node to Scan

1. From your Chef Compliance Dashboard, click Add Node.

GL: Adding a Node

2. From the resulting page, enter the node's FQDN or IP address.

3. Leave environment blank. A ‘default’ environment will be used

4. Accept the default SSH Access configuration

5. Type chef in the username field.

6. Click the password link as shown in this illustration.

Compliance Profiles Used in Scans

This image shows the default Compliance Profiles as accessed from the Scan Nodes page.

You should be thoughtful about which profiles you choose.

Notice how you can also choose to run a scan on demand or schedule a scan.

Scan Results

A Compliance Report should now display and your scan results should be similar to that shown here.

Notice how in the upper Summary section in this example, 10 tests were compliant and 6 tests show critical issues with ssh.

Compliance Profile Severity Mapping

The table below shows the current mapping of Compliance Profile impact numbering to severity.

Impact Numbering   Severity Designation
0.7 - 1.0          Critical Issues
0.4 - <0.7         Major Issues
0 - <0.4           Minor Issues

https://nvd.nist.gov/cvss.cfm

MAKE ADJUSTMENTS: My CIS L1 (inspec overlay) on top of CIS Lvl1 (xml base profile)

SPREAD TO OTHER ENVIRONMENTS: Dev, Test and Production each use My CIS L1 (inspec overlay) over CIS Lvl1 (xml base profile)