© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski
@pczarkowski
Compliance as Code
Ugh, not another devops talk
Paul Czarkowski Developer Advocate at Pivotal Software
● Systems Administrator
● DevOps Practitioner
● Open Source Contributor
Agenda
■ Who I Am
■ What is Compliance?
■ What is DevOps ?
■ Compliance as Code
■ Q+A
What is Compliance ?
Self Imposed
● CIS Controls / Benchmarks
● Security Technical Implementation Guide (STIG)
● Allowed opensource licenses
Regulatory
● PCI (US)
● HIPAA (US)
● Sarbanes-Oxley (US)
● EU GDPR
● NZ Information Security Manual (NZISM)
Verification
Validation of compliance based on controls in place.
● Checklists
● External Auditors
Checklists
Practice, Policy or Procedure established to meet compliance requirements.
● Spreadsheets
● Checklists
● Sharepoint Pages
Specifications
Documentation of requirements that need to be met in order to be compliant.
● PDFs
● Verbose
(Slide diagram labels: Compliance, Controls, Audit)
Example of Compliance Specifications (two example slides, shown as images)
Compliance as Code
(Diagram of the roles involved: Compliance Officer, Operations, Security Officer, Auditor)
What is DevOps ?
Compliance as Code
LEAN
http://blog.d2-si.fr/2016/02/22/devopsconnection/
Compliance as Code
Rugged DevOps
DevSecOps
Secure DevOps
Compliance as Code
(Platform diagram: the Pivotal Cloud Foundry stack and the "3Rs")
● Platform layer: Embedded OS (Windows & Linux); NSX-T; CPI (15 methods); versions v1, v2, v3, ...; CVEs; Product Updates
● Pivotal Application Service (PAS): Application Code & Frameworks (Java | .NET | NodeJS); Buildpacks | Spring Boot | Spring Cloud | Steeltoe; >cf push (WE build the container)
● Pivotal Container Service (PKS): Elastic | Packaged Software | Spark; >kubectl run (YOU build the container)
● IaaS: vSphere, Azure & Azure Stack, Google Cloud, AWS, Openstack
● Delivery: Pivotal Network, Github, Concourse (continuous delivery)
● Pivotal Services Marketplace: Pivotal and Partner Products, Public Cloud Services, Customer Managed Services (Open Service Broker API)
● "3Rs": Repair (CVEs), Repave, Rotate (Credhub)
PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems.
BOSH
● Packaging w/ embedded OS
● Server provisioning on any IaaS
● Software deployment across availability zones
● Health monitoring (server AND processes)
● Self-healing w/ Resurrector
● Storage management
● Rolling upgrades via canaries
● Easy scaling of clusters
Culture
Adopting a DevOps culture
Despite varying approaches to describing high-performance teams, there is a set of common characteristics that are recognised to lead to success.
● Participative leadership – using a democratic leadership style that involves and engages team members
● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on the nature of the decision task
● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective communication methods and channels
● Valued diversity – valuing a diversity of experience and background in the team, contributing to a diversity of viewpoints, leading to better decision making and solutions
● Mutual trust – trusting in other team members and trusting in the team as an entity
● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and resonance for each team member, building commitment and engagement
● Defined roles and responsibilities – each team member understands what they must do (and what they must not do) to demonstrate their commitment to the team and to support team success
● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to deliver success
https://en.wikipedia.org/wiki/High-performance_teams
Lean
https://imgur.com/gallery/kMJWs
https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings
Mappable Processes that include Security / Compliance
Application Release
● Vulnerability Scanning
● Security Scanning (sql injection etc)
● License Scanning
● Attribution
Compliance Audits
● Vulnerability Scanning
● Security Scanning (sql injection etc)
● Package updates
● OS inspection
Infrastructure Provisioning
● OS Hardening
● Firewalling
● User Management
● Remote logging and auditing
● Intrusion Detection
● Vulnerability Scanning
Value Stream map for Provisioning a New Server
Current State
(Value stream diagram) Steps: Prepare Request → Network / VLANs → Launch VM / Install OS → Test Compliance → Deliver
Timings shown on the map: 1-5 days, 1-5 days, 1-5 days, 1-5 days, 1-2 days, 1-2 days, 1-2 days, 1-2 days
Value Stream map for Provisioning a New Server
Future State
(Value stream diagram) Steps: Deploy VM → Configure VM → Test Compliance → Deliver
Timings shown on the map: 1-5 days, 1-5 days, 1-5 days, 1-2 hours, 1-2 hours, 1-2 hours
Automation
STIG controls via Ansible
● Implements STIG controls via Ansible playbooks
● Opensource project started at Rackspace
● Plays well with existing config management
● Easily override problematic controls
InSpec
● Extends RSPEC for Compliance testing
● Similar to Serverspec, but better.
● Easy to go from serverspec to inspec
● Inspec-STIG is all of STIG already written into inspec tests.
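The bullets above describe controls expressed as code that run against a host and that a team can override when a control is problematic. As an added example that is not part of the deck and not InSpec's DSL or the Ansible project's own code, the plain-Ruby script below shows the shape of such a check: a handful of SSH hardening controls (the ids SSH-01 to SSH-04 are placeholders, not real STIG identifiers) evaluated against a constructed sshd_config, a skip list for accepted deviations, and a summary a CI pipeline could gate on.

```ruby
# Added example: a minimal "compliance as code" runner in plain Ruby, in the
# spirit of InSpec/Serverspec checks. This is not InSpec's DSL and not any
# project's code; it only shows how controls-as-code and overrides fit together.

# Constructed sample input: a hypothetical sshd_config, not taken from any host.
SAMPLE_SSHD_CONFIG = <<~CONF
  # sshd_config (constructed sample)
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding yes
  ClientAliveInterval 600
CONF

# Parse "Key value" lines into a hash keyed by lower-cased option name;
# comments and blank lines are ignored.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] = value
  end
end

# A control: identifier, human-readable title, and a check that receives the
# parsed config and returns true (pass) or false (fail).
Control = Struct.new(:id, :title, :check)

# Control ids are illustrative placeholders, not real STIG identifiers.
CONTROLS = [
  Control.new("SSH-01", "Root login over SSH is disabled",
              ->(c) { c["permitrootlogin"] == "no" }),
  Control.new("SSH-02", "Password authentication is disabled",
              ->(c) { c["passwordauthentication"] == "no" }),
  Control.new("SSH-03", "X11 forwarding is disabled",
              ->(c) { c["x11forwarding"] == "no" }),
  Control.new("SSH-04", "Idle sessions time out within 10 minutes",
              ->(c) { c.key?("clientaliveinterval") &&
                      c["clientaliveinterval"].to_i.between?(1, 600) }),
].freeze

# Run every control against the config text. `skip` lists control ids that
# the team has formally overridden (an accepted deviation), so they are
# reported as skipped rather than silently dropped.
def run_controls(config_text, controls: CONTROLS, skip: [])
  cfg = parse_sshd_config(config_text)
  controls.map do |ctl|
    status = if skip.include?(ctl.id)
               :skipped
             elsif ctl.check.call(cfg)
               :passed
             else
               :failed
             end
    { id: ctl.id, title: ctl.title, status: status }
  end
end

# Summarise results the way a CI gate would consume them: any failed control
# means the host is non-compliant; skipped controls do not count either way.
def summary(results)
  counts = Hash.new(0)
  results.each { |r| counts[r[:status]] += 1 }
  { passed: counts[:passed], failed: counts[:failed], skipped: counts[:skipped],
    compliant: counts[:failed].zero? }
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls(SAMPLE_SSHD_CONFIG, skip: ["SSH-03"])
  results.each { |r| puts format("%-8s %-7s %s", r[:id], r[:status], r[:title]) }
  puts summary(results).inspect
end
```

Run it with `ruby compliance_check.rb`: on the constructed config SSH-01 fails (root login is still permitted), SSH-03 is reported as skipped because of the override, and the summary's `compliant` flag is false, which is what a pipeline step should gate on. A real InSpec profile would replace the hand-written parser with InSpec's built-in sshd_config resource and keep only the control definitions, which is the point of expressing compliance this way: the controls, the overrides and their results all live in version control next to the playbooks that apply them.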
Example of Compliance Specifications
Measurement
Sharing
What’s Next ?
LEAN
https://en.wikipedia.org/wiki/Continuous_delivery
Other Security / Compliance tools
● Gauntlt (Security Testing Framework)
● Metasploit (Penetration Testing)
● Syntribos (API security testing)
● Pivotal LicenseFinder (Scanning licenses of dependencies)
● Snort (Intrusion Detection)
● Fossology (license compliance)
● OpenVAS (vulnerability scanning)
● OSSEC (Intrusion Detection)
Questions ?
Transforming How The World Builds Software
© Copyright 2018 Pivotal Software, Inc. All rights Reserved.