Compliance as Code: Shifting Compliance Left in Continuous Delivery
Matt Ray
July 25, 2017 RSA Singapore presentation.
1. Compliance as Code: Shifting Compliance Left in Continuous Delivery
Matt Ray, Manager/Solutions Architect APJ, Chef Software, @mattray
#RSAC
2.
3.
4. Continuous Integration
Continuous Integration requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. By integrating regularly, you can detect errors quickly and locate them more easily.
5. Continuous Deployment
Continuous Integration is the practice of testing each change made to your codebase automatically and as early as possible. Continuous Deployment follows the testing that happens during Continuous Integration and pushes changes to a staging or production system. This makes sure a version of your code is accessible at all times.
6. CI/CD Pipelines
7. Audits and Security Reviews
8.
9. SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
10. How will I verify this?
11. A one-liner with grep!
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
12.
13. More grep and sed!
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
14.
15.
16.
17.
18.
19. Compliance
20.
21. "Two-thirds of organizations did not adequately test the security of all in-scope systems"
22. Key Trends
While individual rule compliance is up, testing of security systems is down.
Sustainability is low: fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
23.
24. Shell Scripts
    grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
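Added example in Ruby (not code from Matt Ray's slides or from the InSpec project): the two one-liners above re-expressed as testable checks that return structured pass/fail results, run over constructed sample config files. It assumes that ServerTokens should be Prod and that an unset Protocol counts as a failure. It goes a step beyond the one-liners by keeping every occurrence of a directive, because sshd honours the first value of a repeated keyword while Apache honours the last, which is precisely what a grep | sed pipeline does not account for.

```ruby
# Added example, not code from the slides: the grep/sed one-liners as
# testable checks over constructed sample config files. The 'Prod'
# expectation for ServerTokens and the rule that an unset Protocol fails
# are assumptions of this example.

# Parse a "Directive value" style file (sshd_config, httpd.conf) into
# { 'directive' => [value, ...] }. Directive names are case-insensitive in
# both programs, so keys are lowercased; blank lines and comments are
# skipped. Every occurrence is kept because the two programs resolve
# duplicates differently.
def parse_directives(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    acc[key.downcase] << value.to_s.strip
  end
end

def result(id, title, fail_reason)
  { id: id, title: title, status: fail_reason ? 'failed' : 'passed', reason: fail_reason }
end

# Control from slides 9 and 11: SSHv1 must be off. sshd_config(5) uses the
# FIRST value of a repeated keyword, so a later "Protocol 2" does not undo
# an earlier "Protocol 2,1".
def check_ssh_protocol(sshd_config_text)
  values = parse_directives(sshd_config_text).fetch('protocol', [])
  reason =
    if values.empty? then 'Protocol not set explicitly'
    elsif values.first != '2' then "Protocol is #{values.first.inspect}, expected 2"
    end
  result('ssh-01', 'SSH protocol 2 only', reason)
end

# Control from slide 13: hide the Apache version banner. In httpd.conf the
# LAST occurrence of a directive in a scope wins (<VirtualHost> scoping is
# not modelled here), and Apache defaults to ServerTokens Full when unset.
def check_server_tokens(httpd_conf_text)
  values = parse_directives(httpd_conf_text).fetch('servertokens', [])
  reason =
    if values.empty? then 'ServerTokens not set (defaults to Full)'
    elsif !%w[prod productonly].include?(values.last.downcase)
      "ServerTokens is #{values.last.inspect}, expected Prod"
    end
  result('apache-01', 'ServerTokens is Prod', reason)
end

def run_profile(sshd_config_text, httpd_conf_text)
  [check_ssh_protocol(sshd_config_text), check_server_tokens(httpd_conf_text)]
end

def compliant?(results)
  results.all? { |r| r[:status] == 'passed' }
end

# Constructed sample inputs. The sshd one is deliberately tricky: the grep
# on slide 11 is case-sensitive and anchored to "^Protocol", so it sees only
# the last line and reports "2", while sshd honours the earlier lowercase
# "protocol 2,1" and keeps SSHv1 enabled.
SAMPLE_SSHD_CONFIG = <<~CFG
  #Protocol 2
  Port 22
  protocol 2,1
  Protocol 2
CFG

SAMPLE_HTTPD_CONF = <<~CFG
  ServerTokens Full
  ServerSignature Off
  ServerTokens Prod
CFG

# The same two controls in InSpec's own DSL, using the sshd_config and
# apache_conf resources listed on slide 48:
#   describe sshd_config do
#     its('Protocol') { should cmp 2 }
#   end
#   describe apache_conf do
#     its('ServerTokens') { should cmp 'Prod' }
#   end

if __FILE__ == $PROGRAM_NAME
  run_profile(SAMPLE_SSHD_CONFIG, SAMPLE_HTTPD_CONF).each do |r|
    puts "#{r[:id]} #{r[:status]}#{r[:reason] ? " (#{r[:reason]})" : ''}"
  end
end
```

Run as a script it reports ssh-01 failed and apache-01 passed for the samples; the grep on slide 11 would have printed "2" for the same sshd_config and looked compliant. Keeping the check in a file under source control is what turns the one-liner into the versioned, tested and shared artefact the later slides call for.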
25. Infrastructure Code
    package 'httpd' do
      action :install
    end

    service 'httpd' do
      action [:start, :enable]
    end
26. We Have A Communications Problem
27.
28. Security != Compliance
29. Secure / Compliant
30.
31.
32.
33.
34.
35. Role of the Compliance Officer
    Manual Compliance                  | Compliance at Velocity
    Reactive engagement                | Proactive engagement
    Checking implementations by hand   | Expressing policy as testable code
    Short term compliance              | Long term process improvement
36. Compliance as Code
    • Source control
    • Versioned
    • Tested
    • Shared
37.
38. Detect and Correct
Scan for Compliance -> Build & Test Locally -> Build & Test in CI/CD -> Remediate -> Verify
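Added example in Ruby (not code from the slides, InSpec or Chef): the Detect and Correct loop above, scan then remediate then verify, run over a constructed in-memory node. The node layout, the control ids and the remediation steps are assumptions of this example; on a real host the scan would be an InSpec profile and the remediation a Chef recipe like the one on slide 25. It also covers the failure mode the loop has to handle: a control with no automated fix must still be reported after the verify step rather than silently dropped.

```ruby
# Added example, not code from the slides: the Detect and Correct loop
# (scan -> remediate -> verify) over a constructed in-memory node. Node
# fields, control ids and remediation steps are assumptions of this example.

Control = Struct.new(:id, :title, :check, :remediate, keyword_init: true)

# Desired state mirrors the slide-25 recipe (httpd installed, started and
# enabled) plus the ServerTokens hardening from slide 13. The SSH control
# has no automated fix, so the loop must surface it for a human instead.
CONTROLS = [
  Control.new(id: 'httpd-installed', title: 'httpd package is installed',
              check: ->(n) { n[:packages].include?('httpd') },
              remediate: ->(n) { n[:packages] << 'httpd' }),
  Control.new(id: 'httpd-running', title: 'httpd service is running and enabled',
              check: ->(n) { n[:services]['httpd'] == { running: true, enabled: true } },
              remediate: ->(n) { n[:services]['httpd'] = { running: true, enabled: true } }),
  Control.new(id: 'server-tokens', title: 'ServerTokens is Prod',
              check: ->(n) { n[:httpd_conf]['ServerTokens'].to_s.casecmp('prod').zero? },
              remediate: ->(n) { n[:httpd_conf]['ServerTokens'] = 'Prod' }),
  Control.new(id: 'ssh-protocol', title: 'SSH protocol 2 only',
              check: ->(n) { n[:sshd_config]['Protocol'] == '2' },
              remediate: nil)
].freeze

# Scan: evaluate every control and record pass/fail, changing nothing.
def scan(node, controls = CONTROLS)
  controls.map { |c| [c.id, c.check.call(node) ? 'passed' : 'failed'] }.to_h
end

# Remediate: apply a fix only where the scan failed and a fix exists, so
# re-running the loop on a compliant node changes nothing (idempotent).
def remediate(node, scan_results, controls = CONTROLS)
  controls.each_with_object([]) do |c, fixed|
    next unless scan_results[c.id] == 'failed' && c.remediate
    c.remediate.call(node)
    fixed << c.id
  end
end

# The full loop: detect, correct, then verify with a fresh scan. Controls
# still failing after verify are the ones that need manual remediation.
def detect_and_correct(node, controls = CONTROLS)
  before = scan(node, controls)
  fixed = remediate(node, before, controls)
  after = scan(node, controls)
  { before: before, remediated: fixed, after: after,
    needs_manual_action: after.select { |_, status| status == 'failed' }.keys }
end

# Constructed starting state: a freshly provisioned host with nothing set up
# and an sshd_config that still allows SSHv1.
def sample_node
  { packages: [], services: {}, httpd_conf: {}, sshd_config: { 'Protocol' => '2,1' } }
end

if __FILE__ == $PROGRAM_NAME
  report = detect_and_correct(sample_node)
  report[:after].each { |id, status| puts "#{id}: #{status}" }
  puts "needs manual action: #{report[:needs_manual_action].join(', ')}"
end
```

The second pass over the same node remediates nothing, which is the property that lets the loop run on every CI/CD build without drifting the system; the ssh-protocol control stays in the report until someone fixes it, so the verify step never hides a gap that automation could not close.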
39. Accelerated Cycle
    Infrastructure as Code: Separate certification & testing
    Policy as Code: Common language for describing & applying policy
    Practice as Code: Compliance at velocity
40. Turns security and compliance into code
41. Compliance Language
42. One Language
    • Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
43. Windows
44. One Language
    • Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
    • Bare-metal, VMs, Containers
    • Databases, APIs, Cloud Platforms, ...
45. Databases
46. Cloud Platforms
47. One Language
    • Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
    • Bare-metal, VMs, Containers
    • Databases, APIs, Cloud Platforms, ...
48. Examples of Available Resources
apache_conf, apt, audit_policy, auditd_conf, auditd_rules, command, crontab, directory, etc_group, file, gem, group, host, inetd_conf, interface, iptables, kernel_module, kernel_parameter, limits_conf, mount, mysql_conf, mysql_session, npm, os, os_env, package, parse_config, passwd, pip, port, postgres_conf, postgres_session, powershell, processes, registry_key, security_policy, service, ssh_config, sshd_config, user, windows_feature, yum
49. InSpec: agentless
Test your machine locally:
    inspec exec test.rb
Test a machine remotely via SSH:
    inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM:
    inspec exec test.rb -t winrm://Admin@192.168.1.2 --password xyz
Test a Docker container:
    inspec exec test.rb -t docker://5cc8837bb6a8
50. Operating System & Application Coverage
Microsoft Windows, Red Hat Enterprise Linux, Ubuntu Linux, SUSE Linux Enterprise Server, Oracle Enterprise Linux, AIX, HP-UX, Solaris, VMware ESXi, MySQL, Oracle, PostgreSQL, Tomcat, SQL Server, IIS, HTTP request
51. Open Source
    Community: https://inspec.io
    Code: https://github.com/chef/inspec
    Profiles: https://supermarket.chef.io
    Tutorials: https://learn.chef.io
    #inspec in https://chefcommunity.slack.com
52. What is it not?
    IDS / IPS
    Firewall
    Antivirus
    Pentesting tool
53. InSpec - Part of your InfoSec toolchain
Continuous Compliance Automation | Firewall | Antivirus | Intrusion Detection/Prevention | Penetration Testing
54. The New DevSecOps (Security, DevOps, Compliance)
    The Old Way: People working directly on machines
    The New Way: Shared tooling across organizations
55. Thanks!
Matt Ray, Manager/Solutions Architect APJ, matt@chef.io, @mattray
56. Sponsors of DevOps Connect: DevSecOps