SlideShare une entreprise Scribd logo

Compliance as Code: Shifting Compliance Left in Continuous Delivery

Matt Ray
Matt Ray

July 25, 2017 RSA Singapore presentation.

Technologie
1  sur  56
Télécharger pour lire hors ligne
SESSION ID:SESSION ID: #RSAC Matt Ray Compliance as Code: Shifting Compliance Left in Continuous Delivery Manager/Solutions Architect APJ Chef Software @mattray
#RSAC
#RSAC
#RSAC Continuous Integration Continuous Integration requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. By integrating regularly, you can detect errors quickly, and locate them more easily.
#RSAC Continuous Deployment Continuous Integration is the practice of testing each change done to your codebase automatically and as early as possible. Continuous Deployment follows the testing that happens during Continuous Integration and pushes changes to a staging or production system. This makes sure a version of your code is accessible at all times.
#RSAC CI/CD Pipelines
#RSAC Audits and Security Reviews
#RSAC
#RSAC SSH Control “SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.”
#RSAC How will I verify this?
#RSAC A one-liner with grep! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
#RSAC
#RSAC More grep and sed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC C o m p l i a n c e
#RSAC
#RSAC “Two-thirds of organizations did not adequately test the security of all in- scope systems”
#RSAC While individual rule compliance is up, testing of security systems is down Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation. Key Trends
#RSAC
#RSAC Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
#RSAC Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end
#RSAC We Have A Communications Problem
#RSAC
#RSAC Security != Compliance
#RSAC Secure Compliant
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC Role of the Compliance Officer Compliance at VelocityManual Compliance Reactive engagement Proactive engagement Checking implementations by hand Expressing policy as testable code Short term compliance Long term process improvement
#RSAC Compliance as Code • Source control • Versioned • Tested • Shared
#RSAC
#RSAC Detect and Correct Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify
#RSAC Accelerated Cycle INFRASTRUCTURE AS CODE POLICY AS CODE PRACTICE AS CODE Separate certification & testing Common language for describing & applying policy Compliance at velocity
#RSAC Turns security and compliance into code
#RSAC Compliance Language
#RSAC One Language • Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
#RSAC Windows
#RSAC One Language • Linux, Windows, BSD, Solaris, AIX, HP-UX, ... • Bare-metal, VMs, Containers • Databases, APIs, Cloud Platforms, ...
#RSAC Databases
#RSAC Cloud Platforms
#RSAC One Language • Linux, Windows, BSD, Solaris, AIX, HP-UX, ... • Bare-metal, VMs, Containers • Databases, APIs, Cloud Platforms, ...
#RSAC Examples of Available Resources apache_conf apt audit_policy auditd_conf auditd_rules command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf mount mysql_conf mysql_session npm os os_env package parse_config passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum
#RSAC InSpec > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password xyz Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
#RSAC Operating System & Application Coverage Microsoft Windows Red Hat Enterprise Linux Ubuntu Linux SUSE Linux Enterprise Server Oracle Enterprise Linux AIX HP-UX Solaris VMware ESXi MySQL Oracle PostgreSQL Tomcat SQL Server IIS HTTP request
#RSAC Open Source Community https://inspec.io Code https://github.com/chef/inspec Profiles https://supermarket.chef.io Tutorials https://learn.chef.io #inspec in https://chefcommunity.slack.com
#RSAC What is it not? IDS / IPS Firewall Antivirus Pentesting tool
#RSAC CONTINUOUS COMPLIANCE AUTOMATIONFIREWALL ANTIVIRUS INTRUSION DETECTION/ PREVENTION PENETRATION TESTING InSpec - Part of your InfoSec toolchain
#RSAC The New DevSecOps The Old Way People working directly on machines SECURITY DEVOPS COMPLIANCE The New Way Shared tooling across organizations
#RSAC Thanks! Matt Ray Manager/Solutions Architect APJ matt@chef.io @mattray
#RSAC Sponsors of DevOps Connect: DevSecOps

Recommandé

SonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualitySonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualityLarry Nung
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Sonarqube
SonarqubeSonarqube
SonarqubePeerapat Asoktummarungsri
 
Continuous Development Pipeline
Continuous Development PipelineContinuous Development Pipeline
Continuous Development PipelineIzzet Mustafaiev
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerManu Pk
 
Static code analysis with sonar qube
Static code analysis with sonar qubeStatic code analysis with sonar qube
Static code analysis with sonar qubeHayi Nukman
 
CI/CD for everyone else
CI/CD for everyone elseCI/CD for everyone else
CI/CD for everyone elseVictor Morales
 
Software development terminology
Software development terminologySoftware development terminology
Software development terminologyjstack
 

Recommandé

SonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualitySonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualityLarry Nung
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Sonarqube
SonarqubeSonarqube
SonarqubePeerapat Asoktummarungsri
 
Continuous Development Pipeline
Continuous Development PipelineContinuous Development Pipeline
Continuous Development PipelineIzzet Mustafaiev
 
The story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps EngineerManu Pk
 
Static code analysis with sonar qube
Static code analysis with sonar qubeStatic code analysis with sonar qube
Static code analysis with sonar qubeHayi Nukman
 
CI/CD for everyone else
CI/CD for everyone elseCI/CD for everyone else
CI/CD for everyone elseVictor Morales
 
Software development terminology
Software development terminologySoftware development terminology
Software development terminologyjstack
 
Jenkins with SonarQube
Jenkins with SonarQubeJenkins with SonarQube
Jenkins with SonarQubeSomkiat Puisungnoen
 
Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryCyrille Le Clerc
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Improving software quality using Continuous Integration
Improving software quality using Continuous IntegrationImproving software quality using Continuous Integration
Improving software quality using Continuous IntegrationWouter Konecny
 
Sonarqube
SonarqubeSonarqube
SonarqubeKalkey
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineKris Buytaert
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarPascal Larocque
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRogue Wave Software
 
Continuous Integration 101
Continuous Integration 101Continuous Integration 101
Continuous Integration 101John Ferguson Smart Limited
 
Under the hood of the particular service platform
Under the hood of the particular service platformUnder the hood of the particular service platform
Under the hood of the particular service platformParticular Software
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCASuman Sourav
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...DevOps.com
 
Your Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsYour Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsDevOps.com
 
Improve Development Process with Open Source Software
Improve Development Process with Open Source SoftwareImprove Development Process with Open Source Software
Improve Development Process with Open Source Softwareelliando dias
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)Arjun Comar
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 

Contenu connexe

Tendances

Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryCyrille Le Clerc
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Improving software quality using Continuous Integration
Improving software quality using Continuous IntegrationImproving software quality using Continuous Integration
Improving software quality using Continuous IntegrationWouter Konecny
 
Sonarqube
SonarqubeSonarqube
SonarqubeKalkey
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineKris Buytaert
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarPascal Larocque
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRogue Wave Software
 
Under the hood of the particular service platform
Under the hood of the particular service platformUnder the hood of the particular service platform
Under the hood of the particular service platformParticular Software
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCASuman Sourav
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...DevOps.com
 
Your Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsYour Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsDevOps.com
 
Improve Development Process with Open Source Software
Improve Development Process with Open Source SoftwareImprove Development Process with Open Source Software
Improve Development Process with Open Source Softwareelliando dias
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)Arjun Comar
 

Tendances (20)

Jenkins with SonarQube
Jenkins with SonarQubeJenkins with SonarQube
Jenkins with SonarQube
 
Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetry
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Improving software quality using Continuous Integration
Improving software quality using Continuous IntegrationImproving software quality using Continuous Integration
Improving software quality using Continuous Integration
 
Sonarqube
SonarqubeSonarqube
Sonarqube
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipeline
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and Sonar
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Continuous Integration 101
Continuous Integration 101Continuous Integration 101
Continuous Integration 101
 
Under the hood of the particular service platform
Under the hood of the particular service platformUnder the hood of the particular service platform
Under the hood of the particular service platform
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missing
 
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with...
 
Your Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsYour Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOps
 
Improve Development Process with Open Source Software
Improve Development Process with Open Source SoftwareImprove Development Process with Open Source Software
Improve Development Process with Open Source Software
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer Certification
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
 

Similaire à Compliance as Code: Shifting Compliance Left in Continuous Delivery

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityPriyanka Aash
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017AgileNZ Conference
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Matt Ray
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
Automating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyAutomating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyMatt Ray
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMatt Ray
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code EverywhereMatt Ray
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
How Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOpsHow Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOpsAndrew Storms
 
Continuous integration
Continuous integrationContinuous integration
Continuous integrationLior Tal
 
Introduction to Continuous integration
Introduction to Continuous integrationIntroduction to Continuous integration
Introduction to Continuous integrationliortal53
 
Continous integration and delivery for single page applications
Continous integration and delivery for single page applicationsContinous integration and delivery for single page applications
Continous integration and delivery for single page applicationsSunil Dalal
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash
 

Similaire à Compliance as Code: Shifting Compliance Left in Continuous Delivery (20)

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Automating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North SydneyAutomating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec - AWS North Sydney
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
How Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOpsHow Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOps
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
 
Introduction to Continuous integration
Introduction to Continuous integrationIntroduction to Continuous integration
Introduction to Continuous integration
 
Continous integration and delivery for single page applications
Continous integration and delivery for single page applicationsContinous integration and delivery for single page applications
Continous integration and delivery for single page applications
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 

Plus de Matt Ray

Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...Matt Ray
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherHashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherMatt Ray
 
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP ModeEmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP ModeMatt Ray
 
Wellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatWellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatMatt Ray
 
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...Matt Ray
 
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Matt Ray
 
DevOpsDays Jakarta: State of DevOps 2018
DevOpsDays Jakarta: State of DevOps 2018DevOpsDays Jakarta: State of DevOps 2018
DevOpsDays Jakarta: State of DevOps 2018Matt Ray
 
DevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
DevOps Talks Melbourne 2018: Whales, Cats and KubernetesDevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
DevOps Talks Melbourne 2018: Whales, Cats and KubernetesMatt Ray
 
Infrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateInfrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateMatt Ray
 
Cooking Up Windows with Chef Automate
Cooking Up Windows with Chef AutomateCooking Up Windows with Chef Automate
Cooking Up Windows with Chef AutomateMatt Ray
 
DevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat IgniteDevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat IgniteMatt Ray
 
Chef Automate - Azure Sydney User Group
Chef Automate - Azure Sydney User GroupChef Automate - Azure Sydney User Group
Chef Automate - Azure Sydney User GroupMatt Ray
 
Automating Applications with Habitat - Sydney Cloud Native Meetup
Automating Applications with Habitat - Sydney Cloud Native MeetupAutomating Applications with Habitat - Sydney Cloud Native Meetup
Automating Applications with Habitat - Sydney Cloud Native MeetupMatt Ray
 
Chef Automate - Infracoders Canberra August 8, 2017
Chef Automate - Infracoders Canberra August 8, 2017Chef Automate - Infracoders Canberra August 8, 2017
Chef Automate - Infracoders Canberra August 8, 2017Matt Ray
 
OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS Matt Ray
 
Chef Automate - Wellington DevOps August 2, 2017
Chef Automate - Wellington DevOps August 2, 2017Chef Automate - Wellington DevOps August 2, 2017
Chef Automate - Wellington DevOps August 2, 2017Matt Ray
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
DevOps Sydney: Chef Automate
DevOps Sydney: Chef AutomateDevOps Sydney: Chef Automate
DevOps Sydney: Chef AutomateMatt Ray
 

Plus de Matt Ray (20)

Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better TogetherHashiTalks 2020 - Chef Tools & Terraform: Better Together
HashiTalks 2020 - Chef Tools & Terraform: Better Together
 
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP ModeEmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
 
Wellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatWellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with Habitat
 
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
 
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
 
DevOpsDays Jakarta: State of DevOps 2018
DevOpsDays Jakarta: State of DevOps 2018DevOpsDays Jakarta: State of DevOps 2018
DevOpsDays Jakarta: State of DevOps 2018
 
DevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
DevOps Talks Melbourne 2018: Whales, Cats and KubernetesDevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
DevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
 
Infrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef AutomateInfrastructure and Compliance Delight with Chef Automate
Infrastructure and Compliance Delight with Chef Automate
 
Cooking Up Windows with Chef Automate
Cooking Up Windows with Chef AutomateCooking Up Windows with Chef Automate
Cooking Up Windows with Chef Automate
 
DevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat IgniteDevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat Ignite
 
Chef Automate - Azure Sydney User Group
Chef Automate - Azure Sydney User GroupChef Automate - Azure Sydney User Group
Chef Automate - Azure Sydney User Group
 
Automating Applications with Habitat - Sydney Cloud Native Meetup
Automating Applications with Habitat - Sydney Cloud Native MeetupAutomating Applications with Habitat - Sydney Cloud Native Meetup
Automating Applications with Habitat - Sydney Cloud Native Meetup
 
Chef Automate - Infracoders Canberra August 8, 2017
Chef Automate - Infracoders Canberra August 8, 2017Chef Automate - Infracoders Canberra August 8, 2017
Chef Automate - Infracoders Canberra August 8, 2017
 
OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS
 
Chef Automate - Wellington DevOps August 2, 2017
Chef Automate - Wellington DevOps August 2, 2017Chef Automate - Wellington DevOps August 2, 2017
Chef Automate - Wellington DevOps August 2, 2017
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore Meetup
 
DevOps Sydney: Chef Automate
DevOps Sydney: Chef AutomateDevOps Sydney: Chef Automate
DevOps Sydney: Chef Automate
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Compliance as Code: Shifting Compliance Left in Continuous Delivery