book

DevOpsSec

by Jim Bird

June 2016

Intermediate to advanced

85 pages

1h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
Speed: The Velocity of DeliveryWhere’s the Design?Eliminating Waste and DelaysIt’s in the CloudMicroservicesContainersSeparation of Duties in DevOpsChange Control
Shift Security LeftOWASP Proactive ControlsSecure by DefaultMaking Security Self-ServiceUsing Infrastructure as CodeIterative, Incremental Change to Contain RisksUse the Speed of Continuous Delivery to Your AdvantageThe Honeymoon Effect
Continuous DeliveryContinuous Delivery at London Multi-Asset ExchangeInjecting Security into Continuous DeliveryPrecommitCommit Stage (Continuous Integration)Acceptance StageProduction Deployment and Post-DeploymentSecure Design in DevOpsRisk Assessments and Lightweight Threat ModelingSecuring Your Software Supply ChainWriting Secure Code in Continuous DeliveryUsing Code Reviews for SecurityWhat About Pair Programming?SAST: in IDE, in Continuous Integration/Continuous DeliverySecurity Testing in Continuous DeliveryDynamic Scanning (DAST)Fuzzing and Continuous DeliverySecurity in Unit and Integration TestingAutomated AttacksPen Testing and Bug BountiesVulnerability ManagementSecuring the InfrastructureAutomated Configuration ManagementSecuring Your Continuous Delivery PipelineSecurity in ProductionRuntime Checks and MonkeysSituational Awareness and Attack-Driven DefenseRuntime DefenseLearning from Failure: Game Days, Red Teaming, and Blameless PostmortemsSecurity at Netflix
Defining Policies UpfrontAutomated Gates and ChecksManaging Changes in Continuous DeliverySeparation of Duties in the DevOps Audit ToolkitUsing the Audit Defense ToolkitCode Instead of Paperwork

Content preview from DevOpsSec

Chapter 5. Compliance as Code

DevOps can be followed to achieve what Justin Arbuckle at Chef calls “Compliance as Code”: building compliance into development and operations, and wiring compliance policies and checks and auditing into Continuous Delivery so that regulatory compliance becomes an integral part of how DevOps teams work on a day-to-day basis.

Chef Compliance

Chef Compliance is a tool from Chef that scans infrastructure and reports on compliance issues, security risks, and outdated software. It provides a centrally managed way to continuously and automatically check and enforce security and compliance policies.

Compliance profiles are defined in code to validate that systems are configured correctly, using InSpec, an open source testing framework for specifying compliance, security, and policy requirements.

You can use InSpec to write high-level, documented tests/assertions to check things such as password complexity rules, database configuration, whether packages are installed, and so on. Chef Compliance comes with a set of predefined profiles for Linux and Windows environments as well as common packages like Apache, MySQL, and Postgres.

When variances are detected, they are reported to a central dashboard and can be automatically remediated using Chef.

A way to achieve Compliance as Code is described in the “DevOps Audit Defense Toolkit”, a free, community-built process framework written by James DeLuccia, IV, Jeff Gallimore, Gene Kim, and Byron Miller.¹ The Toolkit ...