Hands-on Policy as Code
Published by O'Reilly Media, Inc.
Build security and compliance into your development lifecycle
If you’re responsible for building infrastructure, you might ask yourself if it’s secure to add a firewall rule allowing traffic from everywhere or enable public access to an object store. How do you know your application and infrastructure configurations adhere to compliance and security standards? The answer: policy as code—a set of rules and checks that automatically verify the security and compliance of your configurations as part of your development lifecycle.
As more organizations adopt DevOps and public cloud, policy as code is an increasingly valuable method of scaling the communication of security rules and compliance standards—and a lower friction method of teaching security practices. Without policy as code, you might find yourself accidentally applying a configuration for an open storage bucket, unencrypted queue, or unrestricted access control. At worst, these misconfigurations can be exploited by bad actors. At best, they get duplicated across an organization without anyone knowing better, leading to overly complex systems that are painful to manage.
Join expert Rosemary Wang to explore policy as code and see how to best apply it to communicate and scale security policies. You’ll learn how policy as code tools examine infrastructure configurations (such as those produced by Terraform), how to add security tests to your continuous delivery pipelines, how to write a policy with both a behavior-driven development tool and a domain-specific language, and more.
What you’ll learn and how you can apply it
By the end of this live online course, you’ll understand:
- Policy as code concepts
- Where policy as code can be applied
- How to use it to communicate and scale security policies
- How policy as code tools examine infrastructure configurations, such as those produced by Terraform
And you’ll be able to:
- Decide what configurations to test in infrastructure as code
- Add security tests to continuous delivery pipelines
- Write a policy with a behavior-driven development tool (such as terraform-compliance)
- Write a policy with a domain-specific language (such as Rego, the policy language of Open Policy Agent)
This live event is for you because...
- You work with public cloud infrastructure.
- You want to become a security-aware senior developer or engineer.
- You’re an architect looking to scale policy, security, and compliance.
Prerequisites
- A working knowledge of one or more public cloud providers
- Familiarity with security best practices and principles (e.g., secrets, access control, and least privilege)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
What is policy as code? (20 minutes)
- Presentation: What is policy as code, and why does it matter for infrastructure?
- Group discussion: What policies do you check in your infrastructure that you want to automate?
How do policy as code tools work? (20 minutes)
- Presentation: Deep dive into policy as code tools; how they parse infrastructure state or configuration
- Hands-on exercise: Write an infrastructure configuration for a policy test to pass
- Q&A
Where does it fit into my infrastructure development lifecycle? (15 minutes)
- Presentation: Running policy as code before deploying infrastructure to production
- Group discussion: Where can you insert policy tests into an infrastructure deployment pipeline?
Break (5 minutes)
What policies should I be using: industry benchmarks or my own? (20 minutes)
- Presentation: Where to find prewritten policy sets such as CIS benchmarks
- Hands-on exercise: Search for a prewritten policy set with rules for Google Cloud
- Group discussion: What if you need to add custom policies to industry benchmarks?
Writing policies with behavior-driven development frameworks (20 minutes)
- Presentation: Using behavior-driven development frameworks like terraform-compliance
- Hands-on exercise: Write a policy with terraform-compliance
- Q&A
Writing policies with domain-specific languages (20 minutes)
- Presentation: Using domain-specific languages for policy as code
- Hands-on exercise: Write a policy with Open Policy Agent
- Q&A
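To make concrete what the "How do policy as code tools work?" and "Writing policies" sessions describe, here is an added example (not course material, and not code from terraform-compliance or Open Policy Agent) of the mechanism those tools share: read the JSON that `terraform show -json` emits for a saved plan, walk `resource_changes`, and apply rules to each resource's planned `after` attributes. The three rules cover the misconfigurations named above (a firewall rule open to everywhere, a public object store, an unencrypted queue). The sample plan is constructed inline, and the AWS provider attribute names it uses (`ingress`, `cidr_blocks`, `acl`, `kms_master_key_id`, `sqs_managed_sse_enabled`) are assumptions for illustration rather than anything taken from the page.

```python
"""Check a Terraform plan (JSON from `terraform show -json tfplan`) against a few
security policies. Added example for illustration; the rules and the sample plan
are constructed here, and the attribute names assume the AWS provider."""
import json
import sys
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample of `terraform show -json` output, trimmed to the fields
# the checks below read. `after` holds the planned attribute values.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_sqs_queue.events", "type": "aws_sqs_queue",
         "change": {"actions": ["create"], "after": {
             "kms_master_key_id": None, "sqs_managed_sse_enabled": False}}},
        # A deletion has no planned state, so there is nothing to check.
        {"address": "aws_sqs_queue.old", "type": "aws_sqs_queue",
         "change": {"actions": ["delete"], "after": None}},
    ],
})

Violation = Tuple[str, str]            # (resource address, message)
Rule = Callable[[str, str, Dict], Iterator[str]]

# Policy decision: the only port that may be reachable from anywhere is HTTPS.
ALLOWED_PUBLIC_PORTS = {443}
WORLD = ("0.0.0.0/0", "::/0")


def world_open_ports(address: str, rtype: str, after: Dict) -> Iterator[str]:
    """Flag security group ingress rules open to the whole internet on
    anything other than the allowed ports."""
    if rtype != "aws_security_group":
        return
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not any(c in WORLD for c in cidrs):
            continue
        lo, hi = rule.get("from_port"), rule.get("to_port")
        if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
            continue
        yield f"ingress {lo}-{hi}/{rule.get('protocol')} open to the world"


def public_bucket(address: str, rtype: str, after: Dict) -> Iterator[str]:
    """Flag S3 buckets whose canned ACL grants anonymous access."""
    if rtype == "aws_s3_bucket":
        acl = after.get("acl") or "private"
        if acl in ("public-read", "public-read-write"):
            yield f"bucket ACL {acl!r} grants anonymous access"


def unencrypted_queue(address: str, rtype: str, after: Dict) -> Iterator[str]:
    """Flag SQS queues with neither a KMS key nor SQS-managed encryption."""
    if rtype == "aws_sqs_queue":
        if not (after.get("kms_master_key_id") or after.get("sqs_managed_sse_enabled")):
            yield "queue has no server-side encryption configured"


RULES: List[Rule] = [world_open_ports, public_bucket, unencrypted_queue]


def evaluate(plan_json: str, rules: List[Rule] = RULES) -> List[Violation]:
    """Run every rule over every planned resource and collect violations."""
    plan = json.loads(plan_json)
    violations: List[Violation] = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:              # deleted resource: no planned state
            continue
        for rule in rules:
            for message in rule(rc["address"], rc["type"], after):
                violations.append((rc["address"], message))
    return violations


if __name__ == "__main__":
    # Exit non-zero so a pipeline stage fails before `terraform apply` runs.
    found = evaluate(SAMPLE_PLAN)
    for address, message in found:
        print(f"DENY {address}: {message}")
    sys.exit(1 if found else 0)
```

Run against the constructed plan, the checker denies the SSH rule (the HTTPS rule on the same group passes), the public bucket and the unencrypted queue, and ignores the queue being deleted. In the course's tools the same three rules would be expressed as Gherkin scenarios (terraform-compliance) or Rego rules (Open Policy Agent) evaluated over this same `terraform show -json` document; what changes is the language, not the input or the place in the pipeline.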
Your Instructor
Rosemary Wang
Rosemary Wang works to bridge the technical and cultural barriers between infrastructure, security, and application development. She has a fascination with solving intractable problems as a contributor and advocate of open source infrastructure tools. Recently, Rosemary’s been working on her upcoming book, Essential Infrastructure as Code. She also valiantly attempts to hack stacks of various infrastructure systems on her laptop while watering houseplants.