Baking Safety into Infrastructure Testing
2 likes420 views
Jessica DeVita discusses how infrastructure testing and compliance can be automated through the use of tools like InSpec. She explains how InSpec allows organizations to define compliance controls and security policies as code. This enables automated continuous testing of infrastructure to ensure compliance and safety. DeVita emphasizes that common ground, communication, and understanding between teams is important for safety. Automating compliance testing helps promote safety by conveying security policies through code and actions.
Baking Safety into Infrastructure Testing
- 1. Jessica DeVita Technical Evangelist Chef Software @ubergeekgirl Baking Safety Into Infrastructure Testing
- 2. What the heck is an evangelist?
- 6. • Software • Safety • Common ground • Compliance as code
- 8. Motorcycles
- 10. Medical Devices
- 11. Pre-DevOps
- 12. DevOps to the rescue!
- 14. Why does safety matter?
- 18. Patching
- 20. Regulations! OFAC USA PATRIOT Act Gramm-Leach-Bliley Act Red Flags Rule Bank Secrecy Act Sarbanes-Oxley Regulation E Dodd-Frank False Claims Act HIPAA European Central Bank regulations Prudential Regulation Authority Financial Conduct Authority HITECH PCI DSS
- 23. "Society's ability to regulate industries effectively is limited by it's ability to access and understand code, as we saw with the VW emissions scandal." @richardjpope
- 27. Safety can be predicted by organizational culture RonWestrum
- 28. Psychological Safety is the most powerful predictor of successful teams
- 30. Common Ground and Coordination in Joint Activity Intention • Phases • Signaling • Coordination devices & costs • Interpredictability • Common Ground • Directability
- 31. Common Ground in Joint Activity • Intention • Signals and cues • Conversation, effective Coordination • Inter-predictability • Common Ground • Who knows what • Taskwork vs. teamwork • Joint action ladder
- 32. Intention
- 33. Interdependence
- 34. Common ground is Not a "thing" Not a state Instead, it is a process an ongoing action: grounding http://www.stefanomastrogiacomo.info/wp-content/uploads/2012/11/Common-Ground.png
- 37. Signaling
- 38. Signaling carries a responsibility to judge the interrupt-ability of the other person http://corgibytes.com/blog/2016/04/15/inception-layers/
- 39. ChatOps?
- 40. All communication is done through the board
- 41. Coordination: managing dependencies between activities
- 42. Coordination cannot be manufactured through procedures and explicit guidelines.
- 43. Common Ground is Not: everyone having the same knowledge
- 45. Interpredictability Common Ground Pertinent Mutual Knowledge, Beliefs, and Assumptions
- 46. roles and functions routines skills and competencies goals and commitment stance: perceptions of time pressure fatigue competing priorities Most important types: Pertinent Mutual Knowledge, Beliefs, and Assumptions
- 47. common ground is created or lost during handoffs. https://www.flickr.com/photos/53370644@N06/4976497160
- 48. Why do teams lose common ground? • No experience working together • Access to different data • No clear rationale for the directives • Ignorance of different stances • Unexpected loss of communications and unskilled at repairing the disruption • Failure to monitor confirmation of messages • Confusion over who knows what – fundamental common ground breakdown
- 49. 3. Understand Understanding Acting The Joint Action Ladder 4. Act 2. Perceive 1. Attend
- 51. Common ground is not binary! Teams engage in activities to support common ground • structuring preparations(establish routines) • sustaining (clarifications, reminders) • updating others about changes • monitoring other team members • detecting (anomalies, signals of loss of ground) repairing the loss
- 52. "No matter how much care is taken, breakdowns in common ground are inevitable. No amount of procedure or documentation can totally prevent them."
- 53. High reliability organizations are marked by a continual mindfulness, a continual searching for indications of a loss of common ground
- 55. Making automation a team player https://tctechcrunch2011.files.wordpress.com/2015/06/robotdap-e1433960740130.jpg
- 57. InSpec is compliance as code – a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.
- 59. Mapping Compliance to InSpec control 'ssh-6.2.1' do title 'Set SSH Protocol to 2' end
- 60. Mapping Compliance to InSpec control 'ssh-6.2.1' do title 'Set SSH Protocol to 2' desc " SSH supports two different ... " end
- 61. Mapping Compliance to InSpec control 'ssh-6.2.1' do title 'Set SSH Protocol to 2' desc " SSH supports two different ... " describe sshd_config do its('Protocol') { should cmp('2') } end end
- 62. Mapping Compliance to InSpec control 'ssh-6.2.1' do impact 1.0 title 'Set SSH Protocol to 2' desc " SSH supports two different ... " describe sshd_config do its('Protocol') { should cmp('2') } end end
- 63. Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2- user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
- 64. its.... should... •it { should exist } •it { should be_installed } •it { should be_enabled } •its('max_log_file') { should cmp 6 } •its('exit_status') { should eq 0 } •its('gid') { should eq 0 }
- 65. InSpec Profiles include_controls 'os-hardening' do skip_control 'os-06' control 'os-02' do impact 0.7 end end include_controls 'ssh-hardening'
- 66. describe security_policy do its('PasswordComplexity') { should eq 1 } end describe sshd_config do its('Port') { should eq('22') } End describe iis_site('Default Web Site') do it { should have_app_pool('DefaultAppPool') } it { should have_binding('http *:80:') } end
- 67. 67
- 71. Truth can only be found in one place: the code. Only the code can truly tell you what it does. It is the only source of truly accurate information.