SlideShare a Scribd company logo
1 of 30
Download to read offline
1
Akash Mahajan
Founder/Director at Appsecco
ALLDAYDEVOPS 2016
SYSTEM HARDENING
USING ANSIBLE
(APPLICATION DEPLOYMENT + CONFIGURATION
MANAGEMENT + CONTINUOUS SECURITY)
THAT WEB APPLICATION SECURITY GUY
“Start with Why?
- Simon Sinek
THIS IS A STORY ABOUT APPSEC
OWASP TOP 10 - A5 SECURITY MISCONFIGURATION
http://cheezburger.com/4834698752 https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
AM I VULNERABLE TO ‘SECURITY MISCONFIGURATION’?
Is any of your software out of date?
Are there any un-necessary features enabled/installed?
Ports, Services, Accounts, Pages, Privileges
Are default accounts and their passwords enabled/
unchanged?
Are security settings and libraries not set to secure
values?
OWASP TOP 10 - A5 SECURITY MISCONFIGURATION
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
EXAMPLE ATTACK SCENARIOS
Attacker discovers the standard admin pages are on your server, logs
in with default passwords, and takes over.
Attacker finds due to directory listing and downloads all your
compiled Java classes, which she decompiles and reverse engineers to
get all your custom code. She then finds a serious access control flaw in
your application.
App server configuration allows stack traces to be returned to users,
potentially exposing underlying flaws. Attackers love the extra
information error messages provide.
https://twitter.com/SwiftOnSecurity/status/793976943276265472
OWASP TOP 10 - A5 SECURITY MISCONFIGURATION
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
PREVENTING SECURITY MISCONFIGURATION
A repeatable hardening process that makes it fast and easy to deploy a
properly locked down environment
Dev/QA/Prod should be configured identically but with different passwords
used
This process should be automated to minimise the effort required to setup a
new secure environment.
A process for deploying all new software updates and patches in a
timely manner to each deployed environment
Consider running scans and doing audits periodically to help detect
future misconfigurations or missing patches.
http://www.failking.com/41473-security-fail.html
OUR SECURITY REQUIREMENTS DERIVED (0/5)
A repeatable hardening process
Dev/QA/Prod should be configured identically but with different passwords used
This process should be automated to minimise the effort required to setup a new
secure environment.
A process for deploying all new software updates and patches in a timely manner
to each deployed environment
Consider running scans and doing audits periodically to help detect future
misconfigurations or missing patches
Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
Deploying software once may not be rocket science,
but doing that repeatedly eliminating human error is
Satellite deploying solar panels - From Wikipedia
HOW DO WE DEPLOY SOFTWARE, APPS & CODE?
CUSTOM BASH SCRIPTS CUSTOM PROGRAMS PROVISIONING TOOLS
➤ rsync
➤ ssh/scp
➤ FTP
➤ curl/wget
Many others as well
PROS AND CONS OF THE APPROACHES
CUSTOM BASH SCRIPTS CUSTOM PROGRAMS PROVISIONING TOOLS
➤ GUI tools discourage
automation
➤ For folks like me custom
scripts are inherently
difficult to
➤ maintain,
➤ track
➤ reuse
➤ Great for programmers and
devs
➤ As custom as it can get
➤ Non-programmers find it
difficult
➤ Overhead of a
programming language and
syntax
➤ Meant for provisioning and
deploying code, software &
applications
➤ Automation is a primary
objective
➤ Allows for repeatability in
deployment
➤ Reduces human errors
WHAT IS SECURITY HARDENING?
Security hardening is the process where we identify insecure default configuration present on a
system and apply changes that will change the configuration to secure values.
The process can be applied to all the layers
Network - Enable firewall/security groups with restrictive rule sets
Transport - Enable TCP wrappers for a service/subnet matching
Application - Enable web server to allow specific IPs to admin panel
Kernel Networking parameters - Enable defences for the networking
stack
WHY USE ANSIBLE FOR SECURITY HARDENING?
➤ playbook by Nick Bluth from the Noun Project
➤ github stargazers, ansible search results
ANSIBLE IS MADE FOR SECURITY AUTOMATION
Attribute Benefit
YAML language
Provides a structured way to define
applications, systems
Modular Makes it deployment friendly
Enables Automation Makes it easy to script, program
Uses SSH for access
Secure by default with encrypted
transmission and host authentication
Python FOSS Easy to integrate and get started
Community Driven
Lots of helpful samples and
documentation available
ANSIBLE PLAYBOOK + IDEMPOTENT == WIN
Ansible uses playbooks to execute a series of commands/modules
on the target
An Ansible playbook is written in YAML which makes it machine
readable and provides structure
Ansible follows the concept of idempotent, which translates into
describing the state that we would like the system to be in
All we need to do is express our security assertions in the YAML
format in a playbook and we get a codified security document
ANSIBLE PLAYBOOK CAN BE A CODIFIED SECURITY DOCUMENT
ANSIBLE PLAYBOOK SNIPPET - MYSQL HARDENING
1. Delete anonymous MySQL user 2. Change MySQL root user password 3. Remove test database
1
2
3
The concept that change commands should only
be applied when they need to be applied, and
that it is better to describe the desired state of a
system than the process of how to get to that
state
THE CONCEPT OF IDEMPOTENCY
OUR JOB IS NOW TO ENSURE THAT WE NEED TO DEFINE WHAT CONSTITUTES A SECURE
AND HARDENED SYSTEM
http://docs.ansible.com/ansible/glossary.html#term-idempotency
All playbooks are written in YAML providing us with
structure that we can learn and train on
Since playbooks are text files, we can use Git to do version
control on them
By using Git or another version control software, managing
the playbooks is just like managing any software project.
Therefore infrastructure as code but for security
STRUCTURED MANUALS (PLAYBOOKS) + GIT == WIN
help by Viktor Vorobyev from the Noun Project
repository by Nick Bluth from the Noun Project
secure document by Creative Stall from the Noun Project
VARIABLES ALLOW FOR CREATING GENERIC INSTRUCTION MANUALS
OUR SECURITY REQUIREMENTS DERIVED (2/5)
A repeatable hardening process
Dev/QA/Prod should be configured identically but with different passwords used
This process should be automated to minimise the effort required to setup a new
secure environment.
A process for deploying all new software updates and patches in a timely manner
to each deployed environment
Consider running scans and doing audits periodically to help detect future
misconfigurations or missing patches
Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
Various organisations publish best practices
CIS Benchmarks
DISA-STIG
NIST Guidelines
Linux Distribution specific guidelines
Application security specific guidelines
HOW DO WE CREATE SECURITY BEST PRACTICES?
YOU DON’T NEED TO, BEST PRACTICES HAVE ALREADY BEEN CREATED
Dahi Handi by Ramnath Bhat under CC2.0 license
https://www.flickr.com/photos/ramnath1971/7943196628
Ansible Roles are the moving parts of a playbook
Roles are how we should be organising a playbook
Grouping content by roles allows easy sharing of roles with
other users
By using roles_path configuration variable, roles can be
downloaded from git, Ansible Galaxy and stored in one
location, to use with multiple playbooks
ANSIBLE PLAYBOOK IS MADE UP OF ROLES
ROLES CAN EASILY BE ADDED TO A PLAYBOOK FOR MAXIMUM FLEXIBILITY
Notable projects to get started with, right now
Hardening Framework - Server Hardening Framework
Ansible role for DISA STIG
OpenStack-Ansible - Host Security Hardening
CIS Ansible Role against CentOS/RHEL
Linux Security Hardening with OpenSCAP and Ansible
First Five Minutes on a Server with Ansible
WHERE DO WE FIND REFERENCE ANSIBLE PLAYBOOKS
GREAT NEWS IS THAT THERE ARE MANY HARDENING PROJECTS ALREADY
Dahi Handi by Ramnath Bhat under CC2.0 license
https://www.flickr.com/photos/ramnath1971/7943196628
ANSIBLE GALAXY IS LIKE GITHUB BUT FOR ROLES
GALAXY IS NOW OSS, SO THAT YOU CAN SETUP PRIVATE GALAXY SERVERS
$ ansible-galaxy 
search hardening
$ ansible-galaxy 
install
username.rolename
Galaxy is an online tool to manage Ansible roles
Using the CLI client, roles can be searched for and
installed with just one command
Galaxy is like the central repository information for roles
Galaxy offers automated testing of roles as well
OUR SECURITY REQUIREMENTS DERIVED (3/5)
A repeatable hardening process
Dev/QA/Prod should be configured identically but with different passwords used
This process should be automated to minimise the effort required to setup a new
secure environment.
A process for deploying all new software updates and patches in a timely manner
to each deployed environment
Consider running scans and doing audits periodically to help detect future
misconfigurations or missing patches
Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
CONTINUOUS MONITORING FOR SECURITY
ANSIBLE CAN BECOME PART OF YOUR CI/CD WORKFLOW
Integrate with your favourite CI/CD tool
Schedule regular runs against the targets as specified
Get information on when your run (build) failed and why
Get granular control to secure credentials and secrets and
get Role Based Access Control (RBAC) as well
Jenkins logo from https://jenkins.io/ Go.cd logo from https://go.cd
Ansible Tower logo from https://ansible.com Rundeck logo from https://xebialabs.com
OUR SECURITY REQUIREMENTS DERIVED (5/5)
A repeatable hardening process
Dev/QA/Prod should be configured identically but with different passwords used
This process should be automated to minimise the effort required to setup a new
secure environment.
A process for deploying all new software updates and patches in a timely manner
to each deployed environment
Consider running scans and doing audits periodically to help detect future
misconfigurations or missing patches
Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
TAKEAWAYS AND CONCLUSION
1. Using Ansible (and others) we can build a security automation workflow
2. Since the security part is codified in documents, we can do version control
3. A lot of work has already been done in finding out the best practices
4. For Ansible, using the above mentioned best practices, there are already
multitude of playbooks and roles available on github and Ansible Galaxy
5. Using CI/CD tools like Jenkins/Go.cd or specialised software like Ansible Tower/
Rundeck we can repeatedly schedule Ansible playbooks and monitor their outcome
BONUS TAKEAWAY - FREE EBOOK
https://github.com/appsecco/alldaydevops-shua
Ebook in PDF/Mobi/Epub format
Will keep it updated and add more integrations
Available with the presentation and other
materials at the above mentioned github repo
System Hardening Using Ansible
System Hardening Using Ansible
QUESTIONS
@makash | https://linkd.in/webappsecguy | akash@appsecco.com

More Related Content

What's hot

DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
CKA Certified Kubernetes Administrator Notes
CKA Certified Kubernetes Administrator Notes CKA Certified Kubernetes Administrator Notes
CKA Certified Kubernetes Administrator Notes Adnan Rashid
 
Red hat ansible automation technical deck
Red hat ansible automation technical deckRed hat ansible automation technical deck
Red hat ansible automation technical deckJuraj Hantak
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Andrejs Prokopjevs
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices Nebulaworks
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
Introduction to OpenStack
Introduction to OpenStackIntroduction to OpenStack
Introduction to OpenStackEdureka!
 
Ansible with Jenkins in a CI/CD Process
Ansible with Jenkins in a CI/CD ProcessAnsible with Jenkins in a CI/CD Process
Ansible with Jenkins in a CI/CD ProcessKhairul Zebua
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Container Orchestration
Container OrchestrationContainer Orchestration
Container Orchestrationdfilppi
 
셸 스크립트를 이용한 클라우드 시스템 운영
셸 스크립트를 이용한 클라우드 시스템 운영셸 스크립트를 이용한 클라우드 시스템 운영
셸 스크립트를 이용한 클라우드 시스템 운영Nalee Jang
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleKnoldus Inc.
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting StartedTaswar Bhatti
 
3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?BGA Cyber Security
 

What's hot (20)

DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
CKA Certified Kubernetes Administrator Notes
CKA Certified Kubernetes Administrator Notes CKA Certified Kubernetes Administrator Notes
CKA Certified Kubernetes Administrator Notes
 
Red hat ansible automation technical deck
Red hat ansible automation technical deckRed hat ansible automation technical deck
Red hat ansible automation technical deck
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
 
DevOps and AWS
DevOps and AWSDevOps and AWS
DevOps and AWS
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
 
Introduction to OpenStack
Introduction to OpenStackIntroduction to OpenStack
Introduction to OpenStack
 
Ansible with Jenkins in a CI/CD Process
Ansible with Jenkins in a CI/CD ProcessAnsible with Jenkins in a CI/CD Process
Ansible with Jenkins in a CI/CD Process
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Container Orchestration
Container OrchestrationContainer Orchestration
Container Orchestration
 
셸 스크립트를 이용한 클라우드 시스템 운영
셸 스크립트를 이용한 클라우드 시스템 운영셸 스크립트를 이용한 클라우드 시스템 운영
셸 스크립트를 이용한 클라우드 시스템 운영
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
 
3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?3. parti firma risklerinden nasıl korunulur?
3. parti firma risklerinden nasıl korunulur?
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Web uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirmeWeb uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirme
 

Similar to System Hardening Using Ansible

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Salt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsSalt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsBenjamin Cane
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build PipelineSamuel Brown
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Product! - The road to production deployment
Product! - The road to production deploymentProduct! - The road to production deployment
Product! - The road to production deploymentFilippo Zanella
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Cloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaCloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaAmazon Web Services
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanEC-Council
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 

Similar to System Hardening Using Ansible (20)

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Salt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsSalt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environments
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build Pipeline
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Rapidly deploying software
Rapidly deploying softwareRapidly deploying software
Rapidly deploying software
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Ansible
AnsibleAnsible
Ansible
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Product! - The road to production deployment
Product! - The road to production deploymentProduct! - The road to production deployment
Product! - The road to production deployment
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Cloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaCloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
Cloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 

More from Sonatype

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps SurveySonatype
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseSonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way ForwardSonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizSonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsSonatype
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure AutomationSonatype
 
Continuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous PipelineContinuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous PipelineSonatype
 

More from Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 
Continuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous PipelineContinuous Everyone: Engaging People Across the Continuous Pipeline
Continuous Everyone: Engaging People Across the Continuous Pipeline
 

Recently uploaded

Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 

Recently uploaded (20)

Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 

System Hardening Using Ansible

  • 1. 1 Akash Mahajan Founder/Director at Appsecco ALLDAYDEVOPS 2016 SYSTEM HARDENING USING ANSIBLE (APPLICATION DEPLOYMENT + CONFIGURATION MANAGEMENT + CONTINUOUS SECURITY)
  • 2. THAT WEB APPLICATION SECURITY GUY
  • 3. “Start with Why? - Simon Sinek
  • 4. THIS IS A STORY ABOUT APPSEC
  • 5. OWASP TOP 10 - A5 SECURITY MISCONFIGURATION http://cheezburger.com/4834698752 https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration AM I VULNERABLE TO ‘SECURITY MISCONFIGURATION’? Is any of your software out of date? Are there any un-necessary features enabled/installed? Ports, Services, Accounts, Pages, Privileges Are default accounts and their passwords enabled/ unchanged? Are security settings and libraries not set to secure values?
  • 6. OWASP TOP 10 - A5 SECURITY MISCONFIGURATION https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration EXAMPLE ATTACK SCENARIOS Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over. Attacker finds due to directory listing and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application. App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide. https://twitter.com/SwiftOnSecurity/status/793976943276265472
  • 7. OWASP TOP 10 - A5 SECURITY MISCONFIGURATION https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration PREVENTING SECURITY MISCONFIGURATION A repeatable hardening process that makes it fast and easy to deploy a properly locked down environment Dev/QA/Prod should be configured identically but with different passwords used This process should be automated to minimise the effort required to setup a new secure environment. A process for deploying all new software updates and patches in a timely manner to each deployed environment Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches. http://www.failking.com/41473-security-fail.html
  • 8. OUR SECURITY REQUIREMENTS DERIVED (0/5) A repeatable hardening process Dev/QA/Prod should be configured identically but with different passwords used This process should be automated to minimise the effort required to setup a new secure environment. A process for deploying all new software updates and patches in a timely manner to each deployed environment Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • 9. Deploying software once may not be rocket science, but doing that repeatedly eliminating human error is Satellite deploying solar panels - From Wikipedia
  • 10. HOW DO WE DEPLOY SOFTWARE, APPS & CODE? CUSTOM BASH SCRIPTS CUSTOM PROGRAMS PROVISIONING TOOLS ➤ rsync ➤ ssh/scp ➤ FTP ➤ curl/wget Many others as well
  • 11. PROS AND CONS OF THE APPROACHES CUSTOM BASH SCRIPTS CUSTOM PROGRAMS PROVISIONING TOOLS ➤ GUI tools discourage automation ➤ For folks like me custom scripts are inherently difficult to ➤ maintain, ➤ track ➤ reuse ➤ Great for programmers and devs ➤ As custom as it can get ➤ Non-programmers find it difficult ➤ Overhead of a programming language and syntax ➤ Meant for provisioning and deploying code, software & applications ➤ Automation is a primary objective ➤ Allows for repeatability in deployment ➤ Reduces human errors
  • 12. WHAT IS SECURITY HARDENING? Security hardening is the process where we identify insecure default configuration present on a system and apply changes that will change the configuration to secure values. The process can be applied to all the layers Network - Enable firewall/security groups with restrictive rule sets Transport - Enable TCP wrappers for a service/subnet matching Application - Enable web server to allow specific IPs to admin panel Kernel Networking parameters - Enable defences for the networking stack
  • 13. WHY USE ANSIBLE FOR SECURITY HARDENING? ➤ playbook by Nick Bluth from the Noun Project ➤ github stargazers, ansible search results ANSIBLE IS MADE FOR SECURITY AUTOMATION Attribute Benefit YAML language Provides a structured way to define applications, systems Modular Makes it deployment friendly Enables Automation Makes it easy to script, program Uses SSH for access Secure by default with encrypted transmission and host authentication Python FOSS Easy to integrate and get started Community Driven Lots of helpful samples and documentation available
  • 14. ANSIBLE PLAYBOOK + IDEMPOTENT == WIN Ansible uses playbooks to execute a series of commands/modules on the target An Ansible playbook is written in YAML which makes it machine readable and provides structure Ansible follows the concept of idempotent, which translates into describing the state that we would like the system to be in All we need to do is express our security assertions in the YAML format in a playbook and we get a codified security document ANSIBLE PLAYBOOK CAN BE A CODIFIED SECURITY DOCUMENT
  • 15. ANSIBLE PLAYBOOK SNIPPET - MYSQL HARDENING 1. Delete anonymous MySQL user 2. Change MySQL root user password 3. Remove test database 1 2 3
  • 16. The concept that change commands should only be applied when they need to be applied, and that it is better to describe the desired state of a system than the process of how to get to that state THE CONCEPT OF IDEMPOTENCY OUR JOB IS NOW TO ENSURE THAT WE NEED TO DEFINE WHAT CONSTITUTES A SECURE AND HARDENED SYSTEM http://docs.ansible.com/ansible/glossary.html#term-idempotency
  • 17. All playbooks are written in YAML providing us with structure that we can learn and train on Since playbooks are text files, we can use Git to do version control on them By using Git or another version control software, managing the playbooks is just like managing any software project. Therefore infrastructure as code but for security STRUCTURED MANUALS (PLAYBOOKS) + GIT == WIN help by Viktor Vorobyev from the Noun Project repository by Nick Bluth from the Noun Project secure document by Creative Stall from the Noun Project VARIABLES ALLOW FOR CREATING GENERIC INSTRUCTION MANUALS
  • 18. OUR SECURITY REQUIREMENTS DERIVED (2/5) A repeatable hardening process Dev/QA/Prod should be configured identically but with different passwords used This process should be automated to minimise the effort required to setup a new secure environment. A process for deploying all new software updates and patches in a timely manner to each deployed environment Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • 19. Various organisations publish best practices CIS Benchmarks DISA-STIG NIST Guidelines Linux Distribution specific guidelines Application security specific guidelines HOW DO WE CREATE SECURITY BEST PRACTICES? YOU DON’T NEED TO, BEST PRACTICES HAVE ALREADY BEEN CREATED Dahi Handi by Ramnath Bhat under CC2.0 license https://www.flickr.com/photos/ramnath1971/7943196628
  • 20. Ansible Roles are the moving parts of a playbook Roles are how we should be organising a playbook Grouping content by roles allows easy sharing of roles with other users By using roles_path configuration variable, roles can be downloaded from git, Ansible Galaxy and stored in one location, to use with multiple playbooks ANSIBLE PLAYBOOK IS MADE UP OF ROLES ROLES CAN EASILY BE ADDED TO A PLAYBOOK FOR MAXIMUM FLEXIBILITY
  • 21. Notable projects to get started with, right now Hardening Framework - Server Hardening Framework Ansible role for DISA STIG OpenStack-Ansible - Host Security Hardening CIS Ansible Role against CentOS/RHEL Linux Security Hardening with OpenSCAP and Ansible First Five Minutes on a Server with Ansible WHERE DO WE FIND REFERENCE ANSIBLE PLAYBOOKS GREAT NEWS IS THAT THERE ARE MANY HARDENING PROJECTS ALREADY Dahi Handi by Ramnath Bhat under CC2.0 license https://www.flickr.com/photos/ramnath1971/7943196628
  • 22. ANSIBLE GALAXY IS LIKE GITHUB BUT FOR ROLES GALAXY IS NOW OSS, SO THAT YOU CAN SETUP PRIVATE GALAXY SERVERS $ ansible-galaxy search hardening $ ansible-galaxy install username.rolename Galaxy is an online tool to manage Ansible roles Using the CLI client, roles can be searched for and installed with just one command Galaxy is like the central repository information for roles Galaxy offers automated testing of roles as well
  • 23. OUR SECURITY REQUIREMENTS DERIVED (3/5) A repeatable hardening process Dev/QA/Prod should be configured identically but with different passwords used This process should be automated to minimise the effort required to setup a new secure environment. A process for deploying all new software updates and patches in a timely manner to each deployed environment Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • 24. CONTINUOUS MONITORING FOR SECURITY ANSIBLE CAN BECOME PART OF YOUR CI/CD WORKFLOW Integrate with your favourite CI/CD tool Schedule regular runs against the targets as specified Get information on when your run (build) failed and why Get granular control to secure credentials and secrets and get Role Based Access Control (RBAC) as well Jenkins logo from https://jenkins.io/ Go.cd logo from https://go.cd Ansible Tower logo from https://ansible.com Rundeck logo from https://xebialabs.com
  • 25. OUR SECURITY REQUIREMENTS DERIVED (5/5) A repeatable hardening process Dev/QA/Prod should be configured identically but with different passwords used This process should be automated to minimise the effort required to setup a new secure environment. A process for deploying all new software updates and patches in a timely manner to each deployed environment Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches Basically taken from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • 26. TAKEAWAYS AND CONCLUSION 1. Using Ansible (and others) we can build a security automation workflow 2. Since the security part is codified in documents, we can do version control 3. A lot of work has already been done in finding out the best practices 4. For Ansible, using the above mentioned best practices, there are already multitude of playbooks and roles available on github and Ansible Galaxy 5. Using CI/CD tools like Jenkins/Go.cd or specialised software like Ansible Tower/ Rundeck we can repeatedly schedule Ansible playbooks and monitor their outcome
  • 27. BONUS TAKEAWAY - FREE EBOOK https://github.com/appsecco/alldaydevops-shua Ebook in PDF/Mobi/Epub format Will keep it updated and add more integrations Available with the presentation and other materials at the above mentioned github repo