Security & Scanning: An Open Source Approach (slide transcript)
Explaining FISMA
NIST Risk Mgt Framework Takes Months
NIST 800-53 Controls Hurt Your Brain
Time to add compliance!
Software Supply Chain Can Aid Security
$ risk -a server.agency.gov
$ make artifact=system-security-plan -f doc
FISMA for Happy Developers
Scanning as Part of CI
Problem: developers' reaction to security scans
Tip #1: Use the Families
Tip #2: Give Control Families Tickets
Tip #3: Use SCAP
SCAP == Shared Unit Testing for Vulnerabilities
Vulnerabilities:
● Poor configuration
● Known exploits
Tip #4: Use OpenSCAP + GovReady
OpenSCAP: community-created portfolio of tools and content for making attestations about known vulnerabilities
https://github.com/OpenSCAP
GovReady: open source tool that makes OpenSCAP scanning friendlier to developers
https://github.com/GovReady/govready
OpenSCAP:
$ oscap xccdf eval --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

GovReady:
$ govready scan
$ govready fix
$ govready compare
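The oscap command above writes an HTML report; with the `--results` option it also writes XCCDF results XML, which is what a CI job can gate on. The following is an added example, not code from the slides or from the OpenSCAP/GovReady projects: it parses a constructed, minimal XCCDF 1.2 results document (the rule ids and severities are made up) and fails the build when a rule of high or medium severity failed.

```python
"""Added example (not from the slides or the OpenSCAP/GovReady projects):
gate a CI job on the XCCDF results file that `oscap xccdf eval --results`
writes. The XML below is a constructed, minimal result document."""
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample of an XCCDF 1.2 Benchmark with an appended TestResult;
# rule ids and severities are invented, real content files are far larger.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="high"/>
  <Rule id="xccdf_example_rule_package_telnet_removed" severity="medium"/>
  <Rule id="xccdf_example_rule_motd_banner" severity="low"/>
  <TestResult id="xccdf_example_testresult_ci">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_motd_banner"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_missing_sev"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xml_text):
    """Return {result: [(rule_id, severity), ...]} for every rule-result."""
    root = ET.fromstring(xml_text)
    # Severity is declared on the Rule definition, not on the result,
    # so build an id -> severity map first (rules may sit inside Groups).
    severity = {r.get("id"): r.get("severity", "unknown")
                for r in root.iter(XCCDF_NS + "Rule")}
    summary = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        rule_id = rr.get("idref")
        outcome = rr.findtext(XCCDF_NS + "result", default="unknown")
        summary.setdefault(outcome, []).append((rule_id, severity.get(rule_id, "unknown")))
    return summary

def ci_verdict(xml_text, fail_on=("high", "medium")):
    """Return (ok, blocking): blocking lists failed rules whose severity is gated."""
    failed = summarize(xml_text).get("fail", [])
    blocking = [(rid, sev) for rid, sev in failed if sev in fail_on]
    return (not blocking, blocking)

if __name__ == "__main__":
    ok, blocking = ci_verdict(SAMPLE_RESULTS)
    for rid, sev in blocking:
        print(f"BLOCKING ({sev}): {rid}")
    raise SystemExit(0 if ok else 1)
```

In a real pipeline, replace SAMPLE_RESULTS with the file named by `--results` and keep the low-severity failures visible in the job log even though they do not block.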
Next steps
● Include more operating systems (Ubuntu, Debian)
● Add more tests (bash & drush based)
● Create and contribute towards an application baseline:
  ● Drupal
  ● Apache/Nginx
  ● MySQL/MariaDB
HOW TO ENGAGE
OpenSCAP GitHub: https://github.com/OpenSCAP
OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end: https://github.com/GovReady/govready
Ansible-SCAP demo. See how it all works on the "drupal" branch, painlessly: https://github.com/openprivacy/ansible-scap
NIST SCAP Website: https://scap.nist.gov