Making Strong Security Easier With FOSS Scanners
or: Building Secure Bridges
Fen Labalme, CivicActions, Inc.
Recent Major Security Breaches
● 2013-12 Target - 70 million customers affected (names, mailing addresses, email addresses, phone numbers, credit/debit card information) via a third-party vendor with authorized access (external JavaScript libraries, anyone?)
● 2014-11 Home Depot - 56 million credit card numbers, 53 million email addresses via a stolen third-party username/password (two-factor authentication would have prevented this)
● 2014-11 Sony - Current and former employees & executives via a targeted attack by the “Guardians of Peace” group, purported to be from North Korea (don’t be stupid)
● 2015-02 Anthem Blue Cross - 80 million current and former customers, as well as employees (Social Security numbers, birth dates, addresses, emails, employment information, income data) via targeted attacks to steal the network credentials of a few employees with high-level system access (again, two-factor authentication)
● 2015-06 US Office of Personnel Management (OPM) - 4.2 million current and former employees; 19.7 million individuals who underwent a Federal background investigation; 1.8 million referenced spouses and relatives (SSN and full background history) via… China?
Explaining FISMA
Federal Information Security Management Act of 2002
Some Acronyms
There will be no test
FISMA Federal Information Security Management Act of 2002
NIST National Institute of Standards and Technology
RMF Risk Management Framework
FedRAMP Federal Risk and Authorization Management Program
PCI DSS Payment Card Industry Data Security Standard
STIG Security Technical Implementation Guide
SCAP Security Content Automation Protocol
CI Continuous Integration
NIST Risk Mgt Framework Takes Months
NIST 800-53 Controls Hurt Your Brain
Time to add compliance!
Software Supply Chain Can Aid Security
$ risk -a server.agency.gov
$ make artifact=system-security-plan -f doc
FISMA for Happy Developers
Scanning as Part of CI
Developers' reaction to security scans
Problem
Tip #1: Use the Families
Tip #2: Give Control Families Tickets
Tip #3: Use SCAP
SCAP == Shared Unit Testing for Vulnerabilities
Vulnerabilities
● Poor configuration
● Known exploits
Tip #4: Use OpenSCAP + GovReady
OpenSCAP: Community-created portfolio of tools and content to make attestations about known vulnerabilities
https://github.com/OpenSCAP
GovReady: Open source tool to make OpenSCAP scanning friendlier to developers
https://github.com/GovReady/govready
OpenSCAP
$ oscap xccdf eval --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml
GovReady
$ govready scan
$ govready fix
$ govready compare
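An added example, not from the talk and not code from the OpenSCAP or GovReady projects, of what "Scanning as Part of CI" looks like around the oscap command above: build the oscap argv from its documented flags (--profile, --results, --report, --remediate), parse the XCCDF results file that oscap writes, and decide whether the build may proceed. The results document embedded below is constructed for the example; rule ids prefixed xccdf_example_ are made up (real SCAP Security Guide ids look like xccdf_org.ssgproject.content_rule_...). The gate policy (a failure budget plus zero tolerance for high-severity rules) is this example's own choice, not anything OpenSCAP prescribes.

```python
"""CI gate around an OpenSCAP (oscap) XCCDF evaluation.

Added example; not from the talk or the OpenSCAP/GovReady projects.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF rule results that mean "control not met". 'unknown' and 'error' are
# treated as failures: a check that could not run gives no evidence of compliance.
FAILING = {"fail", "unknown", "error"}

# oscap exit statuses as documented in its man page.
OSCAP_EXIT = {0: "all selected rules passed", 1: "oscap error",
              2: "at least one rule failed or is unknown"}


def oscap_eval_command(datastream, profile, results="results.xml",
                       report="report.html", remediate=False):
    """Build the argv for 'oscap xccdf eval' using its documented flags."""
    cmd = ["oscap", "xccdf", "eval"]
    if remediate:
        cmd.append("--remediate")
    cmd += ["--profile", profile, "--results", results, "--report", report, datastream]
    return cmd


def summarize_results(xml_text):
    """Count rule results and list failing rules from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    counts, failed = {}, []
    for rr in root.iter("{%s}rule-result" % XCCDF_NS):
        res_el = rr.find("{%s}result" % XCCDF_NS)
        result = (res_el.text or "").strip() if res_el is not None else "unknown"
        counts[result] = counts.get(result, 0) + 1
        if result in FAILING:
            failed.append({"idref": rr.get("idref"),
                           "severity": rr.get("severity", "unknown"),
                           "result": result})
    return {"counts": counts, "failed": failed}


def gate(summary, max_failures=0, always_block=("high",)):
    """Return True if the build may proceed under this example's policy:
    any failing rule whose severity is in always_block blocks the build;
    otherwise up to max_failures failing rules are tolerated."""
    failed = summary["failed"]
    if any(f["severity"] in always_block for f in failed):
        return False
    return len(failed) <= max_failures


def run_scan(datastream, profile, results="results.xml", report="report.html"):
    """Run oscap for real (needs oscap installed) and return the parsed summary."""
    cmd = oscap_eval_command(datastream, profile, results, report)
    proc = subprocess.run(cmd)
    if proc.returncode == 1:  # 0 and 2 both mean a results file was written
        raise RuntimeError("%s: %s" % (OSCAP_EXIT[1], " ".join(cmd)))
    with open(results, encoding="utf-8") as fh:
        return summarize_results(fh.read())


# Constructed sample results document; rule ids are invented for the example.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2015-07-01T10:00:00">
    <profile idref="xccdf_example_profile_stig"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_file_permissions_etc_shadow" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_disable_telnet" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_encrypt_partitions" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_gui_banner" severity="low">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    # Offline demo on the constructed document; in CI use run_scan() instead.
    summary = summarize_results(SAMPLE_RESULTS)
    for f in summary["failed"]:
        print("%-7s %-8s %s" % (f["severity"], f["result"], f["idref"]))
    print("counts:", summary["counts"])
    sys.exit(0 if gate(summary) else 2)
```

In a CI job the script's exit status is the gate: a non-zero exit fails the build, and the --report HTML is kept as a build artifact so the developer sees which rules failed rather than just a red mark. The severity attribute comes from the SCAP content, so the policy follows the benchmark author's ratings rather than the team's guesses.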
Next steps
● Include more operating systems (Ubuntu, Debian)
● Add more tests (bash & drush based)
● Create and contribute towards an application baseline:
  ● Drupal
  ● Apache/Nginx
  ● MySQL/MariaDB
HOW TO ENGAGE
OpenSCAP GitHub: https://github.com/OpenSCAP
OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end: https://github.com/GovReady/govready
Ansible-SCAP demo (see how it all works on the “drupal” branch - painlessly): https://github.com/openprivacy/ansible-scap
NIST SCAP Website: https://scap.nist.gov