Compliance Slowing You Down? How to Achieve Compliance at DevOps Speed?

Speech transcript
Good afternoon everyone. We're about halfway through the conference, which is kind of sad. This is the first time I've been here and it's been a wonderful time. I go to a lot of conferences and not many of them have a talk-show style keynote like that, and everyone having two nights of parties. This is the point where your mind is completely butter, you don't know where you are anymore, you're dreading drinking more alcohol and planning on getting back into your own bed this week, right? Again, promise to hydrate, that's the key. This is "Compliance slowing you down? How to achieve compliance at DevOps speed". I'm [name inaudible], Chief Technologist at Booz Allen Hamilton. Show of hands, who knows who Booz Allen is? OK, for those who don't know, Booz Allen is a large system integrator and IT consulting shop; our primary focus is on government clients. You can find me on GitHub and on Twitter, and I'm also a Docker Captain. This is not a Docker talk, so I don't really publicize it that much, but if you have Docker questions or anything like that I can help as well.

So what is compliance? It's the meeting where someone says no just before your new application is about to go to production, right? It's the audits you do once a year that cause a huge panic in the organization; who can relate to that? It's Excel spreadsheets, the vulnerability reports, the false positive identification and the remediation steps. It's like NIST something or STIG something; anyone here know what STIGs are? Not the top-tier STIGs, the dogmatic ones, the stuff that breaks your application servers, but we install a firewall and we're cool, right? Is this kind of what you think of as compliance right now? These things, right?

So what is it? You're the IT DevOps heroes in your organization, you've been to ChefConf and you go back and evangelize all this, and you think, man, compliance is that thing that's slowing me down. It's just like Speedy in Zootopia. I don't have children but I've seen it like six times; if you do have kids you've probably seen it 30 times. It's in the trailers, it's not a spoiler, and it's a perfect analogy for how compliance feels. Going through the compliance process, you're the DevOps hero who can deploy to production like 20 times a day, and then you get to that one step and it's a bunch of sloths (sorry, compliance people). They're doing their job, they're doing it well, but you're just tapping your toes waiting, right? So this is about what happens when your compliance organization, or how you handle compliance, is like that.

Compliance comes from some regulation, right? And because it slows you down you go through this death spiral. It starts with you: you want to get your stuff into production, so you find a loophole in the regulations. Then, because of that loophole, some elite hacker (you know, like the one on my shirt right now) exploits it, and you lose 25 million dollars, or 25 million users' records, or whatever. Then you get a scandal, you're on the front of the newspaper or the internet, and it's because of that loophole you exploited. Then the IT security team comes in and you get more regulation: hey, let's make sure that never happens again, let's close that loophole. If you keep going through this process, what ends up happening is that, because of the regulation, you bleed talent: all the folks who keep hitting that wall don't want to work there anymore, and it sucks all the energy out of innovation. Bleeding talent and innovation. This is borrowed from a Chef talk that Julian does around compliance as well, but this is the world I live in all the time and it's very much what happens. It's essentially why it's hard for the government to succeed in delivering IT: they're bleeding talent and innovation, and we're here to try to inject that back.

So what really is compliance? Step back from the analogies: compliance is really the discipline of verification at scale. It's not really security; it's the techniques to verify the safety of your systems. Compliance is about trying to make sure your environment is secure, and it's not a thing, it's a set of practices, applying a set of practices to your systems to get confidence that they're performing the way they're supposed to. There's also a blog post, you can barely read it here but it'll be there when the slides come out, from Greg Elin, the GovReady guy, about how compliance is not just security: compliance actually scales security in an organization. It's about the set of practices, the regulations or the processes, that help your organization scale out securing your systems. So you have to change your mindset: it's not something that's there to stop you from doing things, it's there so the organization can scale out best practices.

So what is security, then? Security is actually a subset of compliance, and it's mutually exclusive... I misspoke, it's mutually inclusive. You can be secure, but that doesn't necessarily mean you're compliant, and that's most of the time what you're facing. There's a lot of soft stuff, the auditing, making sure you've checked boxes; that's not necessarily protecting you against the top-tier threat, but it's still compliance, because it's the processes you're trying to scale out to make sure your systems are secure.

But what I see in organizations, in their response to compliance, is that they're not thinking about how to bring the security teams and the compliance teams into the DevOps workflow. These are some of the questions I ask clients to understand why DevOps has to be difficult; take them back to your organization and start answering them. Can your developers see vulnerability reports in real time? At almost every organization I've gone to, the Nessus tool is there, but there's no login for the developers to Nessus. It's this thing that happens somewhere; the manager gets the report, or they don't even get a report, it's once a month or once a quarter. How do you expect your developers, who you're telling "hey, when you start doing this DevOps thing we're going to deploy once a week", to do that if they don't even know what they're being graded against? It's like taking a test without knowing what you're graded against. You task your developers to start developing but they have no idea what they're being graded on, and then you blame them for having vulnerable code when they don't even have access to the thing that tells them. That's horrible, right? So the first thing your organization can do to speed this up is start opening up the data. If you have a tool that exposes an API, even better, but expose that data to developers immediately. It should be part of your build pipeline: you automate the Nessus scans and expose the data. They don't need write access to it, just read access. If you're really good, maybe it can interact with your CI tools and report in your repo as comments; if you can, make a chatbot or Slack bot that does this. That's the immediate thing your security teams can do.

So, anyone here expose their vulnerability scan reports to the developers directly? A few; yeah, exactly, not many. The next one: do you do static code analysis? I'm hoping a lot of folks here do, but a lot of the organizations I've worked with haven't got to that point in their testing. These automated tools are very inexpensive, so start doing that. Who also engages the security team too late in the process? It's right at the end. That's another thing we spend a lot of time on with clients and projects. Resolving security is a huge thing with our government clients, federal or DoD or whatever, and they spend a lot of time going through those processes, so we pride ourselves on engaging those teams early on in a new project and early in the development process. Oftentimes security teams are not used to that; they're used to working at the end of the process. So create a welcoming environment and get them into your agile and lean process early on: have them on the Slack teams, have them engaged in the version control system, educate them on what you're doing, and have the testing early on. That can prove to be the most beneficial thing, because they start to realize that their own team needs to work in a more high-velocity fashion, adopting that and forcing the market to respond by making security tools that can be integrated into those pipelines. That's a big gap area right now: I see a lot of security tools that don't have APIs, can't be automated, and don't integrate into any kind of process in an automated fashion. The only way that's going to change is if you go back and force that to happen, send that signal to the security market, and then pick the tools that do have those features. I really hope we get to a day where all the security tools are just as automatable as your Jenkins pipeline or your delivery pipeline.

Second, no throwing things over the fence. I'm sure everyone's seen Gene Kim talk about that; it's not a good idea. Don't throw it over the fence, bring them into the conversation and have a conversation. And then the next thing to do to break this spiral, right at the beginning where the regulation happens and the compliance documents are being created, is to inject innovation there to stop you from going through the loop. Does this make sense? So what is that innovation? Well, there's a shift: the innovation is infrastructure as code.

It took me a little while to find a good definition of infrastructure as code. There was an Arrested DevOps episode (anyone listen to Arrested DevOps?) on infrastructure as code with a Chef person, a Puppet person and an Ansible person, and they talked about infrastructure as code in a neutral way, which is really awesome. These are the two quotes out of that which best captured the definition. First: you can reconstruct a business as long as you have access to version control, data backups and compute resources. If you can say that in confidence right now, you're probably a top-shelf customer and way ahead of most of us; if you can't make that statement, that's what you're trying to achieve when we talk about infrastructure as code. The other: if your entire infrastructure is destroyed by some natural disaster, or [inaudible] or whatever, and you've done infrastructure as code properly, you'll be able to rebuild in a new place using just the contents of your version control repository. Makes sense, right? So if you need to convince your higher-ups in simpler language, take these two slides, put them in a presentation and send it up there, because this is how you convince them it's a good idea.

These are the benefits of infrastructure as code. You get to test infrastructure in the same manner you test your application code, and that's where compliance comes in: you get to test your environment the same way. You're using version control, so you can see changes over time, and you mitigate dev-is-not-equal-to-production issues; that's why Docker and containers are so popular. Repeatability is a huge thing; compliance is almost all about repeatability and making sure things are being done the same way in an environment. Self-monitoring, self-healing, self-documenting, and then there's an audit trail, which is a huge boon for your security team; say the words "audit trail" and their eyes open wide, that's what they want. Right now you have tribal knowledge of your infrastructure: you may have a CCB team that has some notes about the meeting, or you might have some pieces of configuration script in different places, but it's not really communicated outside your team. What I mean by audit trail is that you have a full understanding of what's happening in your environment and how it's changing, and your security and compliance teams have access to that stream of information just like your developers and your ops team have access to it. Bring them in; if they have read access it's no big deal, they can see what's going on.

So one way, on an example project, we've done this is with these steps. Use a cookbook, or a policy, to configure the OS to meet the security guidelines. Take a stab at that, and at the end I'll explain more about how, as a community, we don't need to repeat that. We use a base role or base cookbook to remediate all the compliance stuff right off the bat: failed password attempts, that kind of stuff. On a project we used Packer, because it took a long time to boot up instances and run: if you have a lot of compliance controls to put on a server, it can take 30 or 40 minutes to go through the cookbook, because it's changing almost every file on the operating system to be compliant. Obviously you don't want to do that over and over again. There's a big debate between bake versus just do it every time; I did a halfway, where you bake just the base compliant server image. So use Packer to bake an image and that's the starting point. What we did is our base server cookbook role is in our pipeline, and the pipeline itself runs, does a Packer build, sends a Slack message, and at the end updates an API that our provisioning system uses to find out what the latest image is. So any time anyone does anything on the base cookbook, maybe adds a new patch or a vulnerability control, it'll automatically, within about 20 minutes, bake a new image, and that will be the new image going forward for any newly provisioned systems. Plus, because you've updated the cookbook, all the other clients doing chef runs will get those updates too, so you hit both at the same time.

As more organizations start to create compliance infrastructure as code assets, we can start sharing those as a community: common configurations, compliance control groups like CIS, don't change that frequently, and as a community, here at ChefConf and in the world, we don't need to repeat creating the same recipe or infrastructure code for every control separately from each other. We should agree on it once as a best-practice way to tackle that problem and then share it; there's no reason to hide it. Check out GovReady; that's a place that's trying to collect some of those recipes for common configurations and compliance architectures. I'll talk a little bit more about that later.

Use Analytics, which has now changed names as of yesterday morning, so this slide is old, to automate alerts and take action on compliance events; now there's Insights, which is even better and hooks into it. Once you start using infrastructure as code you can hook into your other systems: your monitoring systems, your logging systems, your PagerDuty or whatever, that alerts and tries to remediate whatever vulnerabilities or out-of-compliance nodes you see. If you start mentioning that to your security teams, that's the nirvana they want to have; they're doing that on a manual basis right now, quarterly or once a year. If you're doing it every time there's a change in the environment, that's the holy grail for those folks, so start doing that.

The other thing: say you're in the process of rolling out Chef, but most of your nodes, or only certain nodes, are controlled by Chef; what do you do with all the other stuff? That's where InSpec comes in. Who here knows about InSpec? A lot of you, so I don't need to explain it, but the cool thing about InSpec is that you don't need Chef to run it, so you can use InSpec against your existing unmanaged nodes to see what state they're in. That's great if you're the cool DevOps team doing Chef and containers and your boss says, by the way, the old legacy team, we're merging those folks in with their servers, what are you going to do? What you do is start taking the InSpec tests you've written for your infrastructure and apply them to those servers, and see where they're at with respect to compliance. You can quickly understand what that environment looks like, how badly patched it is, what vulnerabilities or controls it's missing, and then you can quickly assess which are the critical servers and start tackling them with a workable plan. Makes sense? There used to be this thing called audit mode, and that's being replaced by InSpec essentially, so go from audit mode to InSpec.

The tool to do this in the Chef world is Chef Compliance. Who here is running Compliance right now? Not many of you. If you're a paying Chef customer you're probably already paying for it, so check on that. It's a very lightweight server that you stand up, and it provides a UI for all the results of InSpec runs and manages InSpec runs against your environment. InSpec is a command-line tool, part of the ChefDK, so you probably already have it on your laptop; update your version, because it updates quite frequently. What it does is you define unit tests, for lack of a better term, in a Ruby-like language, and it'll SSH into the box, run those against that box, and give you a report on whether those unit tests passed or failed. The language reads like "a web server on port 80 should be listening"; that's the InSpec kind of language. It'll go on that server, run that rule, look for port 80; if it's not listening it'll say failed, and if port 80 is listening it passes. So it gives you the unit test for the state of your server. Check out InSpec, it's very easy to write and it's a very powerful language: it's not just ports and processes, you can check the contents of files, make sure files exist or don't exist, all kinds of stuff.

So what Chef Compliance is, is an out-of-the-box gigantic set of InSpec rules based off of CIS and the STIGs, plus some other compliance frameworks out of the box, plus some base ones they've built in, plus the ability to bring your own. So you have a UI with all those rules already built into the box. The InSpec team at Chef actually created a translator that takes SCAP definitions and turns them into InSpec rules and profiles, and that's pretty amazing, because you can take a SCAP definition that updates frequently and automatically turn it into unit tests for your server. So let me show that real quick.

It is really cold in here, none of my fingers work right. Can everyone see the screen? So what I've got here is a web service: this is the Starkiller Base shield control microservice, right? You can see the Starkiller Base shield control, and you can turn the shield on. It's an old-school web service, because it's the First Order writing it. So the First Order is going to be a DevOps organization, and we're going to run a quick scan with Chef Compliance; let me make this bigger. With a scan we can see here that we have the Imperial compliance profile, and we need to apply that because Snoke says to. We'll run it on RHEL 7, the First Order runs on RHEL, and we can see here that, yeah, we're compliant. I don't know why it's only the one, but you get a nice report of all the controls that were scanned; a lot were skipped, but usually they all show up. I've been running this every hour, so this is what it usually looks like, and these are some of the controls it's looking for.

What do those controls actually look like? They look like InSpec rules. You can open one up and check it out. This is what a control looks like: this random one is checking a filesystem mount option, that character special devices are not allowed on the home directory, and that's actually a testable logical item, just like writing a unit test for code. This box is full of these kinds of things. Let's take a look at our Imperial compliance profile; there are two here: make sure there's a temp directory, and make sure rebels have no access. We don't want rebels getting in, so it's checking that a rebels-are-here file should not exist.

Now, unbeknownst to the First Order, the Starkiller Base servers have been compromised: the rebels put those files in, you know, there are insider threats. You can see that the rebel scum got in, and they got a cookbook in there that's going to subvert the system, and this cookbook creates a new file called rebels_are_here. So the First Order compliance team is running scans regularly, and what should show up almost immediately is a critical issue: our compliance went to a threat of 10. The other thing InSpec does is it allows you to assign a point value to every control, so it gives you a quick way to make sure you don't have critical vulnerabilities in there. In your own compliance regime you can give different point values to different things, critical, minor, and that can help you weigh which systems need to be repaired or should be the main focus. This one obviously needs to be a main focus.

So how do we repair that? We need to fix our cookbook to make sure it's compliant. Let's go to the cookbook: in the recipes, there's a rebel in there. Let's make sure that hack never happens again, so let's add this to our base compliance cookbook; like a good First Order organization, we run everything with Chef. So we're now fixing it: I got the order from Kylo Ren to fix this thing and get the rebels out of here, so let's delete the recipe, and from now on the rebels can't get in; delete that cookbook. You have to know how they got in here. It starts to remove, and now the next time the First Order compliance team comes around, we should be back in compliance. Yeah, I'm back in compliance, rebels are gone. I don't know if you noticed, but it runs super fast. I'm not sure why that other profile isn't running, but there are certain tests that InSpec runs faster by using native libraries. By the way, before you leave, Dominik Richter is here, say hello; he's the guy who created InSpec, so if you see him and have any questions about it, tackle him. So that's the demo. Is it making sense so far? Pretty easy, right? It's easy, but there's complexity behind it.
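As an added example, not from the talk and not InSpec itself: a small Ruby stand-in for the kind of controls the demo describes (weighted controls, a file that must not exist, a port that must be listening) and the scan, breach, remediate cycle. The Imperial profile names, the temporary root directory and the ephemeral local port are all constructed for this example.

```ruby
require "socket"
require "tmpdir"
require "fileutils"

# A control is a weighted, testable statement about a server, in the spirit of
# the InSpec rules shown in the demo: "port 80 should be listening",
# "the rebels_are_here file should not exist". (Constructed stand-in, not InSpec.)
Control = Struct.new(:id, :title, :impact, :check) do
  # Returns a result hash instead of raising, so a whole profile can be scored
  # even when individual controls fail.
  def run
    passed = begin
      check.call
    rescue SystemCallError, IOError
      false
    end
    { id: id, title: title, impact: impact, status: passed ? :passed : :failed }
  end
end

# Resource helpers standing in for InSpec's file and port resources.
def file_exists?(path)
  File.exist?(path)
end

def port_listening?(port, host = "127.0.0.1")
  Socket.tcp(host, port, connect_timeout: 0.5) { true }
rescue SystemCallError, IOError
  false
end

# Run every control and summarise like the report in the demo: the list of
# failures, the highest impact among them (the "threat of 10") and a compliance
# percentage.
def run_profile(controls)
  results = controls.map(&:run)
  failed  = results.select { |r| r[:status] == :failed }
  {
    results:    results,
    failed:     failed.map { |r| r[:id] },
    threat:     failed.map { |r| r[:impact] }.max || 0.0,
    compliance: (100.0 * (results.size - failed.size) / results.size).round(1)
  }
end

# The constructed "Imperial compliance profile": a temp directory must exist,
# rebels must have no access, and the shield control web service must listen.
def imperial_profile(root, web_port)
  [
    Control.new("tmp-dir", "A temp directory must exist", 3.0,
                -> { file_exists?(File.join(root, "tmp")) }),
    Control.new("no-rebels", "Rebels should have no access", 10.0,
                -> { !file_exists?(File.join(root, "rebels_are_here")) }),
    Control.new("shield-web", "Shield control web service must listen", 7.0,
                -> { port_listening?(web_port) })
  ]
end

# Walks through the three scan states from the demo: compliant, then the rogue
# cookbook drops its marker file, then the remediation recipe removes it.
def demo_scans
  Dir.mktmpdir("starkiller") do |root|
    FileUtils.mkdir_p(File.join(root, "tmp"))
    server  = TCPServer.new("127.0.0.1", 0)   # ephemeral port plays the web service
    profile = imperial_profile(root, server.addr[1])

    before = run_profile(profile)
    FileUtils.touch(File.join(root, "rebels_are_here"))  # what the rogue cookbook does
    breached = run_profile(profile)
    FileUtils.rm_f(File.join(root, "rebels_are_here"))   # remediation
    after = run_profile(profile)

    server.close
    { before: before, breached: breached, after: after }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_scans.each do |phase, report|
    puts "#{phase}: #{report[:compliance]}% compliant, threat #{report[:threat]}, failed #{report[:failed]}"
  end
end
```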
behind the you don't have to write all the things I have to test windows rel boom to wear that file is if there's content of file that salting care by inspect right and for example if you wanna know if reports on or not it's different but in rel to find that out that it is and when that's right to make sure the ports listening inspect of Inspector on them and as I think of putting it but I meant another flavor Linux or your Unix a dust of perfect Boston so so that is all extracted when inspectors awesome it's basically just like chef but the opposite side of it it's like the smoke test for Shefford's the unit test for your system on a and I found this out from demarcated by yesterday it can run against running containers to docker containers you can you can run Inspec against containers of bare metal whatever but OK so this is so these inspect rules and your cup in a compliance cookbooks that's the innovation where you were you in your compliance and security and have a conversation around how to be better compliance and how to speed up the process that's the kind that's the point where you actually have that that joint conversation around the the regulation and policy and to ensure that you're not going to have people try to create loopholes and I'm going to that spot right so you're executives you regulatory regulatory authorities so this would be snooker this be ran right and these are like the the Plebes on the stock the base and so 2 that's where you can have these conversations you should be storing note that the result of those conversations In inspect files inversion neutral in recipes on marine patrol they should have all visibility into that your security teams should be the ones committing to there's you know there's a new thing that they want test to make sure that TLS connection is 1 . 
3 with this type of crypto sweet inspect and test that they should be the ones putting that in as a rule in compliance profile and it should automatically go into your process of when you're going to delivery pipelines or CI pipelines at the end when everyone to problem beginning actually check the server against that they're the ones making those decisions but you can see him as a people be accounted for in terms of making sure services running and their accountable for making sure they're writing the rules to test an automated I make sense that's really the powerless very simple concept I don't know why we've not been doing it for a long time but we should start doing because everyone's involved in here you remove a loophole this is where the innovations so you decrease the
time for security review, right? I mean, I just ran like 3 compliance reports in less than like 5 minutes, right? So service infrastructure changes, and that means that now, because you're running those tests against infrastructure, people can start changing infrastructure. You can have more confidence, improved customer service, customer-centric services, all that stuff, right? Then you have less vulnerabilities.

So some lessons learned: adopt an approval process instead of reinventing your own, so pick up Chef Delivery if you don't have a process. Integration tests are critical. InSpec is your unit tests, and my colleague just did a demo on how to do dependency testing for microservices; that's your integration tests. Aim for test-driven development for infrastructure, right? Maybe start with InSpec. On our teams we have a template generator that creates template cookbooks, so if you want to start a new service, in there is an InSpec file with an example test, and the test is: check that port 23 is open, listening, and that will fail. Like, the test we put in there fails by default because it forces our developers to actually go into the file and fix it, and then, with that file, the odds are they're actually writing tests against the actual service that they need to test, right? And so we put failing InSpec results in there as a kind of smell test to make sure that they actually looked at it and start actually writing tests, right? I might go even further than that, but focus on incremental improvement versus capturing a whole environment in one go, and don't tackle the world, just tackle the services that are critical now and keep chewing through. Version control is important, policy, and you can do automated OpenSCAP. Does anyone here know OpenSCAP? OpenSCAP is an open source tool from Red Hat that runs the STIG definitions and can remediate. Compliance is kind of analogous to that to an extent, and use the tools, open source, run it against your environment. You could tweak it to run it on your nodes to get another compliance report.

Don't use Chef roles. Who here is using Chef and using roles? OK, so does anyone know why not? The one issue that we have, which is that the roles don't have versioning, and so you can't update a role without destroying everything. So what we do now, based on recommendations from Chef and what's been working, is use role cookbooks instead, because it's basically the same thing: you just put the include_recipe, whatever, in the cookbook, but that's a versioned entity in the Chef world, and then you can roll forward with the roles, which is important. Use InSpec for compliance tests against a base server and role cookbooks that should be owned mainly by the ops team, and then use Packer to bake images.

So when we learned this, we should repeat the process of creating infrastructure as code for other compliance regimes. There's only one PCI DSS, there's only one STIG. Like, I've spent almost a decade repeatedly writing the tests for those things. We need to do it once as an industry; it should be published in an open source manner and we can all benefit from that. So we need to share best practices, share code. Security and compliance are no longer solitary things; we're all very much interconnected. You get hacked, we all get hacked. You defend, we all get defended, right? That makes sense, and we're all in this together, so when you thrive, we thrive. Right, you can see I had to do this from this morning. So let's build more secure and compliant systems together. This is where it benefits all of us, right? So let's build more secure and compliant systems together; it's not a scary word. And if you write a compliance recipe, open source license it and share it somewhere, and I'm hoping some of the Chef people here, you know, the leaders, maybe we can find a place on Chef Supermarket where we can start collecting InSpec controls, tests, and the recipes to remediate them. We don't need everyone repeatedly writing these; it's kind of a waste of time and spends a lot of energy, and, well, a lot of them aren't relevant anymore, so we need to really figure out which ones we need. I should put that on here. So we want to make Speedy happy, right?

But these are some links to the things I've done in the past and some stuff around compliance and security; check them out, and look me up under Booz Allen digital if you're interested in views on what we do and how we can help you, and if you're interested in helping the government change, being more efficient for all of us taxpayers and everyone else. And then the most important question: are you ready for this? ... and so I know that from Booz Allen, and I hope you don't stop it your
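The speaker's template cookbook ships an InSpec control that fails by default (it expects port 23 to be listening) so that a new service's tests cannot be green until someone replaces the placeholder. What makes that work at DevOps speed is a pipeline gate that reads the InSpec results and blocks the change while any control fails. The Ruby below is an added example, not code from the talk or from Chef; it assumes the structure of InSpec's `json` reporter output (a `profiles` array whose `controls` carry `results` with a `status` of `passed`, `failed` or `skipped`) and embeds a constructed, trimmed report with one real check and the failing placeholder. The gate also refuses a report with no results, so deleting the placeholder test instead of replacing it does not produce a false "pass".

```ruby
require 'json'

# The placeholder the template drops into the cookbook's InSpec file is a
# control of roughly this shape (InSpec DSL, shown here only as a comment):
#
#   control 'template-placeholder' do
#     describe port(23) do
#       it { should be_listening }
#     end
#   end
#
# Constructed sample of what `inspec exec <profile> --reporter json` emits,
# trimmed to the fields this gate uses. Not captured from a real run.
SAMPLE_REPORT = <<~JSON
{
  "profiles": [
    {
      "name": "example-role-cookbook",
      "controls": [
        {
          "id": "ssh-1",
          "title": "sshd listens on 22",
          "impact": 0.7,
          "results": [
            {"status": "passed", "code_desc": "Port 22 is expected to be listening"}
          ]
        },
        {
          "id": "template-placeholder",
          "title": "Replace me: port 23 is expected to be listening",
          "impact": 1.0,
          "results": [
            {"status": "failed", "code_desc": "Port 23 is expected to be listening",
             "message": "expected `Port 23.listening?` to be truthy, got false"}
          ]
        }
      ]
    }
  ],
  "statistics": {"duration": 0.42},
  "version": "1.0.0"
}
JSON

# Summarise an InSpec JSON report: per-status result counts plus the ids of
# every control that has at least one failed result.
def summarize_report(json_text)
  report = JSON.parse(json_text)
  counts = Hash.new(0)
  failed = []
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |control|
      results = control.fetch('results', [])
      results.each { |r| counts[r['status']] += 1 }
      failed << control['id'] if results.any? { |r| r['status'] == 'failed' }
    end
  end
  { counts: counts, failed_controls: failed }
end

# Pipeline gate: pass only when at least one result exists and no control
# failed. An empty report is a failure, so a profile whose placeholder test
# was deleted rather than replaced cannot slip through as "green".
def gate_passed?(json_text)
  summary = summarize_report(json_text)
  total = summary[:counts].values.sum
  total.positive? && summary[:failed_controls].empty?
end

if __FILE__ == $PROGRAM_NAME
  summary = summarize_report(SAMPLE_REPORT)
  puts "results: #{summary[:counts]}"
  puts "failed controls: #{summary[:failed_controls].join(', ')}"
  puts(gate_passed?(SAMPLE_REPORT) ? 'compliance gate: PASS' : 'compliance gate: FAIL')
end
```

In a Chef Delivery or other CI stage this script would run after `inspec exec` against the converged test node and return a non-zero status when `gate_passed?` is false; the failed control ids in its output tell the developer which placeholder (or which real check) still needs attention.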

Metadata

Formal metadata

Title Compliance Slowing You Down? How to Achieve Compliance at DevOps Speed?
Series title ChefConf 2016
Author Mehta, Nirmal
License CC Attribution - ShareAlike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, including in modified form, only under the terms of this license.
DOI 10.5446/34625
Publisher Confreaks, LLC
Year of publication 2016
Language English

Content metadata

Subject area Computer science
Abstract This session is a call to action for organizations to embrace Infrastructure as Code to achieve compliance and vulnerability remediation without slowing down the DevOps process. As an industry, we are now capturing most commercial and government compliance frameworks as standardized Chef cookbooks. This not only enables an organization to quickly roll out server compliance to meet various regulations (CIS, PCI, NIST) but also enables the rapid testing of server configurations. In this session I will demonstrate how Booz Allen has used Chef Compliance and Chef Delivery to enable quick response to remediating vulnerabilities, testing the compliance checks, and delivering those changes quickly. I will also present a call to action for our DevOps practitioners to embrace govready.org, open sourced compliance cookbooks and to participate in the compliance community to enable organizations of all sizes to take advantage of Infrastructure as Code and improve the compliance posture of the IT industry.
