Alone in the Dark DevOps Primer for INFOSEC

WE’VE HEARD THE STORIES …
• Mean time between deployments: 11.6 s (about 310/hour)
• Max number of deployments in an hour: 1,079
• Mean number of hosts receiving a deployment: 10,000

WE’VE HEARD THE STORIES …
• 2013: 30+ deploys/day
• March 2014: 50+ deploys/day
• April 2014: 80-90+ deploys/day

WE’VE HEARD DEV/OPS PROCESS …

MEANWHILE, IN GOVERNMENT …
The NIST Risk Management Framework cycle, each step with the document that governs it:
• CATEGORIZE (FIPS 199 / SP 800-60)
• SELECT CONTROLS (FIPS 200 / SP 800-53)
• IMPLEMENT CONTROLS (SP 800-70)
• ASSESS CONTROLS (SP 800-53A)
• AUTHORIZE (SP 800-37)
• MONITOR (SP 800-37 / SP 800-53A)

INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES
INITIATIVE #2: AUTOMATE ASSESSMENT

INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES
• Common Criteria modernization, driven by NSA and NIST
• Consolidate the DoD STIG and USGCB into one baseline
• Operating-system controls: >500 for RHEL 6, now ~20 for RHEL 7

INITIATIVE #2: AUTOMATE ASSESSMENT

Everyone knows that SCAP (the Security Content Automation Protocol) is a suite of XML-based specifications (XCCDF for the checklist and its results, OVAL for the individual checks, plus CPE, CVE and CVSS for naming platforms and vulnerabilities and scoring them) used to build machine-readable checklists for configuration-compliance and vulnerability scans!

OpenSCAP: a community-created portfolio of tools (the oscap scanner) and content (the SCAP Security Guide) for making machine-readable attestations about a system's configuration state and known vulnerabilities. https://github.com/OpenSCAP
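What "automated assessment" actually produces is an XCCDF results document, and because it is XML it can be parsed and turned into a pipeline gate. The following is an added example written for these slides, not code from the OpenSCAP project: it parses a results file in the shape that `oscap xccdf eval --results` writes (the Benchmark's Rule definitions with a TestResult appended), counts outcomes, lists failed rules by severity, and refuses the build when any rule at or above a chosen severity failed. The sample document, its rule ids and the hostname are constructed for the example; the element names, namespace and result values are those of XCCDF 1.2.

```python
"""Summarize an XCCDF 1.2 results document and gate a pipeline on it.

Added example for these slides, not code from the OpenSCAP project.
SAMPLE_RESULTS is a constructed, minimal results file; rule ids, titles
and the hostname are made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample (not real SCAP Security Guide output): three Rule
# definitions and the TestResult a scan appends to the Benchmark.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_sshd_disable_root_login" severity="medium" selected="true">
    <title>Disable SSH Root Login</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_no_empty_passwords" severity="high" selected="true">
    <title>Prevent Login to Accounts With Empty Password</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_aide_installed" severity="low" selected="true">
    <title>Install AIDE</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo"
              start-time="2014-06-01T10:00:00" end-time="2014-06-01T10:00:20">
    <target>host01.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_aide_installed" severity="low">
      <result>notselected</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

# Severity values defined by XCCDF; anything else is treated as unknown.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_results(xml_text):
    """Return ([{id, title, severity, result}, ...], score) from an XCCDF results doc."""
    root = ET.fromstring(xml_text)
    # Rule definitions may sit inside nested Group elements, so walk the whole tree.
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
        }
    results = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        idref = rr.get("idref")
        meta = rules.get(idref, {})
        results.append({
            "id": idref,
            "title": meta.get("title", ""),
            # Prefer the severity recorded on the result; fall back to the Rule.
            "severity": rr.get("severity") or meta.get("severity", "unknown"),
            # XCCDF result values: pass, fail, error, unknown, notapplicable,
            # notchecked, notselected, informational, fixed.
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
        })
    score_el = root.find(".//x:TestResult/x:score", NS)
    score = float(score_el.text) if score_el is not None else None
    return results, score


def summarize(results):
    """Count rule outcomes, e.g. Counter({'pass': 1, 'fail': 1, 'notselected': 1})."""
    return Counter(r["result"] for r in results)


def failures_at_or_above(results, min_severity):
    """Failed rules whose severity is at least min_severity.

    A failed rule with an unrecognised severity is counted as high so that
    malformed or incomplete content cannot slip past the gate.
    """
    threshold = SEVERITY_RANK[min_severity]
    worst = max(SEVERITY_RANK.values())
    return [r for r in results
            if r["result"] == "fail"
            and SEVERITY_RANK.get(r["severity"], worst) >= threshold]


def gate(xml_text, min_severity="high"):
    """Pipeline gate: True only if no rule at or above min_severity failed."""
    results, _ = parse_results(xml_text)
    return not failures_at_or_above(results, min_severity)


if __name__ == "__main__":
    found, score = parse_results(SAMPLE_RESULTS)
    print("score:", score, "outcomes:", dict(summarize(found)))
    for r in failures_at_or_above(found, "medium"):
        print("FAIL [%s] %s: %s" % (r["severity"], r["id"], r["title"]))
    print("gate passed:", gate(SAMPLE_RESULTS, "high"))
```

Against a real system, generate the input with `oscap xccdf eval --profile <profile-id> --results results.xml <datastream>` and read results.xml in place of SAMPLE_RESULTS; the results file carries the same Benchmark and TestResult elements as the sample, so the parser needs no change.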

HOW TO ENGAGE
• OpenSCAP GitHub: https://github.com/OpenSCAP
• NIST SCAP Website: https://scap.nist.gov
• OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
• SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
• Ansible-SCAP (+ Vagrant) demo. See how it all works, painlessly: https://github.com/openprivacy/ansible-scap

CONTACT INFO
Shawn Wells
Director, Innovation Programs
Red Hat Public Sector
shawn@redhat.com
443-534-0130