Consumer to Collaborator: Re-imagining the US Government’s role in Open Source

A presentation at DevOpsDays DC in June 2015 in Washington, DC, USA by Shawn Wells

Slide 1

Consumer to Collaborator Re-Imagining the Government’s role in Open Source

Slide 2

EXPLAIN YOUR FISMA PROCESS

Slide 3

Slide 4

OR, EMBED INTO KICKSTART:

$ oscap xccdf eval \
    --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Miracle at Willow Run

Slide 11

Slide 12

Slide 13

FIRST USE OF CONTAINERS?

Slide 14

Mode 1 / Mode 2

Slide 15

Mode 1: TRADITIONAL / Mode 2

Slide 16

Mode 1: TRADITIONAL / Mode 2: EXPLORATORY

Slide 17

YOU ARE NOT AN IT CRAFTSMAN YOU ARE A BI-MODAL IT MANUFACTURER

Slide 18

Slide 19

CATEGORIZE (FIPS 199 / SP 800-60)

Slide 20

CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200 / SP 800-53)

Slide 21

CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200 / SP 800-53) IMPLEMENT CONTROLS (SP 800-70)

Slide 22

CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200 / SP 800-53) IMPLEMENT CONTROLS (SP 800-70) ASSESS CONTROLS (SP 800-53A)

Slide 23

CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200 / SP 800-53) IMPLEMENT CONTROLS (SP 800-70) ASSESS CONTROLS (SP 800-53A) AUTHORIZE (SP 800-37)

Slide 24

CATEGORIZE (FIPS 199 / SP 800-60)
SELECT CONTROLS (FIPS 200 / SP 800-53)
IMPLEMENT CONTROLS (SP 800-70)
ASSESS CONTROLS (SP 800-53A)
AUTHORIZE (SP 800-37)
MONITOR (SP 800-37 / SP 800-53A)

Slide 25

Slide 26

Slide 27

Everyone knows that SCAP is a suite of XML standards for creating automated checklists for configuration and vulnerability scans!
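The `oscap xccdf eval` command on the kickstart slide writes its findings as XCCDF XML when given `--results`; this added example (not from the talk or the OpenSCAP project) parses such a result file to summarize rule outcomes and gate an automated build on unresolved findings. The benchmark, rule ids, severities and result values in the embedded sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by the content OpenSCAP evaluates.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample of a TestResult as written by `oscap xccdf eval --results`.
# Rule ids are placeholders, not real scap-security-guide identifiers.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_SAMPLE">
  <TestResult id="xccdf_example_testresult_sample" end-time="2015-06-01T00:00:00">
    <profile idref="xccdf_example_profile_stig-rhel6-server-upstream"/>
    <rule-result idref="xccdf_example_rule_sshd_permit_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_gui_package_absent" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_max_days" severity="medium">
      <result>fixed</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize_results(xml_text):
    """Return (Counter of result values, list of (rule id, severity) still failing).

    With --remediate a rule that oscap repaired is reported as "fixed", so it
    is counted but not treated as an open finding.
    """
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    counts = Counter()
    failures = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns)
        counts[result] += 1
        if result in ("fail", "error", "unknown"):
            failures.append((rr.get("idref"), rr.get("severity", "unknown")))
    return counts, failures


def gate_passed(failures, max_severity_allowed="low"):
    """Build gate: True only if no open finding exceeds the allowed severity."""
    rank = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}
    return all(rank.get(sev, 0) <= rank[max_severity_allowed] for _, sev in failures)
```

In a kickstart `%post` or CI job, a non-zero exit when `gate_passed` is False turns the scan report into an enforced control rather than a document.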

Slide 28

Slide 29

Chart: Deployment Growth vs. Risk? (Units of ___________)

Slide 30

Community-created portfolio of tools and content to make attestations about known vulnerabilities: https://github.com/OpenSCAP

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

$ govready scan

Slide 38

Slide 39

Slide 40

HOW TO ENGAGE

OpenSCAP GitHub: https://github.com/OpenSCAP
NIST SCAP Website: https://scap.nist.gov
OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end: https://github.com/GovReady/govready
Ansible-SCAP (+ Vagrant) demo. See how it all works - painlessly: https://github.com/openprivacy/ansible-scap

Slide 41

CONTACT INFO

Shawn Wells, shawn@redhat.com, 443-534-0130
Greg Elin, gregelin@gitmachines.com, 917-304-3488
Fen Labalme, fen@civicactions.com, 412-996-4113