Testing

Compliance as code using Ansible

Posted on by  
Jasper Bogers

Most companies have security compliance requirements that you need to take into account when creating your software. Similarly to how you can express infrastructure and tests as code, you can shift left security compliance concerns into your development team. This blog shows how a team I worked in used Ansible in a (GitLab) delivery pipeline to create compliant Amazon Machine Images (AMI) containing our application.

There are institutions that have taken it upon themselves to come up with security benchmarks that companies can start from. For example:

  • The Center for Internet Security (CIS) offers benchmarks for oft-used applications and operations systems.

  • The Defense Information Systems Agency (DISA) offers “technical guidance to lock down information systems/software that might otherwise be vulnerable to a malicious computer attack“ through their Security Technical Implementation Guides (STIGs).

Both contain builds of compliant operating systems that you could use as the basis of your machine image. The company I worked for required CentOS 7, and I went and looked for a CIS benchmark for that. The CIS website has a list of hardened images, but I took a different route for several reasons.

  1. We had to pick from a predefined list of (hardened) in-company images.

  2. I wanted to understand the CIS benchmark and be able to deviate where desirable, for example, if required in order for a COTS application to run.

  3. We had to make sure that once our development team was done making changes, the resulting image could be checked once more for CIS compliance. This was part of the compliance requirement for autonomy, meaning that if your team can prove it can manage compliance, it gets the seal of approval.

Continue reading →

shadow-left