WEBVTT 1 00:00:00.040 --> 00:00:04.960 All right, diving deep today, folks into security automation and 2 00:00:04.960 --> 00:00:08.400 our guide Ansable. We're going through excerpts from the Security 3 00:00:08.400 --> 00:00:11.400 Automation with Ansable too. I got to say this book 4 00:00:11.439 --> 00:00:12.359 is pretty fascinating. 5 00:00:12.560 --> 00:00:14.080 You know. One of the things that really struck me 6 00:00:14.119 --> 00:00:19.239 is how ansable lets you essentially define your security processes 7 00:00:19.320 --> 00:00:19.920 as code. 8 00:00:20.039 --> 00:00:21.359 Yeah. I was going to say that sounds a little 9 00:00:21.359 --> 00:00:22.320 intimidating at first. 10 00:00:22.320 --> 00:00:26.000 Oh, I know, but ansable uses this language called yaml. Okay, 11 00:00:26.160 --> 00:00:31.960 and it's actually surprisingly human readable, almost like writing a 12 00:00:32.039 --> 00:00:34.679 clear step by step recipe for how you want your 13 00:00:35.000 --> 00:00:35.840 security setup. 14 00:00:36.079 --> 00:00:38.840 Makes sense. So these these recipes, they're what the book 15 00:00:38.880 --> 00:00:40.479 calls playbooks, right exactly. 16 00:00:40.520 --> 00:00:43.560 And those playbooks they use modules, which are these pre 17 00:00:43.640 --> 00:00:45.520 built components for different tasks. 18 00:00:45.719 --> 00:00:49.880 Okay, so you're basically breaking down complex actions into these 19 00:00:50.799 --> 00:00:52.079 manageable modules. 20 00:00:51.799 --> 00:00:54.679 Yeah, exactly. Think of it this way. You could, you know, 21 00:00:54.840 --> 00:00:58.159 deploy a whole web server, like a fully functional web server, 22 00:00:58.679 --> 00:01:03.560 but already locked down against common attacks, all with a 23 00:01:03.600 --> 00:01:04.239 single command. 24 00:01:04.280 --> 00:01:05.120 Wow. That's impressive. 25 00:01:05.359 --> 00:01:07.719 That's that's the power that ansable can give you, even 26 00:01:07.799 --> 00:01:12.079 for even for complex setups like a like like a 27 00:01:12.159 --> 00:01:13.599 limmy piece stack right. 28 00:01:13.599 --> 00:01:16.519 Right, so much more efficient than doing everything manually step 29 00:01:16.519 --> 00:01:17.159 by step. Yeah. 30 00:01:17.200 --> 00:01:17.760 Absolutely. 31 00:01:18.280 --> 00:01:22.560 Now. The book also talks about uh Ansible Tower, which 32 00:01:22.799 --> 00:01:25.799 seems to be like a like a central control panel 33 00:01:25.840 --> 00:01:28.840 almost for managing all these playbooks precisely. 34 00:01:29.120 --> 00:01:32.519 You can schedule playbooks to run automatically, so you. 35 00:01:32.439 --> 00:01:35.359 Could set it to say, run vulnerability scans every. 36 00:01:35.280 --> 00:01:37.840 Night exactly, and then receive notifications in the morning. 37 00:01:37.920 --> 00:01:40.000 Oh nice if anything pops up. 38 00:01:40.120 --> 00:01:42.400 Yeah, so you don't have to rely on you know, 39 00:01:42.599 --> 00:01:44.640 memory or sticky notes anymore. 40 00:01:44.680 --> 00:01:48.079 Work smarter, not harder. Absolutely. Now. The book also mentions 41 00:01:49.159 --> 00:01:51.799 Jenkins in run Deck. Yeah, are those are those similar 42 00:01:51.840 --> 00:01:52.920 tools to ansible Tower. 43 00:01:53.079 --> 00:01:56.680 They're all under this sort of automation umbrella, but each 44 00:01:56.719 --> 00:01:59.920 one kind of has has its own, its own strengths. 45 00:02:00.079 --> 00:02:04.599 So Jenkins, you're probably familiar with. It's popular for continuous 46 00:02:04.680 --> 00:02:08.000 integration and delivery. So imagine this. Every time you update 47 00:02:08.000 --> 00:02:11.560 your website, Jenkins automatically runs a bunch of security tests 48 00:02:12.039 --> 00:02:15.599 so you're not accidentally introducing you know, vulnerabilities. 49 00:02:15.680 --> 00:02:19.680 So it's like a security guard. It's constantly checking your work. 50 00:02:20.240 --> 00:02:21.520 Yeah, keeping an eye on things. 51 00:02:21.719 --> 00:02:25.360 Okay, what about rendeck then, so run Dick. 52 00:02:25.240 --> 00:02:29.719 Is really good at orchestrating these complex workflows. So it's 53 00:02:29.800 --> 00:02:34.039 kind of like a conductor leading an orchestra of ansable playbooks, 54 00:02:34.080 --> 00:02:37.599 so you can manage multiple playbooks, chain them together, you know, 55 00:02:37.719 --> 00:02:40.639 control that the whole flow of your automated processes. And 56 00:02:40.680 --> 00:02:44.560 that's really helpful for larger organizations or those those intricate 57 00:02:44.599 --> 00:02:45.560 security setups. 58 00:02:46.039 --> 00:02:48.400 Right, so we've kind of laid out the basic tools here. 59 00:02:48.719 --> 00:02:52.240 Now let's get into into some real world applications. Yeah, 60 00:02:52.319 --> 00:02:56.080 the book highlights this example of building a secure WordPress 61 00:02:56.080 --> 00:02:58.879 site right from scratch using antsable. 62 00:02:59.000 --> 00:03:01.000 You know, building a website. If you're not careful, it 63 00:03:01.039 --> 00:03:04.479 can be a security nightmare. Oh absolutely, But with antsable 64 00:03:04.800 --> 00:03:08.759 you can basically automate that whole process. So everything from 65 00:03:08.840 --> 00:03:13.080 setting up your web server, to configuring firewalls, to hardening 66 00:03:13.240 --> 00:03:19.120 SSH access, even setting up encrypted backups to know the cloud. 67 00:03:19.280 --> 00:03:23.560 Then the book even mentions automating those those pesky WordPress updates, which, 68 00:03:23.639 --> 00:03:27.319 let's be honest, nobody likes doing those, but they're so. 69 00:03:27.599 --> 00:03:30.479 Essential, absolutely crucial, and antsable can just take care of 70 00:03:30.479 --> 00:03:31.159 that for you. 71 00:03:31.199 --> 00:03:34.000 No more security headaches from those outdated plugins. Then. All right, 72 00:03:34.039 --> 00:03:38.400 so we've talked about websites what other real world security 73 00:03:38.400 --> 00:03:41.439 automation examples does the book dive into. 74 00:03:41.759 --> 00:03:46.080 So one really fascinating area is log monitoring, log monitoring okay, 75 00:03:46.120 --> 00:03:47.400 and automated defense. 76 00:03:47.919 --> 00:03:48.360 Interesting. 77 00:03:48.439 --> 00:03:50.599 So antsple can help you set up a system that 78 00:03:50.759 --> 00:03:54.840 automatically collects logs from all your servers, analyzes them for 79 00:03:54.879 --> 00:03:57.800 suspicious activity okay, and it can even take action to 80 00:03:57.840 --> 00:04:00.439 block attacks in real time. 81 00:04:00.520 --> 00:04:03.599 Wow, that sounds incredibly advanced. It is how does that 82 00:04:03.639 --> 00:04:04.120 even work? 83 00:04:04.280 --> 00:04:06.439 So the book does does a great job of breaking 84 00:04:06.439 --> 00:04:08.879 this down. But let's say you're using the elastic. 85 00:04:08.560 --> 00:04:11.120 Stack okay for your for your log analysis. So this 86 00:04:11.280 --> 00:04:15.599 elastic search, log stash, Cabana and beats. Antsible can deploy 87 00:04:15.639 --> 00:04:18.480 that whole stag for you, configure it, get it all 88 00:04:18.519 --> 00:04:23.240 set up, and then imagine your logs detect an SSH 89 00:04:23.279 --> 00:04:28.560 broot force attack. Antsible can actually trigger a serverless function 90 00:04:29.319 --> 00:04:33.000 in AWS Lambda so automatically block that attacker's IP address. 91 00:04:33.399 --> 00:04:35.839 So it's like it's like having a security guard who 92 00:04:36.000 --> 00:04:38.720 not only sees the threat but also knows how to 93 00:04:38.720 --> 00:04:41.319 shut the door before the intruder can even get in. 94 00:04:41.560 --> 00:04:42.959 Exactly. It's proactive defense. 95 00:04:43.040 --> 00:04:47.160 That's amazing. Yeah, what other kind of uh, defensive moves 96 00:04:47.160 --> 00:04:48.560 can can Ansible handle. 97 00:04:48.839 --> 00:04:52.360 Another great example is a web application security testing. So 98 00:04:52.399 --> 00:04:56.240 you're probably familiar with os zaph, which is, you know, 99 00:04:56.319 --> 00:05:00.000 a very powerful open source security scanner. So now imagine 100 00:05:00.199 --> 00:05:05.120 integrating those ZAP scans into your automated build process. Okay, 101 00:05:05.120 --> 00:05:07.560 so answell can make that completely seamless. You're constantly catching 102 00:05:07.639 --> 00:05:11.639 vulnerabilities before they even reach production. That's a that's a 103 00:05:11.680 --> 00:05:14.439 game changer for sure. I'm starting to see how how 104 00:05:14.560 --> 00:05:17.639 versatile Ansable can be for for security. 105 00:05:17.680 --> 00:05:19.800 Yeah, and we're just we're just scratching the surface here. 106 00:05:20.319 --> 00:05:24.600 The book also covers advanced security hardening based on these 107 00:05:24.720 --> 00:05:29.839 industry standard guidelines like c I DRESS benchmarks and STIGs. 108 00:05:29.959 --> 00:05:33.120 Yeah, those are like the rule books for for security best. 109 00:05:32.920 --> 00:05:36.040 Practices exactly, and Ansable make sure that you're you're following 110 00:05:36.040 --> 00:05:36.519 them to a t. 111 00:05:36.959 --> 00:05:39.680 So Ansle's like that that friend who's always on top 112 00:05:39.720 --> 00:05:43.199 of their security game, always reminding you to update your 113 00:05:43.199 --> 00:05:47.399 passwords and install the latest patches. But in this case, Ansible. 114 00:05:47.040 --> 00:05:49.199 Actually does it for you exactly. It takes care of it. 115 00:05:49.519 --> 00:05:54.120 Now, what about cloud environments like uh like AWS? Does 116 00:05:54.199 --> 00:05:56.639 Ansible handle handle hardening in those as well? 117 00:05:56.839 --> 00:06:00.720 Absolutely, it can automate that process as well. Okay, so 118 00:06:00.920 --> 00:06:03.839 making sure your cloud infrastructure is just as secure as 119 00:06:03.959 --> 00:06:06.079 as your on premise system, got it. And it can 120 00:06:06.120 --> 00:06:09.519 even handle those those continuous security practices you know, like 121 00:06:09.800 --> 00:06:13.120 automated vulnerability assessments and security patch audits. 122 00:06:13.480 --> 00:06:15.879 Right, So it's it's really covering all the bases. Yeah, 123 00:06:15.920 --> 00:06:19.879 now what about container security. Yeah, everybody's talking about doctor 124 00:06:19.879 --> 00:06:20.959 and Kupernetes these days. 125 00:06:20.959 --> 00:06:24.920 Absolutely, container security is crucial these days, and antsable is 126 00:06:24.959 --> 00:06:27.920 ready for the challenge. The book really dives into this 127 00:06:27.959 --> 00:06:33.279 whole area of automating vulnerability assessments for Docker containers using 128 00:06:33.319 --> 00:06:37.600 tools like Docker bench for Security, Claire Anchor Engine, and Trivia. 129 00:06:37.800 --> 00:06:40.600 So think of it like having a security scanner that's 130 00:06:40.600 --> 00:06:44.000 specifically designed for this containerized world. 131 00:06:44.360 --> 00:06:47.439 So antible is making sure that no stowaways are sneaking 132 00:06:47.480 --> 00:06:49.040 onto our container ships. 133 00:06:48.759 --> 00:06:50.720 Exactly, catching those vulnerabilities early. 134 00:06:51.120 --> 00:06:54.720 Right. So this all sounds incredibly hands off. Yeah, but 135 00:06:55.160 --> 00:06:59.439 what happens when something does go wrong? How does ansable 136 00:06:59.439 --> 00:07:02.319 help with things like incident response and forensics? 137 00:07:02.399 --> 00:07:05.399 That's where things get really interesting. Ancible can automate tasks 138 00:07:05.560 --> 00:07:09.959 like collecting forensic artifacts and setting up those malware analysis 139 00:07:10.000 --> 00:07:14.519 environments using tools like like Cuckoo, Sandbox and mi sp 140 00:07:14.879 --> 00:07:17.800 So it's like having a specialized team that not only 141 00:07:17.800 --> 00:07:21.480 secured the perimeter, but also knows how to swiftly investigate 142 00:07:21.839 --> 00:07:22.639 a crime scene. 143 00:07:22.759 --> 00:07:25.519 Impressive. But what about for those of us who want 144 00:07:25.519 --> 00:07:28.439 to kind of take our our automation skills to the 145 00:07:28.480 --> 00:07:32.800 next level. Can we actually create our own ansable modules 146 00:07:33.680 --> 00:07:35.360 for specific security tasks? 147 00:07:35.439 --> 00:07:39.040 You absolutely can. The book actually walks you through creating 148 00:07:39.439 --> 00:07:44.240 a custom ansable module for security testing. And that's perfect 149 00:07:44.240 --> 00:07:48.000 for those who who want to really tailor antsable to 150 00:07:48.120 --> 00:07:52.360 their their unique needs, adding that extra layer of power 151 00:07:52.360 --> 00:07:55.759 and flexibility to their to their security automation toolkit. 152 00:07:55.839 --> 00:07:57.920 So you're saying we can essentially build our own security 153 00:07:57.920 --> 00:07:59.680 gadgets and tools with. 154 00:07:59.680 --> 00:08:02.240 Answer in a way. Yeah, you can get really creative 155 00:08:02.279 --> 00:08:02.560 with it. 156 00:08:02.639 --> 00:08:04.720 I love it. Now before we all go full on 157 00:08:04.800 --> 00:08:08.839 cue from James Bond. The book also mentions antsible vault, yes, 158 00:08:09.040 --> 00:08:12.560 for managing you know, all those important secrets securely. 159 00:08:12.639 --> 00:08:14.560 Absolutely, that's crucial, right because. 160 00:08:14.319 --> 00:08:17.759 You don't want those sensitive credentials just line around it. 161 00:08:17.759 --> 00:08:20.240 So it's like having a separate, locked vault for all 162 00:08:20.240 --> 00:08:22.560 your most sensitive information exactly. 163 00:08:22.639 --> 00:08:25.759 Ansable Vault make sure that your secrets are kept safe 164 00:08:25.759 --> 00:08:26.920 and encrypted perfect. 165 00:08:27.399 --> 00:08:28.959 And then there's also ansible Galaxy. 166 00:08:29.079 --> 00:08:31.000 Ah yes, ansable Galaxy. 167 00:08:30.680 --> 00:08:33.639 Which sounds like a treasure trove of pre built ansable 168 00:08:33.679 --> 00:08:34.559 roles in modules. 169 00:08:34.679 --> 00:08:37.480 It is. It is a game change, you said, Oh yeah, 170 00:08:37.120 --> 00:08:42.919 it's a public repository where the antsible community creates and 171 00:08:43.000 --> 00:08:46.840 shares roles and modules. So think of it like an 172 00:08:47.399 --> 00:08:51.200 open source app store for security automation. You have access 173 00:08:51.200 --> 00:08:55.679 to these pre built solutions for everything from hardening operating 174 00:08:55.759 --> 00:08:58.960 systems to setting up entire security framework. 175 00:08:59.080 --> 00:09:02.080 So it's like having a team of security consultants at 176 00:09:02.080 --> 00:09:04.480 your fingertips right freely sharing their expertise. 177 00:09:04.600 --> 00:09:06.759 That's the beauty of the open source community. 178 00:09:07.279 --> 00:09:09.840 Now, the book also mentions a couple of open source 179 00:09:09.840 --> 00:09:12.840 answable projects that that sound particularly useful. Yeah, can you 180 00:09:12.840 --> 00:09:13.960 tell us a bit more about those. 181 00:09:14.279 --> 00:09:17.039 Yeah, there are some some fantastic projects out there, so 182 00:09:17.240 --> 00:09:20.200 d bops for example. Okay, it's like it's like a 183 00:09:20.240 --> 00:09:25.080 blueprint for building a secure Debian based data center. It's 184 00:09:25.120 --> 00:09:29.759 this collection of antswable roles that covers everything from from 185 00:09:29.840 --> 00:09:35.080 basic system configuration to setting up complex services like email, 186 00:09:35.120 --> 00:09:36.200 servers and databases. 187 00:09:36.240 --> 00:09:39.240 So you're basically getting a pre made security foundation for 188 00:09:39.320 --> 00:09:41.120 your entire infrastructure exactly. 189 00:09:41.320 --> 00:09:43.000 Saves you a ton of time and effort. 190 00:09:43.159 --> 00:09:46.320 That's that's incredible. And what was the other project? 191 00:09:46.440 --> 00:09:50.240 The other project is is algo, and that one focuses on, uh, 192 00:09:50.600 --> 00:09:54.759 setting up a personal ip SEC VPN in the cloud. Okay, interesting, 193 00:09:54.879 --> 00:09:58.080 So if you're if you're concerned about privacy and security, 194 00:09:58.120 --> 00:10:00.960 you know, while you're browsing the web, Algo can help 195 00:10:01.000 --> 00:10:04.759 you create this, uh, this secure tunnel for your your 196 00:10:04.759 --> 00:10:05.519 internet traffic. 197 00:10:05.840 --> 00:10:08.399 So it's like it's like having your own personal security 198 00:10:08.440 --> 00:10:12.360 detail exactly for your online activity. I'm seeing a pattern here. 199 00:10:12.399 --> 00:10:15.720 Ansable seems to be all about empowering you to take 200 00:10:15.720 --> 00:10:18.120 control of your own security, whether it's for your servers, 201 00:10:18.159 --> 00:10:21.279 your network, or even your your personal browsing habits. 202 00:10:21.480 --> 00:10:23.240 You hit the nail on the head. Ansable gives you 203 00:10:23.279 --> 00:10:27.360 those tools and the flexibility to really address a wide 204 00:10:27.480 --> 00:10:31.120 range of security concerns, from those you know, large scale 205 00:10:31.240 --> 00:10:35.159 enterprise deployments to individual privacy needs. 206 00:10:35.320 --> 00:10:37.120 And the best part is you don't need to be 207 00:10:37.200 --> 00:10:38.519 a coding expert. 208 00:10:38.159 --> 00:10:42.080 To use it, right rights uh anles Yamel syntax is 209 00:10:42.120 --> 00:10:45.360 designed to be human readable, right, easy to understand. It's 210 00:10:45.360 --> 00:10:49.480 about making security automation accessible to a wider audience, not 211 00:10:49.559 --> 00:10:53.279 just those you know, system administrators or security specialists. 212 00:10:53.399 --> 00:10:59.399 Speaking of system administrators, though, the book stresses the importance 213 00:10:59.440 --> 00:11:02.080 of secure the ansable controller itself. 214 00:11:02.279 --> 00:11:03.759 Yes, absolutely, Why. 215 00:11:03.720 --> 00:11:06.080 Why is that so crucial? I mean, if we're using 216 00:11:06.120 --> 00:11:09.720 antsable to automate all these security tasks, shouldn't it just 217 00:11:09.759 --> 00:11:11.039 be secure by default? 218 00:11:11.200 --> 00:11:13.840 That's a that's a great point, and it really highlights 219 00:11:13.879 --> 00:11:16.759 a crucial, crucial thing. The answable controller. It's the brain 220 00:11:16.799 --> 00:11:19.919 of your your automation operations, right. It's the machine that 221 00:11:19.960 --> 00:11:22.960 stores your playbooks, it manages your inventory of systems, it 222 00:11:23.039 --> 00:11:27.639 executes your commands. So if the controller is compromised, uh, 223 00:11:28.080 --> 00:11:32.279 attackers could potentially gain control over you know, your whole infrastructure. 224 00:11:32.399 --> 00:11:34.799 Well that's that's a scary thought. So it's like it's 225 00:11:34.840 --> 00:11:39.360 like protecting the control room of your your security fortress exactly. Yeah. 226 00:11:39.360 --> 00:11:42.120 What kind of uh, what kind of hardening measures does 227 00:11:42.200 --> 00:11:44.679 the does the book recommend for the controller? 228 00:11:44.919 --> 00:11:50.320 It really emphasizes following you know, those industry standard security practices. 229 00:11:50.360 --> 00:11:54.159 So we're talking about things like like hardening the operating system, 230 00:11:54.279 --> 00:11:58.440 restricting access to only authorized users using strong passwords or 231 00:11:58.960 --> 00:12:01.240 or SSH keys for authentication. 232 00:12:01.480 --> 00:12:04.039 So basically, all the things that we've been talking about 233 00:12:04.080 --> 00:12:07.320 for for our servers and applications should also be applied 234 00:12:07.320 --> 00:12:11.159 to the the ansible controller itself. Absolutely, practice what you're preach. 235 00:12:11.000 --> 00:12:14.759 Right, right, and the book even uh even provides a 236 00:12:14.799 --> 00:12:18.360 sample antsable playbook for hardening the controller, which is a 237 00:12:18.399 --> 00:12:19.799 great a great starting point. 238 00:12:19.840 --> 00:12:20.799 Oh that's very helpful. 239 00:12:21.039 --> 00:12:25.000 Yeah, but remember security, it's it's a continuous process. It's 240 00:12:25.000 --> 00:12:26.679 not just a one time thing. 241 00:12:26.799 --> 00:12:28.519 Right, It's not to set it and forget it kind 242 00:12:28.559 --> 00:12:28.879 of deal. 243 00:12:29.080 --> 00:12:33.200 Exactly. You need to regularly review and update, you know, 244 00:12:33.360 --> 00:12:37.840 your security measures as new threats emerge, as vulnerabilities are discovered. 245 00:12:37.440 --> 00:12:39.679 So you need to stay vigilant, stay proactive. 246 00:12:39.799 --> 00:12:43.360 Right. Antsable is a it's a powerful tool, but it's 247 00:12:43.399 --> 00:12:46.240 it's only as effective as the as a person using it. 248 00:12:46.399 --> 00:12:46.559 Right. 249 00:12:46.600 --> 00:12:48.720 You need to stay informed, you need to keep your 250 00:12:48.840 --> 00:12:51.200 your playbooks up to date. You need to be prepared 251 00:12:51.240 --> 00:12:55.639 to adapt to the ever changing security landscape. 252 00:12:55.840 --> 00:12:58.559 So it's like it's like having a self driving car. 253 00:12:58.799 --> 00:13:00.440 Oh yeah, you know, it can take you where you 254 00:13:00.519 --> 00:13:02.279 want to go, but you still need to pay attention 255 00:13:02.320 --> 00:13:04.919 to the road, right and be ready to take the 256 00:13:04.960 --> 00:13:10.000 wheel if necessary. Exact automation can can enhance your security efforts, 257 00:13:10.080 --> 00:13:14.440 but you can't replace human judgment and expertise absolutely. 258 00:13:15.000 --> 00:13:18.600 And speaking of expertise, the book also touches upon Ansable's 259 00:13:18.679 --> 00:13:20.799 role in continuous security practices. 260 00:13:21.200 --> 00:13:24.799 Continuous security. That sounds that sounds like a very proactive approach. 261 00:13:24.799 --> 00:13:26.000 Can you tell us a bit more about that? 262 00:13:26.200 --> 00:13:29.320 Yeah, So continuous security is all about integrating security into 263 00:13:29.360 --> 00:13:34.240 every single stage of the software development life cycle. Okay, 264 00:13:34.360 --> 00:13:38.120 So it's not just about you know, testing for vulnerabilities 265 00:13:38.159 --> 00:13:40.679 at the end. It's about building security into the process 266 00:13:40.840 --> 00:13:42.279 from from the very beginning. 267 00:13:42.519 --> 00:13:46.159 So it's like having a security consultant embedded in your 268 00:13:46.159 --> 00:13:51.559 development team exactly constantly reminding everyone about security best practices. Right. 269 00:13:51.600 --> 00:13:55.240 So security is never an afterthought, it's baked into the process. 270 00:13:55.399 --> 00:13:58.720 Okay, So where does where does ansable fit into this? Then? 271 00:13:59.039 --> 00:14:01.799 So ansable cann act actually play a key role in 272 00:14:01.879 --> 00:14:06.919 automating a lot of these continuous security tasks. For example, 273 00:14:06.960 --> 00:14:11.120 you could use ansable to automatically run static code analysis 274 00:14:11.120 --> 00:14:16.039 tools okay, to identify potential vulnerabilities in your code base, so. 275 00:14:16.000 --> 00:14:19.559 It's like having a code reviewer who's specifically looking for 276 00:14:19.600 --> 00:14:21.000 security flaws exactly. 277 00:14:21.120 --> 00:14:24.000 And you can also use ansable to automate security testing 278 00:14:24.320 --> 00:14:28.960 as part of your continuous integration and continuous delivery pipeline. 279 00:14:29.519 --> 00:14:32.720 So imagine, you know, automatically running security tests every time 280 00:14:32.759 --> 00:14:35.679 you make a change to your cod ensuring that you're 281 00:14:35.720 --> 00:14:38.919 not accidentally introducing new vulnerabilities. 282 00:14:38.960 --> 00:14:40.919 So it's like having a security guard at the entrance 283 00:14:40.919 --> 00:14:44.759 to your your code repository, checking every single commit for 284 00:14:45.039 --> 00:14:47.639 potential threats. That's that's pretty cool. Yeah, but what about 285 00:14:47.679 --> 00:14:53.279 vulnerabilities that are already already present in third party libraries 286 00:14:53.360 --> 00:14:56.279 or dependencies. Can can ansable help with those as well? 287 00:14:56.399 --> 00:14:59.039 It actually can. The book talks about using antsable with 288 00:14:59.120 --> 00:15:03.399 tools like UH like o WASP dependency check to automatically 289 00:15:03.440 --> 00:15:07.759 scan your applications for known vulnerabilities in third party components. 290 00:15:07.840 --> 00:15:11.279 That's amazing. So antsible can also automate the process of 291 00:15:11.440 --> 00:15:14.720 patching those vulnerabilities once they're they're identified, right. 292 00:15:14.519 --> 00:15:16.639 Absolutely, you can think of it as having this this 293 00:15:16.799 --> 00:15:21.159 automated security medic that can that can quickly UH triage 294 00:15:21.200 --> 00:15:23.639 and treat any any security wounds. 295 00:15:23.840 --> 00:15:27.360 Interesting before they become serious infections. I'm really starting to 296 00:15:27.440 --> 00:15:35.480 appreciate the uh, the depth and breadth of of Antsible's capabilities. Yeah, 297 00:15:35.519 --> 00:15:36.519 in continuous security. 298 00:15:36.600 --> 00:15:38.799 It's it's pretty impressive, and we're really just scratching the 299 00:15:38.840 --> 00:15:41.559 surface here. There's a there's a whole world of continuous 300 00:15:41.559 --> 00:15:44.440 security practices that that ansable can help automate. 301 00:15:44.559 --> 00:15:48.080 Wow. So it's like it's like ansible provides a framework 302 00:15:48.120 --> 00:15:53.000 almost for building a security conscious culture yea within your 303 00:15:53.120 --> 00:15:58.480 organization where security is everyone's responsibility and automation is the 304 00:15:58.559 --> 00:16:02.200 key to making it happen efficiently and effectively. 305 00:16:02.279 --> 00:16:03.840 That's that's a great way to put it. It's about 306 00:16:03.879 --> 00:16:08.039 shifting from from a reactive security mindset to a proactive 307 00:16:08.080 --> 00:16:12.440 one where security is baked into into every process and 308 00:16:12.440 --> 00:16:15.399 and automation helps you helps you stay ahead of the curve. 309 00:16:15.480 --> 00:16:17.559 It's definitely a security journey we should all, uh, we 310 00:16:17.600 --> 00:16:19.720 should all be on. We've covered a lot of ground already, 311 00:16:19.960 --> 00:16:24.279 from ansable basics to to real world security automation examples 312 00:16:24.320 --> 00:16:28.320 an simble Galaxy securing the ansable controller continuous security. But 313 00:16:28.360 --> 00:16:32.000 there's one more area that I'm I'm really excited to explore. 314 00:16:32.879 --> 00:16:36.720 Docker security the world's going container crazy, and I'm I'm 315 00:16:36.759 --> 00:16:40.480 eager to learn how how antsable can help us secure 316 00:16:40.559 --> 00:16:42.440 those those containerized environments. 317 00:16:42.600 --> 00:16:46.000 You're right, Docker security is it's a hot topic these days. 318 00:16:46.000 --> 00:16:49.000 It's only going to become more critical as as containers 319 00:16:49.039 --> 00:16:54.559 become the standard for deploying applications. And luckily antsable is 320 00:16:55.279 --> 00:16:59.279 well equipped to tackle these challenges of container security. And 321 00:16:59.320 --> 00:17:00.559 we'll dive into the details. 322 00:17:00.559 --> 00:17:02.200 Hold on, you're about to say, after the break, won't 323 00:17:02.240 --> 00:17:04.200 you got you? We don't do brakes in these in 324 00:17:04.240 --> 00:17:05.400 these deep dives, right. 325 00:17:05.279 --> 00:17:07.000 Of course, Sorry about that, So let's. 326 00:17:06.839 --> 00:17:09.759 Jump right into this container security discussion. 327 00:17:09.960 --> 00:17:12.279 Sounds good. You know, it's easy to get caught up 328 00:17:12.319 --> 00:17:15.720 in the in the speed and agility of deploying applications 329 00:17:15.720 --> 00:17:19.000 with Docker, but sometimes security can feel like an afterthought. 330 00:17:19.119 --> 00:17:21.279 It's like building a super fast race car and forgetting 331 00:17:21.279 --> 00:17:23.039 to install seatbelts exactly. 332 00:17:23.440 --> 00:17:26.720 But luckily antsable can help us integrate security into our 333 00:17:26.759 --> 00:17:28.880 Docker workflows from the from the ground up. 334 00:17:29.160 --> 00:17:31.759 So it's like having a pit crew that's that's not 335 00:17:31.799 --> 00:17:34.440 only focused on speed, but also on making sure that 336 00:17:34.480 --> 00:17:37.359 the car is safe to drive. Right of good analogy, 337 00:17:37.519 --> 00:17:40.279 what kind of what kind of security checks can Ansable 338 00:17:40.279 --> 00:17:42.240 perform on Docker containers. 339 00:17:42.319 --> 00:17:45.559 Well, the book mentions using Antsable with tools like Docker 340 00:17:45.599 --> 00:17:48.960 bench for Security, which is basically a script that checks 341 00:17:49.000 --> 00:17:52.160 your Docker environment against a set of of security best 342 00:17:52.200 --> 00:17:56.200 practices okay, defined by the Center for Internet Security CIS. 343 00:17:56.240 --> 00:17:59.799 So it's like having a certified safety inspector examine our 344 00:18:00.359 --> 00:18:03.200 our race car to make sure it meets. 345 00:18:03.000 --> 00:18:06.440 All the regulations exactly, checking for those potential vulnerabilities. 346 00:18:06.480 --> 00:18:08.759 What sort of things does does doctor Bitch for Security 347 00:18:08.759 --> 00:18:09.079 look for? 348 00:18:09.400 --> 00:18:12.240 It covers a really wide range of areas from from 349 00:18:12.319 --> 00:18:16.160 host configuration and doctor demon settings to UH to container 350 00:18:16.160 --> 00:18:19.440 image security and run time options. Okay, so for example, 351 00:18:19.480 --> 00:18:22.880 it checks things like whether your doctor demon is running 352 00:18:22.920 --> 00:18:26.359 with with proper user permissions, right if your if your 353 00:18:26.359 --> 00:18:29.839 container images are are signed and from you know, trusted sources, 354 00:18:30.160 --> 00:18:34.000 and whether you're whether you're running containers with UH with 355 00:18:34.160 --> 00:18:35.279 unnecessary privileges. 356 00:18:35.400 --> 00:18:38.240 So it's like checking for everything from from loose bolts 357 00:18:38.519 --> 00:18:43.720 and faulty wiring to to making sure the driver's wearing 358 00:18:43.720 --> 00:18:44.160 a helmet. 359 00:18:44.240 --> 00:18:45.839 That's a that's a great way to put it, and 360 00:18:45.839 --> 00:18:48.359 and ansable can automate all of these checks so you 361 00:18:48.359 --> 00:18:50.920 can run them regularly as part of your you know, 362 00:18:50.960 --> 00:18:53.440 your continuous integration and delivery pipeline, so you. 363 00:18:53.440 --> 00:18:57.880 Can catch those those security issues early on before they 364 00:18:57.960 --> 00:19:01.640 become a major problem. It's like having a continuous uh 365 00:19:02.000 --> 00:19:05.480 ceasty inspection throughout the race, not just not just at 366 00:19:05.480 --> 00:19:07.960 the starting line, but what about vulnerabilities that might be 367 00:19:08.039 --> 00:19:11.759 lurking within the within the container images themselves. How can 368 00:19:12.000 --> 00:19:13.599 how can ansible help with that? 369 00:19:13.599 --> 00:19:16.279 That's where tools like like Claire come in. It's a 370 00:19:16.440 --> 00:19:20.440 it's a powerful open source project that analyzes container images 371 00:19:20.519 --> 00:19:22.519 for for known security vulnerabilities. 372 00:19:22.559 --> 00:19:24.680 It's like having an X ray machine that can scan 373 00:19:24.880 --> 00:19:28.359 the contents of your container right and identify any hidden 374 00:19:28.440 --> 00:19:29.880 dangers exactly. 375 00:19:30.039 --> 00:19:33.880 And ansable can actually integrate with uh with Claire okay 376 00:19:34.079 --> 00:19:38.319 to automate the process of scanning your container images before 377 00:19:38.319 --> 00:19:39.000 you deploy them. 378 00:19:39.039 --> 00:19:42.759 So it's like having a security checkpoint at the container 379 00:19:42.799 --> 00:19:46.440 port making sure that no uh no dangerous goods are 380 00:19:46.440 --> 00:19:50.160 allowed in exactly. Now, if if Claire finds any vulnerabilities, 381 00:19:50.200 --> 00:19:53.160 can can Ansible help with with patching those containers? 382 00:19:53.160 --> 00:19:56.519 Absolutely? Ansable can even help you automate the process of 383 00:19:56.920 --> 00:20:00.480 patching those containers, so you can very quickly room mediate 384 00:20:00.559 --> 00:20:02.079 those those security risks. 385 00:20:02.359 --> 00:20:04.359 So it's like having a container repair shop. Yeah, that 386 00:20:04.440 --> 00:20:07.519 can quickly fix any any security holes right before they 387 00:20:07.519 --> 00:20:09.960 can be exploited. Are there are there any other tools 388 00:20:09.960 --> 00:20:13.440 besides Claire that they can help with with this vulnerability scanning? 389 00:20:13.519 --> 00:20:15.519 Claire is great, but it's it's not the only option. 390 00:20:15.559 --> 00:20:19.799 The book also mentions anchor Engine and Trivia, which both 391 00:20:19.839 --> 00:20:24.240 offer similar vulnerability scanning capabilities for Docker containers. 392 00:20:24.519 --> 00:20:27.079 So we've got multiple tools to choose from, each with 393 00:20:27.160 --> 00:20:30.440 its its own its own strengths and specialties. It's like 394 00:20:30.480 --> 00:20:33.359 having a whole team of of container security experts at 395 00:20:33.400 --> 00:20:36.920 our disposal. Right exactly, how does how does ansable help 396 00:20:37.000 --> 00:20:38.519 us manage all of these different tools? 397 00:20:38.839 --> 00:20:43.039 So antsable can it can orchestrate these tools and integrating 398 00:20:43.039 --> 00:20:46.160 them seamlessly into your your existing workflows. It's like having 399 00:20:46.200 --> 00:20:50.519 a container security command center that oversees all the security 400 00:20:50.559 --> 00:20:53.559 operations for your your docrized applications. 401 00:20:53.920 --> 00:20:56.960