forked from CMSgov/saf
resources.json
{
"items": [
{
"name" : "Quick Start Steps",
"desc" : "<h4 class=\"mb-2\">Step 1: What are you creating?</h4><p class=\"ml-4\">Which component types are being used to build your system? Consider types of Cloud Services, Virtualization Platforms, Operating Systems, Databases, Application Logic, and Web Servers.</p><h4 class=\"mb-2\">Step 2: What can be hardened using CMS SAF?</h4><p class=\"ml-4\">See our <a href=\"https://saf.cms.gov/#/implementation\" target=\"_blank\">CMS SAF Implementation/Hardening page</a> for scripts to automatically harden the system components you identified in Step 1 every time you build or fix them.</p><h4 class=\"mb-2\">Step 3: What can be validated using CMS SAF?</h4><p class=\"ml-4\">See our <a href=\"https://saf.cms.gov/#/validation\" target=\"_blank\">CMS SAF Validation page</a> for scripts to automatically validate the security of the system components you identified in Step 1 every time you build or fix them.</p><h4 class=\"mb-2\">Step 4: Decide how to integrate the hardening and validation runners into your specific workflow.</h4><p class=\"ml-4\">Depending on how you develop and operate your system, be it traditional administrative servers or DevOps orchestration pipelines, you can decide where it makes the most sense to stage the hardening (Kitchen, Ansible, Terraform, Puppet, etc.) and validation (InSpec) runners for the scripts identified in Steps 2 and 3 (see the graphic below on the many ways InSpec can be installed).</p><h4 class=\"mb-2\">Step 5: What Static and Dynamic Code Analysis Tools are you using?</h4><p class=\"ml-4\">See our <a href=\"https://saf.cms.gov/#/faq#tools\" target=\"_blank\">Heimdall_tools page</a> to find code to convert the output from common Static and Dynamic Code Analysis Tools into the CMS ISPG standard Heimdall Data Format (HDF). HDF security validation data can be visualized for analysis using Heimdall Lite or Heimdall Server (more on those in Step 6!).</p><h4 class=\"mb-2\">Step 6: Visualize and start fixing!</h4><p class=\"ml-4\">Use <a href=\"https://heimdall-lite.mitre.org/\" target=\"_blank\">Heimdall Lite</a> or your own <a href=\"https://heimdall.mitre.org/\" target=\"_blank\">Heimdall Server</a> to visualize and identify remediation steps in the output from InSpec (Step 3 Validation) and Heimdall_tools (Step 5). <a href=\"https://heimdall-lite.mitre.org/\" target=\"_blank\">Heimdall Lite</a> is a single-page browser-based solution, while <a href=\"https://heimdall.mitre.org/\" target=\"_blank\">Heimdall Server</a> provides your team with its own back-end database for storing security validation data and more! Both allow the user to ingest security validation data via a GUI, the API, Splunk, or S3!</p><h4 class=\"mb-2\">Step 7: Give us feedback!</h4><p class=\"ml-4\">If you don’t see a hardening script, validation script, or security tool converter you need here, click on the \"Give Us Feedback\" button in the header above and let us know your interest!</p><p class=\"ml-4\">Want more context? The steps above embrace the best practices cited below. We also provide more perspective below on InSpec, the core CMS SAF tool for automated security configuration validation.</p>"
},
{
"name": "Mature DevSecOps Best Practices",
"desc": "DevSecOps is a software development framework that stresses automation and rapid user feedback to deliver quality, secure software quickly. A DevSecOps pipeline is a collection of tools and practices that automate as much of development as possible, from testing to change management to deployment.",
"values" : [
{
"name" : "DevSecOps Checklist",
"desc" : "",
"download_link" : "DevSecOps-Checklist-07022020.pdf"
},
{
"name" : "DevSecOps Best Practices Guide",
"desc" : "",
"download_link" : "CMS-SAF-DevSecOps_Best_Practices_Guide_Jan_2021.pdf"
},
{
"name" : "InSpec Profile Lifecycle SOP",
"desc" : "",
"download_link" : "CMS_InSpec_Profile_Lifecycle_SOP_v1.0_20190702.pdf"
}
]
},
{
"name": "InSpec",
"desc": "InSpec is a free and open-source Chef framework for testing and auditing applications and infrastructure. InSpec is designed to integrate very easily into existing DevSecOps pipelines. CMS has partnered with the open-source community to create a growing number of baseline testing profiles to make it easy for developers to jump right in.",
"values": [
{
"name": "InSpec Documentation",
"desc": "InSpec's main webpage containing all written documentation and walkthroughs of the tool",
"link": "https://www.inspec.io/docs/"
},
{
"name": "InSpec Profile Resources Reference",
"desc": "Reference list of the built-in InSpec \"resources\" (the system components InSpec can inspect, such as files, packages, services, and ports) available for the user to search through",
"link": "https://www.inspec.io/docs/reference/resources/"
},
{
"name": "Introduction to InSpec Video Courses",
"desc": "Video tutorials demonstrating and explaining how InSpec operates",
"link": "https://www.youtube.com/playlist?list=PLSZbtIlMt5rcbXOpMRucKzRMXR7HX7awy"
},
{
"name": "InSpec Profile Developers Course",
"desc": "Reviews the basics on how to write and run tests",
"link": "https://mitre-inspec-developer.netlify.com/"
},
{
"name": "InSpec Advanced Developer Course",
"desc": "In-depth explanation of some of the more advanced features provided by InSpec",
"link": "https://mitre-inspec-advanced-developer.netlify.com/"
},
{
"name": "InSpec Tools and Utilization",
"desc": "Guide to installation of InSpec Tools",
"link": "https://mitre.github.io/inspec_tools/"
}
]
},
{
"name": "How is InSpec deployed?",
"desc": "It is intended and recommended that InSpec be installed on a \"runner\" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) and run against the target remotely (for example over SSH or WinRM), so that nothing needs to be installed on the system under test. However, InSpec may be deployed in various ways depending on the needs of the user:",
"image": "inspec-runner"
}
]
}
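Steps 5 and 6 in the Quick Start hand InSpec results and converted tool output to Heimdall as HDF, which is the JSON that InSpec's `--reporter json` emits. The following Ruby script is an added example and is not part of the CMS SAF repository, InSpec or Heimdall: it parses a constructed HDF document, rolls each control's individual test results up to one control status and a severity band in the way Heimdall presents them (the exact impact thresholds for the bands are an assumption), and lists the failed controls in priority order with the messages InSpec recorded, which is the worklist a team needs to "visualize and start fixing". The profile name, control IDs, impacts and results are all made up for the example; the embedded `code` fields show the InSpec control DSL that the InSpec section above refers to.

```ruby
require 'json'

# Constructed sample of InSpec's JSON reporter output, the structure Heimdall
# and heimdall_tools call HDF. Real output (`inspec exec PROFILE --reporter json`)
# has the same shape with many more controls; the "code" field carries each
# control's own source, i.e. the InSpec DSL. Profile, IDs and results are made up.
SAMPLE_HDF = <<~'HDF'
  {"platform": {"name": "ubuntu", "release": "20.04"}, "version": "4.41.20",
   "statistics": {"duration": 1.42},
   "profiles": [{"name": "sample-linux-baseline", "version": "1.0.0", "controls": [
     {"id": "sshd-01", "title": "SSH server must not permit root login", "impact": 0.7,
      "code": "control 'sshd-01' do\n  impact 0.7\n  describe sshd_config do\n    its('PermitRootLogin') { should cmp 'no' }\n  end\nend\n",
      "results": [{"status": "failed", "code_desc": "SSHD Configuration PermitRootLogin is expected to cmp == \"no\"",
                   "message": "\nexpected: \"no\"\n     got: \"yes\"\n"}]},
     {"id": "pkg-01", "title": "The telnet client must not be installed", "impact": 0.5,
      "code": "control 'pkg-01' do\n  impact 0.5\n  describe package('telnet') do\n    it { should_not be_installed }\n  end\nend\n",
      "results": [{"status": "passed", "code_desc": "System Package telnet is expected not to be installed"}]},
     {"id": "file-01", "title": "Account files must have restrictive permissions", "impact": 0.3,
      "code": "control 'file-01' do\n  impact 0.3\n  describe file('/etc/passwd') do\n    its('mode') { should cmp '0644' }\n  end\n  describe file('/etc/shadow') do\n    its('mode') { should cmp '0640' }\n  end\nend\n",
      "results": [{"status": "passed", "code_desc": "File /etc/passwd mode is expected to cmp == \"0644\""},
                  {"status": "failed", "code_desc": "File /etc/shadow mode is expected to cmp == \"0640\"",
                   "message": "\nexpected: \"0640\"\n     got: \"0666\"\n"}]},
     {"id": "fips-01", "title": "FIPS mode must be enabled", "impact": 0.9,
      "code": "control 'fips-01' do\n  impact 0.9\n  only_if('Not applicable outside FedRAMP') { false }\n  describe command('cat /proc/sys/crypto/fips_enabled') do\n    its('stdout.strip') { should eq '1' }\n  end\nend\n",
      "results": [{"status": "skipped", "code_desc": "Operating System Detection",
                   "skip_message": "Skipped control due to only_if condition: Not applicable outside FedRAMP"}]},
     {"id": "doc-01", "title": "Informational: kernel packages are enumerable", "impact": 0.0,
      "code": "control 'doc-01' do\n  impact 0.0\n  describe command('dpkg -l linux-image-*') do\n    its('exit_status') { should eq 0 }\n  end\nend\n",
      "results": [{"status": "passed", "code_desc": "Command: `dpkg -l linux-image-*` exit_status is expected to eq 0"}]}
   ]}]}
HDF

# Severity bands for InSpec impact scores (0.0 to 1.0), modelled on the bands
# Heimdall displays. Assumption: these exact cut-offs.
def severity(impact)
  impact = impact.to_f
  return 'none'   if impact.zero?
  return 'low'    if impact < 0.4
  return 'medium' if impact < 0.7
  return 'high'   if impact < 0.9
  'critical'
end

# Roll a control's individual test results up to one status: any failed test
# fails the control, impact 0 marks it not applicable (Heimdall's convention),
# and a control whose tests were all skipped (e.g. by only_if) or that produced
# no results at all is "not reviewed" rather than passed.
def control_status(control)
  return 'not_applicable' if control['impact'].to_f.zero?
  statuses = Array(control['results']).map { |r| r['status'] }
  return 'failed' if statuses.include?('failed')
  return 'passed' if statuses.include?('passed')
  'not_reviewed'
end

# Parse an HDF/InSpec JSON document and return the remediation worklist:
# counts per status, plus the failed controls ordered by impact (highest first)
# with the failure messages InSpec recorded for each.
def summarize(hdf_text)
  doc = JSON.parse(hdf_text)
  controls = doc.fetch('profiles').flat_map { |p| p.fetch('controls', []) }
  counts = Hash.new(0)
  failed = []
  controls.each do |c|
    status = control_status(c)
    counts[status] += 1
    next unless status == 'failed'
    messages = c['results'].select { |r| r['status'] == 'failed' }
                           .map { |r| "#{r['code_desc']}#{r['message']}".gsub(/\s+/, ' ').strip }
    failed << { id: c['id'], title: c['title'], impact: c['impact'].to_f,
                severity: severity(c['impact']), messages: messages }
  end
  failed.sort_by! { |f| -f[:impact] }
  { platform: "#{doc.dig('platform', 'name')} #{doc.dig('platform', 'release')}".strip,
    counts: counts, failed: failed }
end

if __FILE__ == $PROGRAM_NAME
  report = summarize(SAMPLE_HDF)
  puts "Target: #{report[:platform]}  controls: #{report[:counts].map { |k, v| "#{k}=#{v}" }.join(' ')}"
  report[:failed].each do |f|
    puts "[#{f[:severity].upcase}] #{f[:id]} #{f[:title]}"
    f[:messages].each { |m| puts "    #{m}" }
  end
end
```

Run it with `ruby hdf_summary.rb` (the file name is arbitrary). Against a real target, replace `SAMPLE_HDF` with the file written by `inspec exec PROFILE -t ssh://user@host --reporter json > results.json`, which is the same document Heimdall Lite would load; the point of the roll-up rules is that a control with several `describe` blocks is only as good as its worst result, and that skipped or impact-0 controls must not be counted as passes when reporting compliance.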