►
Description
2:08 - Program Start
3:17 - Introductions
5:19 - What is MITRE SAF? Security Automation Framework
6:50 - Four essential components to the framework
9:14 - STIG, compliance and hardening points
14:03 - An end-to-end implementation with GitHub Actions
19:12 - The test matrix
23:55 - Use in safety critical systems
24:35 - Communicating outputs visually to users
29:35 - Integration of artifacts into the full system
32:28 - Integration with other tools
35:28 - InspecTools and changes to STIG
37:43 - Heimdall tools and GitHub Actions
47:32 - How to run Heimdall
53:02 - Managing package updates
56:17 - A live fork of SAF
A core component of a successful infrastructure-as-code strategy is an automated security and compliance workflow that encompasses both your application and system-level artifacts. In this session, Robert Clark and Aaron Lippold help us learn how MITRE is using GitHub Actions to develop it’s Security Automation Framework (SAF), a package of tools and best practices that help users identify applicable security and privacy requirements, assess development best practices guidance and implement relevant security hardening scripts.
https://saf.mitre.org/
A
A
B
Hello,
everyone
and
welcome
to
demo
days
happy
friday
to
you
all
nice
to
see
you
happy
saturday
to
those
who
are
staying
up
late.
It's
awesome
to
see
everyone
from
uae
kurdistan
minnesota,
turkey,
chile,
we've
got
a
nice
worldwide
audience
today
and
a
very
exciting
demo
days.
Today
we
have
the
next
piece
in
our
discussion
of
infrastructures
code.
We
started
off
by
talking
about
infrastructures,
code
from
first
principles
and
then
jurgen
took
us
through
how
github
uses
ise
to
deploy,
and
today
we're
going
to
get
even
more
specific
and
talk
about
security
automation.
B
So
if
you
find
this
demo
day
useful
and
want
to
talk
about
it
in
your
company's
specific
context,
please
feel
free
to
use
the
qr
code
in
the
corner
and
book
a
meeting
with
us.
So
today,
I'm
going
to
introduce
you
all
to
andrew
weiss
field,
solutions,
engineer
at
github
and
our
special
guest
for
today,
aaron
lippold
and
robert
clark
from
mitre,
who
will
be
talking
about
security
and
compliance,
automation,
andrew.
C
Hey
thanks
so
much
aj.
Thank
you
all
for
joining
today.
So,
as
aj
said,
this
is
really
a
continuation
in
our
series
on
infrastructure
as
code,
and
you
know
today,
we
really
want
to
dive
in
and
take
a
closer
look
at
how
we
can
apply
security
approaches
and
best
practices
to
our
infrastructure,
and
I'm
really
excited
today
to
have
both
robert
and
aaron
here
as
guests
of
ours,
with
mitre
and
I'll.
C
Today,
it's
really
all
about
how
we
can
apply
these
infrastructures
code
principles
and
apply
them
to
automation
at
scale,
and
so
aaron
and
robert
are
going
to
take
a
really
nice
look
at
this
automation
framework,
this
safe
framework
and
talk
about
how
you
can
harden
infrastructure
and
combine
those
infrastructures
code
resources
with
some
of
the
best
practices
that
we
see
across
industry
today.
So
without
further
ado,
robert
aaron,
you
guys
want
to
introduce
yourselves
to
the
audience
here
today.
E
C
Awesome
thanks
so
much
gentlemen,
so
this
staff
that
we're
talking
about
here
this
security
automation
framework,
in
short-
and
I
think,
robert
you
have
some
information
about
this-
that
you
want
to
share
for
the
audience
today.
You
know
I've
heard
a
little
bit
about
this.
I've
heard
some
individuals
that
I
work
with.
I
do
a
lot
of
work
in
the
security
community
as
well,
and
they
talked
about
this
framework
before
and
you
know
I
myself
have
dabbled
in
security
automation
tools.
C
I
think
there's
this
awesome
open
source
project
out
there,
like
inspect
from
the
chef
community
and
some
other
automation
tools.
Could
you
describe
a
little
bit
more
about
this
framework?
What
it
is
specifically
I'm
on
your
website
here,
staff.miner.org
but
robert.
If
you
want
to
give
us
a
quick
little
intro
about
this
framework
and
some
of
the
backing
behind
it.
D
C
You
know
we've
talked
about
previously
on
our
our
channel
here.
You
know
mentioned
terraform
and
chef,
and
you
know
it
sounds
like
this
framework
is
totally
you
know,
tooling,
agnostic,
really
it's
it's
more
kind
of
an
overlay.
You
know,
regardless
of
the
tools
you
want
to
use.
Of
course
it's
standards
based.
You
know,
based
on
the
site
here,
but
if
you
talk
a
little
bit
more
about
the
framework,
provides
kind
of
an
end-to-end.
You
know
framework
life
cycle
here.
D
D
So
in
order
to
validate
content,
what
we
do
is
we
utilize,
the
miter
or
sorry,
the
chef
in
spec
or
we
utilize
chef,
inspect
chef
inspect,
is
a
compliance's
code,
a
domain
specific
language,
so
we
write
all
of
our
hardening
in
inspect.
The
thing
is:
when
we're
writing
writing
hardening
content.
We
need
to
actually
be
able
to
take
it
and
test
it.
So
I'm
sorry
when
we're
writing
validation
content,
we
need
to
actually
be
able
to
test
against
something.
D
C
And
can
you
talk
more
for
folks
that
may
be
unfamiliar
with
just
general
hardening
techniques
from
an
infrastructure
perspective?
What
exactly
are
these
profiles
doing
to
the
operating
system?
Here
you
know,
I
imagine
that
they're
locking
certain
aspects
of
the
operating
system
down
or
configuring
in
such
a
way
that
it
meets
these
requirements.
C
D
D
Of
course
yeah
I
mean
I
can
I
can
do
it
too,
not
a
problem
sure.
So
there's
a
lot
of
this
content.
A
lot
of
this
content
is
coming
from
the
well
a
lot
of
it.
A
lot
of
the
content
that
we
work
at
least
comes
from
stigs
right,
so
security,
technical
implementation
guides.
These
are
published
by
disa
and
basically
some
of
the
examples
of
these
controls
could
just
be
something
as
simple
as
you
have.
You
have
to
lock
your
screen
automatically
when
you
step
away
right.
D
C
C
Industries,
we
have
some
folks
from
around
the
world
here,
so
maybe
you're
working
with
different
regulatory
standards
like
iso
or
healthcare
compliance
and
basically
they
define
all
these
control
requirements
and
you
map
those-
and
you
turn
those
into
these
as
code
quote-
unquote
specifications
right,
so
you
take
that
security
guide
and
you
apply
them
as
specification.
That's
what
I'm
looking
at
here
right
these
these
profile
baselines,
correct,
yeah,.
D
These
profile
baselines
are
taking
in
this
example
right,
it's
a
stig
baseline,
so
that's
based
off
the
just
a
security
technology,
implementation
guide
right
and
we
go
ahead
and
map
those.
Yes,
basically,
two
or
we
rewrite
these
into
inspect
code,
instead
of
so
they
provide
like
so,
for
example,
the
state
generally
provides
an
example
of
oh.
This
is
what
you
need
to
check
right.
D
E
E
You
could
also
write
these
security
profiles
using
these
same
the
same
compliance
framework
to
say:
well,
my
organization
is
defined
some
standards
or
the
application
that
I'm
building
has
a
set
of
ports,
protocols,
users,
applications
packages
and
I
could
align
those
to
the
relevant
security
controls
like
the
fact
that
I'm
managing
my
users
at
my
application
level
right
manages
part
of
my
ac
controls.
My
access
control
requirements
as
part
of
the
nist
or
cis
is
access
control
requirement
and
you
can
tag
those
tests
for
the
functional
and
unit
tests
in
your
application.
E
E
The
developed
application
is
all
wonderful
and
all
of
its
application
capabilities
are
great
right.
Innovation,
innovation
right,
but
I
can't
bring
that
innovation
to
bear
unless
I
pass
for
the
gates
of
security
and
the
operators
that
are
responsible
for
maintaining
all
your
networks
right.
You
have
to
play
with
that
part
of
the
community
as
well,
and
this
gives
you
a
mechanism
to
communicate
that
you
did
what
they
needed
to
do,
so
they
can
be
supportive
of
making
you
successful.
C
Gotcha
yeah,
that
makes
a
little
sense,
so
it
sounds
like
validation,
is
it's
kind
of
an
attestation
as
code
mechanism
for
all
different
teams,
because
you
know
you
made
a
good
point:
it's
not
just
the
developers!
Writing
software
day-to-day!
You
know
it's
all
about
the
operations
personnel
that
are
operating
this
infrastructure.
Writing
these
infrastructures
code
artifacts,
the
security
compliance
and
risk
teams
that
are
ensuring
that
the
deployment
or
the
declarative
deployment
is
as
what
we
wanted
it
to
be,
and,
of
course,
we
can
attest
to
that.
C
So
with
that
being
said,
you
know
robert.
Can
you
maybe
go
through
like
an
end-to-end
flow
with
the
saf?
You
know
you
give
us
some
sneak
peek
on
how
to
use
or
how
you're
using
github,
but
I
guess
what's
a
common
workflow
that
you
all
employ
with
the
staff
framework
and
how
you
use
github
or
highlight
how
you
use
github
more
for
that.
D
So
I'd.
Actually,
I'm
gonna
go
back
to
the
example.
I
had
up
before
the
red
hat
enterprise.
Seven
stick
baseline
this
profile
when
we're
doing
basically
when
we're
doing
development
and
testing
on
it.
One
of
the
important
things
for
us
is
that
we
can
actually
stand
up
a
clean
box
and
actually
make
sure
that
when
we
harden
that
box
and
when
we
validate
against
that
box,
that
it
is
basically
that
you
know
it's
not
just
some
system
that
we've
been
messing
with
and
doing
manual
changes
on.
D
C
If
that's
something
yeah,
could
you
could
you
maybe
go
into
that,
because
it's
really
cool
that
you're
using
so
you're
using
github
actions
which
has
its
own
infrastructure
and
then
you're
deploying
other
infrastructure
with
vagrant,
and
that
infrastructure
is
really
representative
of
your?
You
know:
production
infrastructure
that
has
to
be
secured
and
has
to
be
tested
to
yeah.
Please
do
dive
deeper
into
kind
of
what
workflows
you're
using
and
how
you've
crafted
these
actions.
E
A
B
E
Kitchen
to
talk
to
various
vagrant
or
ec2
amazon,
aws
the
cli
right
to
deploy
infrastructure
on
amazon
or
deployed
on
vapor
and
order
deployed
on
docker
right.
So
we've
got
like
three
levels
of
abstraction
all
built
in
here
such
that
I
can
replicate
this
workflow
process
locally
through
kitchen
via
vagrant,
or
I
can
do
it
remotely
on
a
cloud
instance
right.
I
can
go
call
out
to
ec2
and
say
I
also
want
you
to
replicate
the
same
workflow
on
an
ec2
box
in
aws.
E
Oh,
and
I
also
want
you
to
do
it
on
a
docker
container
running
on
a
docker
swarm
somewhere
right.
So
I'm
shifting
the
context
to
my
deployment
location
and
my
find
my
testing
all
in
an
automated
continuous
fashion.
So
if
I
say
I'm
supporting
local
boxes
cloud
instances,
docker
containers
right,
I
can
replicate
that
whole
ecosystem
in
this
workflow,
using
the
github
actions
test
kitchen
and
some
of
the
technologies
bringing
all
these
things
pieces
together.
C
A
C
E
E
B
E
More
with
this,
so
we
completely
bent
it
on
its
side
and
said
we're
gonna
really
use
this
to
be
our
orchestration
platform
that
we
can
hold
in
code
right
and
then
I'm
using
your
orchestration
platform
to
execute
my
orchestration
platform
to
do
all
the
stuff.
So
anyway,
I'll
let
robert
go
from
there.
D
All
right
thanks,
aaron
yeah,
so
yes,
we're
using
a
test
kitchen
at
one
layer.
Test
kitchen
is
actually
a
wrapper
around
vagrant,
which
is
another
tool
that
one's
by
hashicorp
that
basically
orchestrates
virtual
machines
and
then
from
there
we
can
execute
commands
as
part
of
the
kitchen
scripts
to
actually
run
inspect
as
well.
It's
actually
pretty
natively
integrated
since
chef
builds
both
inspect
and
test
kitchen,
and
so
this
is
kind
of
the
overall
workflow
and
the
same
test.
Kitchen
actually
is,
I
guess,
runner
or
a
runner
agnostic.
D
D
So
this
is
kind
of
the
overview
diving
into
the
actual
code,
where
I'm
most
comfortable
right
is
basically
basically
what
we
do
is
we
go
ahead
and
set
up
a
test,
matrix,
a
vanilla
and
a
hardened
test
matrix,
and
then
in
this
case
this
is
the
vagrant
executor.
But
we
set
up
the
vanilla
hardened
test
matrix.
Then
we
go
ahead
and
use
kitchen
with
just
one
command
to
go
ahead
and
deploy
either
the
hardened
or
vanilla.
D
We
tell
it
basically
to
deploy
the
hardware
vanilla
matrix
and
then
we
go
ahead
and
use
a
tool
that
we
build
called
inspec
tools.
Inspect
tools
is
actually
useful
for
has
a
couple
useful
things
built
into
it
for
validating
that
you're
actually
complying
to
a
specific
level
either.
Compliance
or
summary
are
the
two
tools
we're
going
to
be
using
here
and
I'll
talk
a
little
bit
more
about.
Why
that's
necessary
in
a
second,
but
we
go
ahead
and
actually
use
that
to
go
ahead
and
check
whether
we
meet
the.
D
Go
either
the
vanilla
or
hardened
threshold,
the
threshold
files
are
quite
simple,
they're,
just
a
thing,
a
file
that
says
what
how
many
errors
am
I
allowed
to
have
in
this
profile
run
well
we're
the
developers.
We
don't
want
there
to
be
any
errors
right.
That
means
that
the
test
actually
failed
to
execute.
We
don't
want
any
of
those
in
either
vanilla
or
the
hardened
profile
and
the
vanilla
profile.
We
don't
really
care
about
compliance,
because
it's
just
an
unhardened
box.
D
E
C
A
good
point
is
like
when
you're
doing,
security
and
compliance
there's
no
way
to
be
100.
Risk-Free,
there's,
there's
always
a
little
bit
of
risk.
You
have
to
assume.
So
there
is
a
little
bit
of
a
buffer
in
your
threshold.
You
know
things
are
going
to
break.
You
know
certain
things
you
know
may
potentially
be
vulnerable
there.
So
it's
all
about
you
know
assuming
acceptable
level
of
risk
for
the
organization
you
know,
pursuant
to
your
regulatory
requirements.
C
Again,
you
know
it's
not
just
you
know:
u.s
federal
or
u.s
regulatory
requirements,
maybe
international
requirements,
so
some
some
interesting
taxes
that
you
all
are
taking
there.
You
know
in
order
to
set
those
thresholds
because
it's
all
about
you
know
conveying
that
risk
to
those
organizations.
Absolutely.
E
If
I
have
accounted
for
that,
you
can
do
an
overlay
to
basically
put
in
adjust
justification
and
say
I'm
going
to
set
the
impact
of
this
to
zero.
It's
not
applicable
here
is
the
caveat
or
the
justification
as
to
why
my
security
team
has
said
it's
okay
for
us
to
pass
or
fail
this
test
or
whatever,
and
I've
accounted
for
that.
E
So
now
it's
not
noise
in
your
system
right
and
then
you
could
even
articulate
that
in
your
threshold
file
to
say
I
expect
80
compliant
with
10
items
that
I've
denoted
as
not
applicable
right
and
no
errors
right.
And
then,
if
you
push
up
a
pr
that
basically
says,
oh
I'm
able
to
resolve
this
now,
I'm
able
to
fix
it.
You
remove
that
non-applicable
right!
You
just
take
it
out
of
that
pattern.
E
You
go
well,
let's
look
and
see
in
the
last
pr
build
yep
last
pr
build
is
ready
to
go
and
it's
meeting
the
threshold.
We
can
go
right
now
if
you
want.
Let's
push
the
button
right,
because
continuous
deployment
right
or
ongoing
deployment
right
is
nice,
but
in
real
world
operational
systems,
right
there's
always
a
decision
point.
That
basically
says
did
I
pass
all
my
tests?
E
Is
everybody
okay
with
where
we're
at
all
right
now
make
a
decision
right,
because
on
mission,
critical
systems
that
are
life
critical
right,
you
can't
just
push
right
out
to
production
right.
Somebody
has
to
take
accountability
for
that,
and
this
helps
you
articulate
that.
So
I
can
take
that
decision
down
to
yep
all
my
numbers.
We
met
our
agreements,
we're
good
to
go
and
that's
really
what
we're
trying
to
help
the
community
build
as
a
workflow
pattern.
C
Yeah
aaron,
you
bring
up
some
really
good
points.
I
mean
it
really
makes
the
pull
request
even
that
much
more
powerful
in
terms
of
you
know,
obviously
driving
collaboration.
But
when
you
talk
about
you
know,
mission,
critical
systems
or
safety,
critical
systems
building,
you
know
software
for
airbags
in
a
car
right
or
any
sort
of
you
know
safety,
critical
systems.
C
You
know
this
is
really
an
attestation
mechanism
to
really
kind
of
accelerate
that,
but
in
such
a
way
that
you
don't,
you
know,
assume
more
risk
for
the
organization,
so
I
I
think
he
made
some
good
points
there.
I
want
to
shift
gears
a
little
bit
too.
So
you
know
we've
got
the
workflows,
but
if
I'm
you
know,
operations,
personnel
or
compliance
personnel,
I
may
not
know
anything
about
github
actions
right.
I
may
not
be
working
in
github
so
robert.
How
does
this?
C
How
do
we
go
from
this
to
kind
of
the
rest
of
the
workflow
you
described?
I,
you
know.
I
saw
this
tool
that
you
all
built
in
open
source,
which
looks
really
cool
this
heimdall
tool
as
well.
I
guess
kind
of
going
with
the
rest
of
your
flow.
How
does
that
fit
in
and
how
do
you
convey
some
of
these
compliance
requirements
and
these
outputs-
you
know
visually
to
these
users.
D
Yeah,
it's
actually
the
next
thing
I
was
going
to
talk
about,
so
thank
you
andrew.
So
the
thing
about
the
output
of
inspect
right
is
it.
It
comes
out
in
a
format
that
is
not
really
it's
json
right,
so
that's
not
really
human
readable.
For
the
most
part
I
mean
it's
human
readable,
but
it's
not
the
thing
that
most
humans
would
prefer
to
read
right.
D
So
that's
the
advantage
to
our
inspect
tool
summary
command
here
it
can
actually
read
in
that
inspect
json
and
actually
knows
how
to
use
that
to
or
knows
how
to
read
that
and
translate
the
threshold
file
plus
that
to
an
actual
proper
output.
But
that's
really
only
useful
for
our
ci
runs
like
because
our
ci
runs
care
about
pass
fail.
Humans
need
a
little
bit
more
data
than
that,
especially
if
they're
doing
development.
D
So
what
we
actually
also
do
is,
as
part
of
our
actions
runs,
we
go
ahead
and
attach
with
every
pr
we
attach
an
artifact
and
that
artifact
actually
contains
the
json
output
and
that
json
output.
If
I
go
ahead
and
download
it-
which
I
actually
think
I
already
have
downloaded
here-
can
actually
be
loaded
up
into
a
tool
that
we
write
called
heimdall.
D
D
I
believe
this
run
was
run
a
day
or
two
ago
or
last
week,
so
you
can
see
in
this
run
if
we
look
at
just
one
or
just
or
actually,
if
we
just
use
our
comparison
view
that
we
have
built
in,
we
can
see
the
difference
between
what
what
failed
in
the
vanilla
version
and
what
actually
we
fixed
in
the
hardened
version,
and
if
I
actually
go
ahead
and
expand
one
of
these,
the
powerful
thing
about
heimdall.
Is
it
actually
lets
you
go
all
the
way
from
this
is
a
this.
D
Is
the
the
test
id
it
lets?
You
go
away
from
that
test,
id
all
the
way
down
to
what
specific
code
caused
that
pass
or
fail,
and
also
any
like
which,
which
specific
checks
passed
or
failed,
and
all
the
details
as
well
about
every
every
single
thing
you
could
possibly
care
about
about
this
specific
test
and
so
that
that's
actually
more
for
the
human
and
developer
side
right
that
allows
those
people
to
actually
figure
out
okay.
Why
is
this
failing?
E
And
then
you
can
start
to
layer
all
those
different
levels
of
security
for
your
system
that
you're
looking
at
together
into
a
common
view,
and
you
could
pass
that
over
to
your
developer,
your
security
official
right.
All
they
have
to
do
is
load
the
jsons
look
at
it
and
heimdill
and
say
are
the
red
ones.
Okay,
am
I
comfortable
with
these
red
ones
to
give
you
a
yes
right,
because
that's
really
what
all
this
is
about
right,
the
high
red
ones,
the
right!
E
Are
we
good
with
that
right
because
all
the
green
ones
and
all
the
non-applicables
and
all
the
you
know
other
ones
right?
You
guys
have
already
agreed
to
right.
So
how
do
you
sort
all
this
down
to
say?
What
do
we
really
need
to
talk
about
today
to
get
a
go
no-go
decision
right
and
that's
what
we're
trying
to
do
here
so.
C
I
was
gonna
say
too
so
you're
bringing
in
static
code
results
too,
and
you
know
I
recently
saw
in
the
heimdall
repo
there's
new
integration
with
the
sara
format,
the
static
analysis,
interchange
format,
which
is
what
we
integrate
with
directly
in
github
and
github
advanced
security.
So
you're
saying
you
can
combine
static
analysis
results
from
really
any
tool
with
the
compliance
scan
results
from
the
infrastructure
in
which
those
applications
are
running.
On
with
the
rest
of
the
system,
I
mean,
I
think,
that's
pretty
awesome,
it's
pretty
powerful
capability.
C
I
mean
you
get
full
traceability
from
the
lines
of
code,
all
the
way
through
the
actual
runtime
infrastructure,
with
full
verification
checks
and
so
forth,
and
so
how
does
the
so?
We
talk
about
infrastructures
code
like
how
the
tools
like
terraform
kind
of
fit
into
that
as
well,
because
I
think
we're
still
we're
still
talking
about.
You
know
one
single
instance
like
one,
you
know
virtual
machine
that
you've
been
testing
against,
but
how
do
you
fit
in
the
rest
of
the
infrastructure
artifacts
into
this
as
well?
Well,
one.
E
If
you
wanted
to
all
the
way
down
to
your
fabric
level
and
say
yep,
I
got
all
green
on
my
terraform,
so
everything
built
as
I
expected
it's
built
my
configuration
management
hardened
it
as
I
expected
it
to
harden
it.
My
code
passed
the
sniff
test
in
terms
of
linting
and
static
analysis,
and
when
I
ran
my
selenium
or
my
dynamic
analysis
stuff
all
that
you
know
passed
or
gave
me
the
results
that
I
am
comfortable
with,
and
I
converted
all
that
to
a
common
data
format.
E
E
Who
needs
to
fix?
What
well
heimdall
makes
that
pretty
easy
because
it
tells
you
which,
which
set
of
data
right
each
of
those
failed
tests
is
related
to
is
this
part
of
the
terraform
code?
Is
this
part
of
the
static
analysis?
Is
this
part
of
the
compliance
stuff
right?
You
know
what
teams
they
are.
You
could
pass
those
files
back
to
that
team
member
say
see,
you've
got
some
red,
go
fix,
it
go
rerun
the
profile
make
it
go
green
right
and
look
at
it
again.
You
don't
even
have
to
interact
with
me.
E
You
can
run
these
two
things.
Convert
them
load
them
into
heimdall.
Look
at
it!
I
want
it
to
go
from
red
to
green
right,
then
tell
me
it
is
submit
a
pr
submit
those
artifacts
as
proof
right
now.
You
have
evidence
and
attestation
that
is
linked.
All
the
way
back
to
the
open
issue,
to
the
pr,
the
evidence,
artifacts
and
right
back
to
your
system
of
record,
so
it's
a
pretty
complete
workflow.
I
think.
C
Yeah,
that's
I
mean
that's,
that's
pretty
awesome
and
I
think
you
know
a
lot
of
organizations.
They
face
a
lot
of
those
challenges
today
to
kind
of
really
connect
these
dots
and
do
this
at
scale
and
there's
a
lot
of
you
know:
paperwork
involved
in
manual
processes
and
oftentimes
monotonous
tasks,
and
you
know
I
definitely
see
this
as
really
helping
to
accelerate
that
one
quick
question
for
my
own
personal
interests
here.
So
how
does
so
you
integrate
with
terraform
and
the
work
that
you
did
sounds
like
with
chef
is
pretty
cool?
C
How
do
you
all?
How
does
that
differ
with
other
tools
out
there?
I
think
we
mentioned
on
a
previous
demo
days
like
a
tsac
and
terraform
compliance,
which
are
basically
behavior-driven
development
tools
that
can
check
the
specifications.
How
do
you
guys
interact
with
those?
Are
they
kind
of
complementary?
Are
you
familiar
with
those
tools?
There's
a
couple
of
open
source
projects
that
I
think
are
pretty
popular
out.
There.
E
E
You
know,
so
we
don't
have
everything
under
the
sun.
We
don't
have
the
solution
for
everything,
but
pr's
welcome
right.
We've
had
multiple
community
members
say:
hey
here
is
a
converter
for
this,
because
I
like
your
stuff,
but
we
were
also
running
this
tool,
so
it
was
useful.
Here's
a
converter
right
because
nine
times
out
of
ten
we've
got
four
or
five,
maybe
two
or
three
actual
data
formats
right.
E
We
have
xml
json
text
file
right
spreadsheet,
that's
what
we
got
and
we've
got
a
converter
example
that
does
all
those
data
types
and
moves
it
into
the
hdf
format.
So
we
even
have
work
working
reference
examples
that
people
have
used.
Other
examples
that
you
know
the
community
has
contributed
to
is
fixing
bugs.
You
know
in
various
types
of
data
formats,
or
you
know,
even
contributions
to
heimdall
itself
right
so.
E
So
one
of
the
things
that
we
do
in
a
lot
of
hdf
conversions
is
tag
it
with
the
853
control
that
normally
those
vendors
don't
actually
align
to,
but
those
853
controls
are
usually
the
foundation
for
every
compliance
thing
that
you
might
do
be
it
fisma,
be
it
pci,
be
it
nist,
be
it
stig,
dod,
even
back
to
cis
right,
aligning
it
back
to
that
compliance
foundation
actually
makes
all
those
tests
that
are
normally
just
developer
noise
into
an
actual
business
metric
that
you
can
build
into
the
workflow.
So.
C
Yeah
and
that's
and
that's
super
important
business
metrics
at
the
end
of
the
day
are
going
to
be
critical
to
you
know
the
excess
of
the
success
of
a
particular
project
and
obviously
a
direct
impact
on
financials
and
so
forth.
So
I
think
that's
super
helpful
robert.
I
want
to
go
back
to
you
too,
because
I
think
there's
more,
you
know
to
the
end-to-end
workflow
that
you
wanted
to
highlight
here.
C
You
know
we
talked
about
some
of
the
integrations
and
the
visual
displays,
and
you
know
that
we
want
to
get
rid
of
the
reds
right.
You
know
the
reds
aren't
good.
The
greens
are
better
here,
ultimately,
to
you
know,
assume
a
better
risk
posture
robert,
I
think
there's
more
you
wanted
to
highlight
too,
in
terms
of
you
know
how
to
use
github
for
some
of
these
workflows.
D
D
Summary
I've
also
got
a
lot
of
other
tools
that
make
it
very
easy
to
take
the
output
of
the
like
a
basically
the
an
xccdf
file
that
is
provided
with
a
stig
right
that
we
can
then
convert
to
a
shell
inspect
profile
so
like
for
handling
upgrades
between
versions
right,
we
don't
really
want
to
have
to
manually,
go
through
every
time
an
update
to
a
stick
comes
out.
We
don't
have
to
go
through
manually
and
figure
out
what
exactly
changed.
D
Absolutely
yeah,
if
we
actually
have
time
at
the
end,
I
do
have
a
full
action
that
will
take
that
I
kind
of
wanted
to
walk
through
quickly,
building
that
we'll
use
our
hymdel
tools
and
inspect
or
specifically
our
handle
tools,
action
to
go
ahead
and
take
the
serif
file
and
go
ahead
and
print
it
out
as
a
json.
And
then
I
can
load
that
json
up
into
heimdall,
but
I'll
I'll
I'll.
Wait
for
your
cue
on
that
andrew.
C
You
know
robert,
you
brought
it
up
here,
I'd
love
to
see
it
I'd,
love
to
see
how
you
guys
are
leveraging
github
actions
today,
because
I
know
you
know
you
recently
publish
your
actions
to
get
a
marketplace
your
open
source,
so
you've
got
all
these
integrations
kind
of
ready
to
go
for
folks
that
are
interested
in
kind
of
trying
this
out,
but
yeah.
Please
do
dig
into
the
action
you've
developed
love
to
see.
You
know
how
kind
of
all
this
com
comes
together.
D
C
A
D
And
we
also
do
this.
We
have
a
burp
suite
converter
as
well,
which
also
has
and
sonar
cube,
which
both
are
also
both.
Also
do
our
other
static
code.
Analysis
formats
that
exist
standard,
serif,
isn't
serif
is
the
one,
that's
actually
a
standard.
I
don't
know
how
I
don't
know
if
the
burp
suite
and
it's
on
our
cloud.
I
know
those
are
just
outputs
of
those
programs.
C
E
D
And
so
I'm
gonna
start
here
with
just
a
real
basic
shell
of
a
github
workflow,
which
is
just
you
know,
basic
boilerplate
name.
I
want
to
run
on
my
main
branch
and
I
have
one
job
I
want
to
run,
which
is
my
convert
job
that
runs
on
ubuntu
latest.
The
steps
here
are
going
to
be.
First
up
we're
gonna
need
to
clone
the
repository
right
so.
D
A
D
D
C
D
Awesome
and
then
this
is
really
it
for
actually
creating
the
creating
the
output.
This
will
just
generate
the
output
at
a
file
called
heimdall
tool.
Serif.Json,
of
course
it's
not
very
useful
if
you
can't
actually
get
to
it
right,
so
I'm
going
to
go
ahead
and
add
one
more
step
here.
That
is
just
a
an
artifact
upload
that
goes
ahead
and
uses
the.
C
C
D
D
E
D
D
C
D
D
Once
that's
complete,
then
it
should
be
quite
easy
to
integrate
this
with,
because
I
know
all
the
new
actions.
The
version
two
actions
are
all
javascript
correct,
so
that'll
make
it
much
easier
to
actually
write
a
native
action,
and
so
we'll
start
on
that,
once
we
have
the
everything
rewritten
to
javascript,
awesome
love
it.
So
I'm
going
to
go
ahead
and
jump
over
here.
E
D
Let's
say
you
have
serif
results,
let's
say
you
have
a
red
hat
machine
say
you
have
an
nginx
server
running
in
front
of
your
your
code,
but
right
if
you
have
all
that
in
one
place,
it'll
this
dashboard
will
show
you
everything
as
you
load
it
up,
so
you
can
actually
load
ever
like
everything
about
your
environment
and
see
one
full
picture
right
here.
So
that's
just
one
of
the
features
of
heimdall,
but
I'm
going
to
go
ahead
and
actually
filter
this
down
to
just
the
serif
results
here
and
we'll
see.
D
Here's
the
different
different
checks
that
that
that
specific
serif
file
was
running
and
we
can
see.
Basically
all
of
them
are
fails
right
because
there's
no
such
thing
as
a
path,
a
pass
in
serif
format.
If
you
have
a
static,
if
you
have
a
problem
with
your
code,
it
doesn't
just
mark
every
other
line
as
a
good
line.
It
just
shows
you
the
bad
lines
right.
D
So
when
we
convert
it,
we
just
include
the
bads,
so
you
can
see
here
basically
the
actual
test,
what
what
line
it's
failing
on
and
the
problem
with
that
line
right.
So
this
was
based
on
these
one
of
the
example
files.
That's
in
our
hybrid
tools,
repo,
so
I
don't
have
the
original
source
code
for
this,
but
this
basically
shows
you
know
online
36
column,
two
of
one
of
those
files.
There
is
there's
a
lack
of
a
check
for
a
buffer
overflow.
C
C
E
E
C
Absolutely-
and
I
know
we've
mentioned
it-
a
bunch
of
times
853
for
those
that
are
aware.
853S
is
a
standard
from
nist
national
institute
of
standard
and
technology
akin
to
other
standards
organizations
and
it's
a
collection
of
nearly
a
thousand
security
controls
that
are
systems
and
technology
agnostic
for
best
practices.
In
terms
of
how
you
should
configure
you
know,
operating
systems
and
user
authentication,
and
that
catalog
is
used,
you
know
not
just
by
nist
and
organizations
within
the
u.s,
but
it's
used
by
a
lot
of
international
standards,
bodies
and
organizations
as
well.
C
D
No,
that's
that's
mostly
it.
We've
got
basically,
we've
managed
to
successfully
use
the
hybrid
tools
action
here
and
about
five
or
ten
minutes
to
convert
this
file
to
create
a
full
workflow
that
actually
would
convert
this
file
over
and
generate
an
artifact
every
time.
So
if
we
were
doing
this
in
the
real
world
right,
we
would
be
just
importing
our
artifact
and
writing
a
quick
workflow
to
convert
it,
and
then
we
just
load
it
right
up.
E
D
Well,
so
the
heimli
ui
is
actually
it's
a
view
application.
So
it's
actually
there's
two
parts.
There
is
a
heimdall
server
and
a
handle
lite
version
and
they're.
Actually,
the
way
we've
written.
It
is
they're,
actually
the
same
code
base.
The
hybrid
version
is
just
the
front
end.
Basically,
the
front
end
detects
whether
or
not
it
has
a
server
behind
it,
meaning
if
it
actually
has
the
back
end
behind
it
right
and
if
it
doesn't,
then
it
just
goes
ahead
and
gives
you
a
light
mode.
D
D
D
E
E
Everybody
in
the
world
can
use
this
and
you
can
adapt
it
to
to
help
meet
your
organizational
requirements,
use
our
workflows
just
to
help
your
projects
get
started
and
bootstrapped
right.
We
give
it
away
and
the
cooperation
by
the
community
has
been
huge
right.
We
have
almost
every
major
security
vendor
on
the
planet.
Is
one
of
our
strategic
partners
to
include
microsoft
and
github.
You
know
30
to
40
different
government
agencies.
All
across
each
of
the
spaces
are
all
strategic
partners.
B
C
That's
awesome
and
it's
just
it
looks
like
it's
a
heimdall
tool
off
the
miter
organization
on
github
excellent
and
I
I
was
looking
through
the
actions.
You've
got
quite
a
few,
which
is
really
cool
to
see
so
you've
got
I'm
sure.
Some
conditional
branch
policies
and
production
policies
in
place
looks
like
ui
tests
and
and
all
sorts
of
good
stuff.
That's
pretty
awesome.
D
So
we
we
actually
utilize
a
couple
different
things,
so
we
we
actually
run
cypress,
which
is
a
front-end.
It's
an
end-to-end
javascript
testing
framework
basically
lets
you
actually
click
through
your
application
for
end-to-end
tests.
We
also
use
jest
for
back-end
and
front-end
tests.
We
use.
We
run
codeql,
of
course,
previously
ran
lgtm
before
as
well.
We
also
use
github
pages
to
actually
publish
since
it's
a
view
application.
D
Well,
so
since
it's
since
we
have
a
light
and
server
mode
on
the
application,
we
actually
want
to
make
sure
that
every
pr
that
we
get
doesn't
actually
break
our
whole
process
right.
So
we
actually
go
ahead
and
own
in
one
of
the
actions
we
run
only
the
back
end
code
and
the
other
one.
We
run
only
the
front
end
code
we'll
actually
delete
the
rest
of
the
code
completely
out
of
our
application
to
make
sure
that
they
are.
D
Basically,
we
didn't
actually
introduce
something
that
that
causes
one
of
them
to
not
build
on
its
own,
because
that's
important
when
we
actually
go
to
deploy
this
in
a
production
environment,
and
then
we
also
go
ahead
and
make
it
do
a
couple
of
things
that
make
it
really
easy
for
us
to
actually
do
a
release.
One
of
my
favorite
action
actions
is
actually
the
release
drafter,
because
whenever
we.
C
D
Yeah,
no
it's
really
great.
All
I
have
to
do
is
go
ahead
and
just
click
on
the
draft.
That's
written
up
and
I'm
90
of
the
way
there
already
to
to
a
release
our
release
process,
there's
a
lot
of
stuff
that
we
actually
need
to
do,
but
they're,
really.
The
steps
that
I
actually
have
to
do
are
very
few,
because
we
actually
need
to
write
up
release
notes.
We
need
to
push
the
new
site
to
github
pages.
We
need
to
push
to
npm
for
our
home
to
light
application.
D
We
need
to
push
new
docker
images.
All
of
that
and
really
the
actual
process
that
I
have
to
do.
Each
time
we
do
a
release
is
really
two
steps.
It's
bump
the
versions
which
we
have
a
tool.
We
use
a
learner
for
that's
a
managed,
monitor,
javascript
model
repos
for
you,
so
I
just
basically
run
learn
a
version.
It
automatically
pushes
up
a
new
tag
and
then
I
just
click
on
releases
and
I
go
ahead
and
just
edit
and
publish
and
we
have
a
new
release
of
heimdall
everything
else.
D
D
As
you've
probably
noticed
when
I
went
to
releases
each
release,
we
have
there's
a
lot
of
dependency
updates
and
we
use
the
pentabot
to
make
that
a
process
a
lot
easier.
So
not
only
do
we
have
depend
about
setup,
but
we
also
have
it
configured
where
if
it
passes
ci
and
it
passes
all
of
our
checks.
Since
we
have
a
lot
of
checks,
we
just
go
ahead
and
let
that
merge
into
master
and
that
basically
makes
the
update
burden
on
me
and
the
developers
very
little.
We
can
really
focus
on
the
code.
C
Yeah,
dependable
is
awesome,
it's
just
such
a
great
service
and
it's
kind
of
imperative
for
you
all
to
take
into
account
a
lot
of
these
dependable
updates.
Since
you
yourselves,
are
building
a
tool
for
conveying
security
information
to
others.
So
I
think
it's
pretty
incredible
that
you
guys
are
using
just
the
full
gamut
of
the
github
ecosystem
to
do
all
this.
I
know
this
discussions.
Tab
is
open
as
well.
C
D
Out
aaron
yeah
we're
starting
to
work
towards
it
as
of
right
now,
we've
we've
still
had
people
mainly
just
not
realizing
and
still
posting
in
our
issues,
tab
when
they
kind
of
have
a
question,
but
I
think,
as
as
time
goes
on
with
discussions,
we'll
probably
start
just
clicking,
I
think
there's
a
migrate
to
discussion.
Button
right,
yep
so
as
as
time
goes
on,
we'll
probably
start
just
dumping
those
over
when
people
do
post
those
sort
of
things
in
our
issues.
C
Yeah,
especially
for
those
like
higher
level
types
of
conversations,
because
you
know
working
in
the
security
space,
you
have
a
lot
of
individuals
that
aren't
necessarily
going
to
be
writing,
github
actions
or
ruby
code
or
getting
it
to
this
level.
So
you
know
having
those
types
of
individuals
you
know
contribute.
Discussions
is
really
an
awesome
place
for
that.
So
it's
great
to
hear
that
you
guys
are
interested
in
leveraging
that
too.
C
So
we've
got
just
a
couple
minutes
left
I
just
want
to.
Let
you
all
give
you
all
an
opportunity
to
kind
of
wrap
things
up
here,
and
I
think
it's
just
a
really
awesome
framework
and
you
know
something
I
want
to
point
out.
This
is
not
end
all
be
all
for
the
way
you
do
security.
This
is
just
kind
of
one
approach
that
mitre
you
all
have
developed.
It's
a
really
cool
and
powerful
approach.
You
know.
Obviously
a
security
program
has
to
take
into
account
a
lot
of
different.
C
You
know
facets
not
just
hardening
and
technical
pieces,
but
you
know
processes
and
and
business
components
to
it,
but
you
know
I
think
it's
something
that
a
lot
of
organizations
a
lot
of
groups
just
kind
of
overlook.
They
get
run
into
the
code,
they
start
deploying
stuff
and
you
end
up
in
a
potentially
vulnerable
situation.
So
I
think
it's
really
cool
that
you've
all
developed
this
and
the
fact
that
it's
a
completely
open
source
it
looks
like
saf.minder.org
is
the
website
I
can
go
in.
E
Well,
one
of
the
things
that
I
will
notice
is
another
example
of
how
you
can
engage
with
the
staff
ecosystem
is
what
the
center
for
medicare
medicaid
did
in
hhs,
so
you
could
go
to
saf.cms.gov
and
you
could
see
where
they
took
all
of
our
open
source
content
and
they
tailored
it
for
their
organization.
They
even
borrowed
our
website
and
used
github
to
publish
their
page
and
awesome.
You
know
they
used
all
this,
but
if
you
look
at
their
validation,
section
right,
you'll
see
that
they
took
all
of
our
work
and
expanded
it
right.
E
They
have
a
sub
selection
of
compliance
requirements
that
they
have
to
meet
and
they're
basically
using
those
dependent
dependent
profiles
to
say
well.
If
I
want
to
do
this
for
a
high
or
a
low
or
a
moderate
categorized
system
right,
how
do
I
sub
select
and
pare
down
all
that
stuff?
So
I'm
not
testing
stuff.
I
don't
need
to
test,
and
all
that-
and
you
know
so.
This
is
a
great
example
of
how
the
community
borrowed
from
the
community
right
and
didn't
repeat
itself
right.
They
kept
it
dry.
D
C
Yep,
that's
that's
really
cool
so
effectively.
You
know
cms
and
others.
I
imagine
they're
just
forking
heimdall
and
then
really
kind
of
extending
that
and
implementing
that
you
know
for
their
own
requirements,
and
you
know
they
don't
have
to
do
a
lot
of
the
legwork.
You
all
have
done
the
legwork,
the
community's
done
the
legwork
to
get
them.
D
E
Well,
and
if
you
notice,
in
our
validation
section
we're
not
the
only
contributors
to
the
profiles
and
the
hardening
and
all
that
right,
mindpoint
group
has
been
helping
us
with
hardening.
Google
has
been
submitting
their
own
profiles
for
their
pci
things.
Vmware
has
been
submitting
a
lot
of
the
windows
work
because
they
have
to
do
a
lot
more
windows.
E
You
know
tenable,
has
even
been
pushing
in
right,
so
I
mean
it's
like
it's
now
becoming
more
of
a
commercially.
A
lot
of
these
are
guys,
are
you
know
they
each
have
their
own
space,
but
from
a
higher
level
security
perspective
and
as
security
practitioners
now
there's
having
a
place,
they
can
come
together
and
work
together
and
learn
from
each
other,
and
I
I
just
think
it's
really
cool.
C
Yeah,
that's
that
that's
awesome
well
really
again
really
appreciate
you
both
kind
of
joining
us
today,
I'm
gonna
hand
it
back
to
aj
in
a
second,
but
you
know
just
security
automation
in
general.
A
lot
of
folks
are
still
trying
to
figure
it
out,
and
I
think
this
is
a
great
way
for
them
to
get
started
and
figure
out
how
they
can
apply.
You
know
infrastructure's
code,
you
know
whether
they're
new
to
it
or
have
a
mature
infrastructure
code
strategy.
C
You
know,
I
think
this
is
just
a
phenomenal
example.
I
want
to
thank
you
both
and
writer,
for
kind
of
helping
us
today
and
sharing
this
knowledge
out
to
the
community
and
again
it's
open
source.
As
always,
so
you
can
go
in.
You
can
join
the
open
source
community
github.com
and
you
know,
contribute
so.
Thank
you
so
much.
I
really
appreciate
everyone's
participation
today
and
I'll
turn
it
back
over
to.