Getting StrongDM Comply Running on Windows 11 using WSL

I started this blog as a repository where I could document solutions to very niche problems I’d encountered, and this problem is about as niche as it gets…

Background

A colleague suggested StrongDM Comply as a free and open-source solution for generating SOC 2 Compliance policies. It’s a handy utility designed to run on Mac and Linux, but since I work on a Windows 11 PC, I needed to explore my options.

My first thought was to use Docker, but the image I found was a few years old and would exit immediately after starting. Three other options came to mind:

  • Dual boot a Linux distro
  • Turn up a Linux VM
  • Use the Windows Subsystem for Linux (WSL)

I only needed this for a single application, so WSL seemed to be the best solution for my [very] particular use case.

Installing WSL

Open PowerShell as an Administrator, then run:

 wsl --install

Note: This will require a reboot to finalize the installation. This command requires Windows 10 version 2004 (build 19041 or higher) or Windows 11 to function.

The default subsystem is Ubuntu, but you can choose other distributions if you like. See https://learn.microsoft.com/en-us/windows/wsl/install for additional details and instructions.

Setting Up the Linux Terminal

To access your new environment, you’ll need to install Windows Terminal from the Microsoft Store. Once installed, you can use the dropdown arrow to open a new Ubuntu terminal:

You’ll be prompted to set a UNIX username and password, and then you’ll receive a welcome screen and terminal prompt. The first command you’ll run is:

sudo apt update && sudo apt upgrade

This will get you a list of Ubuntu packages that have available updates and install them for you.

Cloning the Comply Repository

The installation instructions on the GitHub page are deprecated, so we’ll do it a little differently, using Git to clone (copy down) the repository:

git clone https://github.com/strongdm/comply.git

Dependencies

There are two dependencies Comply needs to function:

  1. Pandoc – a universal document converter
  2. PdfLatex – a tool that converts LaTeX sources into PDF (required by Pandoc to generate PDFs)

To install Pandoc, we’ll use APT again:

sudo apt install pandoc

…and then verify that it installed successfully:

pandoc --version

Installing PdfLatex is a little more involved, but these are the instructions that worked for me (From Yosep Kim):

# Install the TexLive base...
sudo apt-get install texlive-latex-base
# Install recommended fonts to avoid possible errors...
sudo apt-get install texlive-fonts-recommended
sudo apt-get install texlive-fonts-extra
# Install extra packages...
sudo apt-get install texlive-latex-extra

Compiling The App

Now that all of the dependencies are installed, we can compile the app using  Go, but first, we’ll need to install the Go package:

sudo apt install golang-go

With that done, we navigate to the “comply” directory and can compile the app using Go:

cd comply
go build

Note: This needs to be run from the folder where the go.mod resides, usually /comply relative to where you ran the ‘git clone’ command above.

Running Comply

At this point, Comply (and all of its dependencies) are installed and ready to run. This consists of:

  1. Creating an empty directory
  2. Initializing a new Comply project
  3. Building the PDF documents
  4. Running the Web Server

Here’s what that looks like:

mkdir [myCompanyName]
cd [myCompanyName]
../comply init
../comply build
../comply serve

You can access your newly created PDFs by opening File Explorer, expanding the Linux > Ubuntu folders, and then browsing to the sub-folder you created (e.g., Linux > Ubuntu > home > [Username] > comply > ExecutiveOutcomes > Output):

PDFs are created using the markdown (.MD) format documents, which you can modify using a text editor (e.g., nano, vi, etc.) within the Linux subsystem:

When you’ve finished updating your documentation, you can serve up a web interface using the aptly named “serve” parameter:

../comply serve

Then, browse to the index.html file:

There you have it! I think it’s a fantastic little tool (once you get it running), and would recommend it anyone looking for who needs customizable SOC2 Compliance documentation.

Becoming a CISSP, Part II: Getting Certified

The CISSP Application

After provisionally passing the CISSP, I contacted a coworker who’d agreed to endorse me. For those who are unaware, passing the CISSP Exam does not automatically grant you the certification; you’re also required to:

  1. Meet ISC2’s CISSP experience requirements
  2. An existing CISSP member in good standing has to endorse you

Note: If you pass the exam but don’t possess the relevant experience, you will NOT be granted certification! Instead, you’ll become an “Associate of ISC2” and have 6 years to meet the experience requirements.

This entailed going through my resume and correlating my experience to their applicable CISSP Domains.  My application was submitted for endorsement within a couple of days, and the wait began…

I couldn’t help but feel deflated. I’d worked so hard to prepare for the exam and aced it, yet I still couldn’t call myself a CISSP! When faced with the inevitable, I did what I always do: I tried to put it out of my mind and move on.

Acceptance

About 4 weeks later, I received an email from ISC2 indicating that my application had been accepted and asking for my $125 annual maintenance fee. Upon payment, I received a follow-up email with my CISSP certification number.

I could at last breathe easy, knowing that it was finally over, and I could now celebrate my achievement in earnest! I did not yet have my physical certificate. It would be another 4 weeks before I arrived, and with it, disappointment…

The Card

While preparing for my CISSP, I stumbled on a couple of videos from a group called “Host Uknown”:

  1. Host Unkown presents: I’m a C I Double S P
  2. Benefits of being a CISSP

I found these to be a hilarious and welcome distraction amidst the stress of preparing for the CISSP exam. In particular, the second video led me to expect a card in addition to my physical certificate.

When the envelope containing my certificate arrived, I was disappointed to find that it didn’t include a card! Instead, I got a cheesy little pin… My disappointment was immeasurable. So much so that I actually reached out to ISC2, and was told this was something they discontinued due to COVID. While I can’t see why that would matter, I was powerless to do anything about it… save for maybe scanning my certificate and converting it to an SVG, then shrinking it down to business card-size, printing off and laminating it…

To be continued…

I Passed the CISSP Exam!

“…The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”
– Nathan House, CEO, StationX

Preface

On December 27th, 2023, I passed the Certified Information Systems Security Professional (CISSP) exam on my first attempt at question 125, roughly 2 hours and 5 minutes in. This post is to share how I managed it, what helped me, and what didn’t.

About the CISSP Exam

At the time of writing, the English-language CISSP exam is only offered in CAT (Computerized Adaptive Testing) format and is between 125 and 175 [multiple-choice] questions long.

For those who are taking the exam on or after April 15, 2024, be aware of the following changes:

  • Domain 1’s weight increases by 1%, and Domain 8’s weight decreases by 1%
  • The total number of questions will be reduced from 125-175 to 100-150
  • The time limit will be reduced from 4 hours to 3 hours

Preparation Strategy

Beginning in August, I committed to spending 5-7 hours a week on CISSP study, which included books (physical and digital), video courses, and practice questions.

Courses and videos:

  • Derek Fisher’s Ultimate Cybersecurity Course & CISSP Exam Prep (StationX, August-October 2023)
  • Thor Pedersen’s CISSP Video Bootcamp series (StationX, October-December 2023)
  • Peter Zerger’s CISSP Exam Cram (YouTube, December 2023)

Derek Fisher’s course is a good introduction to the CISSP material but doesn’t go into much detail. I object to using the word “ultimate” in the title because this implies that it’s the final word when it should be the first.

Thor Pedersen’s course goes into much more detail and includes other goodies such as external links, downloadable study notes, and practice quizzes for each domain.

Peter Zerger’s CISSP Exam Cram was the best of both worlds, concise and complete.

Books:

  • The Official (ISC)2 CISSP CBK Reference 6th Edition
  • (ISC)2 CISSP Official Study Guide (both 8th and 9th editions)
  • All-In-One CISSP Exam Guide 8th Edition
  • How to Think Like a Manager for the CISSP Exam

I didn’t read any of these books cover-to-cover. Instead, I used them as reference material and for their practice questions.

Practice Questions:

  • End-of-domain course quizzes
  • Peter Zerger’s CISSP practice test
  • CISSP Official Practice Tests
  • TotalTester CISSP practice exams (came with All-In-One CISSP Exam Guide)
  • WannaPractice CISSP practice exams
  • Boson CISSP practice exams

Altogether, I completed about 3,000 practice questions. This helped me develop my time management, question analysis, and answer evaluation skills. It also helped me to identify which areas I was weakest in so I could focus my study efforts.

In the last week leading up to my test date, I averaged 80-84% across multiple sources on my complete practice exams.

Additional Activities:

  • I actively participated in an online study group hosted on StationX. I posted a summary of my weekly progress and screenshots of quiz/test results and articulated my intentions for the following week. This helped me stay on track and accountable.
  • I explained the CISSP concepts I was learning to friends and family members. Thor Pedersen is a big advocate of this, and I can attest that if you can’t teach it, you don’t understand it.
  • I invented mnemonics to memorize concepts I struggled with but was unlikely to ever use in my day-to-day work.
  • I researched topics from sources that were not CISSP-specific/centric (e.g., cryptographic systems, networking concepts, security models, etc.). The CBK doesn’t always provide detailed information, so having additional sources of information helped me contextualize what I was learning.

Afterthoughts

In a conversation with Nathan House, CEO of StationX, shortly after passing the exam, he said to me:

“I knew you would pass. If not the first time then the next. Because I see it all the time. The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”

There’s a lot of truth to that. Passing the CISSP exam has been a professional goal of mine for years, and I wasn’t entirely sure I could do it until I did. It’s also important to understand who it’s for and what it’s supposed to represent.

This is not an entry-level certification, despite many job postings that would elude to the contrary. It’s intended for experienced professionals with 5 years of experience (or 4 years of experience and a four-year degree or one of a handful of certifications).

That’s not to say that you couldn’t study hard and pass it with little to no preparation or experience; some have, but why would you want to? What would this prove other than to suggest that you’re a good test taker? Waiting until I had the requisite experience, desire, and incentives made the process all the more worthwhile.

My best advice to anyone considering taking the CISSP is to ensure you have as much time as you need. Think of it as a marathon rather than a sprint. For me, this took about four and a half months. As you work your way through the process, test your knowledge often and focus your time on the areas you’re weakest in.

Above all, try to learn, retain, and apply something new every day.