Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application. This talk brings some advice/tools of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system. You will learn pragmatic approaches and tooling that will affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away and you will also be armed with rugged anti-patterns to help you identify what to change.

1. BE MEAN TO
YOUR CODE
RUGGED DEVELOPMENT
& YOU
MATT JOHANSEN
JAMES WICKETT

2. @mattjay
The Beard of Destiny
Gauntlt Cheerleader
Head of WhiteHat
Threat Research
Center
BlackHat, DEFCON,
RSA, SXSW, more++

3. @wickett
Gauntlt Project Lead
Founder of LASCON
Sr. Engineer at Signal
Sciences

4. We’re making AppSec effective and practical
signalsciences.com

5. AUDIENCE SURVEY
Cloud or Metal?
DevOps? Agile? Flavors?
How does code get to production?
How often do you do code changes?
Do you do security testing in the build/deploy
pipeline?
#RUGGEDCODE

6. PRINCIPLES FOR A
MODERN SECURITY
#RUGGEDCODE
TEAM

7. #RUGGEDCODE
OSSM
On Demand
Scalable
Self-Service
Measured
Source: Dave Neilsen

8. OLD DECISION MATRIX
Function
Features
Gartner Magic Quadrant
Trial Eval
TCO
#RUGGEDCODE

9. NEW DECISION MATRIX
API and Integrations
Service Billing
Half Decent?
#RUGGEDCODE

10. PRINCIPLE #1
PLAY NICE AND
INTEGRATE WITH
#RUGGEDCODE
OTHERS

11. PEOPLE
PROCESS
TECHNOLOGY
#RUGGEDCODE

12. PRINCIPLE #2
INFLUENCE THE
#RUGGEDCODE
PEOPLE

13. #RUGGEDCODE
DEVOPS

14. #RUGGEDCODE
CAMS
Culture
Lean*
Automation
Measurement
Sharing
Source: @botchagalupe @damonedwards

15. #RUGGEDCODE

16. PRINCIPLE #3
WHAT WE VALUE IS
DETERMINED BY OUR
#RUGGEDCODE
CULTURE

17. #RUGGEDCODE

18. CONTINUOUS
DELIVERY IS KING
#RUGGEDCODE
PRINCIPLE #4

19. THERE ARE TWO PATHS
TO WINNING FOR
#RUGGEDCODE
SECURITY

20. THE DEVELOPMENT
AND BUILD PIPELINE
#RUGGEDCODE

21. OPERATIONAL
RUNTIME STATE AND
MONITORING
#RUGGEDCODE

22. WE ARE FOCUSING ON
DEV/BUILD PIPELINE IN
THIS PRESENTATION
#RUGGEDCODE

23. DETECT AND FIX
IN DEVELOPMENT
#RUGGEDCODE

24. WHY DOES THIS
#RUGGEDCODE
MATTER?
VULNERABLE CODE IS
EVERYWHERE

25. #RUGGEDCODE

26. HOW DO I FIX XSS?
#RUGGEDCODE

27. GOOD: INPUT
SANITIZATION
#RUGGEDCODE
[XSS]

28. BLACKLIST :(
#RUGGEDCODE
[XSS]

29. WHITELIST :)
#RUGGEDCODE
[XSS]

30. BETTER: OUTPUT
#RUGGEDCODE
ENCODING
[XSS]

31. < > BECOME &LT; &GT;
#RUGGEDCODE
[XSS]

32. SQL INJECTION
#RUGGEDCODE
[SQLi]

33. #RUGGEDCODE

34. #RUGGEDCODE

35. #RUGGEDCODE
CREDIT: XKCD

36. HOW DO I FIX IT?
#RUGGEDCODE
[SQLi]

37. PARAMETERIZED
#RUGGEDCODE
QUERIES
[SQLi]

38. PARAMETERIZED QUERIES (PHP)
#RUGGEDCODE
[SQLi]

39. PARAMETERIZED QUERIES (JAVA)
#RUGGEDCODE
[SQLi]

40. CROSS SITE REQUEST
#RUGGEDCODE
FORGERY
[CSRF]

41. #RUGGEDCODE

42. #RUGGEDCODE

43. HOW DO I FIX IT?
#RUGGEDCODE
[CSRF]

44. #RUGGEDCODE

45. #RUGGEDCODE
TOKENS!
[CSRF]

46. #RUGGEDCODE IMAGE CREDIT: DOTNETBIPS.COM

47. #RUGGEDCODE
AGAIN… VULNERABLE
CODE IS EVERYWHERE

48. GETS FIXED SLOWLY
#RUGGEDCODE

49. #RUGGEDCODE GETS FIXED SLOWLY

50. #RUGGEDCODE
…IF EVER

51. #RUGGEDCODE
OWASP TOP 10

52. #RUGGEDCODE

53. YOU HAVE A BUILD PIPELINE
TELL ME MORE ABOUT HOW
#RUGGEDCODE
SPECIAL YOU ARE

54. #RUGGEDCODE
GAUNTLT

55. BUILT ON
CUCUMBER
#RUGGEDCODE

56. GAUNTLT PRINCIPLES
AND PHILOSOPHY
Gauntlt comes with pre-canned steps that
hook security testing tools
Gauntlt does not install tools
Gauntlt can be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/
stderr
MIT Open Source License
#RUGGEDCODE

57. #RUGGEDCODE

58. GAUNTLT
RESOURCES
• Google Group > https://groups.google.com/d/
forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/
gauntlt
#RUGGEDCODE

59. THE GAUNTLT BOOK
FREE FOR LASCON!
book@gauntlt.org
#RUGGEDCODE

60. #RUGGEDCODE

61. ./velocity/lab_3/.travis.yml
#RUGGEDCODE

62. ./velocity/lab_3/.travis.yml
#RUGGEDCODE

63. #RUGGEDCODE
./Rakefile

64. ./test/attacks/email_leakage.attack
#RUGGEDCODE

65. ./test/attacks/email_leakage.attack
#RUGGEDCODE

66. ./test/attacks/backdoors.attack
#RUGGEDCODE

67. ./test/attacks/sql_injection.attack
#RUGGEDCODE

68. #RUGGEDCODE
DEMO

69. #RUGGEDCODE
@MATTJAY
@WICKETT