Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

BE MEAN TO YOUR CODE WITH
G A U N T LT A N D T H E R U G G E D W AY
JAMES WICKETT // @WICKETT

@ W I C K E T T / / # V E L O C I T Y C O N F / / @ G A U N T LT

@WICKETT
• Austin, TX
• Gauntlt Core Team
• LASCON Founder
• Cloud Austin Organizer
• DevOps Days Austin Organizer
• DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt

REQUIREMENTS
OPTION 1

OPTION 2

• Virtual Box

• Ruby 1.9.3

• Vagrant

• Git

OR

• Gauntlt Box

• Bundler

• Pre-downloaded

• Reliable Internet


INSTRUCTIONS

bit.ly/gauntlt-demo-instructions


W H Y D O E S T H I S M AT T E R ?


P E O P L E M AT T E R


T H E B R O K E N W I N D O W FA L L A C Y
–HENRY HAZLITT


BESIDES LOSS, BREACHES CAUSE
CYNICISM AND DISTRUST


SOFTWARE HAS CHANGED


SOFTWARE AS A SERVICE


SOFTWARE AS
BRICOLAGE


B O LT O N F E AT U R E A P P R O A C H


FRAGILE CODE AS A SERVICE


D E P L O Y T I M E L I N E S H AV E
CHANGED


D E V A N D O P S H AV E F O U N D A
NEW RELIGION


SECURITY HAS NOT CHANGED


C O M P L I A N C E D R I V E N C U LT U R E :
PCI, SOX, …


PEOPLE PROCESS TOOLS


W E H AV E A P E O P L E P R O B L E M


T H E R AT I O P R O B L E M


D E V: O P S : S E C U R I T Y
100:10:1


LANGUAGE GAP


S E C U R I T Y D O E S N ' T A L W AY S
SPEAK THE LANGUAGE OF THE
BIZ / DEV / OPS TEAMS


A B D I C AT I N G R E S P O N S I B I L I T Y
PROCESS


YOU NEED EXPERTS TO TEST FOR
SECURITY


FORMALIZED VIA AUDITORS AND
C O M P L I A N C E A N N U A L LY


DEV -> SVN || GIT


OPS -> TXT || WIKIS


DEV -> GIT <- OPS


SECURITY -> SOURCEFORGE!


S I G N S T H AT S E C U R I T Y I S
MOVING INTO A NEW ERA


A N A LY T I C S , M O N I T O R S , L O G S , T E L E M E T R Y,
TESTING, CONFIG MANAGEMENT


AT TA C K C H A I N S A N D S I G N A L S

http://www.youtube.com/watch?v=jQblKuMuS0Y


V U L N E R A B I L I T Y E X P L O I TAT I O N I S
A TIMELINE


DISCOVERY

VULNERABILITY


EXPLOIT

S Q L S Y N TA X E R R O R S
D B TA B L E N A M E S
LARGE RESPONSE SIZES


I N S T R U M E N T F U L L AT TA C K
C H A I N S A N D W AT C H F O R S I G N A L S


RUGGED


http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain


https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

DETECTION EARLIER


security tools today


E N T E R G A U N T LT


G A U N T LT I S A N O P I N I O N AT E D
FRAMEWORK TO DO RUGGED TESTING


G A U N T LT = S E C U R I T Y + C U C U M B E R


http://www.flickr.com/photos/35231744@N00/286858571/

CODE
BUILD
TEST
DEPLOY

FEEDBACK

CODE
BUILD
TEST
DEPLOY
~12 MOS. LATER
SECURITY

CODE
BUILD
TEST
SECURITY
DEPLOY

FEEDBACK

A STORY FROM 2010…


DEVOPS (+ SECURITY!)
@ernestmueller, @iteration1, @bproverb and friends


Ruby Script

REST ENDPOINTS

Questionable Payloads
Invalid Sessions
Large Payloads


COLLECTION OF SCRIPTS
MERGED INTO OUR TEST RUNNER


IN’S AND OUT’S ARE EASY TO
MESS UP


CUCUMBER AND OUTSIDE IN
TESTING


T H E S TA R T O F G A U N T LT


OUTSIDE IN TESTING FOR
SECURITY TOOLS


OUTPUT FROM SECURITY TOOLS
IS HARD TO DECIPHER


BE MEAN TO YOUR CODE


GARMR

NMAP

CODE


ARACHNI

SQLMAP

GARMR

NMAP

ARACHNI

SQLMAP

CODE


GARMR

NMAP

CODE


ARACHNI

SQLMAP

CODE

CODE

B U T W H AT A B O U T T H E P E O P L E


C O N V E R S AT I O N A N D C O L L A B O R AT I O N
I S T H E C O R E O F G A U N T LT


DEV
*.attack

OPS
SECURITY

• Execution Knowledge
• Testing Logic Captured
• Repeatable

G A U N T LT I N A C T I O N


*.attack

something.attack
else.attack


Attack Structure
Feature

Description

Background

Setup

Scenario

Logic


Attack Logic
Given
When
Then


Attack Step: Given
Setup steps
Check Resource Available
Given “arachni” is installed


Attack Step: When
Action steps
When I launch an
“arachni-xss” attack


Attack Step: Then
Parsing Steps
Then the output should
not contain “fail”


G A U N T LT P H I L O S O P H Y


RUN SECURITY TOOLS IN A
R E P E ATA B L E , E A S Y T O R E A D W AY


G A U N T LT D O E S N O T I N S TA L L
TOOLS


G A U N T LT S H I P W I T H P R E C A N N E D AT TA C K S A N D S T E P S


B E PA R T O F T H E C I / C D P I P E L I N E


H A N D L E S T D I N , S T D O U T, A N D
E X I T S TAT U S


G A U N T LT I N U S E


AT A G A M E D E V S H O P

• Check for XSS (cross site scripting) [Arachni]
• Check for new login pages [Garmr]
• Check for insecure refs in login flows [Garmr]
• Extended XSS testing [Custom Arachni] (PR coming soon)


MENTOR GRAPHICS
• Smoke Test integration on environment build
• Checks REST services [curl]
• Tests for XSS [arachni]
• Injection attacks [sqlmap, dirb]
• Misconfiguration [dirb]
• SSL checks [sslyze]

AT C A B F O R W A R D

• Ruby Dev Shop
• Integrated into CI for customers
• GITHUB -> TravisCI -> Unit Tests / Integration Tests / Gauntlt


G I T H U B . C O M / G A U N T LT / G A U N T LT


$ gem install gauntlt


!

Given

Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name
| value
|
| hostname
| example.com |

!

When
Then
When
Then

Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""


HANDS ON


EVERYTHING YOU NEED…

http://bit.ly/gauntlt-demo-instructions


OPTION 1


OPTION 1 - CONTINUED


OPTION 2


$ vagrant ssh
!

vagrant@precise32:~$


$ cd gauntlt-demo


$ rvm use 1.9.3


04_Hello World with Gauntlt.md
$ cd ./examples
$ gauntlt ./hello_world/hello_world.attack


$ gauntlt --steps

/^"(w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/Î launch (?:a|an) "arachni" attack with:$/
/Î launch (?:a|an) "arachni-(.*?)" attack$/
/Î launch (?:a|an) "curl" attack with:$/
/Î launch (?:a|an) "dirb" attack with:$/
/Î launch (?:a|an) "garmr" attack with:$/
/Î launch (?:a|an) "generic" attack with:$/
/Î launch (?:a|an) "nmap" attack with:$/
/Î launch (?:a|an) "nmap-(.*?)" attack$/
/Î launch (?:a|an) "sqlmap" attack with:$/
/Î launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/

bundle exec gauntlt --format html > out.html


• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt

B E TA I N V I T E T O U D E M Y C L A S S ?
E M A I L J A M E S @ G A U N T LT. O R G


Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Viewers also liked

Viewers also liked (20)

Similar to Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

Similar to Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop (20)

More from James Wickett

More from James Wickett (20)

Recently uploaded

Recently uploaded (20)

Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop