Be Mean to Your Code
Be Mean to Your Code - The gauntlt project was created to help you do just that!
Transcript

  • 1. Be Mean to Your Code!
  • 2. @wickett, Sr. DevOps Engineer, Mentor Graphics, Embedded Software Division. CISSP, GWAPT, CCSK, GSEC, GCFW. james@ruggeddevops.org, ruggeddevops.org
  • 3. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • 4. Ruggedization Theory: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 5. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
  • 6. Security vs. Rugged
        Security: absence of events   |  Rugged: verification of quality
        Security: cost                |  Rugged: benefit
        Security: negative            |  Rugged: positive
        Security: FUD                 |  Rugged: known values
        Security: toxic               |  Rugged: affirming
  • 7. "[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK" - MICHAL ZALEWSKI
  • 8. RUGGED (image) source: Jessica Allen, http://drbl.in/bgwy
  • 9. REPEATABLE - no manual steps
        RELIABLE - no DoS here
        REVIEWABLE - aka audit
        RAPID - fast to build, deploy, restore
        RESILIENT - automated reconfiguration
        REDUCED - limited attack surface
  • 10. Put your code through the Gauntlet: custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap
  • 11. Put your code through the Gauntlet: custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap (diagram labels: "Your web app", "You")
  • 12. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  • 13. feature for nmap: nmap.feature

        @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:
          Given nmap is installed

        Scenario: Verify server is available on standard web ports
          Given the hostname in the profile.xml
          When I run nmap against the hostname in the profile on ports 80,443
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """

  • 14. feature for nmap: nmap.feature (same scenario, now tagged @webserver as well)

        @run @webserver
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background: # optional
          Given nmap is installed

        Scenario: Verify server is available on standard web ports
          Given the hostname in the profile.xml
          When I run nmap against the hostname in the profile on ports 80,443
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """
  • 15. step definition for nmap: nmap.rb (the port regex on the slide lost its backslashes in extraction, restored here; the captured ports are passed to nmap instead of the hard-coded -p80,443)

        # Background step: confirm nmap is on the PATH before any scenario runs.
        Given /^nmap is installed$/ do
          steps %{
            When I run `which nmap`
            Then the output should contain:
            """
            nmap
            """
          }
        end

        # Scan the hostname loaded from profile.xml (@hostname is set by profile.rb)
        # on the two ports captured from the step text.
        When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
          steps %{
            When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
          }
        end
        ...
  • 16. running gauntlt with failing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                  # features/nmap/nmap.feature:5
            Given nmap is installed                                    # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              8080/tcp open http
              443/tcp open https
              """
        ...
        Failing Scenarios:
        cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

        1 scenario (1 failed)
        4 steps (1 failed, 3 passed)
        0m0.341s

  • 17. running gauntlt with passing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                  # features/nmap/nmap.feature:5
            Given nmap is installed                                    # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              80/tcp open http
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m1.117s
  • 18. https://github.com/thegauntlet/gauntlt
  • 19. gauntlt team: James Wickett, Mani Tadayon, Roy Rapoport, Jason Chan, Matt Tesauro, Tarek Moussa, Jeremiah Shirk, Luis De Leon, Dan Cornell, Scott Muc
  • 20. Join Us
        github > http://bit.ly/gauntlt_repo
        google group > http://bit.ly/gauntlt_group
        twitter: @gauntlt
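Slides 13 to 17 verify that ports 80 and 443 are open by string-matching nmap's output. The Ruby below is an added example, not gauntlt's own code: it parses nmap's normal output into a hash, checks the required ports the way the feature file does, and additionally flags open ports outside an allow-list, which turns the "REDUCED - limited attack surface" slide into an assertion a step definition could make. The nmap output and the host name example.internal are constructed, not captured from a real scan.

```ruby
# Added example (not from gauntlt): parse nmap's "PORT STATE SERVICE" table and
# compare open ports against an allow-list, so a step can fail when something
# unexpected is listening, not only when 80/443 are missing.
# Constructed sample output; the host and timings are made up.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-05-01 10:00 CDT
  Nmap scan report for example.internal (10.0.0.5)
  Host is up (0.0010s latency).
  Not shown: 996 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  80/tcp   open     http
  443/tcp  open     https
  8080/tcp filtered http-proxy
  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
OUT

# Build {"80/tcp" => {state: "open", service: "http"}, ...} from nmap's
# normal (non -oX) output; lines that are not port rows are skipped.
def parse_nmap_ports(output)
  ports = {}
  output.each_line do |line|
    m = line.match(%r{^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    next unless m
    ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
  end
  ports
end

# Open ports that are not on the allow-list; an empty array means the host
# exposes only what the feature file expects.
def unexpected_open_ports(output, allowed)
  parse_nmap_ports(output)
    .select { |_port, info| info[:state] == "open" }
    .keys
    .reject { |port| allowed.include?(port) }
end

# Structured equivalent of "Then the output should contain: 80/tcp open http".
def expected_ports_open?(output, required)
  ports = parse_nmap_ports(output)
  required.all? { |port| ports.dig(port, :state) == "open" }
end

if __FILE__ == $PROGRAM_NAME
  allowed = %w[80/tcp 443/tcp]
  puts "required ports open: #{expected_ports_open?(SAMPLE_NMAP_OUTPUT, allowed)}"
  puts "unexpected open ports: #{unexpected_open_ports(SAMPLE_NMAP_OUTPUT, allowed).join(', ')}"
end
```

In a gauntlt step definition the same two checks could replace the free-text "should contain" match, with `unexpected_open_ports` returning a non-empty array as the failing condition.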