Be Mean to Your Code - OWASP San Antonio
Presentation Transcript

  • Be Mean to your Code with Gauntlt
  • @wickett: College Startup, Web Systems Engineer; Media Startup, Web Ops Lead; DevOps; CISSP (CISSP sounds cool)
  • a brief history of infosec
  • 1337 tools
  • the worms and viruses didn't stop
  • we faced skilled adversaries
  • we couldn't win
  • Instead of Engineering, InfoSec became Actuaries
  • "[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK"
  • there were other movements
  • devs became cool
  • devs became cool: agile
  • the biz sells time now
  • dev and ops now play nice
  • http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  • culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  • infosec hasn't kept pace
  • Your punch is soft, just like your heart
  • "Is this Secure?" - Your Customer
  • "It's Certified" - You
  • there's a better way
  • 6 R's of Rugged DevOps
  • http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  • how does one join rugged devops?
  • enter gauntlt
  • gauntlt is like this
  • (diagram) sqlmap, sslyze, dirb, curl, generic, nmap; your app; gauntlt; exit status: 0
  • gauntlt credits. Creators: Mani Tadayon, James Wickett. Community Wrangler: Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter)
  • security tools are confusing
  • mapping, discovery, exploitation
  • fuzz, find, inject
  • security tests on every change
  • wisdom from a video game
  • always listen to Doc
  • Find the weakness of your enemy
  • Codify your knowledge (cheat sheets)
  • sometimes, you face the same enemies again
  • gauntlt is collaboration
  • Gauntlt helps dev and ops and security to communicate
  • gauntlt harmonizes our languages
  • Behavior Driven Development: "BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." Dan North, 2009
  • we have to start somewhere
  • install gauntlt:
    $ gem install gauntlt
  • gauntlt design: Simple; Extensible; UNIX™: stdin, stdout, exit status; Minimum features yield maximum utility
  • $ gauntlt --list
    Defined attacks:
      curl
      dirb
      garmr
      generic
      nmap
      sqlmap
      sslyze
  • Attack File: Plain Text File; Gherkin syntax: Given, When, Then
  • Attack file (callouts on the slide: Given, When, Then, When, Then):
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should contain:
          """
          80/tcp open http
          """
      Scenario: Verify that there are no unexpected ports open
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should not contain:
          """
          25/tcp
          """
  • running gauntlt with failing tests
    $ gauntlt
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F www.example.com
          """
        Then the output should contain:
          """
          443/tcp open https
          """
    1 scenario (1 failed)
    5 steps (1 failed, 4 passed)
    0m18.341s
  • running gauntlt with passing tests
    $ gauntlt
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F www.example.com
          """
        Then the output should contain:
          """
          443/tcp open https
          """
    1 scenario (1 passed)
    4 steps (4 passed)
    0m18.341s
  • $ gauntlt --steps
    /^"(\w+)" is installed in my path$/
    /^"curl" is installed$/
    /^"dirb" is installed$/
    /^"garmr" is installed$/
    /^"nmap" is installed$/
    /^"sqlmap" is installed$/
    /^"sslyze" is installed$/
    /^I launch a "curl" attack with:$/
    /^I launch a "dirb" attack with:$/
    /^I launch a "garmr" attack with:$/
    /^I launch a "generic" attack with:$/
    /^I launch an "nmap" attack with:$/
    /^I launch an "sslyze" attack with:$/
    /^I launch an? "sqlmap" attack with:$/
    /^the "(.*?)" command line binary is installed$/
    /^the file "(.*?)" should contain XML:$/
    /^the file "(.*?)" should not contain XML:$/
    /^the following cookies should be received:$/
    /^the following profile:$/
  • $ gauntlt --steps
    /^"(\w+)" is installed in my path$/
    /^"sqlmap" is installed$/
    /^I launch a "generic" attack with:$/
    /^I launch an? "sqlmap" attack with:$/
  • The same attack file, annotated over three slides. Callouts: setup steps (verify toolset, config); attack (get config); assert (needle, haystack).
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should contain:
          """
          80/tcp open http
          """
      Scenario: Verify that there are no unexpected ports open
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should not contain:
          """
          25/tcp
          """
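The three stages the slides call out (setup: profile table; attack: substitute the profile into a command; assert: needle in haystack, folded into a UNIX exit status) can be shown end to end with a small interpreter for the attack-file structure above. The following is an added example written for this page, not gauntlt's own code, and it deliberately does not run nmap: the tool is injected as a `runner` callable and the output is a constructed sample in nmap's column-aligned layout, so the example runs offline and the second, "SMTP exposed" sample shows the failing-test path from the earlier slide. The `run_real_tool` function is only the seam where a real invocation would go; the attack-file text, the profile key `hostname`, and the assertion semantics are taken from the slides, everything else (function names, the whitespace-squeezing match, the sample outputs) is this example's own choice.

```ruby
# Added example (not gauntlt's own code): a minimal interpreter for the
# attack-file structure on the slides. Stages: setup (profile table and
# required tools), attack (expand <name> placeholders into a command),
# assert (needle/haystack on the tool's stdout), then a UNIX exit status.
require 'open3'

# The nmap attack file from the slides, embedded verbatim.
NMAP_ATTACK = <<~GHERKIN
  Feature: nmap attacks for example.com
    Background:
      Given "nmap" is installed
      And the following profile:
        | name     | value       |
        | hostname | example.com |
    Scenario: Verify server is open on expected ports
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should contain:
        """
        80/tcp open http
        """
    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should not contain:
        """
        25/tcp
        """
GHERKIN

# Setup stage: collect the profile rows (header row skipped), the tools the
# Background declares as required, and each scenario's tool, command and
# assertions. Doc strings (""" ... """) attach to the preceding When/Then.
def parse_attack(text)
  profile, required, scenarios, pending = {}, [], [], nil
  lines = text.lines.map(&:strip)
  i = 0
  while i < lines.length
    case lines[i]
    when /\A\|\s*(\w+)\s*\|\s*(.*?)\s*\|\z/
      profile[$1] = $2 unless $1 == 'name'
    when /\AGiven "(\w+)" is installed\z/
      required << $1
    when /\AScenario: (.+)\z/
      scenarios << { name: $1, tool: nil, command: nil, asserts: [] }
    when /\AWhen I launch an? "(\w+)" attack with:\z/
      pending = [:command, $1]
    when /\AThen the output should (not )?contain:\z/
      pending = [:assert, $1.nil?]   # present? is false when "not " matched
    when '"""'
      body = []
      i += 1
      while i < lines.length && lines[i] != '"""'
        body << lines[i]
        i += 1
      end
      raise ArgumentError, 'unterminated doc string' if i >= lines.length
      kind, arg = pending
      current = scenarios.last or raise ArgumentError, 'doc string outside a scenario'
      if kind == :command
        current[:tool], current[:command] = arg, body.join("\n")
      elsif kind == :assert
        current[:asserts] << { needle: body.join("\n"), present: arg }
      end
      pending = nil
    end
    i += 1
  end
  [profile, scenarios, required]
end

# Attack stage: every <name> must resolve from the profile; an unknown name
# is a configuration error rather than a silently empty command argument.
def expand_command(command, profile)
  command.gsub(/<(\w+)>/) { profile.fetch($1) { raise KeyError, "no profile value for <#{$1}>" } }
end

# Assert stage. Whitespace runs are collapsed on both sides (this example's
# choice) so column-aligned output like "80/tcp  open  http" still matches
# the needle "80/tcp open http" written on the slide.
def squeeze(s) = s.gsub(/\s+/, ' ').strip

def assertion_holds?(assertion, output)
  squeeze(output).include?(squeeze(assertion[:needle])) == assertion[:present]
end

# Run every scenario through `runner` (tool, command) -> stdout and fold the
# results into an exit status: 0 only if every assertion held, else 1.
def run_attacks(text, runner)
  profile, scenarios, _required = parse_attack(text)
  results = scenarios.map do |sc|
    cmd = expand_command(sc[:command], profile)
    output = runner.call(sc[:tool], cmd)
    { name: sc[:name], command: cmd, failed: sc[:asserts].reject { |a| assertion_holds?(a, output) } }
  end
  [results, results.all? { |r| r[:failed].empty? } ? 0 : 1]
end

# Seam for real execution (not called here): stdout is the haystack.
def run_real_tool(_tool, cmd)
  stdout, _stderr, _status = Open3.capture3(cmd)
  stdout
end

# Constructed sample outputs in nmap's layout; not real scan results.
CLEAN_HOST_OUTPUT = "PORT    STATE SERVICE\n80/tcp  open  http\n443/tcp open  https\n"
SMTP_EXPOSED_OUTPUT = CLEAN_HOST_OUTPUT + "25/tcp  open  smtp\n"

def exit_status_for(output)
  _results, status = run_attacks(NMAP_ATTACK, ->(_tool, _cmd) { output })
  status
end

if __FILE__ == $PROGRAM_NAME
  results, status = run_attacks(NMAP_ATTACK, ->(_t, _c) { SMTP_EXPOSED_OUTPUT })
  results.each { |r| puts "#{r[:failed].empty? ? 'PASS' : 'FAIL'}: #{r[:name]} (#{r[:command]})" }
  puts "exit status: #{status}"   # a CI wrapper would `exit status` here
end
```

Run as a script it reports the first scenario passing, the second failing on the leaked `25/tcp` line, and an exit status of 1; swap `SMTP_EXPOSED_OUTPUT` for `CLEAN_HOST_OUTPUT` and the status becomes 0. The whitespace-collapsing match is the one caveat a practitioner should keep in mind when writing needles: tools pad columns, so a literal substring match on the slide's single-spaced `80/tcp open http` can fail against real output even when the port is open.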
  • Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  • Netflix Use Case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
  • Check your ssl certs
  • cookie tampering
  • curl hacking
  • Look for common apache misconfigurations
  • @slow
    Feature: Run dirb scan on a URL
      Scenario: Run a dirb scan looking for common vulnerabilities in apache
        Given "dirb" is installed
        And the following profile:
          | name     | value              |
          | hostname | http://example.com |
          | wordlist | vulns/apache.txt   |
        When I launch a "dirb" attack with:
          """
          dirb <hostname> <dirb_wordlists_path>/<wordlist>
          """
        Then the output should contain:
          """
          FOUND: 0
          """
    (wordlist shown on the slide: .htaccess, .htpasswd, .meta, .web, access_log, cgi, cgi-bin, cgi-pub, cgi-script, dummy, error, error_log, htdocs, httpd, httpd.pid, icons, server-info, server-status, logs, manual, printenv, test-cgi, tmp, ~bin, ~ftp, ~nobody, ~root)
  • I have my weakness. But I won't tell you! Ha Ha Ha!
  • Test for SQL Injection
  • @slow @announce
    Feature: Run sqlmap against a target
      Scenario: Identify SQL injection vulnerabilities
        Given "sqlmap" is installed
        And the following profile:
          | name       | value                  |
          | target_url | http://example.com?x=1 |
        When I launch a "sqlmap" attack with:
          """
          python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
          """
  • my_first.attack: See 'GET STARTED' on the project repo. Start here > https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  • Starter Kit on GitHub. The starter kit is on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from: www.gauntlt.org/
  • Contribute to gauntlt: See 'FOR DEVELOPERS' in the README. Get started in 7 steps.
  • If you get stuck: Check the README; IRC Channel: #gauntlt on freenode; @gauntlt on twitter; Mailing List (https://groups.google.com/forum/#!forum/gauntlt); Office hours with weekly google hangout
  • @gauntlt future plans
  • culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  • Next Features: More output parsers; More attack adapters; JRuby & Java Support; Front end UI / web reports
  • Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  • get started with gauntlt: github/gauntlt; gauntlt.org; videos; tutorials; google group; @gauntlt; IRC #gauntlt; we help! start here; cool vids!
  • @wickett, james@gauntlt.org. Be Mean to Your Code!