Be Mean to Your Code - OWASP San Antonio



  1. Be Mean to your Code with Gauntlt
  2. @wickett: College Startup, Web Systems Engineer; Media Startup, Web Ops Lead; DevOps; CISSP (CISSP sounds cool)
  3. a brief history of infosec
  4. 1337 tools
  5. the worms and viruses didn't stop
  6. we faced skilled adversaries
  7. we couldn't win
  8. Instead of Engineering, InfoSec became Actuaries
  9. "[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
  10. there were other movements
  11. devs became cool
  12. devs became cool, agile
  13. the biz sells time now
  14. dev and ops now play nice
  15. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  16. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  17. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  18. infosec hasn't kept pace
  19. Your punch is soft, just like your heart
  20. "Is this Secure?" - Your Customer
  21. "It's Certified" - You
  22. there's a better way
  23. 6 R's of Rugged DevOps
  24. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  25. how does one join rugged devops?
  26. enter gauntlt
  27. gauntlt is like this
  28. sqlmap, sslyze, dirb, curl, generic, nmap -> your app -> gauntlt -> exit status: 0
  29. gauntlt credits. Creators: Mani Tadayon, James Wickett. Community Wrangler: Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter)
  30. security tools are confusing
  31. mapping, discovery, exploitation
  32. fuzz, find, inject
  33. security tests on every change
  34. wisdom from a video game
  35. always listen to Doc
  36. Find the weakness of your enemy
  37. Codify your knowledge (cheat sheets)
  38. sometimes, you face the same enemies again
  39. gauntlt is collaboration
  40. Gauntlt helps dev and ops and security to communicate
  41. gauntlt harmonizes our languages
  42. Behavior Driven Development. "BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." Dan North, 2009
  43. we have to start somewhere
  44. install gauntlt:

      ```shell
      $ gem install gauntlt
      ```

  45. gauntlt design: Simple. Extensible. UNIX™: stdin, stdout, exit status. Minimum features yield maximum utility.
  46. list the defined attacks:

      ```
      $ gauntlt --list
      Defined attacks:
      curl
      dirb
      garmr
      generic
      nmap
      sqlmap
      sslyze
      ```

  47. Attack File: a plain text file in Gherkin syntax: Given / When / Then
  48. An attack file (the steps are labelled Given, When, Then, When, Then):

      ```gherkin
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
      ```

  49. running gauntlt with failing tests:

      ```
      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
      ```

  50. running gauntlt with passing tests (same feature file as slide 49):

      ```
      $ gauntlt
      ...
      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s
      ```

  51. the step definitions gauntlt ships with:

      ```
      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/
      ```

  52. the same list, highlighting the steps used for a sqlmap attack:

      ```
      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      ```

  53. The attack file from slide 48, annotated. The Background holds the setup steps: verify the toolset ("nmap" is installed) and the config (the profile table).
  54. The attack file from slide 48, annotated. The When step launches the attack and gets config from the profile (the <hostname> placeholder).
  55. The attack file from slide 48, annotated. The Then step is the assert: the expected string is the needle, the tool's output is the haystack.
  56. Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  57. Netflix Use Case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
  58. Check your ssl certs
  59. cookie tampering
  60. curl hacking
  61. Look for common apache misconfigurations
  62. A dirb attack file:

      ```gherkin
      @slow
      Feature: Run dirb scan on a URL
        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """
      ```

      The entries of the vulns/apache.txt wordlist:

      ```
      .htaccess
      .htpasswd
      .meta
      .web
      access_log
      cgi
      cgi-bin
      cgi-pub
      cgi-script
      dummy
      error
      error_log
      htdocs
      httpd
      httpd.pid
      icons
      server-info
      server-status
      logs
      manual
      printenv
      test-cgi
      tmp
      ~bin
      ~ftp
      ~nobody
      ~root
      ```

  63. I have my weakness. But I won't tell you! Ha Ha Ha!
  64. Test for SQL Injection
  65. A sqlmap attack file:

      ```gherkin
      @slow @announce
      Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                  |
            | target_url | http://example.com?x=1 |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """
      ```

  66. my_first.attack: See 'GET STARTED' on the project repo. Start here > https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  67. Starter Kit on GitHub. The starter kit is on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from: www.gauntlt.org/
  68. Contribute to gauntlt: See 'FOR DEVELOPERS' in the README. Get started in 7 steps.
  69. If you get stuck: Check the README. IRC Channel: #gauntlt on freenode. @gauntlt on twitter. Mailing List (https://groups.google.com/forum/#!forum/gauntlt). Office hours with weekly google hangout.
  70. @gauntlt future plans
  71. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  72. Next Features: More output parsers. More attack adapters. JRuby & Java Support. Front end UI / web reports.
  73. Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  74. get started with gauntlt: github/gauntlt (start here), gauntlt.org, videos and tutorials (cool vids!), google group, @gauntlt, IRC #gauntlt (we help!)
  75. @wickett, james@gauntlt.org. Be Mean to Your Code!
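As an added example (not gauntlt's own code), a Ruby miniature of the attack-file model annotated on slides 53 to 55: the Background's profile table is parsed as config, `<name>` placeholders in the command are filled from it, and each Then step is a needle-in-haystack check over the tool's output, reduced to an exit status like the failing and passing runs on slides 49 and 50. The nmap output is a constructed stand-in; no tool is run.

```ruby
# Added example, not gauntlt's code: a miniature of the attack-file model
# (setup steps -> get config -> assert needle in haystack -> exit status).

# Profile table as it appears in a Background (slide 48).
PROFILE_TABLE = <<~TABLE
  | name     | value       |
  | hostname | example.com |
TABLE

# Constructed stand-in for the stdout of `nmap -F <hostname>`; nothing is scanned.
NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com
  PORT STATE SERVICE
  80/tcp open http
  443/tcp open https
OUT

# Parse "| name | value |" rows into a Hash, skipping the header row.
def parse_profile(table)
  table.lines
       .map { |line| line.split("|").map(&:strip).reject(&:empty?) }
       .reject { |cells| cells.empty? || cells == %w[name value] }
       .to_h
end

# "Get config": replace every <placeholder> with its profile value.
# An unknown placeholder is a configuration error, so fail loudly.
def expand_command(command, profile)
  command.gsub(/<(\w+)>/) do
    profile.fetch(Regexp.last_match(1)) { |k| raise KeyError, "no profile value for <#{k}>" }
  end
end

# One Then step: the expected string is the needle, the tool output the haystack.
def assert_output(haystack, needle, negate: false)
  found = haystack.include?(needle)
  negate ? !found : found
end

# Run the Then steps of a scenario (needle => negate?) and return an exit
# status the way gauntlt does: 0 when every step passed, 1 otherwise.
def run_scenario(output, expectations)
  failures = expectations.reject { |needle, negate| assert_output(output, needle, negate: negate) }
  failures.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  profile = parse_profile(PROFILE_TABLE)
  puts expand_command("nmap -F <hostname>", profile)
  puts run_scenario(NMAP_OUTPUT, { "80/tcp open http" => false, "25/tcp" => true })
end
```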
