Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

This is a hands-on workshop for working with Gauntlt. The first half is philosophy, theory and social commentary. The second half is the hands-on workshop.

There are two options for working through the workshop. The recommended way is to use the VirtualBox image, as there are a couple of security tools (arachni, nmap, ...) that we will be using. It is not required, though: you can just clone the repo if you have Ruby 1.9.3 and Bundler.

If you want to use the Vagrant box setup for the workshop, follow the instructions in 02_Using Vagrant Box.md; if you want to use your own box, follow the directions in 03_Using Repo Only.md.

This has been tested to work on Linux and OS X. You can follow along using the instructions at https://gist.github.com/wickett/25d90a462706639446cc


  1. BE MEAN TO YOUR CODE WITH GAUNTLT AND THE RUGGED WAY. JAMES WICKETT // @WICKETT. @WICKETT // #VELOCITYCONF // @GAUNTLT
  2. @WICKETT • Austin, TX • Gauntlt Core Team • LASCON Founder • Cloud Austin Organizer • DevOps Days Austin Organizer • DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt
  3. REQUIREMENTS. OPTION 1: • VirtualBox • Vagrant • Gauntlt Box • Pre-downloaded. OR OPTION 2: • Ruby 1.9.3 • Git • Bundler • Reliable Internet
  4. INSTRUCTIONS: bit.ly/gauntlt-demo-instructions
  5. WHY DOES THIS MATTER?
  6. PEOPLE MATTER
  7. THE BROKEN WINDOW FALLACY – HENRY HAZLITT
  8. BESIDES LOSS, BREACHES CAUSE CYNICISM AND DISTRUST
  9. SOFTWARE HAS CHANGED
  10. SOFTWARE AS A SERVICE
  11. SOFTWARE AS BRICOLAGE
  12. BOLT ON FEATURE APPROACH
  13. FRAGILE CODE AS A SERVICE
  14. DEPLOY TIMELINES HAVE CHANGED
  15. DEV AND OPS HAVE FOUND A NEW RELIGION
  16. SECURITY HAS NOT CHANGED
  17. COMPLIANCE DRIVEN CULTURE: PCI, SOX, …
  18. PEOPLE PROCESS TOOLS
  19. WE HAVE A PEOPLE PROBLEM
  20. THE RATIO PROBLEM
  21. DEV : OPS : SECURITY 100:10:1
  22. LANGUAGE GAP
  23. SECURITY DOESN'T ALWAYS SPEAK THE LANGUAGE OF THE BIZ / DEV / OPS TEAMS
  24. PEOPLE PROCESS TOOLS
  25. ABDICATING RESPONSIBILITY: PROCESS
  26. YOU NEED EXPERTS TO TEST FOR SECURITY
  27. FORMALIZED VIA AUDITORS AND COMPLIANCE ANNUALLY
  28. PEOPLE PROCESS TOOLS
  29. DEV -> SVN || GIT
  30. OPS -> TXT || WIKIS
  31. DEV -> GIT <- OPS
  32. SECURITY -> SOURCEFORGE!
  33. SIGNS THAT SECURITY IS MOVING INTO A NEW ERA
  34. ANALYTICS, MONITORS, LOGS, TELEMETRY, TESTING, CONFIG MANAGEMENT
  35. ATTACK CHAINS AND SIGNALS http://www.youtube.com/watch?v=jQblKuMuS0Y
  36. VULNERABILITY EXPLOITATION IS A TIMELINE
  37. DISCOVERY -> VULNERABILITY -> EXPLOIT (timeline)
  38. SQL SYNTAX ERRORS, DB TABLE NAMES, LARGE RESPONSE SIZES
  39. INSTRUMENT FULL ATTACK CHAINS AND WATCH FOR SIGNALS
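The three signals on slide 38 (SQL syntax errors, database table names leaking into responses, unusually large responses) line up with the discovery, vulnerability and exploit stages of the timeline on slides 36 and 37. The following is an added example, written in Ruby (Gauntlt's own language) and not taken from the slides or from Gauntlt, of what "instrument the chain and watch for signals" looks like as code: it scans constructed log lines, tags each with the signal it carries, and reports which clients produced the whole chain in order. The log format, the list of table names and the 10x size threshold are all assumptions chosen for the example.

```ruby
# Added example, not part of the talk or of Gauntlt: detect the signals from
# slide 38 in application logs and correlate them per client into a chain.

# Constructed sample log, one request per line:
#   client_ip method path status response_bytes application_message
SAMPLE_LOG = <<~LOG
  10.0.0.5 GET /products?id=1 200 1842 ok
  10.0.0.5 GET /products?id=1 500 912 PG::SyntaxError: syntax error at or near "'"
  10.0.0.5 GET /products?id=1 500 944 PG::UndefinedTable: relation "users" does not exist
  10.0.0.5 GET /products?id=1 200 418233 ok
  192.168.1.20 GET /products?id=7 200 1790 ok
  192.168.1.20 GET /login 200 2210 ok
LOG

# Signal definitions. The table names are a constructed list standing in for
# your own schema; the error patterns cover a few common database drivers.
SQL_ERROR_RE = /syntax error|SQLSTATE|ORA-\d{5}|You have an error in your SQL syntax/i
TABLE_NAMES  = %w[users accounts sessions credit_cards].freeze
# Stage order from slides 36 and 37: discovery, confirmed vulnerability, exploit.
CHAIN = %i[sql_error table_name large_response].freeze

Event = Struct.new(:ip, :path, :signal, :record)

def parse_line(line)
  ip, method, path, status, bytes, msg = line.strip.split(' ', 6)
  { ip: ip, method: method, path: path, status: status.to_i, bytes: bytes.to_i, msg: msg.to_s }
end

def median(values)
  s = values.sort
  mid = s.size / 2
  s.size.odd? ? s[mid] : (s[mid - 1] + s[mid]) / 2.0
end

# Per-path median response size; "large" is measured against this baseline.
def size_baseline(records)
  records.group_by { |r| r[:path] }.transform_values { |rs| median(rs.map { |r| r[:bytes] }) }
end

# One Event per signal found on each log line, in log order.
def detect_signals(log, size_factor: 10)
  records  = log.lines.reject { |l| l.strip.empty? }.map { |l| parse_line(l) }
  baseline = size_baseline(records)
  records.flat_map do |r|
    signals = []
    signals << :sql_error      if r[:msg] =~ SQL_ERROR_RE
    signals << :table_name     if TABLE_NAMES.any? { |t| r[:msg] =~ /\b#{t}\b/ }
    signals << :large_response if r[:bytes] > baseline[r[:path]] * size_factor
    signals.map { |s| Event.new(r[:ip], r[:path], s, r) }
  end
end

# True when `chain` occurs inside `seen` as an ordered subsequence.
def ordered_subsequence?(chain, seen)
  idx = 0
  seen.each { |s| idx += 1 if idx < chain.size && s == chain[idx] }
  idx == chain.size
end

# Clients whose signals, taken in log order, complete the whole chain.
def attack_chains(events)
  events.group_by(&:ip)
        .select { |_ip, evs| ordered_subsequence?(CHAIN, evs.map(&:signal)) }
        .keys
end

if $PROGRAM_NAME == __FILE__
  events = detect_signals(SAMPLE_LOG)
  events.each { |e| puts "#{e.ip} #{e.path} -> #{e.signal}" }
  puts "full chains: #{attack_chains(events).inspect}"
end
```

Run against the sample, the first client trips all three signals in order and is reported as a complete chain, while the second client, which only produced normal-sized successful responses, is not. The per-path median keeps a single large page (a download endpoint, say) from being flagged just for being big; what matters is a response far outside the norm for that path.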
  40. RUGGED
  41. (image only)
  42. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  43. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  44. DETECTION EARLIER
  45. security tools today
  46. ENTER GAUNTLT
  47. PEOPLE PROCESS TOOLS
  48. GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING
  49. GAUNTLT = SECURITY + CUCUMBER (image: http://www.flickr.com/photos/35231744@N00/286858571/)
  50. CODE -> BUILD -> TEST -> DEPLOY -> FEEDBACK
  51. CODE -> BUILD -> TEST -> DEPLOY -> ~12 MOS. LATER -> SECURITY
  52. CODE -> BUILD -> TEST -> SECURITY -> DEPLOY -> FEEDBACK
  53. A STORY FROM 2010…
  54. DEVOPS (+ SECURITY!) @ernestmueller, @iteration1, @bproverb and friends
  55. Ruby Script -> REST ENDPOINTS: Questionable Payloads, Invalid Sessions, Large Payloads
  56. COLLECTION OF SCRIPTS MERGED INTO OUR TEST RUNNER
  57. IN'S AND OUT'S ARE EASY TO MESS UP
  58. CUCUMBER AND OUTSIDE IN TESTING
  59. (image only)
  60. THE START OF GAUNTLT
  61. OUTSIDE IN TESTING FOR SECURITY TOOLS
  62. OUTPUT FROM SECURITY TOOLS IS HARD TO DECIPHER
  63. BE MEAN TO YOUR CODE
  64. (diagram: GARMR, NMAP, ARACHNI and SQLMAP aimed at CODE)
  65. (diagram: GARMR, NMAP, ARACHNI and SQLMAP aimed at CODE)
  66. (diagram: GARMR, NMAP, ARACHNI and SQLMAP aimed at CODE)
  67. (diagram: GARMR, NMAP, ARACHNI and SQLMAP aimed at CODE)
  68. (image only)
  69. BUT WHAT ABOUT THE PEOPLE
  70. CONVERSATION AND COLLABORATION IS THE CORE OF GAUNTLT
  71. DEV, OPS, SECURITY -> *.attack • Execution Knowledge • Testing Logic Captured • Repeatable
  72. GAUNTLT IN ACTION
  73. *.attack: something.attack, else.attack
  74. Attack Structure: Feature (Description), Background (Setup), Scenario (Logic)
  75. Attack Logic: Given, When, Then
  76. Attack Step: Given. Setup steps that check a resource is available, e.g. Given "arachni" is installed
  77. Attack Step: When. Action steps, e.g. When I launch an "arachni-xss" attack
  78. Attack Step: Then. Parsing steps, e.g. Then the output should not contain "fail"
  79. GAUNTLT PHILOSOPHY
  80. RUN SECURITY TOOLS IN A REPEATABLE, EASY TO READ WAY
  81. GAUNTLT DOES NOT INSTALL TOOLS
  82. GAUNTLT SHIPS WITH PRECANNED ATTACKS AND STEPS
  83. BE PART OF THE CI/CD PIPELINE
  84. HANDLE STDIN, STDOUT, AND EXIT STATUS
  85. GAUNTLT IN USE
  86. AT A GAME DEV SHOP • Check for XSS (cross site scripting) [Arachni] • Check for new login pages [Garmr] • Check for insecure refs in login flows [Garmr] • Extended XSS testing [Custom Arachni] (PR coming soon)
  87. MENTOR GRAPHICS • Smoke Test integration on environment build • Checks REST services [curl] • Tests for XSS [arachni] • Injection attacks [sqlmap, dirb] • Misconfiguration [dirb] • SSL checks [sslyze]
  88. AT CABFORWARD • Ruby Dev Shop • Integrated into CI for customers • GITHUB -> TravisCI -> Unit Tests / Integration Tests / Gauntlt
  89. GITHUB.COM/GAUNTLT/GAUNTLT
  90. $ gem install gauntlt
  91. An nmap attack file (the slide's callouts mark the Background as the Given and each Scenario as a When/Then pair):
      Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |

      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should contain:
          """
          80/tcp open http
          """

      Scenario: Verify that there are no unexpected ports open
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should not contain:
          """
          25/tcp
          """
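Slides 74 to 78 describe the attack file as Feature/Background/Scenario with Given (setup), When (action) and Then (parsing) steps, slide 84 says the framework's job is to handle stdin, stdout and exit status, and slide 91 shows a complete nmap attack file. The following is an added example, not Gauntlt's own code (Gauntlt runs attack files through Cucumber; this is a deliberately small stand-in written in Ruby for illustration): a tiny interpreter for exactly the subset of attack-file syntax the nmap slide uses. It shows how the profile table fills in <hostname>, how each Then step parses the tool's output, and how the verdict becomes the exit status a CI job keys off. The attack file is the one from the slide; the nmap output is constructed so the example runs offline, and a runner lambda is the assumed way to swap the real tool in or out.

```ruby
# Added example, not Gauntlt's own code: a tiny interpreter for the subset of
# attack-file syntax on slide 91, run here against constructed nmap output.
require 'open3'

NMAP_ATTACK = <<~ATTACK   # the attack file from the slide
  Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |
  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """
  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
ATTACK

AttackScenario = Struct.new(:name, :command, :checks) # checks: [[:contain | :not_contain, text], ...]

# Reads the """-delimited docstring starting at lines[i]; returns the index of
# the closing delimiter and the body with indentation stripped.
def read_docstring(lines, i)
  raise "expected docstring at line #{i + 1}" unless lines[i].strip == '"""'
  j = i + 1
  j += 1 until lines[j].strip == '"""'
  [j, lines[(i + 1)...j].map(&:strip).join("\n")]
end

# Returns [profile, required_tools, scenarios] for the steps this subset knows.
def parse_attack(text)
  profile, tools, scenarios = {}, [], []
  lines = text.lines.map(&:rstrip)
  i = 0
  while i < lines.size
    case lines[i].strip
    when /^Given "([^"]+)" is installed$/                 # setup step
      tools << Regexp.last_match(1)
    when /^\|\s*(\w+)\s*\|\s*(.+?)\s*\|$/                 # profile table row
      name, value = Regexp.last_match(1), Regexp.last_match(2)
      profile[name] = value unless name == 'name'        # skip the header row
    when /^Scenario: (.+)$/
      scenarios << AttackScenario.new(Regexp.last_match(1), nil, [])
    when /^When I launch an? "[^"]+" attack with:$/      # action step
      i, body = read_docstring(lines, i + 1)
      scenarios.last.command = body
    when /^Then the output should (not )?contain:$/      # parsing step
      mode = Regexp.last_match(1) ? :not_contain : :contain
      i, body = read_docstring(lines, i + 1)
      scenarios.last.checks << [mode, body]
    end
    i += 1
  end
  [profile, tools, scenarios]
end

# Fill <name> placeholders in a command from the profile table.
def render(command, profile)
  command.gsub(/<(\w+)>/) { profile.fetch(Regexp.last_match(1)) }
end

def tool_on_path?(name)
  ENV.fetch('PATH', '').split(File::PATH_SEPARATOR).any? { |d| File.executable?(File.join(d, name)) }
end

REAL_RUNNER = ->(cmd) { Open3.capture2e(cmd).first }   # combined stdout+stderr of the tool

# Returns [results, exit_status]; status is 0 only when every Then check holds,
# which is what lets a CI job fail. Pass a runner lambda to stub the tool.
def run_attack(text, runner: nil)
  profile, tools, scenarios = parse_attack(text)
  if runner.nil?
    missing = tools.reject { |t| tool_on_path?(t) }    # the Given step's check
    raise "not installed: #{missing.join(', ')}" unless missing.empty?
    runner = REAL_RUNNER
  end
  results = scenarios.map do |s|
    cmd = render(s.command, profile)
    output = runner.call(cmd)
    failed = s.checks.reject { |mode, needle| (mode == :contain) == output.include?(needle) }
    { name: s.name, command: cmd, passed: failed.empty?, failed_checks: failed }
  end
  [results, results.all? { |r| r[:passed] } ? 0 : 1]
end

# Constructed nmap output standing in for a real scan of example.com.
FAKE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com
  PORT STATE SERVICE
  22/tcp open ssh
  80/tcp open http
  443/tcp open https
OUT
FAKE_RUNNER = ->(_cmd) { FAKE_NMAP_OUTPUT }
```

Calling run_attack(NMAP_ATTACK, runner: FAKE_RUNNER) renders the command as nmap -F example.com, passes both scenarios and returns exit status 0; feed it output with an extra 25/tcp line and the second scenario fails and the status becomes 1. A command-line wrapper would print the per-scenario results and call exit with that status, which is the whole contract slide 84 asks for: the tool's stdout goes in, a readable pass/fail comes out, and the process exit code tells the pipeline whether to stop.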
  92. HANDS ON
  93. EVERYTHING YOU NEED… http://bit.ly/gauntlt-demo-instructions
  94. OPTION 1
  95. OPTION 1 - CONTINUED
  96. OPTION 2
  97. $ vagrant ssh
      vagrant@precise32:~$
  98. $ cd gauntlt-demo
  99. $ rvm use 1.9.3
  100. 04_Hello World with Gauntlt.md
       $ cd ./examples
       $ gauntlt ./hello_world/hello_world.attack
  101. to 108. (screenshots, no text)
  109. $ gauntlt --steps
       /^"(\w+)" is installed in my path$/
       /^"arachni" is installed$/
       /^"curl" is installed$/
       /^"dirb" is installed$/
       /^"garmr" is installed$/
       /^"nmap" is installed$/
       /^"sqlmap" is installed$/
       /^"sslyze" is installed$/
       /^I launch (?:a|an) "arachni" attack with:$/
       /^I launch (?:a|an) "arachni-(.*?)" attack$/
       /^I launch (?:a|an) "curl" attack with:$/
       /^I launch (?:a|an) "dirb" attack with:$/
       /^I launch (?:a|an) "garmr" attack with:$/
       /^I launch (?:a|an) "generic" attack with:$/
       /^I launch (?:a|an) "nmap" attack with:$/
       /^I launch (?:a|an) "nmap-(.*?)" attack$/
       /^I launch (?:a|an) "sqlmap" attack with:$/
       /^I launch (?:a|an) "sslyze" attack with:$/
       /^the "(.*?)" command line binary is installed$/
       /^the DIRB_WORDLISTS environment variable is set$/
       /^the file "(.*?)" should contain XML:$/
       /^the file "(.*?)" should not contain XML:$/
       /^the following cookies should be received:$/
       /^the following environment variables:$/
       /^the following profile:$/
  110. to 119. (screenshots, no text)
  120. bundle exec gauntlt --format html > out.html
  121. (screenshot, no text)
  122. • Google Group > https://groups.google.com/d/forum/gauntlt • Wiki > https://github.com/gauntlt/gauntlt/wiki • IRC > #gauntlt on freenode • Weekly hangout > http://bit.ly/gauntlt-hangout • Issue tracking > http://github.com/gauntlt/gauntlt
  123. BETA INVITE TO UDEMY CLASS? EMAIL JAMES@GAUNTLT.ORG