Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

This is a hands-on workshop for working with Gauntlt. The first half is philosophy, theory and social commentary. The second half is the hands on workshop.

There are two options for working through the workshop. The recommended way is to use the VirtualBox image, because a couple of security tools (arachni, nmap, ...) that we will be using are already installed on it. It is not required, though: you can just clone the repo if you have Ruby 1.9.3 and Bundler.

If you want to use the Vagrant box setup for the workshop, please follow the instructions in 02_Using Vagrant Box.md; if you want to use your own box, follow the directions in 03_Using Repo Only.md.

This has been tested to work on Linux and OS X. You can follow along using the instructions at https://gist.github.com/wickett/25d90a462706639446cc

Transcript

  • 1. BE MEAN TO YOUR CODE WITH GAUNTLT AND THE RUGGED WAY. JAMES WICKETT // @WICKETT. Slide footer: @WICKETT // #VELOCITYCONF // @GAUNTLT
  • 2. @WICKETT • Austin, TX • Gauntlt Core Team • LASCON Founder • Cloud Austin Organizer • DevOps Days Austin Organizer • DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt
  • 3. REQUIREMENTS
    OPTION 1: • VirtualBox • Vagrant • Gauntlt Box (pre-downloaded)
    OR
    OPTION 2: • Ruby 1.9.3 • Git • Bundler • Reliable Internet
  • 4. INSTRUCTIONS: bit.ly/gauntlt-demo-instructions
  • 5. WHY DOES THIS MATTER?
  • 6. PEOPLE MATTER
  • 7. THE BROKEN WINDOW FALLACY – Henry Hazlitt
  • 8. BESIDES LOSS, BREACHES CAUSE CYNICISM AND DISTRUST
  • 9. SOFTWARE HAS CHANGED
  • 10. SOFTWARE AS A SERVICE
  • 11. SOFTWARE AS BRICOLAGE
  • 12. BOLT-ON FEATURE APPROACH
  • 13. FRAGILE CODE AS A SERVICE
  • 14. DEPLOY TIMELINES HAVE CHANGED
  • 15. DEV AND OPS HAVE FOUND A NEW RELIGION
  • 16. SECURITY HAS NOT CHANGED
  • 17. COMPLIANCE DRIVEN CULTURE: PCI, SOX, …
  • 18. PEOPLE / PROCESS / TOOLS
  • 19. WE HAVE A PEOPLE PROBLEM
  • 20. THE RATIO PROBLEM
  • 21. DEV : OPS : SECURITY = 100 : 10 : 1
  • 22. LANGUAGE GAP
  • 23. SECURITY DOESN'T ALWAYS SPEAK THE LANGUAGE OF THE BIZ / DEV / OPS TEAMS
  • 24. PEOPLE / PROCESS / TOOLS
  • 25. PROCESS: ABDICATING RESPONSIBILITY
  • 26. YOU NEED EXPERTS TO TEST FOR SECURITY
  • 27. FORMALIZED VIA AUDITORS AND COMPLIANCE ANNUALLY
  • 28. PEOPLE / PROCESS / TOOLS
  • 29. DEV -> SVN || GIT
  • 30. OPS -> TXT || WIKIS
  • 31. DEV -> GIT <- OPS
  • 32. SECURITY -> SOURCEFORGE!
  • 33. SIGNS THAT SECURITY IS MOVING INTO A NEW ERA
  • 34. ANALYTICS, MONITORS, LOGS, TELEMETRY, TESTING, CONFIG MANAGEMENT
  • 35. ATTACK CHAINS AND SIGNALS: http://www.youtube.com/watch?v=jQblKuMuS0Y
  • 36. VULNERABILITY EXPLOITATION IS A TIMELINE
  • 37. DISCOVERY -> VULNERABILITY -> EXPLOIT
  • 38. SQL SYNTAX ERRORS, DB TABLE NAMES, LARGE RESPONSE SIZES
  • 39. INSTRUMENT FULL ATTACK CHAINS AND WATCH FOR SIGNALS
  • 40. RUGGED
  • 41. (image-only slide)
  • 42. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  • 43. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  • 44. DETECTION EARLIER
  • 45. security tools today
  • 46. ENTER GAUNTLT
  • 47. PEOPLE / PROCESS / TOOLS
  • 48. GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING
  • 49. GAUNTLT = SECURITY + CUCUMBER (photo: http://www.flickr.com/photos/35231744@N00/286858571/)
  • 50. CODE -> BUILD -> TEST -> DEPLOY -> FEEDBACK
  • 51. CODE -> BUILD -> TEST -> DEPLOY -> (~12 MOS. LATER) SECURITY
  • 52. CODE -> BUILD -> TEST -> SECURITY -> DEPLOY -> FEEDBACK
  • 53. A STORY FROM 2010…
  • 54. DEVOPS (+ SECURITY!) @ernestmueller, @iteration1, @bproverb and friends
  • 55. Ruby Script -> REST ENDPOINTS: Questionable Payloads, Invalid Sessions, Large Payloads
  • 56. COLLECTION OF SCRIPTS MERGED INTO OUR TEST RUNNER
  • 57. IN'S AND OUT'S ARE EASY TO MESS UP
  • 58. CUCUMBER AND OUTSIDE-IN TESTING
  • 59. (image-only slide)
  • 60. THE START OF GAUNTLT
  • 61. OUTSIDE-IN TESTING FOR SECURITY TOOLS
  • 62. OUTPUT FROM SECURITY TOOLS IS HARD TO DECIPHER
  • 63. BE MEAN TO YOUR CODE
  • 64.–67. (diagram built up over four slides: GARMR, NMAP, ARACHNI and SQLMAP pointed at CODE)
  • 68. (image-only slide)
  • 69. BUT WHAT ABOUT THE PEOPLE
  • 70. CONVERSATION AND COLLABORATION IS THE CORE OF GAUNTLT
  • 71. DEV, OPS and SECURITY meet around *.attack files: • Execution Knowledge • Testing Logic Captured • Repeatable
  • 72. GAUNTLT IN ACTION
  • 73. *.attack (something.attack, else.attack)
  • 74. Attack Structure: Feature (description), Background (setup), Scenario (logic)
  • 75. Attack Logic: Given, When, Then
  • 76. Attack Step: Given – setup steps, check a resource is available. Example: Given "arachni" is installed
  • 77. Attack Step: When – action steps. Example: When I launch an "arachni-xss" attack
  • 78. Attack Step: Then – parsing steps. Example: Then the output should not contain "fail"
  • 79. GAUNTLT PHILOSOPHY
  • 80. RUN SECURITY TOOLS IN A REPEATABLE, EASY TO READ WAY
  • 81. GAUNTLT DOES NOT INSTALL TOOLS
  • 82. GAUNTLT SHIPS WITH PRE-CANNED ATTACKS AND STEPS
  • 83. BE PART OF THE CI/CD PIPELINE
  • 84. HANDLE STDIN, STDOUT, AND EXIT STATUS
  • 85. GAUNTLT IN USE
  • 86. AT A GAME DEV SHOP
    • Check for XSS (cross site scripting) [Arachni]
    • Check for new login pages [Garmr]
    • Check for insecure refs in login flows [Garmr]
    • Extended XSS testing [Custom Arachni] (PR coming soon)
  • 87. MENTOR GRAPHICS
    • Smoke test integration on environment build
    • Checks REST services [curl]
    • Tests for XSS [arachni]
    • Injection attacks [sqlmap, dirb]
    • Misconfiguration [dirb]
    • SSL checks [sslyze]
  • 88. AT CABFORWARD
    • Ruby dev shop
    • Integrated into CI for customers
    • GITHUB -> TravisCI -> Unit Tests / Integration Tests / Gauntlt
  • 89. GITHUB.COM/GAUNTLT/GAUNTLT
  • 90. $ gem install gauntlt
  • 91. Example attack file, annotated on the slide with its Given / When / Then parts:
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should contain:
          """
          80/tcp open http
          """
      Scenario: Verify that there are no unexpected ports open
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should not contain:
          """
          25/tcp
          """
  • 92. HANDS ON
  • 93. EVERYTHING YOU NEED… http://bit.ly/gauntlt-demo-instructions
  • 94. OPTION 1
  • 95. OPTION 1 - CONTINUED
  • 96. OPTION 2
  • 97. $ vagrant ssh
    vagrant@precise32:~$
  • 98. $ cd gauntlt-demo
  • 99. $ rvm use 1.9.3
  • 100. 04_Hello World with Gauntlt.md
    $ cd ./examples
    $ gauntlt ./hello_world/hello_world.attack
  • 101.–108. (screenshot slides, no text)
  • 109. $ gauntlt --steps
    /^"(\w+)" is installed in my path$/
    /^"arachni" is installed$/
    /^"curl" is installed$/
    /^"dirb" is installed$/
    /^"garmr" is installed$/
    /^"nmap" is installed$/
    /^"sqlmap" is installed$/
    /^"sslyze" is installed$/
    /^I launch (?:a|an) "arachni" attack with:$/
    /^I launch (?:a|an) "arachni-(.*?)" attack$/
    /^I launch (?:a|an) "curl" attack with:$/
    /^I launch (?:a|an) "dirb" attack with:$/
    /^I launch (?:a|an) "garmr" attack with:$/
    /^I launch (?:a|an) "generic" attack with:$/
    /^I launch (?:a|an) "nmap" attack with:$/
    /^I launch (?:a|an) "nmap-(.*?)" attack$/
    /^I launch (?:a|an) "sqlmap" attack with:$/
    /^I launch (?:a|an) "sslyze" attack with:$/
    /^the "(.*?)" command line binary is installed$/
    /^the DIRB_WORDLISTS environment variable is set$/
    /^the file "(.*?)" should contain XML:$/
    /^the file "(.*?)" should not contain XML:$/
    /^the following cookies should be received:$/
    /^the following environment variables:$/
    /^the following profile:$/
  • 110.–119. (screenshot slides, no text)
  • 120. bundle exec gauntlt --format html > out.html
  • 121. (screenshot slide, no text)
  • 122. Community
    • Google Group > https://groups.google.com/d/forum/gauntlt
    • Wiki > https://github.com/gauntlt/gauntlt/wiki
    • IRC > #gauntlt on freenode
    • Weekly hangout > http://bit.ly/gauntlt-hangout
    • Issue tracking > http://github.com/gauntlt/gauntlt
  • 123. BETA INVITE TO UDEMY CLASS? EMAIL JAMES@GAUNTLT.ORG
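The attack structure from slides 74-78 and the nmap attack on slide 91, worked through as an added example that is not Gauntlt's own code: a miniature Ruby interpreter for the Given / When / Then steps that does what slide 84 describes, checking the tool is on PATH, running the docstring command with the profile filled in, and asserting on stdout and the exit status. The step wording follows the slides; the `the exit status should be N` step and the `printf` stand-in for nmap in the constructed attack are assumptions so that it runs offline.

```ruby
require 'open3'
# The three things Gauntlt asks of a tool: is it on PATH, what did it print, how did it exit.
def installed?(tool)
  ENV['PATH'].to_s.split(File::PATH_SEPARATOR).any? { |d| File.executable?(File.join(d, tool)) }
end
def launch(cmd)
  Open3.capture2e(cmd).then { |out, st| [out, st.exitstatus] }   # stdout and stderr merged
end

# Parse an attack into a profile hash and a list of [step text, docstring lines].
def parse_attack(text)
  profile, steps, doc = {}, [], nil
  text.each_line do |raw|
    line = raw.strip
    if line == '"""' then doc = doc ? nil : steps.last[1]                    # docstring of last step
    elsif doc then doc << line
    elsif line =~ /\A\|\s*(\w+)\s*\|([^|]*)\|/ then profile[$1] = $2.strip unless $1 == 'name'
    elsif line =~ /\A(?:Given|When|Then|And) (.*)\z/ then steps << [$1, []]
    end
  end
  [profile, steps]
end

# Run the steps in order; returns failure messages, so an empty list means the attack passed.
def run_attack(text)
  profile, steps = parse_attack(text)
  out, status, failures = '', nil, []
  steps.each do |step, doc|
    body = doc.join("\n")
    case step
    when /\A"(.+)" is installed\z/ then failures << "#{$1} is not installed" unless installed?($1)
    when /\AI launch an? "(.+)" attack with:\z/
      out, status = launch(body.gsub(/<(\w+)>/) { profile.fetch($1) })   # fill <hostname> from the profile
    when /\Athe output should (not )?contain:\z/
      want = $1.nil?   # "should contain" wants true, "should not contain" wants false
      failures << "output #{want ? 'lacks' : 'contains'} #{body.inspect}" if out.include?(body) != want
    when /\Athe exit status should be (\d+)\z/ then failures << "exit status was #{status}" unless status == $1.to_i
    end
  end
  failures
end

# Constructed attack: a "generic" attack wrapping printf in place of `nmap -F <hostname>` so it runs offline.
ATTACK = <<~'GHERKIN'
  Given "printf" is installed
  And the following profile:
    | name     | value       |
    | hostname | example.com |
  When I launch a "generic" attack with:
    """
    printf 'scan of <hostname>\n80/tcp open http\n'
    """
  Then the output should contain:
    """
    80/tcp open http
    """
GHERKIN
```

`run_attack(ATTACK)` returns `[]` for a passing attack; each failed Then step contributes one message, which is what a CI job would print before exiting non-zero.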