Pragmatic Security and Rugged DevOps - SXSW 2015

10,368 views

Published on

From SXSW Interactive 2015

Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.

This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.

Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.

2. Armed with tools and ideas for monitoring your operational and runtime security.

3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

http://schedule.sxsw.com/2015/events/event_IAP35935

Published in: Technology

Pragmatic Security and Rugged DevOps - SXSW 2015

  1. 1. PRAGMATIC SECURITY AND RUGGED DEVOPS WORKSHOP @WICKETT // @MATTJAY
  2. 2. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY CONVERSATION #SXSW + #RUGGED CODE
  3. 3. #SXSW #RUGGEDCODE 50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES! leanpub.com/hands-on-gauntlt/c/50percentoff
  4. 4. #SXSW #RUGGEDCODE 63% HANDS ON LABS! APPLIEDTHEORY
  5. 5. #SXSW #RUGGEDCODE WORKSHOP PLEDGE
  6. 6. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY You/Me I will not attempt to access my neighbor’s computer I will not hack the wifi I will be friendly to those around me
  7. 7. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY TWO 5-MINUTE BREAK
  8. 8. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HANDS-ON LABS ~8 Mini Labs lasting 5 to 10 minutes each Let us know if you are having a problem, and we will help We will also be around after the class to help as well
  9. 9. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY TIPS FOR THE LABS Open the labs folder in your browser to follow along to benefit from markdown display Run all commands from the ~/gauntlt-demo
  10. 10. #SXSW #RUGGEDCODE WHY ARE YOU HERE?
  11. 11. #SXSW #RUGGEDCODE
  12. 12. #SXSW #RUGGEDCODE OUR GOAL: EQUIP YOU WITH PRAGMATIC APPROACHES TO SECURITY THAT CAN HELP YOU MAKE A DIFFERENCE
  13. 13. #SXSW #RUGGEDCODE WHO ARE WE?
  14. 14. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY JAMES WICKETT Sr. Engineer at Signal Sciences Austin, TX Gauntlt Core Team DevOps Days Austin Organizer Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
  15. 15. signalsciences.com
  16. 16. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY MATT JOHANSEN Houston, TX Sr. Manager, TRC WhiteHat Security BlackHat, DEFCON, RSA, more++ Wannabe Dev (node.js, angularjs) I’m hiring
  17. 17. #SXSW #RUGGEDCODE WHY DOES THIS MATTER?
  18. 18. #SXSW #RUGGEDCODE SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY
  19. 19. #SXSW #RUGGEDCODE HUMANS OPTIMIZE FOR THE PROBABLE
  20. 20. #SXSW #RUGGEDCODE WE OPTIMIZE FOR THE PROBABLE
  21. 21. #SXSW #RUGGEDCODE UNIT TESTING
  22. 22. #SXSW #RUGGEDCODE INTEGRATION TESTING
  23. 23. #SXSW #RUGGEDCODE HAPPY PATH ENGINEERING
  24. 24. #SXSW #RUGGEDCODE WE OPTIMIZE FOR THE POSSIBLE
  25. 25. #SXSW #RUGGEDCODE OVER ENGINEERING
  26. 26. #SXSW #RUGGEDCODE STRESS AND LOAD TESTING
  27. 27. #SXSW #RUGGEDCODE WE OPTIMIZE FOR THE PERCEIVED PROBABLE
  28. 28. #SXSW #RUGGEDCODE HOW DO WE PERCEIVE WHAT IS PROBABLE?
  29. 29. #SXSW #RUGGEDCODE EPISTEMOLOGICAL PROBLEM OF SOFTWARE DEVELOPMENT
  30. 30. #SXSW #RUGGEDCODE WE ATTEMPT TO SOLVE IT BY GATHERING DATA OR RHETORIC
  31. 31. #SXSW #RUGGEDCODE 3 APPROACHES TO SOLVE THE EPISTEMOLOGICAL PROBLEM OF SOFTWARE DEVELOPMENT
  32. 32. #SXSW #RUGGEDCODE ARC 1: AGILE
  33. 33. #SXSW #RUGGEDCODE AGILE SIDE-STEPS THE PROBLEM
  34. 34. #SXSW #RUGGEDCODE AGILE SAYS WE DON’T KNOW WHAT WE ARE BUILDING
  35. 35. #SXSW #RUGGEDCODE SOLUTION: RELEASE FEATURES TO CUSTOMERS RAPIDLY
  36. 36. #SXSW #RUGGEDCODE JUST SHIP IT!
  37. 37. #SXSW #RUGGEDCODE BEHAVIOR DRIVEN DEV
  38. 38. #SXSW #RUGGEDCODE BEHAVIOR DRIVEN DEVELOPMENT IS A SECOND- GENERATION, OUTSIDE–IN, PULL-BASED, MULTIPLE-STAKEHOLDER, MULTIPLE-SCALE, HIGH- AUTOMATION, AGILE METHODOLOGY. IT DESCRIBES A CYCLE OF INTERACTIONS WITH WELL-DEFINED OUTPUTS, RESULTING IN THE DELIVERY OF WORKING, TESTED SOFTWARE THAT MATTERS. DAN NORTH , 2009
  39. 39. #SXSW #RUGGEDCODE AMPLIFY THE FEEDBACK LOOP
  40. 40. #SXSW #RUGGEDCODE TLDR RAPID ITERATIONS WIN
  41. 41. #SXSW #RUGGEDCODE AGILE IS OUR GUIDING LIGHT
  42. 42. #SXSW #RUGGEDCODE PEOPLE MATTER
  43. 43. #SXSW #RUGGEDCODE WE DON'T SELL CD’S ANYMORE #SXSW #RUGGEDCODE
  44. 44. #SXSW #RUGGEDCODE SOFTWARE AS A SERVICE
  45. 45. #SXSW #RUGGEDCODE THE LAST 15 YEARS HAVE BROUGHT A COMPLETE CHANGE IN OUR DELIVERY CADENCE, DISTRIBUTION, AND REVENUE MODELS
  46. 46. #SXSW #RUGGEDCODE DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK
  47. 47. #SXSW #RUGGEDCODEARC 2: DEVOPS
  48. 48. #SXSW #RUGGEDCODE
  49. 49. #SXSW #RUGGEDCODE AGILE INFRASTRUCTURE http://itrevolution.com/the-history-of-devops/
  50. 50. #SXSW #RUGGEDCODE http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  51. 51. #SXSW #RUGGEDCODE FIRST DEVOPS DAYS, GHENT 2009 @PATRICKDEBOIS
  52. 52. #SXSW #RUGGEDCODE THE OPPOSITE OF DEVOPS IS DESPAIR - GENE KIM #SXSW #RUGGEDCODE
  53. 53. #SXSW #RUGGEDCODE http://dev2ops.org/blog/2010/2/22/what-is-devops.html
  54. 54. #SXSW #RUGGEDCODE
  55. 55. #SXSW #RUGGEDCODE DEVOPS REALIZED THAT OPS DOESN'T KNOW WHAT DEVS KNOW AND VICE VERSA
  56. 56. #SXSW #RUGGEDCODE DEV : OPS 10 : 1
  57. 57. #SXSW #RUGGEDCODE DEVOPS IS AN EPISTEMOLOGICAL BREAKTHROUGH JOINING DISPARATE PEOPLE AROUND A COMMON PROBLEM
  58. 58. #SXSW #RUGGEDCODE DEVOPS IS AN INCLUSIVE MOVEMENT THAT CODIFIES A CULTURE - ADAM JACOBS
  59. 59. #SXSW #RUGGEDCODE CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE
  60. 60. #SXSW #RUGGEDCODE WHAT WE VALUE DETERMINES OUR CULTURE
  61. 61. #SXSW #RUGGEDCODE #SXSW #RUGGEDCODE
  62. 62. #SXSW #RUGGEDCODE MUTUAL UNDERSTANDING SHARED LANGUAGE OPENNESS VISUALIZATION TOOLING
  63. 63. #SXSW #RUGGEDCODE DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI
  64. 64. #SXSW #RUGGEDCODE DEVOPS IS NOT A TECHNOLOGICAL PROBLEM. DEVOPS IS A BUSINESS PROBLEM. - DAMON EDWARDS
  65. 65. #SXSW #RUGGEDCODE http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
  66. 66. #SXSW #RUGGEDCODE THE FIRST SCIENTIFIC STUDY OF THE RELATIONSHIP BETWEEN ORGANIZATIONAL PERFORMANCE, IT PERFORMANCE AND DEVOPS PRACTICES
  67. 67. #SXSW #RUGGEDCODE DEVOPS PRACTICES IMPROVE IT PERFORMANCE
  68. 68. #SXSW #RUGGEDCODE CULTURE AUTOMATION MEASUREMENT SHARING @BOTCHAGALUPE @DAMONEDWARDS
  69. 69. #SXSW #RUGGEDCODE ANTIPATTERN: REBRAND YOUR OPS TEAM TO DEVOPS TEAM
  70. 70. #SXSW #RUGGEDCODE ANTIPATTERN: MANUAL CONFIG OF PRODUCTION ENVIRONMENT #SXSW #RUGGEDCODE
  71. 71. #SXSW #RUGGEDCODE CHEF, PUPPET, ANSIBLE, CFENGINE RUNDECK, MCOLLECTIVE JENKINS, TRAVIS, KITCHEN CUCUMBER, GAUNTLT, SERVERSPEC VAGRANT, DOCKER
  72. 72. #SXSW #RUGGEDCODE BEWARE OF THE DEVOPS SOFTWARE SOLUTION
  73. 73. #SXSW #RUGGEDCODE “THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
  74. 74. #SXSW #RUGGEDCODE BUSINESS METRICS EVENT CORRELATION USAGE BASED MONITORING
  75. 75. #SXSW #RUGGEDCODE
  76. 76. #SXSW #RUGGEDCODE ARC 3: CONTINUOUS DELIVERY
  77. 77. #SXSW #RUGGEDCODE CONTINUOUS DELIVERY IS NOT MERELY HOW OFTEN YOU DELIVER BUT HOW LITTLE YOU CAN DELIVER AT A TIME
  78. 78. #SXSW #RUGGEDCODE #SXSW #RUGGEDCODE
  79. 79. #SXSW #RUGGEDCODE BATCH SIZE OF 1
  80. 80. #SXSW #RUGGEDCODE OLD WAY CHANGES BREAK STUFF, SO LIMIT THEM AND BATCH THEM ALL TOGETHER
  81. 81. #SXSW #RUGGEDCODE NEW WAY DELIVERY OF ONE CHANGE AT A TIME REDUCES OUTAGES, INCREASES PERFORMANCE, AND LIMITS TECHNICAL DEBT
  82. 82. #SXSW #RUGGEDCODE NEVER PASS DEFECTS TO THE NEXT STEP The Practice of Cloud System Administration
  83. 83. #SXSW #RUGGEDCODE YOU MUST DEPLOY YOUR STUFF #SXSW #RUGGEDCODE
  84. 84. #SXSW #RUGGEDCODE LET THE BOTS TROLL THE USERS FOR THE LOLZ.
  85. 85. #SXSW #RUGGEDCODE ALLOCATE TIME TO ENHANCE THE BUILD, TEST AND DEPLOY SYSTEM The Practice of Cloud System Administration
  86. 86. #SXSW #RUGGEDCODE REDUCE CODE LATENCY AND INCREASE CODE VELOCITY
  87. 87. #SXSW #RUGGEDCODE THE NEXT ARC: SECURITY Rugged
  88. 88. #SXSW #RUGGEDCODE “… THOSE STUPID DEVELOPERS” - SECURITY PERSON
  89. 89. #SXSW #RUGGEDCODE “SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED” - DEVELOPER
  90. 90. #SXSW #RUGGEDCODE CULTURAL UNREST WITH SECURITY IN AN ORGANIZATION
  91. 91. #SXSW #RUGGEDCODE COMPLIANCE DRIVEN CULTURE: PCI, SOX, …
  92. 92. #SXSW #RUGGEDCODE “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  93. 93. #SXSW #RUGGEDCODE RATIO PROBLEM DEVS : OPS : SECURITY 100 : 10 : 1
  94. 94. #SXSW #RUGGEDCODE SECURITY TOOLS ARE RUN OUT-OF-BAND
  95. 95. #SXSW #RUGGEDCODE SECURITY TOOLS ARE CONFUSING
  96. 96. #SXSW #RUGGEDCODE
  97. 97. #SXSW #RUGGEDCODE AND WHEN THEY ARE DONE THEY GIVE YOU THIS LOVELY GEM
  98. 98. #SXSW #RUGGEDCODE THE TIDE IS CHANGING
  99. 99. #SXSW #RUGGEDCODE RESILIENCY ENGINEERING
  100. 100. #SXSW #RUGGEDCODE THE INFAMOUS NETFLIX CHAOS MONKEY
  101. 101. #SXSW #RUGGEDCODE RUGGED
  102. 102. #SXSW #RUGGEDCODE
  103. 103. #SXSW #RUGGEDCODE
  104. 104. #SXSW #RUGGEDCODE THE RUGGED MANIFESTO (EXCERPTS)
  105. 105. #SXSW #RUGGEDCODE I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED. I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD. I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.
  106. 106. #SXSW #RUGGEDCODE I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM.
  107. 107. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY #RUGGEDDEVOPS #DEVOPSSEC
  108. 108. #SXSW #RUGGEDCODE http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  109. 109. #SXSW #RUGGEDCODE RUGGED JOURNEY
  110. 110. #SXSW #RUGGEDCODE http://videos.2012.appsecusa.org/video/54250716
  111. 111. #SXSW #RUGGEDCODE http://www.youtube.com/watch?v=jQblKuMuS0Y
  112. 112. #SXSW #RUGGEDCODE https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  113. 113. #SXSW #RUGGEDCODE HTTPS://SPEAKERDECK.COM/MKONDA/APPSECUSA-2013-INSECURE-EXPECTATIONS http://vimeo.com/75930344
  114. 114. #SXSW #RUGGEDCODE SECURITY TOOLING TO DELIVERY PIPELINE
  115. 115. #SXSW #RUGGEDCODE …TO INFLUENCE CULTURE, AUTOMATION, MEASUREMENT AND SHARING
  116. 116. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY RUGGED WEB APPS
  117. 117. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY VULNERABLE CODE IS EVERYWHERE
  118. 118. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY CROSS SITE SCRIPTING [XSS]
  119. 119. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHAT IS IT? [XSS]
  120. 120. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY REFLECTIVE [XSS]
  121. 121. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  122. 122. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY PERSISTENT [XSS]
  123. 123. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY DOM BASED [XSS]
  124. 124. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHY IS IT BAD? [XSS]
  125. 125. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY DOCUMENT.COOKIE [XSS]
  126. 126. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  127. 127. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY DOCUMENT.LOCATION [XSS]
  128. 128. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HOW DO I FIX IT? [XSS]
  129. 129. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GOOD: INPUT SANITIZATION [XSS]
  130. 130. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY BLACKLIST :( [XSS]
  131. 131. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHITELIST :) [XSS]
  132. 132. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY BETTER: OUTPUT ENCODING [XSS]
  133. 133. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY < > BECOME &LT; &GT; [XSS]
  134. 134. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY SQL INJECTION [SQLi]
  135. 135. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHAT IS IT? [SQLi]
  136. 136. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHY IS IT BAD? [SQLi]
  137. 137. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  138. 138. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  139. 139. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY CREDIT: XKCD
  140. 140. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HOW WOULD YOU EXPLOIT?
  141. 141. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY ‘;
  142. 142. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY PWNED
  143. 143. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HOW DO I FIX IT? [SQLi]
  144. 144. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY PARAMETERIZED QUERIES [SQLi]
  145. 145. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY PARAMETERIZED QUERIES (PHP) [SQLi]
  146. 146. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY PARAMETERIZED QUERIES (JAVA) [SQLi]
  147. 147. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY CROSS SITE REQUEST FORGERY [CSRF]
  148. 148. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHAT IS IT? [CSRF]
  149. 149. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY WHY IS IT BAD? [CSRF]
  150. 150. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  151. 151. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  152. 152. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HOW DO I FIX IT? [CSRF]
  153. 153. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  154. 154. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY TOKENS! [CSRF]
  155. 155. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY IMAGE CREDIT: DOTNETBIPS.COM
  156. 156. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY AGAIN… VULNERABLE CODE IS EVERYWHERE
  157. 157. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GETS FIXED SLOWLY
  158. 158. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GETS FIXED SLOWLY
  159. 159. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY …IF EVER
  160. 160. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY OWASP TOP 10
  161. 161. #SXSW #RUGGEDCODE LAB #1 - SETUP
  162. 162. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY SETUP github.com/gauntlt/gauntlt-demo Open the Labs in your browser > https:// github.com/gauntlt/gauntlt-demo/tree/master/labs/ sxsw-2015 You need Vagrant and VirtualBox installed on your laptop
  163. 163. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 01_Overview.md ├── 02_Setup using Vagrant.md
  164. 164. ├── 02_Setup using Vagrant.md
  165. 165. ├── 02_Setup using Vagrant.md
  166. 166. ├── 02_Setup using Vagrant.md
  167. 167. #SXSW #RUGGEDCODE 5-MINUTE BREAK
  168. 168. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB #2 - WEB APP HACKING
  169. 169. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY XSS DEMO
  170. 170. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  171. 171. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  172. 172. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY FIND THE VULN
  173. 173. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY FIND THE VULN
  174. 174. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 04_Start up Vulnerable Target.md
  175. 175. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY For this lab, poke around and try to find a second XSS vulnerability Let us know when you find it…
  176. 176. #SXSW #RUGGEDCODE INTRO TO GAUNTLT
  177. 177. #SXSW #RUGGEDCODE WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY TESTS…
  178. 178. #SXSW #RUGGEDCODE http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg
  179. 179. #SXSW #RUGGEDCODE GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING
  180. 180. #SXSW #RUGGEDCODE GAUNTLT IS OPEN SOURCE MIT LICENSED
  181. 181. #SXSW #RUGGEDCODE GAUNTLT AUTOMATES SECURITY TOOLS
  182. 182. #SXSW #RUGGEDCODE GAUNTLT = SECURITY + CUCUMBER
  183. 183. #SXSW #RUGGEDCODE
  184. 184. #SXSW #RUGGEDCODE
  185. 185. #SXSW #RUGGEDCODE
  186. 186. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  187. 187. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY C O D E GARMR NMAP CURL ARACHNI
  188. 188. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GARMR NMAP CURL ARACHNI C O D E
  189. 189. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  190. 190. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY BUILT ON CUCUMBER
  191. 191. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GAUNTLT PHILOSOPHY Gauntlt comes with pre-canned steps that hook security testing tools Gauntlt does not install tools Gauntlt wants to be part of the CI/CD pipeline Be a good citizen of exit status and stdout/stderr
  192. 192. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY GAUNTLT IS COLLABORATION
  193. 193. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY *.attack something.attack else.attack GAUNTLT IN ACTION
  194. 194. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Feature Background Scenario Description Setup Logic ATTACK STRUCTURE
  195. 195. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY ATTACK LOGIC Given When Then
  196. 196. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Given “arachni” is installed Setup steps Check Resource Available ATTACK STEP: GIVEN
  197. 197. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY ATTACK STEP: WHEN Action steps When I launch an “arachni-xss” attack
  198. 198. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY ATTACK STEP: THEN Parsing Steps Then the output should not contain “fail”
  199. 199. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LET’S PUT IT ALL TOGETHER
  200. 200. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  201. 201. #SXSW #RUGGEDCODE LAB #3 - HELLO WORLD
  202. 202. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 05_Hello World with Gauntlt.md
  203. 203. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HELLO WORLD
  204. 204. #SXSW #RUGGEDCODE LAB #4 - BASIC PORT CHECK
  205. 205. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 06_Port Check.md
  206. 206. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  207. 207. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY $ nmap -F localhost $ nmap -F scanme.nmap.org TRY OUT NMAP
  208. 208. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  209. 209. @challenge @slow Feature: check to make sure the right ports are open on our server Background: Given "nmap" is installed And the following profile: | name | value | | host | localhost | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <host> """ # Then ... # TODO: figure out a way to parse the output and determine what is passing # For hints consult the README.md
  210. 210. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY $ bundle exec gauntlt --allsteps
  211. 211. @final @slow Feature: check to make sure the right ports are open on our server Background: Given "nmap" is installed And the following profile: | name | value | | host | localhost | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <host> """ Then the output should contain: """ 8008 """ SOLUTION
  212. 212. #SXSW #RUGGEDCODE LAB #5 - CLI AND REGEX
  213. 213. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 07_Working with Gauntlt CLI.md ├── 08_Regex.md
  214. 214. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Open 07_Working with Gauntlt CLI.md and run the following:
  215. 215. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY 08_Regex.md
  216. 216. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Then the output should match: """ 8008/tcps+open """ Then the output should not match /3001.tcps+open/ SOLUTION
  217. 217. #SXSW #RUGGEDCODE LAB #6 - GARMR
  218. 218. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 09_Garmr and Web Security.md
  219. 219. #SXSW #RUGGEDCODE WHAT IS GARMR?
  220. 220. #SXSW #RUGGEDCODE GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A BUNCH OF SECURITY POLICIES IN WEB APPS
  221. 221. #SXSW #RUGGEDCODE MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US
  222. 222. #SXSW #RUGGEDCODE LAB #7 - XSS WITH ARACHNI
  223. 223. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 10_Arachni and XSS testing.md
  224. 224. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY XSS LAB!
  225. 225. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 scanme.nmap.org TRY OUT ARACHNI
  226. 226. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY BONUS POINTS, FIND THE VULN!
  227. 227. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Hint…. When I launch an "arachni-full_xss" attack
  228. 228. #SXSW #RUGGEDCODE LET US KNOW WHEN YOU HAVE FOUND IT
  229. 229. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY Arachni found XSS in Gruyere, Oh noes! localhost:8008/signup/<script>alert(1)</script>
  230. 230. #SXSW #RUGGEDCODE LAB #8 - ADVANCED GAUNTLT
  231. 231. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY LAB INSTRUCTIONS For this lab, you will complete: ├── 11_Assert Network.md ├── 12_Output to HTML.md └── 13_Working with Environment Variables.md
  232. 232. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  233. 233. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY bundle exec gauntlt --format html > out.html HTML OUTPUT
  234. 234. out.html
  235. 235. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  236. 236. #SXSW #RUGGEDCODE RUGGED TESTING ON EVERY COMMIT
  237. 237. #SXSW #RUGGEDCODE WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS WHOLE TIME WITH THE LABS!
  238. 238. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY SAHWEET!
  239. 239. #SXSW #RUGGEDCODE YOU VERY OWN BUILD SYSTEM
  240. 240. #SXSW #RUGGEDCODE bit.ly/secure-pipeline-lab0
  241. 241. #SXSW #RUGGEDCODE YOU NEED: GITHUB ACCOUNT TRAVIS CI ACCOUNT
  242. 242. #SXSW #RUGGEDCODE FORK THE REPO
  243. 243. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  244. 244. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  245. 245. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  246. 246. #SXSW #RUGGEDCODE YOU SHOULD HAVE: A FORK OF THE REPO UNDERSTANDING OF TRAVIS.YML
  247. 247. #SXSW #RUGGEDCODE bit.ly/secure-pipeline-lab1
  248. 248. #SXSW #RUGGEDCODE IN TRAVIS CI SET THE REPO TO ‘ON’ In Travis CI set the repo to ‘ON’
  249. 249. #SXSW #RUGGEDCODE ADD THE TRAVIS BADGE IN README.md
  250. 250. #SXSW #RUGGEDCODE ADD THE TRAVIS BADGE IN README.md
  251. 251. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  252. 252. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  253. 253. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  254. 254. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  255. 255. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY READ THE RAKEFILE rails-travis-example/Rakefile
  256. 256. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  257. 257. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  258. 258. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  259. 259. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  260. 260. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY HOMEWORK / EXTRAS
  261. 261. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY
  262. 262. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY http://localhost:3000
  263. 263. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY <script>alert('The Obligatory XSS Popup');</ script>
  264. 264. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY arachni http://localhost:3000 --plugin=autologin:url=http://localhost:3000/users/ sign_in,params='user[email]=test@test.com&user[passwo rd]=testtest',check='Logout test@test.com' -e /users/sign_out http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session
  265. 265. #SXSW #RUGGEDCODE @WICKETT // @MATTJAY BRAKEMAN
  266. 266. #SXSW #RUGGEDCODE NOW WHAT?
  267. 267. #SXSW #RUGGEDCODE 50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES! leanpub.com/hands-on-gauntlt/c/50percentoff
  268. 268. #SXSW #RUGGEDCODE Google Group > groups.google.com/d/forum/gauntlt Wiki > github.com/gauntlt/gauntlt/wiki Twitter > @gauntlt IRC > #gauntlt on freenode Issue tracking > github.com/gauntlt/gauntlt
  269. 269. #SXSW #RUGGEDCODE QUESTIONS?

×