Putting Rugged Into your DevOps Toolchain

Presentation given at DevOps Days Mountain View, on June 29th, 2012. #devopsdays
  1. PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN (JAMES WICKETT, @WICKETT)
  2. I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
  3. James Wickett, CISSP, GWAPT, CCSK, GSEC, GCFW. @wickett @RuggedDevOps @gauntlt
  4. HTTP://BIT.LY/RUGGED-DEVOPS
  5. A BRIEF HISTORY OF INFORMATION SECURITY
  6. WE USED TO BE COOL
  7. WE HAD CINEMA
  8. WE HAD HEROES
  9. WE MADE FREE PHONE CALLS
  10. WE WERE COOL
  11. WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
  12. WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT
  13. WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM
  14. ONCE IN THE ORG, INFOSEC MADE BIG CLAIMS
  15. WE COULDN’T STOP THE VIRUSES AND WORMS
  16. ENTER RISK ASSESSMENT
  17. INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
  18. WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
  19. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
  20. WE MADE A SIGNIFICANT ERROR
  21. WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS
  22. TJX H@CK3D!
  23. THE STOCK PRICE DIDN’T DROP
  24. OUR ASSUMPTION WAS INCOMPLETE
  25. INFOSEC ALSO MADE A SECOND BIG MISTAKE
  26. IT STAYED IN INFORMATION TECHNOLOGY
  27. IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE
  28. SOMETHING ELSE HAPPENED GLOBALLY
  29. DEVS BECAME COOL
  30. CODE BECAME SOCIAL
  31. “I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
  32. WE SELL TIME NOW
  33. WE SELL SOCIAL AND FRIENDSHIPS
  34. “IS THIS SECURE?” - YOUR CUSTOMER
  35. “IT’S CERTIFIED” - YOU
  36. WHY CAN’T YOU GIVE A BETTER ANSWER?
  37. THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
  38. source: Gene Kim, “When IT says No @SXSW 2012”
  39. Security sees... • They give advice that goes unheeded • Business decisions made w/o regard of risk • Irrelevancy in the organization • Constant bearer of bad news • Feels ignored by their peers (you know, those devops guys) • Inequitable distribution of labor
  40. 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
  41. HOW DO WE FIX THESE PROBLEMS?
  42. - LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES - DEVELOPING TOOLS TO CORRECT PROBLEMS - PLANNING TO HAVE EVERYTHING COMPROMISED
  43. UNDERSTANDING TOOLING ARCHITECTURE
  44. OPEN WEB APPLICATION SECURITY PROJECT
  45. Current Software
  46. Rugged Software
  47. Current Software
  48. Rugged Software
  49. Current Software
  50. Rugged Software
  51. ADVERSITY REQUIRES RUGGED SOLUTIONS
  52. ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
  53. RUGGEDIZATION THEORY: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  54. NO PAIN, NO GAIN
  55. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
  56. REPEATABLE – NO MANUAL STEPS; RELIABLE – NO DOS HERE; REVIEWABLE – AKA AUDIT; RAPID – FAST TO BUILD, DEPLOY, RESTORE; RESILIENT – AUTOMATED RECONFIGURATION; REDUCED – LIMITED ATTACK SURFACE
  57. RUGGED BY DESIGN, DEVOPS BY CULTURE
  58. RUGGED DEVOPS
  59. Put your code through the gauntlt
  60. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  61. (diagram of tools surrounding your web app) custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap; Your web app; You
  62. gauntlt is built for doing security testing in a DevOps world
  63. GAUNTLT IS
  64. AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
  65. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  66. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  67. MEET THE GAUNTLT TEAM
  68. MANI TADAYON "SOFTWARE - WAR = SOFTE" @BWSR_SR
  69. ROY RAPOPORT “I PICKED UP THE TEE SHIRTS” @ROYRAPOPORT
  70. BILL BURNS @X509V3 “SMITHERS, RELEASE THE MONKEYS!”
  71. JOSHUA CORMAN @JOSHCORMAN @RUGGEDSOFTWARE “HONEY BADGER DOES CARE”
  72. JASON CHAN @CHANJBS
  73. NOT PICTURED: MATT TESAURO, TAREK MOUSSA
  74. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  75. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  76. GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
  77. HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
  78. LET’S LOOK INSIDE A COUPLE OF THESE FILES
  79. feature for nmap: nmap.feature

        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:
            Given nmap is installed

          Scenario: Verify server is available on standard web ports
            Given the hostname in the profile.xml
            When I run nmap against the hostname in the profile on ports 80,443
            Then the output should contain:
              """
              80/tcp open http
              443/tcp open https
              """

  80. step definition for nmap: nmap.rb

        # Background step: fail early if nmap is not on the PATH.
        Given /^nmap is installed$/ do
          steps %{
            When I run `which nmap`
            Then the output should contain:
              """
              nmap
              """
          }
        end

        # Scan the hostname read from profile.xml on the two ports named in the step.
        # The regex needs escaped digit classes (\d+); the slide as extracted lost the
        # backslashes and hard-coded -p80,443 instead of using the captured ports.
        When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
          steps %{
            When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
          }
        end

  81. running gauntlt with failing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                        # features/nmap/nmap.feature:5
            Given nmap is installed                                          # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports         # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                            # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                                  # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              8080/tcp open http
              443/tcp open https
              """
        ...
        Failing Scenarios:
        cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

        1 scenario (1 failed)
        4 steps (1 failed, 3 passed)
        0m0.341s

  82. running gauntlt with passing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                        # features/nmap/nmap.feature:5
            Given nmap is installed                                          # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports         # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                            # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                                  # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              80/tcp open http
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m1.117s
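The check that nmap.feature expresses in Gherkin ("Then the output should contain: 80/tcp open http ...") is, underneath, a comparison of nmap's port table against an allow list. The block below is an added example, not code from the slides or from the gauntlt project: it implements that comparison in plain Ruby over a saved nmap report so it runs offline, and it goes one step beyond the slide's availability check by also flagging ports that are open but not on the allow list (the REDUCED, limited-attack-surface property from slide 56). The nmap output, the hostname and the function names are constructed for the example.

```ruby
# Added example (not from the slides or from gauntlt itself): the port check
# that nmap.feature expresses in Gherkin, written as plain Ruby so it can run
# offline against a saved nmap report. Beyond the slide's check it also flags
# ports that are open but NOT on the allow list (REDUCED - limited attack surface).

# Constructed sample of nmap's normal-format output; not a real scan result.
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-06-29 10:00 CDT
  Nmap scan report for app.example.test (192.0.2.10)
  Host is up (0.0021s latency).
  Not shown: 996 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  80/tcp   open     http
  443/tcp  open     https
  8080/tcp filtered http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
NMAP

# One "PORT STATE SERVICE" row, e.g. "443/tcp  open  https".
PORT_ROW = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

# Parse the port table into { "80/tcp" => { state: "open", service: "http" }, ... }.
# Banner, "Not shown" and summary lines do not match PORT_ROW and are skipped.
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    m = PORT_ROW.match(line.strip)
    next unless m
    ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
  end
end

# Allow-list check. Every port in expected_open must be open (the slide's
# availability check) and nothing else may be open (attack-surface check).
def check_ports(output, expected_open)
  open_ports = parse_nmap_ports(output).select { |_, v| v[:state] == "open" }.keys
  missing    = expected_open - open_ports
  unexpected = open_ports - expected_open
  {
    passed:     missing.empty? && unexpected.empty?,
    open:       open_ports,
    missing:    missing,
    unexpected: unexpected
  }
end

# One-line summary for the build log, in the spirit of cucumber's step output.
def summarize(result)
  return "PASS: open ports #{result[:open].join(', ')}" if result[:passed]
  parts = []
  parts << "expected open but not open: #{result[:missing].join(', ')}" unless result[:missing].empty?
  parts << "open but not allowed: #{result[:unexpected].join(', ')}" unless result[:unexpected].empty?
  "FAIL: " + parts.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  # Same allow list as nmap.feature: only the standard web ports. The sample
  # host also has ssh open, so this fails on the attack-surface side.
  puts summarize(check_ports(SAMPLE_NMAP_OUTPUT, %w[80/tcp 443/tcp]))
  # Mirrors the failing run on slide 81: 8080 is expected but is not open.
  puts summarize(check_ports(SAMPLE_NMAP_OUTPUT, %w[8080/tcp 443/tcp]))
end
```

The allow list is the whole policy: a `missing` entry means the service the team depends on is not reachable (the slide's failing run), an `unexpected` entry means something is listening that nobody signed off on. In a pipeline, a wrapper exits non-zero whenever `passed` is false so the build stops, which is the same gate gauntlt provides through cucumber's exit status.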
  83. RESOURCES
  84. WANT TO JOIN THE GAUNTLT TEAM? EMAIL JAMES@RUGGEDDEVOPS.ORG
  85. Please get in touch with me: @wickett @RuggedDevOps @gauntlt