Putting Rugged Into your DevOps Toolchain
Presentation given at DevOps Days Mountain View, on June 29th, 2012. #devopsdays

    Presentation Transcript

    • PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN - JAMES WICKETT, @WICKETT
    • I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
    • James Wickett, CISSP, GWAPT, CCSK, GSEC, GCFW - @wickett @RuggedDevOps @gauntlt
    • HTTP://BIT.LY/RUGGED-DEVOPS
    • A BRIEF HISTORY OF INFORMATION SECURITY
    • WE USED TO BE COOL
    • WE HAD CINEMA
    • WE HAD HEROES
    • WE MADE FREE PHONE CALLS
    • WE WERE COOL
    • WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
    • WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT
    • WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM
    • ONCE IN THE ORG INFOSEC MADE BIG CLAIMS
    • WE COULDN'T STOP THE VIRUSES AND WORMS
    • ENTER RISK ASSESSMENT
    • INSTEAD OF ENGINEERING INFOSEC BECAME ACTUARIES
    • WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
    • "[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK" - MICHAL ZALEWSKI
    • WE MADE A SIGNIFICANT ERROR
    • WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS
    • TJX H@CK3D!
    • THE STOCK PRICE DIDN'T DROP
    • OUR ASSUMPTION WAS INCOMPLETE
    • INFOSEC ALSO MADE A SECOND BIG MISTAKE
    • IT STAYED IN INFORMATION TECHNOLOGY
    • IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE
    • SOMETHING ELSE HAPPENED GLOBALLY
    • DEVS BECAME COOL
    • CODE BECAME SOCIAL
    • "I DON'T WANT YOU TO SEND ME AN INSTALLATION DVD"
    • WE SELL TIME NOW
    • WE SELL SOCIAL AND FRIENDSHIPS
    • "IS THIS SECURE?" - YOUR CUSTOMER
    • "IT'S CERTIFIED" - YOU
    • WHY CAN'T YOU GIVE A BETTER ANSWER?
    • THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
    • source: Gene Kim, “When IT says No @SXSW 2012”
    • Security sees...
        • They give advice that goes unheeded
        • Business decisions made w/o regard of risk
        • Irrelevancy in the organization
        • Constant bearer of bad news
        • Feels ignored by their peers (you know, those devops guys)
        • Inequitable distribution of labor
    • 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
    • HOW DO WE FIX THESE PROBLEMS?
        - LEARNING FROM (PREFERABLY OTHER PEOPLE'S) MISTAKES
        - DEVELOPING TOOLS TO CORRECT PROBLEMS
        - PLANNING TO HAVE EVERYTHING COMPROMISED
    • UNDERSTANDING TOOLING ARCHITECTURE
    • OPEN WEB APPLICATION SECURITY PROJECT
    • Current Software vs. Rugged Software (three comparison chart slides; only the panel titles survive in the transcript)
    • ADVERSITY REQUIRES RUGGED SOLUTIONS
    • ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
    • RUGGEDIZATION THEORY: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
    • NO PAIN, NO GAIN
    • "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
    • REPEATABLE - NO MANUAL STEPS
      RELIABLE - NO DOS HERE
      REVIEWABLE - AKA AUDIT
      RAPID - FAST TO BUILD, DEPLOY, RESTORE
      RESILIENT - AUTOMATED RECONFIGURATION
      REDUCED - LIMITED ATTACK SURFACE
    • RUGGED BY DESIGN, DEVOPS BY CULTURE
    • RUGGED DEVOPS
    • Put your code through the gauntlt
    • GAUNTLET, N. AN ATTACK FROM ALL SIDES
    • (diagram: your web app, and you, surrounded by custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af and nmap)
    • gauntlt is built for doing security testing in a DevOps world
    • GAUNTLT IS
    • AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
    • WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
    • ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
    • MEET THE GAUNTLT TEAM
    • MANI TADAYON - "SOFTWARE - WAR = SOFTE" - @BWSR_SR
    • ROY RAPOPORT - "I PICKED UP THE TEE SHIRTS" - @ROYRAPOPORT
    • BILL BURNS - @X509V3 - "SMITHERS, RELEASE THE MONKEYS!"
    • JOSHUA CORMAN - @JOSHCORMAN @RUGGEDSOFTWARE - "HONEY BADGER DOES CARE"
    • JASON CHAN - @CHANJBS
    • NOT PICTURED: MATT TESAURO, TAREK MOUSSA
    • WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
    • GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
    • GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
    • HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
    • LET'S LOOK INSIDE A COUPLE OF THESE FILES
    • feature for nmap: nmap.feature

      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:
          Given nmap is installed

        Scenario: Verify server is available on standard web ports
          Given the hostname in the profile.xml
          When I run nmap against the hostname in the profile on ports 80,443
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """
    • step definition for nmap: nmap.rb

      # Background step: gauntlt refuses to run the attack if the tool is missing.
      Given /^nmap is installed$/ do
        steps %{
          When I run `which nmap`
          Then the output should contain:
          """
          nmap
          """
        }
      end

      # The digit classes lost their backslashes in the transcript ((d+) for (\d+));
      # the two captured ports are also passed to nmap rather than hardcoding -p80,443,
      # so the feature text and the command that actually runs stay in sync.
      When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
        steps %{
          When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
        }
      end
    • running gauntlt with failing tests

      wickett$ gauntlt
      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:                                                  # features/nmap/nmap.feature:5
          Given nmap is installed                                    # features/step_definitions/nmap.rb:2

        Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
          Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
          When I run nmap against the hostname in the profile on ports 8080,443   # features/step_definitions/nmap.rb:12
          Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
            """
            8080/tcp open http
            443/tcp open https
            """
      ...
      Failing Scenarios:
      cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

      1 scenario (1 failed)
      4 steps (1 failed, 3 passed)
      0m0.341s

    • running gauntlt with passing tests

      wickett$ gauntlt
      @gauntlet @run
      Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:                                                  # features/nmap/nmap.feature:5
          Given nmap is installed                                    # features/step_definitions/nmap.rb:2

        Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
          Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
          When I run nmap against the hostname in the profile on ports 80,443   # features/step_definitions/nmap.rb:12
          Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
            """
            80/tcp open http
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m1.117s
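    The nmap feature above only asserts that the expected ports are open; the "REDUCED - LIMITED ATTACK SURFACE" slide also wants everything else closed. The following checker is an added example (not part of the slides or of the gauntlt project): it parses nmap's port table and reports both missing and unexpected open ports, so a gauntlt step could fail the build on either. The nmap output, hostname and address are constructed sample data.

```ruby
# Added example, not from the slides or from gauntlt: check an nmap scan
# against an allowlist of ports the profile says should be open.

# Constructed sample of nmap's normal output (host and address are made up).
NMAP_OUTPUT_SAMPLE = <<~NMAP
  Starting Nmap ( http://nmap.org )
  Nmap scan report for example.test (192.0.2.10)
  Host is up (0.012s latency).
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  80/tcp   open     http
  443/tcp  open     https
  8080/tcp filtered http-proxy
  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
NMAP

# Parse the "PORT STATE SERVICE" rows into { port => { proto:, state:, service: } }.
# Header, banner and summary lines do not match the pattern and are skipped.
def parse_nmap_ports(output)
  ports = {}
  output.each_line do |line|
    next unless line =~ %r{^(\d+)/(tcp|udp)\s+(\S+)\s+(\S*)}
    ports[$1.to_i] = { proto: $2, state: $3, service: $4 }
  end
  ports
end

# Compare the ports nmap reports as open with the allowlist from the profile.
# :missing    = expected to be open but not open (service is down)
# :unexpected = open but not on the allowlist (attack surface grew)
# :pass is true only when both lists are empty.
def check_attack_surface(output, expected_ports)
  open_ports = parse_nmap_ports(output).select { |_, v| v[:state] == 'open' }.keys
  missing    = expected_ports - open_ports
  unexpected = open_ports - expected_ports
  { missing: missing, unexpected: unexpected, pass: missing.empty? && unexpected.empty? }
end

if __FILE__ == $0
  # The slide's allowlist is 80 and 443; the sample also has ssh open, so this fails.
  result = check_attack_surface(NMAP_OUTPUT_SAMPLE, [80, 443])
  puts "pass=#{result[:pass]} missing=#{result[:missing]} unexpected=#{result[:unexpected]}"
end
```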
    • RESOURCES
    • WANT TO JOIN THE GAUNTLT TEAM? EMAIL JAMES@RUGGEDDEVOPS.ORG
    • Please get in touch with me: @wickett @RuggedDevOps @gauntlt