Putting Rugged Into your DevOps Toolchain

Presentation given at DevOps Days Mountain View, on June 29th, 2012. #devopsdays

Transcript

  • 1. PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN – JAMES WICKETT, @WICKETT
  • 2. I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
  • 3. James Wickett, CISSP, GWAPT, CCSK, GSEC, GCFW. @wickett @RuggedDevOps @gauntlt
  • 4. HTTP://BIT.LY/RUGGED-DEVOPS
  • 5. A BRIEF HISTORY OF INFORMATION SECURITY
  • 6. WE USED TO BE COOL
  • 7. WE HAD CINEMA
  • 8. WE HAD HEROES
  • 9. WE MADE FREE PHONE CALLS
  • 10. WE WERE COOL
  • 11. WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
  • 12. WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT
  • 13. WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM
  • 14. ONCE IN THE ORG, INFOSEC MADE BIG CLAIMS
  • 15. WE COULDN’T STOP THE VIRUSES AND WORMS
  • 16. ENTER RISK ASSESSMENT
  • 17. INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
  • 18. WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
  • 19. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
  • 20. WE MADE A SIGNIFICANT ERROR
  • 21. WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS
  • 22. TJX H@CK3D!
  • 23. THE STOCK PRICE DIDN’T DROP
  • 24. OUR ASSUMPTION WAS INCOMPLETE
  • 25. INFOSEC ALSO MADE A SECOND BIG MISTAKE
  • 26. IT STAYED IN INFORMATION TECHNOLOGY
  • 27. IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE
  • 28. SOMETHING ELSE HAPPENED GLOBALLY
  • 29. DEVS BECAME COOL
  • 30. CODE BECAME SOCIAL
  • 31. “I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
  • 32. WE SELL TIME NOW
  • 33. WE SELL SOCIAL AND FRIENDSHIPS
  • 34. “IS THIS SECURE?” - YOUR CUSTOMER
  • 35. “IT’S CERTIFIED” - YOU
  • 36. WHY CAN’T YOU GIVE A BETTER ANSWER?
  • 37. THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
  • 38. source: Gene Kim, “When IT says No @SXSW 2012”
  • 39. Security sees...
        • They give advice that goes unheeded
        • Business decisions made w/o regard of risk
        • Irrelevancy in the organization
        • Constant bearer of bad news
        • Feels ignored by their peers (you know, those devops guys)
        • Inequitable distribution of labor
  • 40. 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
  • 41. HOW DO WE FIX THESE PROBLEMS?
  • 42. - LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES
        - DEVELOPING TOOLS TO CORRECT PROBLEMS
        - PLANNING TO HAVE EVERYTHING COMPROMISED
  • 43. UNDERSTANDING TOOLING ARCHITECTURE
  • 44. OPEN WEB APPLICATION SECURITY PROJECT
  • 45. Current Software
  • 46. Rugged Software
  • 47. Current Software
  • 48. Rugged Software
  • 49. Current Software
  • 50. Rugged Software
  • 51. ADVERSITY REQUIRES RUGGED SOLUTIONS
  • 52. ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
  • 53. RUGGEDIZATION THEORY: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  • 54. NO PAIN, NO GAIN
  • 55. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
  • 56. REPEATABLE – NO MANUAL STEPS
        RELIABLE – NO DOS HERE
        REVIEWABLE – AKA AUDIT
        RAPID – FAST TO BUILD, DEPLOY, RESTORE
        RESILIENT – AUTOMATED RECONFIGURATION
        REDUCED – LIMITED ATTACK SURFACE
  • 57. RUGGED BY DESIGN, DEVOPS BY CULTURE
  • 58. RUGGED DEVOPS
  • 59. Put your code through the gauntlt
  • 60. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  • 61. [Diagram] custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap; Your web app; You
  • 62. gauntlt is built for doing security testing in a DevOps world
  • 63. GAUNTLT IS
  • 64. AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
  • 65. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  • 66. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  • 67. MEET THE GAUNTLT TEAM
  • 68. MANI TADAYON "SOFTWARE - WAR = SOFTE" @BWSR_SR
  • 69. ROY RAPOPORT “I PICKED UP THE TEE SHIRTS” @ROYRAPOPORT
  • 70. BILL BURNS @X509V3 “SMITHERS, RELEASE THE MONKEYS!”
  • 71. JOSHUA CORMAN @JOSHCORMAN @RUGGEDSOFTWARE “HONEY BADGER DOES CARE”
  • 72. JASON CHAN @CHANJBS
  • 73. NOT PICTURED: MATT TESAURO, TAREK MOUSSA
  • 74. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  • 75. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  • 76. GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
  • 77. HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
  • 78. LET’S LOOK INSIDE A COUPLE OF THESE FILES
  • 79. feature for nmap: nmap.feature
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:
          Given nmap is installed

        Scenario: Verify server is available on standard web ports
          Given the hostname in the profile.xml
          When I run nmap against the hostname in the profile on ports 80,443
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """
  • 80. step definition for nmap: nmap.rb
        # Background step: the feature fails fast when nmap is not on the PATH.
        Given /^nmap is installed$/ do
          steps %{
            When I run `which nmap`
            Then the output should contain:
              """
              nmap
              """
          }
        end

        # The two (\d+) groups capture the ports named in the scenario step;
        # @hostname is set by the profile.xml step (features/step_definitions/profile.rb).
        When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
          steps %{
            When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
          }
        end
  • 81. running gauntlt with failing tests
        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                 # features/nmap/nmap.feature:5
            Given nmap is installed                                   # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports  # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                     # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                           # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              8080/tcp open http
              443/tcp open https
              """
        ...
        Failing Scenarios:
        cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

        1 scenario (1 failed)
        4 steps (1 failed, 3 passed)
        0m0.341s
  • 82. running gauntlt with passing tests
        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                                 # features/nmap/nmap.feature:5
            Given nmap is installed                                   # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports  # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml                     # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
            Then the output should contain:                           # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              80/tcp open http
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m1.117s
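As an added example (not gauntlt's own code), the plumbing behind slides 79-82 in plain Ruby: the `(\d+),(\d+)` capture groups turning the step text into an nmap argument vector, and the "output should contain" check run over a constructed nmap report, which is why ports 8080,443 fail while 80,443 pass. The constant and function names, the sample host and the nmap output are all mine; the hostname is kept as a separate argv element because it comes from profile.xml, a file anyone on the team edits.

```ruby
require 'shellwords'

# Step text from nmap.feature; the two (\d+) groups capture the port list.
NMAP_STEP = /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/

# Build the nmap argument vector for a matching step. The hostname is read from
# profile.xml, so it stays its own argv element instead of being interpolated
# into a shell string where a stray ";" or "$(...)" would be honoured.
def nmap_argv(step_text, hostname)
  m = NMAP_STEP.match(step_text)
  raise ArgumentError, "step does not match: #{step_text}" unless m
  ['nmap', hostname, "-p#{m[1]},#{m[2]}"]
end

# Shell-safe rendering of the same command, for the cucumber report or a log.
def nmap_command_line(step_text, hostname)
  Shellwords.join(nmap_argv(step_text, hostname))
end

# Constructed nmap output (not a real scan): a host with 80 and 443 open.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap ( https://nmap.org )
  Nmap scan report for example.test (192.0.2.10)
  PORT     STATE  SERVICE
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy
OUT

# Ports nmap reports as open, parsed from lines such as "80/tcp open http".
def open_ports(nmap_output)
  nmap_output.each_line.map do |line|
    m = line.match(%r{\A(\d+)/tcp\s+open\b})
    m && m[1].to_i
  end.compact
end

# The scenario's "Then the output should contain" check, expressed as the
# expected ports nmap did not report open (empty means the step passes).
def missing_ports(expected_ports, nmap_output)
  expected_ports - open_ports(nmap_output)
end

if __FILE__ == $PROGRAM_NAME
  step = 'I run nmap against the hostname in the profile on ports 80,443'
  puts nmap_command_line(step, 'example.test')      # nmap example.test -p80,443
  p missing_ports([80, 443], SAMPLE_NMAP_OUTPUT)    # []     -> slide 82 passes
  p missing_ports([8080, 443], SAMPLE_NMAP_OUTPUT)  # [8080] -> slide 81 fails
end
```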
  • 83. RESOURCES
  • 84. WANT TO JOIN THE GAUNTLT TEAM? EMAIL JAMES@RUGGEDDEVOPS.ORG
  • 85. Please get in touch with me: @wickett @RuggedDevOps @gauntlt