Putting Rugged Into your DevOps Toolchain

Presentation given at DevOps Days Mountain View, on June 29th, 2012. #devopsdays

Transcript

  • 1. PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN - JAMES WICKETT, @WICKETT
  • 2. I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
  • 3. James Wickett - CISSP, GWAPT, CCSK, GSEC, GCFW - @wickett @RuggedDevOps @gauntlt
  • 4. HTTP://BIT.LY/RUGGED-DEVOPS
  • 5. A BRIEF HISTORY OF INFORMATION SECURITY
  • 6. WE USED TO BE COOL
  • 7. WE HAD CINEMA
  • 8. WE HAD HEROES
  • 9. WE MADE FREE PHONE CALLS
  • 10. WE WERE COOL
  • 11. WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
  • 12. WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT
  • 13. WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM
  • 14. ONCE IN THE ORG, INFOSEC MADE BIG CLAIMS
  • 15. WE COULDN'T STOP THE VIRUSES AND WORMS
  • 16. ENTER RISK ASSESSMENT
  • 17. INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
  • 18. WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
  • 19. "[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK" - MICHAL ZALEWSKI
  • 20. WE MADE A SIGNIFICANT ERROR
  • 21. WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS
  • 22. TJX H@CK3D!
  • 23. THE STOCK PRICE DIDN'T DROP
  • 24. OUR ASSUMPTION WAS INCOMPLETE
  • 25. INFOSEC ALSO MADE A SECOND BIG MISTAKE
  • 26. IT STAYED IN INFORMATION TECHNOLOGY
  • 27. IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE
  • 28. SOMETHING ELSE HAPPENED GLOBALLY
  • 29. DEVS BECAME COOL
  • 30. CODE BECAME SOCIAL
  • 31. "I DON'T WANT YOU TO SEND ME AN INSTALLATION DVD"
  • 32. WE SELL TIME NOW
  • 33. WE SELL SOCIAL AND FRIENDSHIPS
  • 34. "IS THIS SECURE?" - YOUR CUSTOMER
  • 35. "IT'S CERTIFIED" - YOU
  • 36. WHY CAN'T YOU GIVE A BETTER ANSWER?
  • 37. THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
  • 38. source: Gene Kim, “When IT says No @SXSW 2012”
  • 39. Security sees...
        - They give advice that goes unheeded
        - Business decisions made without regard for risk
        - Irrelevancy in the organization
        - Constant bearer of bad news
        - Feels ignored by their peers (you know, those devops guys)
        - Inequitable distribution of labor
  • 40. 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
  • 41. HOW DO WE FIX THESE PROBLEMS?
  • 42. - LEARNING FROM (PREFERABLY OTHER PEOPLE'S) MISTAKES
        - DEVELOPING TOOLS TO CORRECT PROBLEMS
        - PLANNING TO HAVE EVERYTHING COMPROMISED
  • 43. UNDERSTANDING TOOLING ARCHITECTURE
  • 44. OPEN WEB APPLICATION SECURITY PROJECT
  • 45. Current Software
  • 46. Rugged Software
  • 47. Current Software
  • 48. Rugged Software
  • 49. Current Software
  • 50. Rugged Software
  • 51. ADVERSITY REQUIRES RUGGED SOLUTIONS
  • 52. ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
  • 53. Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise. RUGGEDIZATION THEORY
  • 54. NO PAIN, NO GAIN
  • 55. "Secondly, our network got a lot stronger as a result of the LulzSec attacks."-Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
  • 56. REPEATABLE - NO MANUAL STEPS
        RELIABLE - NO DOS HERE
        REVIEWABLE - AKA AUDIT
        RAPID - FAST TO BUILD, DEPLOY, RESTORE
        RESILIENT - AUTOMATED RECONFIGURATION
        REDUCED - LIMITED ATTACK SURFACE
  • 57. RUGGED BY DESIGN,DEVOPS BY CULTURE
  • 58. RUGGED DEVOPS
  • 59. Put your code through the gauntlt
  • 60. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  • 61. (diagram) custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap -> Your web app <- You
  • 62. gauntlt is built for doing security testing in a DevOps world
  • 63. GAUNTLT IS
  • 64. AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
  • 65. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  • 66. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  • 67. MEET THE GAUNTLT TEAM
  • 68. MANI TADAYON - "SOFTWARE - WAR = SOFTE" - @BWSR_SR
  • 69. ROY RAPOPORT - "I PICKED UP THE TEE SHIRTS" - @ROYRAPOPORT
  • 70. BILL BURNS - @X509V3 - "SMITHERS, RELEASE THE MONKEYS!"
  • 71. JOSHUA CORMAN - @JOSHCORMAN @RUGGEDSOFTWARE - "HONEY BADGER DOES CARE"
  • 72. JASON CHAN - @CHANJBS
  • 73. NOT PICTURED: MATT TESAURO, TAREK MOUSSA
  • 74. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  • 75. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  • 76. GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
  • 77. HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
  • 78. LET'S LOOK INSIDE A COUPLE OF THESE FILES
  • 79. feature for nmap: nmap.feature

        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

        Background:
          Given nmap is installed

        Scenario: Verify server is available on standard web ports
          Given the hostname in the profile.xml
          When I run nmap against the hostname in the profile on ports 80,443
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """
  • 80. step definition for nmap: nmap.rb

        # Background step: fail fast when nmap is not on the PATH.
        Given /^nmap is installed$/ do
          steps %{
            When I run `which nmap`
            Then the output should contain:
            """
            nmap
            """
          }
        end

        # @hostname is set by the "Given the hostname in the profile.xml" step
        # (profile.rb). The two ports captured from the step text are passed
        # through to nmap so the scenario controls which ports are scanned.
        When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |arg2, arg3|
          steps %{
            When I run `nmap "#{@hostname}" -p#{arg2},#{arg3}`
          }
        end
  • 81. running gauntlt with failing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                  # features/nmap/nmap.feature:5
            Given nmap is installed                    # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml      # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 8080,443   # features/step_definitions/nmap.rb:12
            Then the output should contain:            # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              8080/tcp open http
              443/tcp open https
              """
        ...
        Failing Scenarios:
        cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

        1 scenario (1 failed)
        4 steps (1 failed, 3 passed)
        0m0.341s
  • 82. running gauntlt with passing tests

        wickett$ gauntlt
        @gauntlet @run
        Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

          Background:                                  # features/nmap/nmap.feature:5
            Given nmap is installed                    # features/step_definitions/nmap.rb:2

          Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
            Given the hostname in the profile.xml      # features/step_definitions/profile.rb:1
            When I run nmap against the hostname in the profile on ports 80,443   # features/step_definitions/nmap.rb:12
            Then the output should contain:            # aruba-0.4.11/lib/aruba/cucumber.rb:98
              """
              80/tcp open http
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m1.117s
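The nmap scenario on slides 79-82 only asserts that the scan output contains the two expected lines, so a host with an extra open port (a forgotten admin interface, a debug listener) still passes. The "REDUCED - LIMITED ATTACK SURFACE" principle from slide 56 wants the opposite check as well. The Ruby below is an added example, not gauntlt's own code: it parses nmap's normal output into a port table and reports both expected ports that are not open and open ports that were not expected. The scan output, the host name and the port states are constructed for the example.

```ruby
# Added example (not part of gauntlt or this talk): turn nmap's normal
# output into a port table and compare it against an expected attack surface.

# Constructed sample of nmap normal output; host, addresses and services are invented.
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-06-29 10:00 PDT
  Nmap scan report for example.test (203.0.113.10)
  Host is up (0.012s latency).
  Not shown: 996 filtered ports
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
NMAP

# Matches port lines such as "80/tcp   open   http"; header and summary lines do not match.
PORT_LINE = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

# Returns { 80 => { proto: "tcp", state: "open", service: "http" }, ... }
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    m = PORT_LINE.match(line.strip) or next
    ports[m[1].to_i] = { proto: m[2], state: m[3], service: m[4] }
  end
end

# Returns a list of human-readable violations; empty when the host exposes
# exactly the expected ports. Both directions are checked: a required port
# that is closed/filtered, and any open port that is not on the allow-list.
def attack_surface_violations(output, expected_open:)
  ports = parse_nmap_ports(output)
  open_ports = ports.select { |_, p| p[:state] == "open" }.keys
  violations = []
  (expected_open - open_ports).each do |port|
    state = ports[port] ? ports[port][:state] : "not reported"
    violations << "expected port #{port} open, found #{state}"
  end
  (open_ports - expected_open).each do |port|
    violations << "unexpected open port #{port} (#{ports[port][:service]})"
  end
  violations
end

if $PROGRAM_NAME == __FILE__
  # With only 80 and 443 allowed, the constructed host fails on its ssh listener.
  attack_surface_violations(SAMPLE_NMAP_OUTPUT, expected_open: [80, 443]).each { |v| puts v }
end
```

Wired into gauntlt, this replaces the aruba "the output should contain:" assertion with a step such as "Then the open ports should be exactly 80,443" whose definition calls attack_surface_violations on the captured nmap output and fails the scenario when the list is non-empty; the scan itself still runs on the whole port range you care about, not just the allowed ones, or the second check has nothing to find.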
  • 83. RESOURCES
  • 84. WANT TO JOIN THE GAUNTLT TEAM? EMAIL JAMES@RUGGEDDEVOPS.ORG
  • 85. Please get in touch with me: @wickett @RuggedDevOps @gauntlt