Rugged Software Using Rugged Driven Development

Security testing is often done at the cadence of auditors rather than at the pace of the development team, which hurts delivery time in agile teams. Rugged Driven Development (RDD) applies security and other stress testing methodologies during the development process so that the end product is software that is secure, reliable and resilient.

Using the Gauntlt open source framework to help implement RDD, you will find it fun to live by the Gauntlt motto, “be mean to your code.” You will be equipped to deliver and release ruggedized software faster and to span the communication gaps that exist between dev, ops and security teams. This talk will help you implement RDD in your projects with plenty of real world examples.

At the end of the workshop, you should:

• Be Rugged Driven Dev savvy and ready to ruggedize your next project with some new practices and tooling
• Know how to use gauntlt and the security tools it hooks into
• Take some of the pre-built gauntlt attacks and modify them to your own project
• Write your own gauntlt attacks and put them in practice


  1. RUGGED SOFTWARE USING RUGGED DRIVEN DEVELOPMENT @wickett // @iteration1 // @mattjay
  2. $ wget http://bit.ly/rugged-sxsw-box AND install VirtualBox and Vagrant
  3. BE RUGGED AND BE MEAN TO YOUR CODE #RUGGED #SXSW + #BEMEAN (use this one to troll the SXSW official tag)
  4. THEORY APPLIED: 63% HANDS ON LABS!
  5. WORKSHOP PLEDGE
  6. I will not attempt to access my neighbor’s computer. I will not hack the wifi. I will be friendly to those around me. You/Me
  7. ONE 5-MINUTE BREAK
  8. HANDS-ON LABS: 8 mini labs lasting 5 to 15 minutes each. Let us know if you are having a problem, and we will help. We will also be around after the class to help as well.
  9. VIRTUAL BOX AND VAGRANT
  10. TIPS FOR THE LABS: Open the labs folder in your browser to follow along and benefit from markdown display. Run all commands from the ~/gauntlt-demo
  11. LOOKING FOR THE 5’S
  12. WHY ARE YOU HERE?
  13. OUR GOAL: EQUIP YOU WITH THE THEORY, EXAMPLES AND TOOLING SO THAT YOU CAN BEGIN YOUR RUGGED JOURNEY
  14. WHO ARE WE?
  15. JAMES WICKETT, Austin, TX. Sr. DevOps Engr, Mentor Graphics. Gauntlt Core Team. DevOps Days Austin Organizer. Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
  16. MATT JOHANSEN, Houston, TX. Sr. Manager, TRC, WhiteHat Security. BlackHat, DEFCON, RSA, more++. Wannabe Dev (node.js, angularjs). I’m hiring.
  17. KARTHIK GAEKWAD, Austin, TX. Sr. Software Engr, Mentor Graphics. DevOps Days Austin Organizer. Agile, LASCON, DevOps Days, AppSecUSA, …
  18. WHY DOES THIS MATTER?
  19. SNOWDEN, NSA, NATION-STATE ACTORS, …
  20. PEOPLE MATTER
  21. PEOPLE MATTER
  22. THE BROKEN WINDOW FALLACY & THE PRISONER’S DILEMMA
  23. BREACHES CAUSE CYNICISM, DISTRUST AND LOSS
  24. SOFTWARE HAS CHANGED
  25. SOFTWARE AS A SERVICE
  26. SOFTWARE AS BRICOLAGE
  27. BOLT ON FEATURE APPROACH
  28. FRAGILE CODE AS A SERVICE
  29. DEPLOY TIMELINES HAVE CHANGED
  30. DEV AND OPS HAVE TEAMED UP IN THIS NEW WORLD
  31. CONTINUOUS DELIVERY IS A THING
  32. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  33. DEVOPS IS 5 YEARS OLD NOW
  34. SECURITY IS STUCK IN 1997 … MOSTLY
  35. WHY IS THAT?
  36. COMPLIANCE DRIVEN CULTURE: PCI, SOX, …
  37. RATIO PROBLEM: DEVS / OPS / SECURITY = 100 / 10 / 1
  38. SECURITY TOOLS ARE CONFUSING
  39. BUT, THERE IS HOPE
  40. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  41. http://www.youtube.com/watch?v=jQblKuMuS0Y
  42. THE RUGGED MANIFESTO
  43. I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED. I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD. I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.
  44. I RECOGNIZE THAT MY CODE WILL BE USED IN WAYS I CANNOT ANTICIPATE, IN WAYS IT WAS NOT DESIGNED, AND FOR LONGER THAN IT WAS EVER INTENDED. I RECOGNIZE THAT MY CODE WILL BE ATTACKED BY TALENTED AND PERSISTENT ADVERSARIES WHO THREATEN OUR PHYSICAL, ECONOMIC AND NATIONAL SECURITY.
  45. I RECOGNIZE THESE THINGS – AND I CHOOSE TO BE RUGGED. I AM RUGGED BECAUSE I REFUSE TO BE A SOURCE OF VULNERABILITY OR WEAKNESS. I AM RUGGED BECAUSE I ASSURE MY CODE WILL SUPPORT ITS MISSION.
  46. I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM. I AM RUGGED, NOT BECAUSE IT IS EASY, BUT BECAUSE IT IS NECESSARY AND I AM UP FOR THE CHALLENGE.
  47. DEV / OPS / SEC JOIN FORCES
  48. #RUGGEDDEVOPS
  49. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  50. LET’S BUILD RUGGED SOFTWARE
  51. RUGGED WEB APPS
  52. VULNERABLE CODE IS EVERYWHERE
  53. CROSS SITE SCRIPTING [XSS]
  54. WHAT IS IT? [XSS]
  55. REFLECTIVE [XSS]
  56. PERSISTENT [XSS]
  57. DOM BASED [XSS]
  58. WHY IS IT BAD? [XSS]
  59. DOCUMENT.COOKIE [XSS]
  60. DOCUMENT.LOCATION [XSS]
  61. HOW DO I FIX IT? [XSS]
  62. GOOD: INPUT SANITIZATION [XSS]
  63. BLACKLIST :( [XSS]
  64. WHITELIST :) [XSS]
  65. BETTER: OUTPUT ENCODING [XSS]
  66. < > BECOME &LT; &GT; [XSS]
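The XSS slides above contrast a blacklist, a whitelist and output encoding without showing code. The following Ruby is an added example written for this page (it is not from the workshop labs or from Gauntlt) that puts the three side by side on a constructed "name" parameter: the vulnerable interpolation, the blacklist that only catches one literal tag, the whitelist that rejects anything outside the expected character set, and the output encoding that turns `<` and `>` into `&lt;` and `&gt;` so the browser renders the input as text. `CGI.escapeHTML` is Ruby's standard library encoder; everything else here is illustrative.

```ruby
require 'cgi'

# Constructed sample input: an attacker-controlled "name" parameter carrying markup.
PAYLOAD = "<script>alert(1)</script>"

# Vulnerable (reflective XSS): untrusted input is interpolated straight into the
# HTML response, so whatever markup the parameter contains reaches the browser intact.
def render_unsafe(name)
  "<p>Welcome, #{name}!</p>"
end

# Blacklist: strips one known-bad tag and nothing else. Any other markup passes
# through untouched, which is why the slide gives this approach a frown.
def blacklist_filter(name)
  name.gsub(/<script>/i, "")
end

# Whitelist: accept only the characters a username may legitimately contain and
# reject everything else outright, rather than trying to enumerate what is bad.
def whitelist_username?(name)
  name.match?(/\A[a-z0-9_]{1,32}\z/i)
end

# Output encoding: < > & " ' become HTML entities, so the browser displays the
# input as text no matter what it contains. This is the "better" fix on the slides.
def render_safe(name)
  "<p>Welcome, #{CGI.escapeHTML(name)}!</p>"
end

if $PROGRAM_NAME == __FILE__
  puts render_unsafe(PAYLOAD)  # markup reaches the page intact
  puts render_safe(PAYLOAD)    # markup arrives as &lt;script&gt;...
end
```

Input validation (the whitelist) and output encoding are complementary: the whitelist belongs where the value enters the application, the encoding belongs at every point where the value is written into HTML.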
  67. SQL INJECTION [SQLi]
  68. WHAT IS IT? [SQLi]
  69. WHY IS IT BAD? [SQLi]
  70. CREDIT: XKCD
  71. HOW WOULD YOU EXPLOIT?
  72. ‘;
  73. PWNED
  74. HOW DO I FIX IT? [SQLi]
  75. PARAMETERIZED QUERIES [SQLi]
  76. PARAMETERIZED QUERIES (PHP) [SQLi]
  77. PARAMETERIZED QUERIES (JAVA) [SQLi]
  78. CROSS SITE REQUEST FORGERY [CSRF]
  79. WHAT IS IT? [CSRF]
  80. WHY IS IT BAD? [CSRF]
  81. HOW DO I FIX IT? [CSRF]
  82. TOKENS! [CSRF]
  83. IMAGE CREDIT: DOTNETBIPS.COM
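The CSRF slides end on "TOKENS!" without showing how a token is issued or checked. The Ruby below is an added example for this page, not code from the workshop or from any framework: it derives a per-session token as an HMAC of the session id under a server secret, verifies it with a constant-time comparison, and rejects a simulated state-changing request that arrives without the right token. The session ids, the `handle_transfer` handler and the in-memory secret are constructed for the illustration; a real application would keep the secret in configuration and would usually let its web framework issue the token.

```ruby
require 'openssl'
require 'securerandom'

# Constructed server-side secret; in a real application this comes from
# configuration, never from source code.
SERVER_SECRET = SecureRandom.hex(32)

# Issue a per-session token: HMAC-SHA256 of the session id under the server
# secret. A third-party site can make the browser send the session cookie, but
# it cannot read the page that carries this token, so it cannot supply it.
def csrf_token(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "csrf:#{session_id}")
end

# Constant-time comparison so the check does not leak how many leading bytes
# of a guess were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify the token submitted with a state-changing request against the one the
# session should hold. Missing or empty tokens fail closed.
def valid_csrf?(session_id, submitted, secret = SERVER_SECRET)
  return false if submitted.nil? || submitted.empty?
  secure_compare(csrf_token(session_id, secret), submitted)
end

# Simulated POST handler (hypothetical): refuse the action unless the request
# carries the current session's token.
def handle_transfer(session_id, params)
  return [403, "missing or invalid CSRF token"] unless valid_csrf?(session_id, params["csrf_token"])
  [200, "transfer accepted"]
end

if $PROGRAM_NAME == __FILE__
  sid = "sess-123"  # constructed session id
  p handle_transfer(sid, "csrf_token" => csrf_token(sid))
  p handle_transfer(sid, {})
end
```

Because the token is bound to the session id, a token captured from one session is useless against another, and because it is an HMAC, the server does not need to store tokens at all.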
  84. AGAIN… VULNERABLE CODE IS EVERYWHERE
  85. GETS FIXED SLOWLY
  86. GETS FIXED SLOWLY
  87. …IF EVER
  88. OWASP TOP 10
  89. LAB #1 - SETUP
  90. SETUP: github.com/gauntlt/gauntlt-demo. Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2014. You need Vagrant and VirtualBox installed on your laptop.
  91. LAB INSTRUCTIONS: For this lab, you will complete: ├── 01_Overview.md ├── 02_Setup using Vagrant.md
  92. 5-MINUTE BREAK
  93. LAB #2 - WEB APP HACKING
  94. XSS DEMO
  95. FIND THE VULN
  96. FIND THE VULN
  97. FIND THE VULN
  98. LAB INSTRUCTIONS: For this lab, you will complete: ├── 04_Start up Vulnerable Target.md
  99. For this lab, poke around and try to find a second XSS vulnerability. Let us know when you find it…
  100. INTRO TO GAUNTLT
  101. WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY TESTS…
  102. http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg
  103. GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING
  104. GAUNTLT IS OPEN SOURCE, MIT LICENSED
  105. GAUNTLT AUTOMATES SECURITY TOOLS
  106. GAUNTLT = SECURITY + CUCUMBER
  107. GARMR CODE NMAP CURL ARACHNI
  108. GARMR NMAP CURL CODE ARACHNI
  109. BUILT ON CUCUMBER
  110. GAUNTLT PHILOSOPHY: Gauntlt comes with pre-canned steps that hook security testing tools. Gauntlt does not install tools. Gauntlt wants to be part of the CI/CD pipeline. Be a good citizen of exit status and stdout/stderr.
  111. GAUNTLT IS COLLABORATION
  112. GAUNTLT IN ACTION: *.attack, something.attack, else.attack
  113. ATTACK STRUCTURE: Feature (description), Background (setup), Scenario (logic)
  114. ATTACK LOGIC: Given, When, Then
  115. ATTACK STEP: GIVEN. Setup steps check that a resource is available, e.g. Given “arachni” is installed
  116. ATTACK STEP: WHEN. Action steps, e.g. When I launch an “arachni-xss” attack
  117. ATTACK STEP: THEN. Parsing steps, e.g. Then the output should not contain “fail”
  118. LET’S PUT IT ALL TOGETHER
  119. LAB #3 - HELLO WORLD
  120. LAB INSTRUCTIONS: For this lab, you will complete: ├── 05_Hello World with Gauntlt.md
  121. HELLO WORLD
  122. LAB #4 - BASIC PORT CHECK
  123. LAB INSTRUCTIONS: For this lab, you will complete: ├── 06_Port Check.md
  124. TRY OUT NMAP
       $ nmap -F localhost
       $ nmap -F scanme.nmap.org
  125. PORT CHECK ATTACK (starter; the Then step is left for you to write)
       @challenge @slow
       Feature: check to make sure the right ports are open on our server
         Background:
           Given "nmap" is installed
           And the following profile:
             | name | value     |
             | host | localhost |
         Scenario: Verify server is open on expected ports
           When I launch an "nmap" attack with:
             """
             nmap -F <host>
             """
           # Then ...
           # TODO: figure out a way to parse the output and determine what is passing
           # For hints consult the README.md
  126. $ bundle exec gauntlt --allsteps
  127. TRUST THE PIPE
  128. SOLUTION
       @final @slow
       Feature: check to make sure the right ports are open on our server
         Background:
           Given "nmap" is installed
           And the following profile:
             | name | value     |
             | host | localhost |
         Scenario: Verify server is open on expected ports
           When I launch an "nmap" attack with:
             """
             nmap -F <host>
             """
           Then the output should contain:
             """
             8008
             """
  129. LAB #5 - CLI AND REGEX
  130. LAB INSTRUCTIONS: For this lab, you will complete: ├── 07_Working with Gauntlt CLI.md ├── 08_Regex.md
  131. Open 07_Working with Gauntlt CLI.md and run the following:
  132. 08_Regex.md
  133. SOLUTION
       Then the output should match:
         """
         8008/tcp\s+open
         """
       Then the output should not match /3001.tcp\s+open/
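The attack-structure slides (Given / When / Then) and the regex lab both come down to the same thing: capture a tool's output, apply positive and negative patterns to it, and turn the result into an exit status the pipeline can act on. The Ruby below is an added example written for this page; it is not Gauntlt's own step code, and its `nmap -F` output is a constructed sample rather than a real scan. It applies the lab's two regexes, adds a small table parser so a port's state can be asserted directly, and returns the pass/fail exit status that the "good citizen of exit status" slide asks for.

```ruby
# Constructed sample output in the shape `nmap -F localhost` prints (not a real scan).
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap ( http://nmap.org )
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00010s latency).
  Not shown: 97 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  3001/tcp filtered unknown
  8008/tcp open     http
OUT

# Parse the PORT/STATE/SERVICE table into { "8008/tcp" => "open", ... } so a
# check can ask about a specific port instead of grepping the whole text.
def parse_ports(output)
  output.each_line.with_object({}) do |line, ports|
    next unless (m = line.match(%r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}))
    ports["#{m[1]}/#{m[2]}"] = m[3]
  end
end

# The "Then" half of an attack: every must_match pattern has to appear in the
# output, every must_not_match pattern has to be absent. Returns a list of
# human-readable failures; an empty list means the attack passed.
def check_output(output, must_match: [], must_not_match: [])
  failures = []
  must_match.each do |re|
    failures << "expected #{re.inspect} to match the output" unless output.match?(re)
  end
  must_not_match.each do |re|
    failures << "expected #{re.inspect} not to match the output" if output.match?(re)
  end
  failures
end

# Exit status is how a CI job learns the verdict: 0 passes the build, 1 fails it.
def exit_status(failures)
  failures.empty? ? 0 : 1
end

# The lab's two assertions, applied to the sample: 8008 must be open, 3001 must not be.
result = check_output(
  SAMPLE_NMAP_OUTPUT,
  must_match:     [%r{8008/tcp\s+open}],
  must_not_match: [%r{3001.tcp\s+open}]
)
puts(result.empty? ? "PASS (exit #{exit_status(result)})" : result.join("\n"))
```

The `\s+` between `tcp` and `open` matters: nmap pads the STATE column, so a literal single space would silently fail to match and the attack would report a problem that is not there.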
  134. LAB #6 - GARMR
  135. LAB INSTRUCTIONS: For this lab, you will complete: ├── 09_Garmr and Web Security.md
  136. WHAT IS GARMR?
  137. GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A BUNCH OF SECURITY POLICIES IN WEB APPS
  138. MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US
  139. LAB #7 - XSS WITH ARACHNI
  140. LAB INSTRUCTIONS: For this lab, you will complete: ├── 10_Arachni and XSS testing.md
  141. XSS LAB!
  142. TRY OUT ARACHNI
       arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 scanme.nmap.org
  143. BONUS POINTS, FIND THE VULN!
  144. Hint…. When I launch an "arachni-full_xss" attack
  145. LET US KNOW WHEN YOU HAVE FOUND IT
  146. Arachni found XSS in Gruyere, Oh noes! localhost:8008/signup/<script>alert(1)</script>
  147. LAB #8 - ADVANCED GAUNTLT
  148. LAB INSTRUCTIONS: For this lab, you will complete: ├── 11_Assert Network.md ├── 12_Output to HTML.md └── 13_Working with Environment Variables.md
  149. HTML OUTPUT
       bundle exec gauntlt --format html > out.html
  150. out.html
  151. RUGGED TESTING ON EVERY COMMIT
  152. YOU PROMISED CI/CD PIPELINE…
  153. THIS DEFINITELY IS 5 STAR TERRITORY
  154. TRAVIS CI PARSES CONFIG AND THEN RUNS RAKE
  155. RAKEFILE
       require 'gauntlt'
       task :gauntlt do
         sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
         sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
         sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
       end
  156. gauntlt-demo/.travis.yml
       language: ruby
       rvm:
         - 1.9.3
       before_install:
         - git submodule update --init --recursive
       before_script:
         - sudo apt-get install nmap
         - sudo apt-get install wget
         - sudo apt-get install libcurl4-openssl-dev
         - 'pwd'
         - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
         - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
         - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
         - 'cd vendor && wget http://downloads.sourceforge.net/project/dirb/dirb/2.03/dirb203.tar.gz && tar xvfz dirb203.tar.gz && cd dirb && ./configure && make && sudo cp dirb /usr/local/bin/ && cd ../../'
         - export DIRB_WORDLISTS="/home/travis/build/gauntlt/gauntlt/vendor/dirb/wordlists"
       notifications:
         irc:
           channels:
             - "chat.freenode.net#gauntlt"
           use_notice: true
  157. WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS WHOLE TIME WITH THE LABS!
  158. SAHWEET!
  159. NOW WHAT?
  160. THESE SLIDES http://bit.ly/gauntlt-sxsw-slides
  161. • Google Group > https://groups.google.com/d/forum/gauntlt
       • Wiki > https://github.com/gauntlt/gauntlt/wiki
       • Twitter > @gauntlt
       • IRC > #gauntlt on freenode
       • Weekly hangout > http://bit.ly/gauntlt-hangout
       • Issue tracking > http://github.com/gauntlt/gauntlt
  162. https://vimeo.com/79797907
  163. FREE GAUNTLT BETA BOOK FOR SXSW ATTENDEES! http://leanpub.com/hands-on-gauntlt/c/SXSW Valid until March 11th. Caveat Emptor: No content at the moment!
  164. GAUNTLT-SERVER COMING SOON!
  165. WILL YOU GIVE US THE 5’S?
  166. QUESTIONS?