The document introduces Gauntlt, an open source security tool that automates security tests. It can run tools like nmap, sqlmap, and dirb against applications and check the output for vulnerabilities. Gauntlt uses behavior-driven development syntax to define tests in an easy to read format. The document provides examples of using Gauntlt to test for open ports, SQL injection vulnerabilities, and common misconfigurations. It also discusses the motivation behind Gauntlt and plans for future development.

1. Be Mean to
your Code
with
Gauntlt

2. @wickett
College Startup
Web Systems Engineer
Media Startup
Web Ops Lead
DevOps
CISSP
CISSP, sounds cool

3. a brief
history of
infosec

4. 1337 tools

5. the worms
and viruses
didn’t stop

6. we faced
skilled
adversaries

7. we couldn’t
win

8. Instead of
Engineering
InfoSec
became
Actuaries

9. “[RISK ASSESSMENT]
INTRODUCES A DANGEROUS
FALLACY: THAT
STRUCTURED INADEQUACY
IS ALMOST AS GOOD AS
ADEQUACY AND THAT
UNDERFUNDED SECURITY
EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT
AS GOOD AS PROPERLY
FUNDED SECURITY WORK”

10. there were
other
movements

11. devs became cool

12. devs became cool agile

13. the biz
sells time
now

15. dev and ops
now play nice

16. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

17. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

18. culture
automation
measurement
sharing
credit to John Willis and Damon Edwards

19. infosec
hasn’t kept
pace

20. Your punch
is soft,just
like your
heart

21. “Is this
Secure?”
-Your
Customer

22. “It’s
Certified”
-You

23. there’s a
better way

25. 6 R’s of
Rugged
DevOps

26. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

27. how does
one join
rugged
devops?

29. enter
gauntlt

30. gauntlt is
like this

31. sqlmap sslyze
dirb
curl
generic
nmap
your app
gauntlt
exit status: 0

32. gauntlt
credits:
Creators:
Mani Tadayon
James Wickett
Community Wrangler:
Jeremiah Shirk
Friends:
Jason Chan, Netflix
Neil Matatall, Twitter

33. security tools
are confusing

34. mapping
discovery
exploitation

35. fuzzfind inject

36. security
tests on
every change

37. wisdom from
a video game

38. always
listen to
Doc

39. Find the
weakness of
your enemy

40. Codify your
knowledge
(cheat sheets)

41. sometimes, you
face the same
enemies again

42. gauntlt is
collaboration

43. Gauntlt helps
dev and ops
and security
to communicate

44. gauntlt
harmonizes
our languages

45. Behavior
Driven
Development
BDD is a second-generation, outside–in, pull-based,
multiple-stakeholder, multiple-scale, high-automation, agile
methodology. It describes a cycle of interactions with well-
defined outputs, resulting in the delivery of working, tested
software that matters.
Dan North , 2009

46. we have to
start
somewhere

47. $ gem install gauntlt
install gauntlt

48. gauntlt
design
Simple
Extensible
UNIX™: stdin, stdout, exit status
Minimum features yield maximum
utility

49. $ gauntlt --list
Defined attacks:
curl
dirb
garmr
generic
nmap
sqlmap
sslyze

50. Attack File
Plain Text File
Gherkin syntax:
Given
When
Then

51. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
Given
When
Then
When
Then

52. running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

53. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
running gauntlt with passing tests

54. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch a "curl" attack with:$/
/^I launch a "dirb" attack with:$/
/^I launch a "garmr" attack with:$/
/^I launch a "generic" attack with:$/
/^I launch an "nmap" attack with:$/
/^I launch an "sslyze" attack with:$/
/^I launch an? "sqlmap" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following profile:$/

55. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"sqlmap" is installed$/
/^I launch a "generic" attack with:$/
/^I launch an? "sqlmap" attack with:$/

56. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
setup steps
verify
tool
set
config

57. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
attack
get
config

58. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
assert
needle
haystack

59. Supported
Tools
curl
nmap
sqlmap
sslyze
Garmr
dirb
generic

60. Netflix
Use Case
Real World Cloud Application Security, Jason Chan
https://vimeo.com/54157394

61. Check your ssl certs

62. cookie tampering

63. curl hacking

64. Look for common
apache
misconfigurations

65. @slow
Feature: Run dirb scan on a URL
Scenario: Run a dirb scan looking for common
vulnerabilities in apache
Given "dirb" is installed
And the following profile:
| name | value |
| hostname | http://example.com |
| wordlist | vulns/apache.txt |
When I launch a "dirb" attack with:
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain:
"""
FOUND: 0
"""
.htaccess
.htpasswd
.meta
.web
access_log
cgi
cgi-bin
cgi-pub
cgi-script
dummy
error
error_log
htdocs
httpd
httpd.pid
icons
server-info
server-status
logs
manual
printenv
test-cgi
tmp
~bin
~ftp
~nobody
~root

66. I have my weakness.
But I won't tell
you! Ha Ha Ha!

67. Test for SQL
Injection

68. @slow @announce
Feature: Run sqlmap against a target
Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed
And the following profile:
| name | value |
| target_url | http://example.com?x=1 |
When I launch a "sqlmap" attack with:
"""
python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
"""

70. my_first.attack
See ‘GET STARTED’ on
project repo
Start here > https://
github.com/gauntlt/
gauntlt/tree/master/
examples
Find examples for the
attacks
Add your config (hostname,
login url, user)
Repeat

71. Starter Kit on GitHub
The starter kit is on GitHub:
github.com/gauntlt/gauntlt-starter-kit
Or, download a copy from:
www.gauntlt.org/

72. Contribute
to gauntlt
See ‘FOR DEVELOPERS’ in
the README
Get started in 7 steps

73. If you get
stuck
Check the README
IRC Channel: #gauntlt
on freenode
@gauntlt on twitter
Mailing List (https://
groups.google.com/forum/#!forum/
gauntlt)
Office hours with
weekly google hangout

74. @gauntlt
future plans

75. culture
automation
measurement
sharing
credit to John Willis and Damon Edwards

76. Next
Features
More output parsers
More attack adapters
JRuby & Java Support
Front end UI / web
reports

77. Add feature
requests here:
https://github.com/
gauntlt/gauntlt/
issues

78. get started
with gauntlt
github/gauntlt
gauntlt.org
videos
tutorials
google group
@gauntlt
IRC #gauntlt
we
help!
start here
cool
vids!

79. @wickett
james@gauntlt.org
Be Mean to
Your Code!