This document discusses Gauntlt, an open source security tool that helps developers test their code for vulnerabilities. It allows writing security tests using a behavior-driven development style. Gauntlt runs predefined attacks against a target and checks the output against success criteria. The document provides an overview of Gauntlt's features, examples of how to write tests for tools like nmap and sqlmap, and information on how to get started and contribute to the project.

1. Be Mean to
Your Code
with Gauntlt
@gauntlt
gauntlt.org

2. @wickett
College Startup
Web Systems Engineer
Media Startup
Web Ops Lead
DevOps

3. the devops
life is
great

4. I want you
to join the
devops
movement

5. I want you
to join the
gauntlt
project

6. how do you
join?

7. great
question
but first

8. a brief
history of
infosec

9. 1337 tools

10. the worms
and viruses
didn’t stop

11. we faced
skilled
adversaries

12. we couldn’t
win

13. Instead of
Engineering
InfoSec
became
Actuaries

14. “[RISK ASSESSMENT]
INTRODUCES A DANGEROUS
FALLACY: THAT
STRUCTURED INADEQUACY
IS ALMOST AS GOOD AS
ADEQUACY AND THAT
UNDERFUNDED SECURITY
EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT
AS GOOD AS PROPERLY
FUNDED SECURITY WORK”

15. there were
other
movements

16. devs became cool

17. devs became cool agile

18. the biz
sells time
now

20. dev and ops
now play nice

21. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

22. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

23. culture
automation
measurement
sharing
credit to John Willis and Damon Edwards

24. infosec
hasn’t kept
pace

25. Your punch
is soft,just
like your
heart

26. “Is this
Secure?”
-Your
Customer

27. “It’s
Certified”
-You

28. there’s a
better way

30. 6 R’s of
Rugged
DevOps

31. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

32. how does
one join
rugged
devops?

34. enter
gauntlt

35. gauntlt
credits:
Creators:
Mani Tadayon
James Wickett
Community Wrangler:
Jeremiah Shirk
Friends:
Jason Chan, Netflix
Neil Matatall, Twitter

36. security tools
are confusing

37. mapping
discovery
exploitation

38. security
tests on
every change

39. wisdom from
a video game

40. always
listen to
Doc

41. Find the
weakness of
your enemy

42. Codify your
knowledge
(cheat sheets)

43. sometimes, you
face the same
enemies again

44. gauntlt is
like this

45. fuzzfind inject

46. sqlmap sslyze
dirb
curl
generic
nmap
your app
gauntlt
exit status: 0

47. Gauntlt helps
dev and ops
and security
to communicate

48. gauntlt
harmonizes
our languages

49. Conway’s Law
Any organization that designs a system ... will
inevitably produce a design whose structure is
a copy of the organization's communication
structure.
Melvin E. Conway, 1968

50. Behavior
Driven
Development
BDD is a second-generation, outside–in, pull-based,
multiple-stakeholder, multiple-scale, high-automation, agile
methodology. It describes a cycle of interactions with well-
defined outputs, resulting in the delivery of working, tested
software that matters.
Dan North , 2009

51. we have to
start
somewhere

52. $ gem install gauntlt
install gauntlt

53. gauntlt
design
Simple
Extensible
UNIX™: stdin, stdout, exit status
Minimum features yield maximum
utility

54. $ gauntlt --list
Defined attacks:
curl
dirb
garmr
generic
nmap
sqlmap
sslyze

55. Attack File
Plain Text File
Gherkin syntax:
Given
When
Then

56. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
Given
When
Then
When
Then

57. running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

58. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
running gauntlt with passing tests

59. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch a "curl" attack with:$/
/^I launch a "dirb" attack with:$/
/^I launch a "garmr" attack with:$/
/^I launch a "generic" attack with:$/
/^I launch an "nmap" attack with:$/
/^I launch an "sslyze" attack with:$/
/^I launch an? "sqlmap" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following profile:$/

60. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"sqlmap" is installed$/
/^I launch a "generic" attack with:$/
/^I launch an? "sqlmap" attack with:$/

61. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
setup steps
verify
tool
set
config

62. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
attack
get
config

63. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
assert
needle
haystack

64. Supported
Tools
curl
nmap
sqlmap
sslyze
Garmr
dirb
generic

65. Netflix
Use Case
Real World Cloud Application Security, Jason Chan
https://vimeo.com/54157394

66. Check your ssl certs

67. cookie tampering

68. curl hacking

69. Look for common
apache
misconfigurations

70. @slow
Feature: Run dirb scan on a URL
Scenario: Run a dirb scan looking for common
vulnerabilities in apache
Given "dirb" is installed
And the following profile:
| name | value |
| hostname | http://example.com |
| wordlist | vulns/apache.txt |
When I launch a "dirb" attack with:
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain:
"""
FOUND: 0
"""
.htaccess
.htpasswd
.meta
.web
access_log
cgi
cgi-bin
cgi-pub
cgi-script
dummy
error
error_log
htdocs
httpd
httpd.pid
icons
server-info
server-status
logs
manual
printenv
test-cgi
tmp
~bin
~ftp
~nobody
~root

71. I have my weakness.
But I won't tell
you! Ha Ha Ha!

72. Test for SQL Injection

73. @slow @announce
Feature: Run sqlmap against a target
Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed
And the following profile:
| name | value |
| target_url | http://example.com?x=1 |
When I launch a "sqlmap" attack with:
"""
python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
"""

75. my_first.attack
See ‘GET STARTED’ on
project repo
Start here > https://
github.com/gauntlt/
gauntlt/tree/master/
examples
Find examples for the
attacks
Add your config (hostname,
login url, user)
Repeat

76. Starter Kit on GitHub
The starter kit is on GitHub:
github.com/gauntlt/gauntlt-starter-kit
Or, download a copy from:
www.gauntlt.org/

77. Contribute
to gauntlt
See ‘FOR DEVELOPERS’ in
the README
Get started in 7 steps

78. If you get
stuck
Check the README
IRC Channel: #gauntlt
on freenode
@gauntlt on twitter
Mailing List (https://
groups.google.com/forum/#!forum/
gauntlt)
Office hours with
weekly google hangout

79. @gauntlt
future plans

80. culture
automation
measurement
sharing
credit to John Willis and Damon Edwards

81. Next
Features
More output parsers
More attack adapters
JRuby & Java Support
Front end UI / web
reports

82. Add feature
requests here:
https://github.com/
gauntlt/gauntlt/
issues

83. get started
with gauntlt
github/gauntlt
gauntlt.org
videos
tutorials
@gauntlt
IRC #gauntlt
we
help!
start here
cool
vids!

84. @wickett
james@gauntlt.org
Be Mean to
Your Code!

85. @wickett
james@gauntlt.org
Be Mean to
Your Code!