BE MEAN TO YOUR CODE WITH GAUNTLT AND THE RUGGED WAY
JAMES WICKETT // @WICKETT

@WICKETT // #VELOCITYCONF // @GAUNTLT
@WICKETT
• Austin, TX
• Gauntlt Core Team
• LASCON Founder
• Cloud Austin Organizer
• DevOps Days Austin Organizer
• DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt
REQUIREMENTS

OPTION 1
• Virtual Box
• Vagrant
• Gauntlt Box
• Pre-downloaded

OR

OPTION 2
• Ruby 1.9.3
• Git
• Bundler
• Reliable Internet

INSTRUCTIONS

bit.ly/gauntlt-demo-instructions

WHY DOES THIS MATTER?

PEOPLE MATTER

THE BROKEN WINDOW FALLACY
–HENRY HAZLITT

BESIDES LOSS, BREACHES CAUSE CYNICISM AND DISTRUST

SOFTWARE HAS CHANGED

SOFTWARE AS A SERVICE

SOFTWARE AS BRICOLAGE

BOLT ON FEATURE APPROACH

FRAGILE CODE AS A SERVICE

DEPLOY TIMELINES HAVE CHANGED

DEV AND OPS HAVE FOUND A NEW RELIGION

SECURITY HAS NOT CHANGED

COMPLIANCE DRIVEN CULTURE: PCI, SOX, …

PEOPLE PROCESS TOOLS

WE HAVE A PEOPLE PROBLEM

THE RATIO PROBLEM

DEV : OPS : SECURITY
100:10:1

LANGUAGE GAP

SECURITY DOESN'T ALWAYS SPEAK THE LANGUAGE OF THE BIZ / DEV / OPS TEAMS

PEOPLE PROCESS TOOLS

ABDICATING RESPONSIBILITY
PROCESS

YOU NEED EXPERTS TO TEST FOR SECURITY

FORMALIZED VIA AUDITORS AND COMPLIANCE ANNUALLY

PEOPLE PROCESS TOOLS

DEV -> SVN || GIT

OPS -> TXT || WIKIS

DEV -> GIT <- OPS

SECURITY -> SOURCEFORGE!

SIGNS THAT SECURITY IS MOVING INTO A NEW ERA

ANALYTICS, MONITORS, LOGS, TELEMETRY, TESTING, CONFIG MANAGEMENT

ATTACK CHAINS AND SIGNALS

http://www.youtube.com/watch?v=jQblKuMuS0Y

VULNERABILITY EXPLOITATION IS A TIMELINE

DISCOVERY
VULNERABILITY
EXPLOIT

SQL SYNTAX ERRORS
DB TABLE NAMES
LARGE RESPONSE SIZES

INSTRUMENT FULL ATTACK CHAINS AND WATCH FOR SIGNALS
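The three signals the slide lists, checked over constructed application-log lines as an added example that is not part of the deck. The log format, the SQL error marker strings, the table list, the size baseline and the mapping of each signal onto the discovery / vulnerability / exploit stages are all this example's assumptions.

```ruby
# Added example, not from the deck: a detector for the three signals the slide
# lists (SQL syntax errors, DB table names, large response sizes) run over
# constructed application-log lines, then folded per client into the
# discovery -> vulnerability -> exploit timeline. The log format, the marker
# strings, the table list and the size baseline are all assumptions.
require 'time'

# Constructed log lines: "<iso time> <client> <status> <bytes> <path> [app error]"
SAMPLE_LOG = <<~LOG
  2013-11-12T10:00:01Z 203.0.113.7 200 1420 /items?id=7
  2013-11-12T10:00:05Z 203.0.113.7 500 310 /items?id=7' You have an error in your SQL syntax
  2013-11-12T10:00:09Z 203.0.113.7 500 298 /items?id=7 Table 'shop.users' doesn't exist
  2013-11-12T10:00:20Z 203.0.113.7 200 248930 /items?id=7
  2013-11-12T10:00:21Z 198.51.100.4 200 1398 /items?id=8
LOG

SQL_ERROR_MARKERS = ['You have an error in your SQL syntax', 'unterminated quoted string'].freeze
KNOWN_TABLES = %w[shop.users shop.orders].freeze # the app's own table names (assumed)
BASELINE_BYTES = 1500                             # normal response size for the endpoint (assumed)
LARGE_FACTOR = 20                                 # "large" means 20x the baseline (assumed)

# Signal -> stage of the timeline the slide describes (this example's mapping).
STAGE = { sql_syntax_error: :discovery, db_table_name: :vulnerability, large_response: :exploit }.freeze
STAGES = %i[discovery vulnerability exploit].freeze

Event = Struct.new(:time, :client, :status, :bytes, :path, :message)

def parse_log(text)
  text.each_line.map do |line|
    t, client, status, bytes, path, msg = line.strip.split(' ', 6)
    Event.new(Time.iso8601(t), client, status.to_i, bytes.to_i, path, msg.to_s)
  end
end

# The signal one event carries, or nil for ordinary traffic.
def signal_for(ev)
  return :sql_syntax_error if SQL_ERROR_MARKERS.any? { |m| ev.message.include?(m) }
  return :db_table_name if KNOWN_TABLES.any? { |t| ev.message.include?("'#{t}'") }
  return :large_response if ev.bytes > BASELINE_BYTES * LARGE_FACTOR
  nil
end

# Per client: the signals seen in time order and the furthest stage they reach.
def attack_chains(events)
  events.group_by(&:client).each_with_object({}) do |(client, evs), chains|
    signals = evs.sort_by(&:time).map { |e| signal_for(e) }.compact
    next if signals.empty?
    furthest = signals.map { |s| STAGES.index(STAGE[s]) }.max
    chains[client] = { stage: STAGES[furthest], signals: signals }
  end
end

if __FILE__ == $PROGRAM_NAME
  attack_chains(parse_log(SAMPLE_LOG)).each do |client, chain|
    puts "#{client}: reached #{chain[:stage]} via #{chain[:signals].join(' -> ')}"
  end
end
```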

RUGGED

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
DETECTION EARLIER

security tools today

ENTER GAUNTLT

PEOPLE PROCESS TOOLS

GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING

GAUNTLT = SECURITY + CUCUMBER


http://www.flickr.com/photos/35231744@N00/286858571/
CODE -> BUILD -> TEST -> DEPLOY (+ FEEDBACK)

CODE -> BUILD -> TEST -> DEPLOY -> ~12 MOS. LATER -> SECURITY

CODE -> BUILD -> TEST -> SECURITY -> DEPLOY (+ FEEDBACK)
A STORY FROM 2010…

DEVOPS (+ SECURITY!)
@ernestmueller, @iteration1, @bproverb and friends

Ruby Script

REST ENDPOINTS

Questionable Payloads
Invalid Sessions
Large Payloads

COLLECTION OF SCRIPTS MERGED INTO OUR TEST RUNNER

IN'S AND OUT'S ARE EASY TO MESS UP

CUCUMBER AND OUTSIDE IN TESTING

THE START OF GAUNTLT

OUTSIDE IN TESTING FOR SECURITY TOOLS

OUTPUT FROM SECURITY TOOLS IS HARD TO DECIPHER

BE MEAN TO YOUR CODE

GARMR / NMAP / ARACHNI / SQLMAP -> CODE
BUT WHAT ABOUT THE PEOPLE

CONVERSATION AND COLLABORATION IS THE CORE OF GAUNTLT

DEV / OPS / SECURITY -> *.attack

• Execution Knowledge
• Testing Logic Captured
• Repeatable

GAUNTLT IN ACTION

*.attack

something.attack
else.attack

Attack Structure
Feature -> Description
Background -> Setup
Scenario -> Logic

Attack Logic
Given
When
Then

Attack Step: Given
Setup steps
Check Resource Available
Given "arachni" is installed

Attack Step: When
Action steps
When I launch an "arachni-xss" attack

Attack Step: Then
Parsing steps
Then the output should not contain "fail"

GAUNTLT PHILOSOPHY

RUN SECURITY TOOLS IN A REPEATABLE, EASY TO READ WAY

GAUNTLT DOES NOT INSTALL TOOLS

GAUNTLT SHIPS WITH PRECANNED ATTACKS AND STEPS

BE PART OF THE CI/CD PIPELINE

HANDLE STDIN, STDOUT, AND EXIT STATUS

GAUNTLT IN USE

AT A GAME DEV SHOP

• Check for XSS (cross site scripting) [Arachni]
• Check for new login pages [Garmr]
• Check for insecure refs in login flows [Garmr]
• Extended XSS testing [Custom Arachni] (PR coming soon)

MENTOR GRAPHICS
• Smoke Test integration on environment build
• Checks REST services [curl]
• Tests for XSS [arachni]
• Injection attacks [sqlmap, dirb]
• Misconfiguration [dirb]
• SSL checks [sslyze]
AT CABFORWARD

• Ruby Dev Shop
• Integrated into CI for customers
• GITHUB -> TravisCI -> Unit Tests / Integration Tests / Gauntlt

GITHUB.COM/GAUNTLT/GAUNTLT

$ gem install gauntlt

Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
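The attack above run end to end, as an added example that is not Gauntlt's own code (Gauntlt itself is a Cucumber step library): a minimal Ruby runner for just the syntax these slides show (profile table, "When I launch ... attack with:" docstring, "Then the output should [not] contain:"), with the tool run through Open3 so stdout, stderr and exit status are all captured and a CI-style exit code comes out. The nmap transcript it checks is constructed so the example runs offline; the Given "nmap" is installed step is parsed but not verified.

```ruby
# Added example, not Gauntlt's own code: a minimal runner for the .attack subset
# shown on the slides (profile table, "When I launch ... attack with:" docstring,
# "Then the output should [not] contain:"). Commands run through Open3 so stdout,
# stderr and exit status are all captured, and a CI-style exit code is returned.
require 'open3'

Scenario = Struct.new(:name, :command, :checks) # checks: [[negate, needle], ...]

# One When/Then step followed by its """ docstring; group 2 is "not " or nil.
STEP = /^\s*(When I launch (?:a|an) "[^"]+" attack with|(?:Then|And) the output should (not )?contain):\s*"""\s*(.*?)\s*"""/m

# Parse .attack text into { profile: {...}, scenarios: [...] }; a Given "tool"
# is installed step is accepted here but not verified.
def parse_attack(text)
  profile = text.scan(/^\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*$/).to_h
  profile.delete('name') # the | name | value | header row
  scenarios = text.split(/^\s*Scenario: /).drop(1).map do |chunk|
    name, body = chunk.split("\n", 2)
    whens, thens = body.to_s.scan(STEP).partition { |step, _, _| step.start_with?('When') }
    Scenario.new(name.strip, whens.dig(0, 2), thens.map { |_, neg, val| [!neg.nil?, val] })
  end
  { profile: profile, scenarios: scenarios }
end

# Fill <hostname>-style placeholders from the profile table.
def apply_profile(command, profile)
  command.gsub(/<(\w+)>/) do
    key = Regexp.last_match(1)
    profile.fetch(key) { raise ArgumentError, "no profile value for <#{key}>" }
  end
end

# Evaluate the Then clauses against captured output: [[needle, ok], ...].
def check_output(output, checks)
  checks.map { |negate, needle| [needle, output.include?(needle) ^ negate] }
end

# Real runner: stderr is folded into the text the checks see; status is kept.
def run_command(cmd)
  out, err, status = Open3.capture3(cmd)
  [out + err, status.exitstatus]
end

# Run every scenario. `runner` is injectable so the demo and tests can use a
# canned transcript instead of a live scan; exit_code is the CI contract.
def run_attack(text, runner: method(:run_command))
  attack = parse_attack(text)
  results = attack[:scenarios].map do |scen|
    cmd = apply_profile(scen.command, attack[:profile])
    out, status = runner.call(cmd)
    checks = check_output(out, scen.checks)
    { name: scen.name, command: cmd, tool_exit_status: status,
      passed: checks.all? { |_, ok| ok }, checks: checks }
  end
  { results: results, exit_code: results.all? { |r| r[:passed] } ? 0 : 1 }
end

# The slides' nmap attack, as written there.
NMAP_ATTACK = <<~ATTACK
  Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |
  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """
  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
ATTACK

# Constructed stand-in for nmap's output so the example runs offline.
FAKE_NMAP = "Nmap scan report for example.com\nPORT STATE SERVICE\n" \
            "80/tcp open http\n443/tcp open https\n"
FAKE_RUNNER = ->(_cmd) { [FAKE_NMAP, 0] }

if __FILE__ == $PROGRAM_NAME
  report = run_attack(NMAP_ATTACK, runner: FAKE_RUNNER)
  report[:results].each { |r| puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:name]} (#{r[:command]})" }
  puts "exit code: #{report[:exit_code]}"
end
```

With a real scan, `runner:` is left at its default and the exit code is what the CI job should return.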

HANDS ON

EVERYTHING YOU NEED…

http://bit.ly/gauntlt-demo-instructions

OPTION 1

OPTION 1 - CONTINUED

OPTION 2

$ vagrant ssh

vagrant@precise32:~$

$ cd gauntlt-demo

$ rvm use 1.9.3

04_Hello World with Gauntlt.md
$ cd ./examples
$ gauntlt ./hello_world/hello_world.attack

$ gauntlt --steps

/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/
bundle exec gauntlt --format html > out.html

• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt
BETA INVITE TO UDEMY CLASS?
EMAIL JAMES@GAUNTLT.ORG


Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop
