Attacking Pipelines--Security meets Continuous Delivery
Talk given at ISC2 Secure SDLC event in Austin, TX

The release velocity for our applications is increasing, often leaving security testing behind. In some cases the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but let's do one better: let's do security testing on every code change. Using automation tooling and DevOps practices, this talk will help you tune security testing to your release cadence and, more importantly, help you deliver more rugged software.

  1. Goal: Equip you with the Theory, Examples and Tooling so that you can begin Your rugged journey with an attacking pipeline you can lovingly call your very own
  2. James Wickett, james@gauntlt.org, Austin, TX. Gauntlt Core Team; DevOps Days Austin Organizer; Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
  3. Why does this matter?
  4. "I want to solve a problem so we can make awesome" - Business
  5. CIO say whut?
  6. …in 2 years with an expensive, bloated project that is so fragile that we can only make changes to it 4 times a year and only after the sacred upgrade rituals are performed
  7. CISO say whut?
  8. Biz say whut?
  9. Just Ship It!
  10. SPOILER ALERT!
  11. the business wins
  12. How did we get here?
  13. Software has Changed
  14. Software as a Service
  15. Software as Bricolage
  16. Bolt on Feature Approach
  17. Fragile Code as a Service
  18. Deploy Timelines Have Changed
  19. Dev and Ops have teamed up in this new world
  20. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  21. DevOps is 5 years old now
  22. The security organization is stuck in 1997 … mostly
  23. Why is that?
  24. Compliance Driven Culture: PCI, SOX, …
  25. Ratio Problem: Devs / Ops / Security = 100 / 10 / 1
  26. Security Tools are run out-of-band
  27. But, there is hope
  28. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  29. http://www.youtube.com/watch?v=jQblKuMuS0Y
  30. The Society of Rugged Developers! ruggeddev.org
  31. Rugged Journey: Quality, Transparency, Value Creation, Culture infusion
  32. #RuggedDevOps
  33. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  34. Pipelines!
  35. Continuous Integration
  36. commit -> test -> deploy
  37. github -> travis -> s3
  38. git -> jenkins -> rundeck
  39. you can now answer the question of what is deployed and how it was tested
  40. Simple is better
  41. Continuous Integration Options. On premise: Jenkins. Cloud hosted: Travis CI, Circle CI, CloudBees, Wercker, Shippable, Drone.io… Or a mix: DotCI
  42. Attacking Pipeline Guide
      - Check your app/service/thing into a github repo
      - Create some security tests
      - Setup Travis CI to talk to your repo
      - Create a .travis.yml file
      - Write code, write moar security tests…
  43. Try this at home
  44. github.com/gauntlt/gauntlt-demo - Fork This
  45. What is gauntlt-demo: contains vulnerable web apps written in python and ruby on rails; easy hooks for spinning up the apps; contains labs and examples for writing attacks; an attacking pipeline (Travis CI) to attack the web apps
  46. Installation
      $ git clone https://github.com/gauntlt/gauntlt-demo
      $ cd ./gauntlt-demo
      $ git submodule update --init --recursive
      $ bundle
  47. $ bundle exec start_services config/gruyere.rb
  48. http://localhost:8008/
  49. Attacking Pipeline Guide (same checklist as slide 42)
  50. Security Testing: Static Code Analysis, Dynamic Testing, Virus Scanning, Code Signing Checks, Business logic/flow testing
  51. convert thy pdf to tests!
  52. Wouldn't it be great if we could automate our security tests…
  53. http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg
  54. Security + Cucumber = Gauntlt
  55. Built on Cucumber
  56. Gauntlt Philosophy
      - Gauntlt comes with pre-canned steps that hook security testing tools
      - Gauntlt does not install tools
      - Gauntlt can be part of the CI/CD pipeline
      - Be a good citizen of exit status and stdout/stderr
      - MIT Open Source License
  57. Who uses Gauntlt?
  58. TLDR; Gauntlt automates security tools
  59. Attack Logic: GIVEN / WHEN / THEN
  60. Let's automate two attacks
  61. Garmr is Mozilla Security policy distilled for the rest of us
  62. Check for XSS
  63. Rake
      require 'gauntlt'

      task :gauntlt do
        sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
        begin
          sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
        ensure
          # sh raises when gauntlt exits non-zero; tear the app down anyway
          sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
        end
      end

      # `bundle exec rake` in .travis.yml runs the default task, so point it here
      task default: :gauntlt
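The attack logic of slides 59 to 63 (GIVEN the tool is installed, WHEN it is launched, THEN its output is checked) and the "good citizen of exit status and stdout/stderr" rule from slide 56, as an added example in plain Ruby. This is not gauntlt's own code and not the gauntlt-demo XSS attack: it is a small runner that does what a gauntlt curl attack file does for a reflected-XSS canary check, and it maps the result onto an exit status the pipeline can act on. The `/search?q=` path, the canary token and the constructed responses used to exercise it are assumptions, not Gruyere URLs or output.

```ruby
# Added example, not code from the gauntlt project: the GIVEN / WHEN / THEN
# attack logic from the slides as a small Ruby runner that is a good CI
# citizen: findings on stdout, diagnostics on stderr, and an exit status the
# pipeline can act on (0 pass, 1 finding, 2 tool problem).
require 'open3'
require 'cgi'

CANARY = 'gauntltXSS9f3b'.freeze # constructed marker; any unguessable token will do

class Attack
  Result = Struct.new(:stdout, :stderr, :exit_status)

  def initialize(tool, profile = {})
    @tool = tool
    @profile = profile
  end

  # GIVEN "<tool>" is installed: gauntlt does not install tools, so the
  # pipeline's before_script has to, and the attack fails fast if it did not.
  def installed?
    ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)
       .any? { |dir| File.executable?(File.join(dir, @tool)) }
  end

  # WHEN I launch a "<tool>" attack with: <command>; <name> placeholders are
  # filled from the profile, as in a gauntlt attack file.
  def launch(command)
    cmd = @profile.reduce(command) { |c, (name, value)| c.gsub("<#{name}>", value) }
    out, err, status = Open3.capture3(cmd)
    Result.new(out, err, status.exitstatus)
  end
end

# THEN the output should not contain the canary unescaped. An HTML-escaped
# echo (&lt;script&gt;) is what a safe page does; the raw tag is a finding.
def reflected_xss?(body)
  body.include?("<script>#{CANARY}</script>")
end

# Turn a run into [exit_status, message]. A tool failure is reported as 2 so
# the build goes red for the right reason instead of silently "passing".
def verdict(result)
  return [2, "tool failed: #{result.stderr.strip}"] unless result.exit_status.zero?
  return [1, "reflected XSS: #{CANARY} came back unescaped"] if reflected_xss?(result.stdout)
  [0, 'no reflected XSS']
end

# Fire the check at a target with curl. The query path is an assumed search
# endpoint for illustration, not a known Gruyere URL.
def check_xss(hostname, path: '/search?q=', tool: 'curl')
  attack = Attack.new(tool, 'hostname' => hostname)
  unless attack.installed?
    warn "#{tool} is not installed"
    return 2
  end
  payload = CGI.escape("<script>#{CANARY}</script>")
  result = attack.launch(%(#{tool} -s "<hostname>#{path}#{payload}"))
  status, message = verdict(result)
  status == 2 ? warn(message) : puts(message)
  status
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    warn "usage: ruby #{File.basename(__FILE__)} http://localhost:8008"
  else
    exit check_xss(ARGV.first)
  end
end
```

Run it as `ruby xss_check.rb http://localhost:8008` once `start_services` has Gruyere up; the exit status is what `sh` in the Rakefile, and therefore Travis, reacts to. Keeping tool failure (2) distinct from a finding (1) matters in a pipeline: a missing curl or a down target must not read as "no XSS".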
  64. Attacking Pipeline Guide (same checklist as slide 42)
  65. Let's set up the pipeline
  66. Setup Travis CI: go to travis-ci.org, login with github credentials; find the repo you cloned (might need to sync); flip the switch 'on'
  67. Attacking Pipeline Guide (same checklist as slide 42)
  68. .travis.yml
      language: ruby
      rvm:
        - 1.9.3
      before_install:
        - git submodule update --init --recursive
  69. .travis.yml
      before_script:
        # -y: apt-get aborts on a non-interactive build box if it has to prompt
        - sudo apt-get install -y nmap
        - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
        - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
        - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
  70. .travis.yml
      script: bundle exec rake
  71. .travis.yml
      notifications:
        irc:
          channels:
            - "chat.freenode.net#gauntlt"
          use_notice: true
  72. .travis.yml
      deploy:
        provider: s3
        # The values below are placeholders. access_key_id is a credential too;
        # since the repo is public, encrypt it with the travis CLI
        # (travis encrypt --add deploy.access_key_id) instead of committing it
        # in the clear, exactly as the secret key is encrypted here.
        access_key_id: ASDBDSABDASDBDSDASD
        secret_access_key:
          secure: "dasjdkla;sdjsakdsadasd"
        bucket: build-artifacts
  73. Sahweet!
  74. Attacking Pipeline Guide (same checklist as slide 42)
  75. https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations http://vimeo.com/75930344
  76. more on gauntlt
      - Google Group > https://groups.google.com/d/forum/gauntlt
      - Wiki > https://github.com/gauntlt/gauntlt/wiki
      - Twitter > @gauntlt
      - IRC > #gauntlt on freenode
      - Issue tracking > http://github.com/gauntlt/gauntlt
  77. https://vimeo.com/79797907
  78. 50% off Gauntlt Book: leanpub.com/hands-on-gauntlt/c/austin-sdlc. Caveat Emptor: Under development! Valid until June 15th
  79. Questions? twitter: @wickett, email: james@gauntlt.org