Be Mean to your Code with Gauntlt #txlf 2013


Talk presented at Texas Linux Fest 2013 (#txlf) in Austin, TX.


  1. Be Mean to Your Code with Gauntlt. @gauntlt, gauntlt.org
  2. @wickett: College Startup, Web Systems Engineer, Media Startup, Web Ops Lead, DevOps
  3. the devops life is great
  4. I want you to join the devops movement
  5. I want you to join the gauntlt project
  6. how do you join?
  7. great question, but first
  8. a brief history of infosec
  9. 1337 tools
  10. the worms and viruses didn't stop
  11. we faced skilled adversaries
  12. we couldn't win
  13. Instead of Engineering, InfoSec became Actuaries
  14. "[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
  15. there were other movements
  16. devs became cool
  17. devs became cool: agile
  18. the biz sells time now
  19. dev and ops now play nice
  20. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  21. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  22. infosec hasn't kept pace
  23. Your punch is soft, just like your heart
  24. "Is this Secure?" - Your Customer
  25. "It's Certified" - You
  26. there's a better way
  27. 6 R's of Rugged DevOps
  28. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  29. how does one join rugged devops?
  30. enter gauntlt
  31. gauntlt credits. Creators: Mani Tadayon, James Wickett. Community Wrangler: Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter)
  32. security tools are confusing
  33. mapping, discovery, exploitation
  34. security tests on every change
  35. wisdom from a video game
  36. always listen to Doc
  37. Find the weakness of your enemy
  38. Codify your knowledge (cheat sheets)
  39. sometimes, you face the same enemies again
  40. gauntlt is like this
  41. fuzz, find, inject
  42. Diagram: sqlmap, sslyze, dirb, curl, generic and nmap run against your app; gauntlt wraps them and reports exit status: 0
  43. Gauntlt helps dev and ops and security to communicate
  44. gauntlt harmonizes our languages
  45. Conway's Law: "Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure." Melvin E. Conway, 1968
  46. Behavior Driven Development: "BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." Dan North, 2009
  47. we have to start somewhere
  48. install gauntlt: `$ gem install gauntlt`
  49. gauntlt design: Simple. Extensible. UNIX™: stdin, stdout, exit status. Minimum features yield maximum utility.
  50. `$ gauntlt --list` prints "Defined attacks:" followed by curl, dirb, garmr, generic, nmap, sqlmap, sslyze
  51. Attack File: a plain text file in Gherkin syntax: Given, When, Then
  52. An attack file (the callouts on the slide label the Given, When and Then steps):

      ```gherkin
      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
      ```
  53. running gauntlt with failing tests:

      ```text
      $ gauntlt
      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
      ```
  54. running gauntlt with passing tests:

      ```text
      $ gauntlt
      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s
      ```
  55. Listing the step definitions gauntlt knows about:

      ```text
      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/
      ```
  56. The same listing, highlighting the steps a sqlmap attack file needs:

      ```text
      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      ```
  57. The nmap attack file again, annotated the way the three slides walk through it: the Background is the setup (verify the toolset, set the config), the When is the attack (it reads the config), and the Then is the assert (a needle searched for in the output haystack):

      ```gherkin
      Feature: nmap attacks for example.com

        # setup steps: verify toolset, set config
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          # attack: get config (<hostname> comes from the profile)
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          # assert: needle (the expected string) in haystack (the tool output)
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
      ```
  58. Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  59. Netflix Use Case: "Real World Cloud Application Security", Jason Chan, https://vimeo.com/54157394
  60. Check your ssl certs
  61. cookie tampering
  62. curl hacking
  63. Look for common apache misconfigurations
  64. A dirb attack file, run with the wordlist shown below it:

      ```gherkin
      @slow
      Feature: Run dirb scan on a URL

        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """
      ```

      Entries of vulns/apache.txt shown on the slide: .htaccess, .htpasswd, .meta, .web, access_log, cgi, cgi-bin, cgi-pub, cgi-script, dummy, error, error_log, htdocs, httpd, httpd.pid, icons, server-info, server-status, logs, manual, printenv, test-cgi, tmp, ~bin, ~ftp, ~nobody, ~root
  65. I have my weakness. But I won't tell you! Ha Ha Ha!
  66. Test for SQL Injection
  67. A sqlmap attack file (the slide shows only the Given and When steps):

      ```gherkin
      @slow @announce
      Feature: Run sqlmap against a target

        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                  |
            | target_url | http://example.com?x=1 |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """
      ```
  68. my_first.attack: See "GET STARTED" on the project repo. Start here: https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  69. Starter Kit on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from www.gauntlt.org/
  70. Contribute to gauntlt: See "FOR DEVELOPERS" in the README. Get started in 7 steps.
  71. If you get stuck: Check the README. IRC Channel: #gauntlt on freenode. @gauntlt on twitter. Mailing List: https://groups.google.com/forum/#!forum/gauntlt. Office hours with weekly google hangout.
  72. @gauntlt future plans
  73. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  74. Next Features: More output parsers. More attack adapters. JRuby & Java Support. Front end UI / web reports.
  75. Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  76. get started with gauntlt: github/gauntlt, gauntlt.org, videos, tutorials, @gauntlt, IRC #gauntlt. We help! Start here. Cool vids!
  77. @wickett, james@gauntlt.org. Be Mean to Your Code!
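The attack-file slides split every check into setup (the profile table), attack (a command with `<placeholders>`) and assert (a needle in the output haystack), and gauntlt's design slide reduces the result to a UNIX exit status. The Ruby below is an added example that mirrors that flow in about forty lines; it is not Gauntlt's own code, and the `printf` command standing in for nmap is a constructed sample so it runs offline against no target.

```ruby
# Added example (not Gauntlt's own code): a minimal attack runner that
# mirrors the three parts the slides annotate in an attack file:
#   setup  - the profile table of name/value pairs,
#   attack - a command with <placeholders> filled from the profile,
#   assert - needles that must (or must not) appear in the output haystack,
# and that maps the result to a UNIX exit status (0 = all assertions held).
require "open3"

# Parse a Gherkin-style "| name | value |" table into a Hash, skipping the header.
def parse_profile(table_lines)
  table_lines.map { |l| l.split("|").map(&:strip).reject(&:empty?) }
             .reject { |cells| cells.length != 2 || cells == %w[name value] }
             .to_h
end

# Substitute <key> placeholders; an unknown key is a configuration error,
# so fail loudly instead of launching a half-formed command.
def fill_placeholders(command, profile)
  command.gsub(/<(\w+)>/) do
    key = Regexp.last_match(1)
    profile.fetch(key) { raise KeyError, "no profile value for <#{key}>" }
  end
end

# Run one attack. Returns [exit_status, failures]: 0 with an empty list when
# every expected needle is present and no forbidden needle is, else 1.
def run_attack(command, profile, expect: [], forbid: [])
  haystack, _status = Open3.capture2e(fill_placeholders(command, profile))
  failures = []
  expect.each { |n| failures << "expected but missing: #{n}" unless haystack.include?(n) }
  forbid.each { |n| failures << "forbidden but present: #{n}" if haystack.include?(n) }
  [failures.empty? ? 0 : 1, failures]
end

# Constructed sample input: the profile from the nmap slides and a printf
# command standing in for nmap, so the example runs offline with no target.
SAMPLE_PROFILE = parse_profile(<<~TABLE.lines)
  | name     | value       |
  | hostname | example.com |
TABLE

FAKE_SCAN = "printf 'Nmap scan report for <hostname>\\n80/tcp open http\\n443/tcp open https\\n'"

# The two scenarios from the slides: expected port present, unexpected port absent.
def demo
  run_attack(FAKE_SCAN, SAMPLE_PROFILE,
             expect: ["80/tcp open http"], forbid: ["25/tcp"])
end

puts "exit status: #{demo.first}" if $PROGRAM_NAME == __FILE__
```

Swapping `FAKE_SCAN` for a real `nmap -F <hostname>` gives the same pass/fail semantics as the slide's attack file, with the exit status ready for a CI job to consume.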
