Bringing Harmony between Dev and Ops and Security Teams using Gauntlt at ISC2 Austin Event
  1. Bringing Harmony between Dev and Ops and Security Teams using Gauntlt
  2. Be Mean to your Code with Gauntlt
  3. @wickett: College Startup, Web Systems Engineer; Media Startup, Web Ops Lead; DevOps; CISSP (CISSP, sounds cool)
  4. a brief history of infosec
  5. 1337 tools
  6. the worms and viruses didn’t stop
  7. we faced skilled adversaries
  8. we couldn’t win
  9. Instead of Engineering, InfoSec became Actuaries
  10. “[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work”
  11. there were other movements
  12. devs became cool
  13. devs became cool agile
  14. the biz sells time now
  15. dev and ops now play nice
  16. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  17. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  18. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  19. infosec hasn’t kept pace
  20. Your punch is soft, just like your heart
  21. “Is this Secure?” - Your Customer
  22. “It’s Certified” - You
  23. 6 R’s of Rugged DevOps
  24. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  25. how does one join rugged devops?
  26. enter gauntlt
  27. gauntlt is like this
  28. [diagram] sqlmap, sslyze, dirb, curl, generic, nmap / your app / gauntlt / exit status: 0
  29. gauntlt credits: Creators: Mani Tadayon, James Wickett; Community Wrangler: Jeremiah Shirk; Friends: Jason Chan (Netflix), Neil Matatall (Twitter)
  30. security tools are confusing
  31. mapping, discovery, exploitation
  32. fuzz, find, inject
  33. security tests on every change
  34. wisdom from a video game
  35. always listen to Doc
  36. Find the weakness of your enemy
  37. Codify your knowledge (cheat sheets)
  38. sometimes, you face the same enemies again
  39. gauntlt is collaboration
  40. Gauntlt helps dev and ops and security to communicate
  41. gauntlt harmonizes our languages
  42. Behavior Driven Development: “BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.” Dan North, 2009
  43. we have to start somewhere
  44. install gauntlt:
      $ gem install gauntlt
  45. gauntlt design: Simple; Extensible; UNIX™: stdin, stdout, exit status; Minimum features yield maximum utility
  46. $ gauntlt --list
      Defined attacks:
      curl
      dirb
      garmr
      generic
      nmap
      sqlmap
      sslyze
  47. Attack File: Plain Text File, Gherkin syntax: Given / When / Then
  48. Attack file example (the slide annotates the Given / When / Then / When / Then keywords):
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """
        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
  49. running gauntlt with failing tests:
      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
  50. running gauntlt with passing tests:
      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s
  51. $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/
  52. $ gauntlt --steps (the steps a sqlmap attack file uses)
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
  53. The same nmap attack file as slide 48, annotated: the Background lines are the setup steps (verify toolset, config).
  54. The same nmap attack file, annotated: the When step is the attack, and <hostname> gets its value from the profile (get config).
  55. The same nmap attack file, annotated: the Then step is the assert; the quoted string is the needle, the tool output is the haystack.
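To make the setup / attack / assert structure of slides 53 to 55 concrete, here is an added Ruby sketch of a minimal gauntlt-style runner; it is not gauntlt's own code. It assumes a profile table of "| name | value |" rows, <name> placeholders in the command, and a needle/haystack check that decides the exit status; the attack tool is a constructed printf stand-in so the example runs offline.

```ruby
require 'open3'
# Parse the "| name | value |" profile table into a hash (the "config" step).
def parse_profile(rows)
  rows.each_with_object({}) do |row, profile|
    cells = row.split('|').map(&:strip).reject(&:empty?)
    next if cells.length != 2 || cells == %w[name value]
    profile[cells[0]] = cells[1]
  end
end

# Fill <name> placeholders from the profile (the "get config" step).
def expand(command, profile)
  command.gsub(/<(\w+)>/) do
    name = Regexp.last_match(1)
    profile.fetch(name) { raise KeyError, "no profile value for <#{name}>" }
  end
end

# Launch the attack tool and keep its combined stdout/stderr: the haystack.
def launch(command)
  output, status = Open3.capture2e(command)
  [output, status.exitstatus]
end

# The assert step: the needle must (or must not) appear in the haystack.
def assert_output(haystack, needle, should_contain: true)
  haystack.include?(needle) == should_contain
end

# Run one scenario (expectations map needle => should_contain); returns [passed?, output].
def run_scenario(profile_rows, command, expectations)
  profile = parse_profile(profile_rows)
  output, _tool_status = launch(expand(command, profile))
  passed = expectations.all? do |needle, contain|
    assert_output(output, needle, should_contain: contain)
  end
  [passed, output]
end

# What the CI pipeline sees: 0 on pass, 1 on fail.
def exit_status(passed)
  passed ? 0 : 1
end

# Constructed stand-in for nmap: printf emits what `nmap -F example.com` might print.
profile = ['| name | value |', '| hostname | example.com |']
fake_nmap = "printf 'Nmap scan report for <hostname>\\n80/tcp open http\\n'"
passed, = run_scenario(profile, fake_nmap, { '80/tcp open http' => true, '25/tcp' => false })
puts "scenario #{passed ? 'passed' : 'failed'}, exit status #{exit_status(passed)}"
```

Swap the printf line for the real `nmap -F <hostname>` to reproduce slide 48; the second expectation is the "should not contain" check for 25/tcp.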
  56. Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  57. Netflix Use Case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
  58. Check your ssl certs
  59. cookie tampering
  60. curl hacking
  61. Look for common apache misconfigurations
  62. dirb attack file (tagged @slow):
      @slow
      Feature: Run dirb scan on a URL
        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """
      The vulns/apache.txt wordlist shown alongside: .htaccess, .htpasswd, .meta, .web, access_log, cgi, cgi-bin, cgi-pub, cgi-script, dummy, error, error_log, htdocs, httpd, httpd.pid, icons, server-info, server-status, logs, manual, printenv, test-cgi, tmp, ~bin, ~ftp, ~nobody, ~root
  63. I have my weakness. But I won’t tell you! Ha Ha Ha!
  64. Test for SQL Injection
  65. sqlmap attack file (tagged @slow @announce):
      @slow @announce
      Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                    |
            | target_url | http://example.com?x=1   |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """
  66. my_first.attack: See ‘GET STARTED’ on the project repo. Start here > https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  67. Starter Kit on GitHub. The starter kit is on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from: www.gauntlt.org/
  68. @gauntlt future plans
  69. Next Features: More output parsers; More attack adapters; JRuby & Java Support; Front end UI / web reports
  70. Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  71. Contribute to gauntlt: See ‘FOR DEVELOPERS’ in the README. Get started in 7 steps.
  72. If you get stuck: Check the README; IRC Channel: #gauntlt on freenode; @gauntlt on twitter; Mailing List (https://groups.google.com/forum/#!forum/gauntlt); Office hours with weekly google hangout
  73. get started with gauntlt: github/gauntlt, gauntlt.org, videos, tutorials, google group, @gauntlt, IRC #gauntlt (we help! start here, cool vids!)
  74. @wickett, james@gauntlt.org. Be Mean to Your Code!
  75. @wickett, james@gauntlt.org, slides: bit.ly/gauntlt-isc2