Gauntlt Rugged By Example

Talk given at AppSec USA 2012. See the video here > https://vimeo.com/54250714



  1. GAUNTLT: RUGGED BY EXAMPLE. James Wickett, Mani Tadayon, Jeremiah Shirk. SG: Jason Chan
  2. WE WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
  3. James Wickett, CISSP, GWAPT, CCSK, GSEC, GCFW. @wickett @RuggedDevOps @gauntlt
  4. A BRIEF HISTORY OF INFORMATION SECURITY
  5. WE USED TO BE COOL
  6. WE HAD CINEMA
  7. WE HAD HEROES
  8. WE MADE FREE PHONE CALLS
  9. WE WERE COOL
  10. WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
  11. WE COULDN'T STOP THE VIRUSES AND WORMS
  12. INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
  13. WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
  14. "[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK" - MICHAL ZALEWSKI
  15. SOMETHING ELSE HAPPENED GLOBALLY
  16. DEVS BECAME COOL
  17. ENTER DEVOPS
  18. CODE BECAME SOCIAL
  19. "I DON'T WANT YOU TO SEND ME AN INSTALLATION DVD"
  20. WE SELL TIME NOW
  21. WE SELL SOCIAL AND FRIENDSHIPS
  22. "IS THIS SECURE?" - YOUR CUSTOMER
  23. "IT'S CERTIFIED" - YOU
  24. WHY CAN'T YOU GIVE A BETTER ANSWER?
  25. THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
  26. 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
  27. • LEARNING FROM (PREFERABLY OTHER PEOPLE'S) MISTAKES
      • DEVELOPING TOOLS TO CORRECT PROBLEMS
      • PLANNING TO HAVE EVERYTHING COMPROMISED
  28. ENTER RUGGED
  29. Current Software
  30. Rugged Software
  31. ADVERSITY REQUIRES RUGGED SOLUTIONS
  32. ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
  33. RUGGEDIZATION THEORY: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
  34. NO PAIN, NO GAIN
  35. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
  36. RUGGED BY DESIGN, DEVOPS BY CULTURE
  37. RUGGED DEVOPS
  38. • REPEATABLE – NO MANUAL STEPS, CI
      • RELIABLE – NO DOS HERE
      • REVIEWABLE – AKA AUDIT, INFRA AS CODE
      • RAPID – FAST TO BUILD, DEPLOY, RESTORE
      • RESILIENT – AUTOMATED RECONFIGURATION
      • REDUCED – LIMITED ATTACK SURFACE
  39. ENTER GAUNTLT
  40. Put your code through the GAUNTLT
  41. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  42. (diagram) custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap; Your web app; You
  43. gauntlt is built for doing security testing in a DevOps world
  44. GAUNTLT IS
  45. AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
  46. WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
  47. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  48. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  49. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  50. GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
  51. https://github.com/thegauntlet/gauntlt
  52. $ gem install gauntlt
      # download attacks
      $ gauntlt
  53. install gauntlt
      $ gem install gauntlt
      # download example attacks from github
      # customize the example attacks
      # now you can run gauntlt
      $ gauntlt
      Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
  54. LET'S LOOK INSIDE A COUPLE OF THESE FILES
  55. GAUNTLT ATTACKS
  56. nmap.attack:
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"

        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
  57. running gauntlt with failing tests
      wickett$ gauntlt
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"

        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F www-stage.cloudsourcery.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
  58. running gauntlt with passing tests
      wickett$ gauntlt
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"

        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F www-stage.cloudsourcery.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 passed)
      5 steps (5 passed)
      0m18.341s
  59. gauntlt: Netflix Use Case
  60. Problem Statement
      • Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
      • AWS' Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
      • Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
  61. How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?
  62. Solution: Use gauntlt to organize and perform ELB testing
  63. gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?
  64. Process
      1. Launch gauntlt test runner instance, loaded with "master list" of ELBs and expected state
      2. Determine "target list" of current ELBs to evaluate
      3. Generate per-ELB listener gauntlt attack files
      4. Execute attacks
      5. Alert on failures and new ELBs
      6. Triage findings and update ELB master list
  65. gauntlt Attack Template
      • Uses gauntlt curl feature
      • Sub in protocol, port, hostname, and response code from ELB master and target list
  66. GAUNTLT: A VERY SHORT INTRODUCTION
  67. ABOUT MANI
      • Mani Tadayon
      • Senior Software Engineer, ZestFinance
      • Lots of experience in web development, ruby and test automation
      • Learning Clojure
  68. CONWAY'S LAW: "Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure." - Melvin E. Conway, 1968
  69. BEHAVIOR-DRIVEN DEVELOPMENT: "BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." - Dan North, 2009
  70. CUCUMBER
  71. ATTACK FILE
      • Plain text file
      • Gherkin syntax: Given, When, Then
  72. Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the target URL is "http://localhost?id=1"
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url>
            """
          Then the output should contain:
            """
            sqlmap identified the following injection points
            """
  73. The same attack file, annotated: the Given step verifies the tool is installed, and the And step is a setup step that sets config (the target URL).
  74. The same attack file, annotated: the When block is the attack itself; <sqlmap_path> is filled from the environment and <target_url> from the config (a URL carrying a GET param).
  75. The same attack file, annotated: the Then step is the assert; the tool's output is the haystack and the expected string "sqlmap identified the following injection points" is the needle.
  76. ATTACK ADAPTER
      • Step definition for attack file
      • Support code in ruby or java
      • Support shell script
  77. step definition (ruby):
      Given /^"sqlmap" is installed$/ do
        ensure_python_script_installed("sqlmap")
      end

      When /^I launch an? "sqlmap" attack with:$/ do |command|
        sqlmap_path = path_to_python_script("sqlmap")
        # fill the placeholders from the attack file with real values
        command.gsub!("<target_url>", target_url)
        command.gsub!("<sqlmap_path>", sqlmap_path)
        run command
      end
  78. The same step definitions, with `run command` highlighted as the execute step: the substituted command line is what actually gets run.
  79. GAUNTLT DESIGN
      • Simple
      • Extensible
      • UNIX™: stdin, stdout, exit status
      • Minimum features yield maximum utility
  80. UPCOMING FEATURES
      • More output parsers
      • More attack adapters
      • More goats
      • Better support for JRuby & Java
      • Anything you want: https://github.com/thegauntlet/gauntlt/issues
  81. Gauntlt: Using the Gauntlt Starter Kit
  82. About me
      • Jeremiah Shirk
      • Application & Infrastructure Manager, Kansas State University
      • 18 years doing unix admin, security, and some open source contributions
      • Keeper of tiny flocks
  83. KSU 55 - WVU 14
  84. Gauntlt Starter Kit
  85. Dependencies: VirtualBox, Vagrant
  86. Download
      • https://www.virtualbox.org/
      • http://vagrantup.com/
  87. Starter Kit on GitHub
      • The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
      • Or, download a copy from: www.gauntlt.org/...
  88. Base box
      $ vagrant box add precise32 http://files.vagrantup.com/precise32.box
      [vagrant] Downloading with Vagrant::Downloaders::HTTP...
      [vagrant] Downloading box: http://files.vagrantup.com/precise32.box
      [vagrant] Extracting box...
      [vagrant] Verifying box...
      [vagrant] Cleaning up downloaded box...
      $
  89. Start the VM
      $ cd gauntlt-starter-kit/vagrant/gauntlt
      $ vagrant up
      [default] Importing base box precise32...
      [default] Matching MAC address for NAT networking...
      [default] Clearing any previously set forwarded ports...
      [default] Forwarding ports...
      [default] -- 22 => 2222 (adapter 1)
      [default] Creating shared folders metadata...
      [default] Clearing any previously set network interfaces...
      [default] Booting VM...
      [default] Waiting for VM to boot. This can take a few minutes.
      ...
  90. Vagrantfile
      Vagrant::Config.run do |config|
        config.ssh.private_key_path = "~/.ssh/id_rsa"
        config.vm.box = "precise32"
        config.vm.box_url = "http://files.vagrantup.com/precise32.box"
        # config.vm.network :hostonly, "33.33.33.10"
        # config.vm.network :bridged
        # config.vm.forward_port 80, 8080
        # config.vm.share_folder "v-data", "/vagrant_data", "../data"
        config.vm.provision :chef_solo do |chef|
          chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
          chef.add_recipe "vagrant_main"
        end
      end
  91. SSH to the VM
      $ vagrant ssh
  92. Secure SSH Keys
      $ vagrant ssh-config | grep Port
        Port 2222
      $ scp -i ~/.vagrant.d/insecure_private_key -P 2222 ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
  93. vagrant@precise32:~$ gauntlt attacks/nmap
      Feature: simple nmap attack (sanity check)
        Background:
          Given "nmap" is installed
          And the target hostname is "google.com"

        Scenario: Verify server is available on standard web ports
          When I launch an "nmap" attack with:
            """
            nmap -p 80,443 google.com
            """
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m0.112s
      vagrant@precise32:~$
  94. vagrant@precise32:~$ gauntlt attacks/sslyze
      Feature: Run sslyze against a target

        Background:                                   # attacks/sslyze:3
          Given "sslyze" is installed                 # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
          And the target hostname is "google.com"     # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

        Scenario: Ensure no anonymous certificates    # attacks/sslyze:7
          When I launch an "sslyze" attack with:      # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
            """
            python /home/vagrant/sslyze/sslyze.py google.com:443
            """
          Then the output should not contain:         # aruba-0.5.0/lib/aruba/cucumber.rb:111
            """
            Anon
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m0.736s
      vagrant@precise32:~$
  95. Try it yourself: http://gauntlt.org/
  96. Office hours: Hotel bar, Tonight, 10 p.m.
  97. Questions?
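The attack-file mechanism from slides 72 to 79 (Given/And steps set config, the When block's <placeholders> are substituted as in the adapter's gsub! calls, and the Then step is a haystack/needle assert on the tool's output), as an added miniature in Ruby that is not gauntlt's own code. The attack text and the nmap output below are constructed for the example; no tool is run.

```ruby
# Added example, not gauntlt's own code: a miniature of the attack-file mechanism the
# slides describe, run against a constructed nmap output string instead of a real scan.
NMAP_ATTACK = <<~GHERKIN
  Scenario: Verify only the expected ports are open
    Given the target hostname is "www.example.com"
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      443/tcp open https
      """
    Then the output should not contain:
      """
      25/tcp
      """
GHERKIN
SAMPLE_OUTPUT = "PORT    STATE SERVICE\n80/tcp open http\n443/tcp open https\n" # constructed
# Returns { config: {name => value}, command: template, checks: [[kind, needle], ...] }.
def parse_attack(text)
  attack = { config: {}, command: nil, checks: [] }
  mode = nil # which doc-string the next content line belongs to
  text.each_line do |raw|
    line = raw.strip
    case line
    when /^(?:Given|And) the target (\w+) (?:is|are) "([^"]*)"$/ then attack[:config][$1] = $2
    when /^When I launch an? "[^"]+" attack with:$/ then mode = :command
    when /^Then the output should contain:$/ then mode = :contain
    when /^Then the output should not contain:$/ then mode = :not_contain
    when /^(?:Feature|Background|Scenario):/ then mode = nil
    when '"""', '' then next # doc-string fences and blank lines carry no content
    else
      attack[:command] = line if mode == :command
      attack[:checks] << [mode, line] if %i[contain not_contain].include?(mode)
    end
  end
  attack
end
# Fill <name> placeholders from the Given/And config, as the adapter's gsub! calls do.
def render_command(template, config)
  template.gsub(/<(\w+)>/) { config.fetch($1) { |k| raise "no config for <#{k}>" } }
end
# Apply the Then checks to captured output, gauntlt-style: exit status 0 only if all pass.
def run_attack(text, output)
  attack = parse_attack(text)
  verdicts = attack[:checks].map { |kind, needle| output.include?(needle) == (kind == :contain) }
  { command: render_command(attack[:command], attack[:config]),
    passed: verdicts.count(true), failed: verdicts.count(false), exit_status: verdicts.all? ? 0 : 1 }
end
```

Feeding a different output string to run_attack shows the "should not contain" check failing and the exit status turning non-zero, which is what a CI job keys on.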
