GAUNTLT:
RUGGED
BY EXAMPLE
JAMES WICKETT
MANI TADAYON
JEREMIAH SHIRK
SG: JASON CHAN
WE WANT YOU TO BE
SUCCESSFUL AND
MAKE A DIFFERENCE
James Wickett
CISSP, GWAPT,
CCSK, GSEC, GCFW
  @wickett
@RuggedDevOps
  @gauntlt
A BRIEF HISTORY OF
INFORMATION SECURITY
WE USED TO BE COOL
WE HAD
CINEMA
WE HAD
HEROES
WE MADE FREE
PHONE CALLS
WE WERE COOL
WE MADE IT INTO THE
ORGANIZATIONS
WE HAD PREVIOUSLY FOUGHT
WE COULDN’T STOP THE
VIRUSES AND WORMS
INSTEAD OF ENGINEERING
INFOSEC BECAME ACTUARIES
WE BECAME EXPERTS
IN BUYING INSURANCE POLICIES
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI
SOMETHING ELSE
HAPPENED GLOBALLY
DEVS BECAME COOL
ENTER DEVOPS
CODE BECAME SOCIAL
“I DON’T WANT YOU
TO SEND ME AN
INSTALLATION DVD”
WE SELL TIME NOW
WE SELL SOCIAL
AND FRIENDSHIPS
“IS THIS SECURE?”
-YOUR CUSTOMER
“IT’S CERTIFIED” - YOU
WHY CAN’T YOU
GIVE A BETTER ANSWER?
THE INEQUITABLE
DISTRIBUTION OF
LABOR IN SECURITY
MIMICS THAT IN DEV/OPS
2% OF AN ENGINEERING
DEV TEAM ARE WORKING
ON SECURITY
    - BSIMM 2012 data, http://bsimm.com/
- LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES
- DEVELOPING TOOLS TO CORRECT PROBLEMS
- PLANNING TO HAVE EVERYTHING COMPROMISED
ENTER RUGGED
Current Software
Rugged Software
ADVERSITY REQUIRES
RUGGED SOLUTIONS
ADVERSITY IS REAL OR
PERCEIVED NEGATIVE
ACTIONS AND EVENTS
THAT PROHIBIT NORMAL
FUNCTION AND OPERATION.
RUGGEDIZATION THEORY

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
NO PAIN, NO GAIN
"Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by CloudFlare team
RUGGED BY DESIGN,
DEVOPS BY CULTURE
RUGGED DEVOPS
REPEATABLE – NO MANUAL STEPS, CI
RELIABLE - NO DOS HERE
REVIEWABLE – AKA AUDIT, INFRA AS CODE
RAPID – FAST TO BUILD, DEPLOY, RESTORE
RESILIENT – AUTOMATED RECONFIGURATION
REDUCED - LIMITED ATTACK SURFACE
ENTER GAUNTLT
Put your code through
    the GAUNTLT
GAUNTLET, N.
AN ATTACK FROM
ALL SIDES
(diagram: attack tools surrounding your web app, driven by you)
custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap
Your web app / You
gauntlt is built for doing security
   testing in a DevOps world
GAUNTLT IS
AN ALWAYS-
ATTACKING
ENVIRONMENT FOR
DEVELOPERS
WITH ATTACKS
WRITTEN IN
EASY-TO-READ
LANGUAGE
ACCESSIBLE TO
EVERYONE INVOLVED
IN DEV, OPS,
TESTING, SECURITY, ...
WHY GAUNTLT?

SECURITY DOMAIN
KNOWLEDGE IS GENERALLY
A MYSTERY TO DEV TEAMS
GAUNTLT ALLOWS DEV AND
OPS AND SECURITY TO
COMMUNICATE
GAUNTLT JOINS
THE PHILOSOPHY OF
RUGGED SOFTWARE
& CONTINUOUS INTEGRATION
HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
install gauntlt

$ gem install gauntlt

# download example attacks from github
# customize the example attacks
# now you can run gauntlt

$ gauntlt

Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
LET’S LOOK INSIDE A
COUPLE OF THESE FILES
GAUNTLT ATTACKS
nmap.attack

@slow
Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """
  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
running gauntlt with failing tests
wickett$ gauntlt

@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"
  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
running gauntlt with passing tests
wickett$ gauntlt

@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"
  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s
gauntlt:
Netflix Use Case
Problem Statement
• Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
• AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
• Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
How do we ensure the
100s of clusters associated
 with ELBs are configured
and protected as intended?
Solution: Use gauntlt to
 organize and perform
      ELB testing
gauntlt test:
What response will an ELB provide
to an arbitrary Internet node, and is
            it expected?
Process
1. Launch gauntlt test runner instance, loaded with
   “master list” of ELBs and expected state
2. Determine “target list” of current ELBs to evaluate
3. Generate per-ELB listener gauntlt attack files
4. Execute attacks
5. Alert on failures and new ELBs
6. Triage findings and update ELB master list
gauntlt Attack Template
• Uses gauntlt curl feature
• Sub in protocol, port, hostname, and response code from ELB master and target list
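The six-step process above in working form, as an added example (not Netflix's tooling and not gauntlt's own code): a master list of ELB listeners with their expected response, a current target list, a generator that writes one curl attack file per known listener, and the alerts for listeners the master list has not declared. ELB names, hostnames, response codes and the attack-file step wording (modelled on the nmap and sqlmap attacks in this deck) are assumptions; confirm the curl step syntax against the gauntlt version you run.

```ruby
# Added example of steps 1 to 5 of the ELB process: compare a master list of ELB
# listeners with the current target list, emit one gauntlt curl attack per known
# listener, and flag anything the master list has not declared. All names,
# hostnames and codes below are constructed for illustration.
require 'tmpdir'

# Master list: what each listener is expected to return to an arbitrary Internet
# client. A public site answers 200; an ELB that is not meant for the Internet is
# expected to refuse (here an application-level 403).
MASTER = [
  { elb: 'web-prod',     protocol: 'https', port: 443,
    hostname: 'web-prod-1234.us-east-1.elb.amazonaws.com',     code: 200 },
  { elb: 'api-internal', protocol: 'http',  port: 8080,
    hostname: 'api-internal-5678.us-east-1.elb.amazonaws.com', code: 403 },
]

# Target list, as if just pulled from the AWS API: the known web ELB plus a
# listener nobody has declared yet.
TARGET = [
  { elb: 'web-prod',  protocol: 'https', port: 443,
    hostname: 'web-prod-1234.us-east-1.elb.amazonaws.com' },
  { elb: 'batch-new', protocol: 'http',  port: 80,
    hostname: 'batch-new-9012.us-east-1.elb.amazonaws.com' },
]

# Render one attack file. Step wording follows the nmap and sqlmap attacks in this
# deck (assumed to match the curl adapter). "curl -I" fetches only the status line
# and headers; "-k" skips certificate checks because the ELB DNS name will not match
# the site certificate and this test is about the status code, not the certificate.
def attack_file(l)
  <<~GHERKIN
    Feature: ELB listener check for #{l[:elb]}

    Scenario: #{l[:protocol]}://#{l[:hostname]}:#{l[:port]} answers an Internet client as expected
      Given "curl" is installed
      When I launch a "curl" attack with:
        """
        curl -sS -I -k --max-time 10 #{l[:protocol]}://#{l[:hostname]}:#{l[:port]}/
        """
      Then the output should contain:
        """
        HTTP/1.1 #{l[:code]}
        """
  GHERKIN
end

# Steps 2, 3 and 5: key both lists by (elb, port). Known listeners become attack
# files; listeners missing from the master list are alerts, because nobody has yet
# said what they may expose; master entries that no longer exist are reported so
# step 6 can retire them from the master list.
def plan(master, target)
  expected = master.map { |m| [[m[:elb], m[:port]], m] }.to_h
  current  = target.map { |t| [[t[:elb], t[:port]], t] }.to_h
  attacks = {}
  current.each do |key, listener|
    next unless expected.key?(key)
    attacks["#{key[0]}-#{key[1]}.attack"] = attack_file(expected[key].merge(listener))
  end
  {
    attacks: attacks,
    new_listeners: current.keys - expected.keys,
    retired: expected.keys - current.keys,
  }
end

# Step 4 prerequisite: write the generated files where `gauntlt <dir>` picks them up.
def write_attacks(dir, attacks)
  attacks.map do |name, body|
    path = File.join(dir, name)
    File.write(path, body)
    path
  end
end

if __FILE__ == $PROGRAM_NAME
  result = plan(MASTER, TARGET)
  dir = Dir.mktmpdir('elb-attacks')
  write_attacks(dir, result[:attacks]).each { |p| puts "wrote #{p}" }
  result[:new_listeners].each { |elb, port| puts "ALERT: undeclared listener #{elb}:#{port}" }
  result[:retired].each { |elb, port| puts "retire from master list: #{elb}:#{port}" }
end
```

The needle is the status line the master list expects, so an internal ELB that suddenly answers 200 to the open Internet fails its attack, and a listener with no master entry never gets an attack at all: it is raised as an alert until someone declares what it is allowed to return.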
GAUNTLT
A VERY SHORT INTRODUCTION
ABOUT MANI

• Mani Tadayon
• Senior Software Engineer, ZestFinance
• Lots of experience in web development,
  ruby and test automation
• Learning Clojure
CONWAY’S LAW

Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure.
- Melvin E. Conway, 1968
BEHAVIOR-DRIVEN
  DEVELOPMENT
BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
- Dan North, 2009
CUCUMBER
ATTACK FILE

• Plain text file
• Gherkin syntax:
 • Given
 • When
 • Then
Feature: Run sqlmap against a target

Scenario: Identify SQL injection vulnerabilities
  Given "sqlmap" is installed
  And the target URL is "http://localhost?id=1"
  When I launch a "sqlmap" attack with:
    """
    python <sqlmap_path> -u <target_url>
    """
  Then the output should contain:
    """
    sqlmap identified the following injection points
    """

The same file, annotated with what each step does (the callouts from the slides are shown as comments):

Feature: Run sqlmap against a target

Scenario: Identify SQL injection vulnerabilities
  # setup steps: verify the tool is present
  Given "sqlmap" is installed
  # setup steps: set config (the target)
  And the target URL is "http://localhost?id=1"
  # attack! <sqlmap_path> is an env param, <target_url> gets the config set above
  When I launch a "sqlmap" attack with:
    """
    python <sqlmap_path> -u <target_url>
    """
  # assert: the tool output is the haystack, the quoted text is the needle
  Then the output should contain:
    """
    sqlmap identified the following injection points
    """
ATTACK ADAPTER

• Step definition for attack file
• Support code in ruby or java
• Support shell script
step definition (ruby):

Given /^"sqlmap" is installed$/ do
  ensure_python_script_installed('sqlmap')
end

When /^I launch an? "sqlmap" attack with:$/ do |command|
  sqlmap_path = path_to_python_script("sqlmap")

  command.gsub!('<target_url>', target_url)
  command.gsub!('<sqlmap_path>', sqlmap_path)
  run command    # execute
end
GAUNTLT DESIGN

• Simple
• Extensible
• UNIX™ : stdin, stdout, exit status
• Minimum features yield maximum utility
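The attack file anatomy (setup, config, attack, haystack, needle) and the sqlmap step definition above, together with the design point that gauntlt talks UNIX (stdin, stdout, exit status), reduce to a small loop. Here it is as an added example, written for this page rather than taken from gauntlt: placeholder substitution the way the step definition does it with gsub!, running the command through the shell, needle matching against the captured output, and a non-zero exit code on any failure so CI treats a failed attack like a failed unit test. The `nmap` run is replaced by a constructed `printf` that prints a canned nmap-style report so the example runs offline; the MiniGauntlt module and its method names are this example's own.

```ruby
# Minimal stand-in for gauntlt's attack loop (added example, not gauntlt's code):
# fill <placeholders> in the command, run it through the shell, search the output
# (the haystack) for each needle, and map the result to a process exit status.
require 'open3'

module MiniGauntlt
  # Replace each <name> placeholder with its value, the same string substitution
  # the sqlmap step definition does with command.gsub!('<target_url>', ...).
  def self.substitute(command, vars)
    vars.reduce(command) { |cmd, (name, value)| cmd.gsub("<#{name}>", value.to_s) }
  end

  # Run the attack and return [stdout+stderr, exit status]. Output is captured
  # rather than streamed because the assertions need the whole haystack.
  def self.run(command)
    output, status = Open3.capture2e(command)
    [output, status.exitstatus]
  end

  # One scenario: a command template, its config, and "should contain" /
  # "should not contain" needles. Needles are literal substrings, so whitespace
  # must match the tool's real column layout (nmap pads "open" to a column).
  def self.run_scenario(name, template, vars, contains: [], not_contains: [])
    command = substitute(template, vars)
    haystack, exit_status = run(command)
    failures = []
    contains.each do |needle|
      failures << "output should contain #{needle.inspect}" unless haystack.include?(needle)
    end
    not_contains.each do |needle|
      failures << "output should not contain #{needle.inspect}" if haystack.include?(needle)
    end
    { name: name, command: command, tool_exit: exit_status,
      failures: failures, passed: failures.empty? }
  end

  # Whole-run exit code: non-zero as soon as one scenario fails, which is what
  # lets a CI job treat a failed attack exactly like a failed unit test.
  def self.exit_code(results)
    results.all? { |r| r[:passed] } ? 0 : 1
  end
end

# Constructed stand-in for "nmap -F <hostname>": prints a canned nmap-style report
# so the example runs offline with no scanner installed. A real adapter runs nmap.
FAKE_NMAP = "printf '%s\\n' 'Nmap scan report for <hostname>' 'PORT    STATE SERVICE' " +
            "'22/tcp  open  ssh' '80/tcp  open  http' '443/tcp open  https'"

# Three scenarios in the spirit of nmap.attack: expected ports open, no SMTP
# exposed, and one that fails on purpose (nothing listens on 8080) to show how a
# failure surfaces.
def demo_results
  vars = { hostname: 'www.example.com' }
  [
    MiniGauntlt.run_scenario('expected ports open', FAKE_NMAP, vars,
                             contains: ['80/tcp  open  http', '443/tcp open  https']),
    MiniGauntlt.run_scenario('no unexpected ports', FAKE_NMAP, vars,
                             not_contains: ['25/tcp']),
    MiniGauntlt.run_scenario('proxy port expected (will fail)', FAKE_NMAP, vars,
                             contains: ['8080/tcp open  http-proxy']),
  ]
end

if __FILE__ == $PROGRAM_NAME
  results = demo_results
  results.each do |r|
    puts "#{r[:passed] ? 'PASS' : 'FAIL'}  #{r[:name]}  #{r[:failures].join('; ')}"
  end
  puts "#{results.count { |r| r[:passed] }} of #{results.size} scenarios passed"
  puts "exit code: #{MiniGauntlt.exit_code(results)}"
end
```

The tool's own exit status is recorded but not used as the verdict: sqlmap and nmap exit 0 whether or not they found anything, which is exactly why gauntlt asserts on output rather than on the scanner's return code.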
UPCOMING
           FEATURES
• More output parsers
• More attack adapters
• More goats
• Better support for JRuby & Java
• Anything you want:
  https://github.com/thegauntlet/gauntlt/issues
Gauntlt
Using the Gauntlt Starter Kit
About me
• Jeremiah Shirk
• Application & Infrastructure Manager,
  Kansas State University
• 18 years doing unix admin, security, and
  some open source contributions
• Keeper of tiny flocks
KSU 55 - WVU 14
Gauntlt Starter Kit
Dependencies



VirtualBox   Vagrant
Download


• https://www.virtualbox.org/
• http://vagrantup.com/
Starter Kit on GitHub

• The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
• Or, download a copy from: www.gauntlt.org/...
Base box

$ vagrant box add precise32 http://files.vagrantup.com/precise32.box
[vagrant]   Downloading with Vagrant::Downloaders::HTTP...
[vagrant]   Downloading box: http://files.vagrantup.com/precise32.box
[vagrant]   Extracting box...
[vagrant]   Verifying box...
[vagrant]   Cleaning up downloaded box...
$
Start the VM

$ cd gauntlt-starter-kit/vagrant/gauntlt
$ vagrant up
[default] Importing base box 'precise32'...
[default] Matching MAC address for NAT networking...
[default] Clearing any previously set forwarded ports...
[default] Forwarding ports...
[default] -- 22 => 2222 (adapter 1)
[default] Creating shared folders metadata...
[default] Clearing any previously set network interfaces...
[default] Booting VM...
[default] Waiting for VM to boot. This can take a few minutes.
...
Vagrantfile
Vagrant::Config.run do |config|
 config.ssh.private_key_path = "~/.ssh/id_rsa"
 config.vm.box = "precise32"
 config.vm.box_url = "http://files.vagrantup.com/precise32.box"
 # config.vm.network :hostonly, "33.33.33.10"
 # config.vm.network :bridged
 # config.vm.forward_port 80, 8080
 # config.vm.share_folder "v-data", "/vagrant_data", "../data"
 config.vm.provision :chef_solo do |chef|
  chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
  chef.add_recipe "vagrant_main"
 end
end
SSH to the VM


$ vagrant ssh
Secure SSH Keys

The base box accepts the well-known Vagrant insecure key. Use it once to copy your own public key into the VM, overwriting authorized_keys so the insecure key no longer works; the private_key_path line in the Vagrantfile then makes vagrant ssh use your key.

$ vagrant ssh-config | grep Port
  Port 2222

$ scp -i ~/.vagrant.d/insecure_private_key -P 2222 ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
vagrant@precise32:~$ gauntlt attacks/nmap
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the target hostname is "google.com"

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 80,443 google.com
      """
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.112s
vagrant@precise32:~$
vagrant@precise32:~$ gauntlt attacks/sslyze
Feature: Run sslyze against a target

  Background:                                 # attacks/sslyze:3
    Given "sslyze" is installed               # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
    And the target hostname is "google.com"   # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

  Scenario: Ensure no anonymous certificates  # attacks/sslyze:7
    When I launch an "sslyze" attack with:    # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
      """
        python /home/vagrant/sslyze/sslyze.py google.com:443
      """
    Then the output should not contain:       # aruba-0.5.0/lib/aruba/cucumber.rb:111
      """
      Anon
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.736s
vagrant@precise32:~$
Try it yourself
http://gauntlt.org/
Office hours


     Hotel bar
  Tonight, 10 p.m.
Questions?

The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
The State of DevSecOps in 2018
The State of DevSecOps in 2018The State of DevSecOps in 2018
The State of DevSecOps in 2018James Wickett
 

More from James Wickett (20)

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
 
A Way to Think about DevSecOps: MEASURE
A Way to Think about DevSecOps: MEASUREA Way to Think about DevSecOps: MEASURE
A Way to Think about DevSecOps: MEASURE
 
The Security, DevOps, and Chaos Playbook to Change the World
The Security, DevOps, and Chaos Playbook to Change the WorldThe Security, DevOps, and Chaos Playbook to Change the World
The Security, DevOps, and Chaos Playbook to Change the World
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
A Tale of Woe, Chaos, and Business
A Tale of Woe, Chaos, and BusinessA Tale of Woe, Chaos, and Business
A Tale of Woe, Chaos, and Business
 
A DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and PeopleA DevSecOps Tale of Business, Engineering, and People
A DevSecOps Tale of Business, Engineering, and People
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsNewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
 
The New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOpsThe New Ways of Chaos, Security, and DevOps
The New Ways of Chaos, Security, and DevOps
 
DevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS LaneDevOpsDays Austin: Security in the FaaS Lane
DevOpsDays Austin: Security in the FaaS Lane
 
The Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOpThe Seven Habits of the Highly Effective DevSecOp
The Seven Habits of the Highly Effective DevSecOp
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS Lane
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real World
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The State of DevSecOps in 2018
The State of DevSecOps in 2018The State of DevSecOps in 2018
The State of DevSecOps in 2018
 

Recently uploaded

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Recently uploaded (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Gauntlt Rugged By Example

  • 43. REPEATABLE – NO MANUAL STEPS, CI
        RELIABLE – NO DOS HERE
        REVIEWABLE – AKA AUDIT, INFRA AS CODE
        RAPID – FAST TO BUILD, DEPLOY, RESTORE
        RESILIENT – AUTOMATED RECONFIGURATION
        REDUCED – LIMITED ATTACK SURFACE
  • 45. Put your code through the GAUNTLT
  • 46. GAUNTLET, N. AN ATTACK FROM ALL SIDES
  • 47. Diagram: you run custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af and nmap against your web app
  • 48. gauntlt is built for doing security testing in a DevOps world
  • 52. ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
  • 53. WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
  • 54. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
  • 55. GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
  • 58. $ gem install gauntlt
        # download attacks
        $ gauntlt
  • 59. install gauntlt
        $ gem install gauntlt
        # download example attacks from github
        # customize the example attacks
        # now you can run gauntlt
        $ gauntlt
        Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
  • 60. LET'S LOOK INSIDE A COUPLE OF THESE FILES
  • 62. nmap.attack
        @slow
        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the target hostname is "www.example.com"
            And the target tcp_ping_ports are "22,25,80,443"

          Scenario: Verify server is open on expected set of ports using the nmap fast flag
            When I launch an "nmap" attack with:
              """
              nmap -F <hostname>
              """
            Then the output should contain:
              """
              80/tcp open http
              """

          Scenario: Verify that there are no unexpected ports open
            When I launch an "nmap" attack with:
              """
              nmap -F <hostname>
              """
            Then the output should not contain:
              """
              25/tcp
              """
  • 63. running gauntlt with failing tests
        wickett$ gauntlt
        @slow
        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the target hostname is "www.example.com"
            And the target tcp_ping_ports are "22,25,80,443"

          Scenario: Verify server is open on expected set of ports using the nmap fast flag
            When I launch an "nmap" attack with:
              """
              nmap -F www-stage.cloudsourcery.com
              """
            Then the output should contain:
              """
              443/tcp open https
              """

        1 scenario (1 failed)
        5 steps (1 failed, 4 passed)
        0m18.341s
  • 64. running gauntlt with passing tests
        wickett$ gauntlt
        @slow
        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the target hostname is "www.example.com"
            And the target tcp_ping_ports are "22,25,80,443"

          Scenario: Verify server is open on expected set of ports using the nmap fast flag
            When I launch an "nmap" attack with:
              """
              nmap -F www-stage.cloudsourcery.com
              """
            Then the output should contain:
              """
              443/tcp open https
              """

        1 scenario (1 passed)
        5 steps (5 passed)
        0m18.341s
  • 66. Problem Statement
        • Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
        • AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
        • Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
  • 67. How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?
  • 68. Solution: Use gauntlt to organize and perform ELB testing
  • 69. gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?
  • 70. Process
        1. Launch gauntlt test runner instance, loaded with “master list” of ELBs and expected state
        2. Determine “target list” of current ELBs to evaluate
        3. Generate per-ELB listener gauntlt attack files
        4. Execute attacks
        5. Alert on failures and new ELBs
        6. Triage findings and update ELB master list
  • 71. gauntlt Attack Template
        • Uses gauntlt curl feature
        • Sub in protocol, port, hostname, and response code from ELB master and target list
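Steps 3 and 5 of the process above, as an added example that is not Netflix's or gauntlt's own code: a Ruby script that turns a constructed ELB master list into one attack file per listener, written in the attack-file syntax the slides use (curl adapter, "the output should contain / should not contain" steps), and that flags listeners present in the current target list but missing from the master list. The master-list fields, the file naming, the hostnames and the curl flags are this example's assumptions.

```ruby
require "erb"

# Constructed master list (not real infrastructure): one entry per ELB listener with
# the response an arbitrary Internet node is expected to get. :closed means the
# listener must not answer HTTP at all.
MASTER_LIST = [
  { name: "web-prod",  protocol: "https", port: 443,  hostname: "web-prod.elb.example.invalid",  expect: "200" },
  { name: "api-prod",  protocol: "https", port: 443,  hostname: "api-prod.elb.example.invalid",  expect: "403" },
  { name: "admin-int", protocol: "http",  port: 8080, hostname: "admin-int.elb.example.invalid", expect: :closed },
].freeze

# Attack template in the attack-file syntax shown on the slides (curl adapter, aruba
# output steps). The curl flags are this example's assumption: --http1.1 keeps the
# status line predictable and --max-time bounds a listener that silently drops packets.
ATTACK_TEMPLATE = ERB.new(<<~'GHERKIN', trim_mode: "-")
  Feature: ELB listener check for <%= name %> (<%= protocol %>:<%= port %>)

    Scenario: Response to an arbitrary Internet node matches the master list
      Given "curl" is installed
      When I launch a "curl" attack with:
        """
        curl -sS -I --http1.1 --max-time 10 <%= protocol %>://<%= hostname %>:<%= port %>/
        """
  <%- if expect == :closed -%>
      Then the output should not contain:
        """
        HTTP/
        """
  <%- else -%>
      Then the output should contain:
        """
        HTTP/1.1 <%= expect %>
        """
  <%- end -%>
GHERKIN

# Step 3: one attack file per listener. Returns { path => attack file text }.
def generate_attack_files(master_list)
  master_list.each_with_object({}) do |elb, files|
    files["attacks/elb/#{elb[:name]}-#{elb[:port]}.attack"] = ATTACK_TEMPLATE.result_with_hash(elb)
  end
end

# Step 5: listeners present in the current target list (what AWS reports today) but
# absent from the master list are new and must be alerted on and triaged.
def new_elbs(master_list, target_list)
  known = master_list.map { |e| [e[:hostname], e[:port]] }
  target_list.reject { |e| known.include?([e[:hostname], e[:port]]) }
end

# Step 4 would be `gauntlt attacks/elb` on the runner instance; here the generated
# files are printed so the script has no side effects when run directly.
if __FILE__ == $PROGRAM_NAME
  generate_attack_files(MASTER_LIST).each { |path, text| puts "# #{path}", text }
end
```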
  • 72. GAUNTLT: A VERY SHORT INTRODUCTION
  • 73. ABOUT MANI
        • Mani Tadayon
        • Senior Software Engineer, ZestFinance
        • Lots of experience in web development, Ruby and test automation
        • Learning Clojure
  • 74. CONWAY’S LAW
        Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure.
        Melvin E. Conway, 1968
  • 75. BEHAVIOR-DRIVEN DEVELOPMENT
        BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
        Dan North, 2009
  • 77. ATTACK FILE
        • Plain text file
        • Gherkin syntax: Given, When, Then
  • 78. Feature: Run sqlmap against a target

          Scenario: Identify SQL injection vulnerabilities
            Given "sqlmap" is installed
            And the target URL is "http://localhost?id=1"
            When I launch a "sqlmap" attack with:
              """
              python <sqlmap_path> -u <target_url>
              """
            Then the output should contain:
              """
              sqlmap identified the following injection points
              """
  • 80. The same attack file, annotated: the Given step verifies the tool is installed, and the And step sets config; together they are the setup steps.
  • 81. Annotated: the When step is the attack. Inside the command, <sqlmap_path> comes from the environment and <target_url> from the config set in the setup step (get param).
  • 82. Annotated: the tool's output is the haystack, the Then step is the assert, and the quoted text is the needle.
  • 84. ATTACK ADAPTER
        • Step definition for attack file
        • Support code in ruby or java
        • Support shell script
  • 85. # step definition (ruby)
        Given /^"sqlmap" is installed$/ do
          ensure_python_script_installed('sqlmap')
        end

        When /^I launch an? "sqlmap" attack with:$/ do |command|
          sqlmap_path = path_to_python_script("sqlmap")
          command.gsub!('<target_url>', target_url)
          command.gsub!('<sqlmap_path>', sqlmap_path)
          run command   # execute
        end
  • 86. The same adapter, annotated: the Given and When blocks are the step definitions; `run command` executes the substituted attack command and captures its output for the Then steps.
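The adapter mechanics of slides 85 and 86, as an added Ruby example rather than gauntlt's own code: placeholder substitution from the profile, execution over stdout and exit status, and the haystack/needle checks, exercised here against constructed nmap output so nothing is scanned. The class and method names are this example's own, and the real-subprocess runner is used only when a caller does not inject one.

```ruby
require "open3"
# Stand-in for the attack adapter on the slides (added example, not gauntlt's code).
class MiniAttack
  Result = Struct.new(:command, :output, :exit_status)

  # The UNIX contract the talk describes: run the command, keep its combined
  # stdout/stderr and its exit status.
  def self.run_subprocess(command)
    Open3.capture2e(command).then { |out, status| [out, status.exitstatus] }
  end

  # profile: the "And the target hostname is ..." values, e.g. { hostname: "www.example.com" }
  # runner:  callable taking the expanded command, returning [output, exit_status]
  def initialize(profile, runner: MiniAttack.method(:run_subprocess))
    @profile = profile
    @runner = runner
  end

  # Generalises slide 85's command.gsub!('<target_url>', target_url) over the whole
  # profile. An unknown placeholder raises instead of reaching the tool verbatim.
  def expand(command)
    command.gsub(/<([a-z_]+)>/) do
      key = Regexp.last_match(1).to_sym
      @profile.fetch(key) { raise ArgumentError, "no profile value for <#{key}>" }.to_s
    end
  end

  # "When I launch an ... attack with:" -> expand, run, capture.
  def launch(command)
    expanded = expand(command.strip)
    output, status = @runner.call(expanded)
    Result.new(expanded, output, status)
  end

  # Then-steps as [kind, value] pairs; returns failure messages (empty means passed).
  def self.check(result, expectations)
    expectations.map do |kind, value|
      case kind
      when :contain
        "expected output to contain #{value.strip.inspect}" unless result.output.include?(value.strip)
      when :not_contain
        "expected output not to contain #{value.strip.inspect}" if result.output.include?(value.strip)
      when :exit_status
        "expected exit status #{value}, got #{result.exit_status}" unless result.exit_status == value
      else
        raise ArgumentError, "unknown step kind #{kind.inspect}"
      end
    end.compact
  end

  # One scenario end to end, summarised the way gauntlt prints "1 scenario (1 passed)".
  def self.run_scenario(profile, command, expectations, runner: method(:run_subprocess))
    result = new(profile, runner: runner).launch(command)
    failures = check(result, expectations)
    { command: result.command, passed: failures.empty?, failures: failures }
  end
end

# Constructed nmap output standing in for a real scan of the staging host.
FAKE_NMAP_OUTPUT = <<~OUT
  Starting Nmap 6.25 ( http://nmap.org )
  Nmap scan report for www.example.com (192.0.2.10)
  PORT    STATE SERVICE
  22/tcp  open  ssh
  80/tcp  open  http
  443/tcp open  https
OUT

FAKE_RUNNER = lambda do |command|
  raise "unexpected command: #{command}" unless command.start_with?("nmap -F www.example.com")
  [FAKE_NMAP_OUTPUT, 0]
end

# The two scenarios of the slides' nmap attack file, evaluated against the runner given.
def example_scenarios(runner = FAKE_RUNNER)
  profile = { hostname: "www.example.com" }
  {
    expected_port_open: MiniAttack.run_scenario(
      profile, "nmap -F <hostname>", [[:contain, "443/tcp open  https"], [:exit_status, 0]], runner: runner
    ),
    no_unexpected_ports: MiniAttack.run_scenario(
      profile, "nmap -F <hostname>", [[:not_contain, "25/tcp"]], runner: runner
    ),
  }
end

if __FILE__ == $PROGRAM_NAME
  example_scenarios.each { |name, r| puts "#{name}: #{r[:passed] ? 'passed' : r[:failures].join('; ')}" }
end
```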
  • 87. GAUNTLT DESIGN
        • Simple
        • Extensible
        • UNIX™: stdin, stdout, exit status
        • Minimum features yield maximum utility
  • 88. UPCOMING FEATURES
        • More output parsers
        • More attack adapters
        • More goats
        • Better support for JRuby & Java
        • Anything you want: https://github.com/thegauntlet/gauntlt/issues
  • 90. About me
        • Jeremiah Shirk
        • Application & Infrastructure Manager, Kansas State University
        • 18 years doing unix admin, security, and some open source contributions
        • Keeper of tiny flocks
  • 91. KSU 55 - WVU 14
  • 95. Starter Kit on GitHub
        • The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
        • Or, download a copy from: www.gauntlt.org/...
  • 96. Base box
        $ vagrant box add precise32 http://files.vagrantup.com/precise32.box
        [vagrant] Downloading with Vagrant::Downloaders::HTTP...
        [vagrant] Downloading box: http://files.vagrantup.com/precise32.box
        [vagrant] Extracting box...
        [vagrant] Verifying box...
        [vagrant] Cleaning up downloaded box...
        $
  • 97. Start the VM
        $ cd gauntlt-starter-kit/vagrant/gauntlt
        $ vagrant up
        [default] Importing base box 'precise32'...
        [default] Matching MAC address for NAT networking...
        [default] Clearing any previously set forwarded ports...
        [default] Forwarding ports...
        [default] -- 22 => 2222 (adapter 1)
        [default] Creating shared folders metadata...
        [default] Clearing any previously set network interfaces...
        [default] Booting VM...
        [default] Waiting for VM to boot. This can take a few minutes.
        ...
  • 99. Vagrantfile
        Vagrant::Config.run do |config|
          config.ssh.private_key_path = "~/.ssh/id_rsa"
          config.vm.box = "precise32"
          config.vm.box_url = "http://files.vagrantup.com/precise32.box"
          # config.vm.network :hostonly, "33.33.33.10"
          # config.vm.network :bridged
          # config.vm.forward_port 80, 8080
          # config.vm.share_folder "v-data", "/vagrant_data", "../data"
          config.vm.provision :chef_solo do |chef|
            chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
            chef.add_recipe "vagrant_main"
          end
        end
  • 100. SSH to the VM
        $ vagrant ssh
  • 101. Secure SSH Keys
        $ vagrant ssh-config | grep Port
          Port 2222
        $ scp -i ~/.vagrant.d/insecure_private_key -P 2222 ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
  • 102. vagrant@precise32:~$ gauntlt attacks/nmap
        Feature: simple nmap attack (sanity check)

          Background:
            Given "nmap" is installed
            And the target hostname is "google.com"

          Scenario: Verify server is available on standard web ports
            When I launch an "nmap" attack with:
              """
              nmap -p 80,443 google.com
              """
            Then the output should contain:
              """
              80/tcp open http
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m0.112s
        vagrant@precise32:~$
  • 103. vagrant@precise32:~$ gauntlt attacks/sslyze
        Feature: Run sslyze against a target

          Background:                                  # attacks/sslyze:3
            Given "sslyze" is installed                # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
            And the target hostname is "google.com"    # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

          Scenario: Ensure no anonymous certificates   # attacks/sslyze:7
            When I launch an "sslyze" attack with:     # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
              """
              python /home/vagrant/sslyze/sslyze.py google.com:443
              """
            Then the output should not contain:        # aruba-0.5.0/lib/aruba/cucumber.rb:111
              """
              Anon
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m0.736s
        vagrant@precise32:~$
  • 105. Office hours
        Hotel bar
        Tonight, 10 p.m.