Attacking Pipelines--Security meets Continuous Delivery
Posted 19-Oct-2014, category: Technology
Transcript of the slides
Goal: Equip you with the theory, examples and tooling so that you can begin your rugged journey with an attacking pipeline you can lovingly call your very own
James [email protected]
Austin, TX
Gauntlt Core Team
DevOps Days Austin Organizer
Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
Why does this matter?
“I want to solve a problem so we can make awesome”
- Business
CIO say whut?
…in 2 years with an expensive, bloated project that is so fragile that we can only make changes to it 4 times a year and only after the sacred upgrade rituals are performed
CISO say whut?
Biz say whut?
Just Ship It!
SPOILER ALERT!
the business wins
How did we get here?
Software has Changed
Software as a Service
Software as Bricolage
Bolt-on Feature Approach
Fragile Code as a Service
Deploy Timelines Have Changed
Dev and Ops have teamed up in this new world
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
DevOps is 5 years old now
The security organization is stuck in 1997
… mostly
Why is that?
Compliance Driven Culture: PCI, SOX, …
Ratio Problem: Devs / Ops / Security = 100 / 10 / 1
Security Tools are run out-of-band
But, there is hope
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
http://www.youtube.com/watch?v=jQblKuMuS0Y
Rugged Journey
Quality
Transparency
Value Creation
Culture infusion
#RuggedDevOps
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
Pipelines!
Continuous Integration
commit -> test -> deploy
github -> travis -> s3
git -> jenkins -> rundeck
You can now answer the question of what is deployed and how it was tested
Simple is better
Continuous Integration Options
On premise: Jenkins
Cloud hosted: Travis CI, Circle CI, CloudBees, Wercker, Shippable, Drone.io…
Or a mix: DotCI
Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
Try this at home
What is gauntlt-demo?
Contains vulnerable web apps written in Python and Ruby on Rails
Easy hooks for spinning up the apps
Contains labs and examples for writing attacks
An attacking pipeline (Travis CI) that runs attacks against the web apps
Installation
$ git clone https://github.com/gauntlt/gauntlt-demo
$ cd ./gauntlt-demo
$ git submodule update --init --recursive
$ bundle
$ bundle exec start_services config/gruyere.rb
http://localhost:8008/
Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
Security Testing
Static Code Analysis
Dynamic Testing
Virus Scanning
Code Signing Checks
Business logic/flow testing
convert thy pdf to tests!
Wouldn’t it be great if we could automate our security tests…
Security + Cucumber = Gauntlt
Built on Cucumber
Gauntlt Philosophy
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt can be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
MIT Open Source License
Who uses Gauntlt?
TL;DR!
Gauntlt automates security tools
Attack Logic
GIVEN / WHEN / THEN
Let’s automate two attacks
Garmr is Mozilla Security policy distilled for the rest of us
Check for XSS
Rakefile
require 'gauntlt'

task :gauntlt do
  # Start the vulnerable Gruyere app the attacks run against
  sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
  # Run the attack files tagged @final. Rake's sh raises on a non-zero
  # exit status, so a failed attack fails the task and the build
  # (note: the kill step below is then skipped; wrap in begin/ensure
  # if the build box is not throwaway)
  sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
  # Tear the app down again
  sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
end

# Travis runs plain `bundle exec rake`, which needs a default task
task default: :gauntlt
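An attack file of the kind the Rakefile above runs with `--tags @final`, written here as an added example; it is not from the deck or from the gauntlt-demo repository. It automates the two attacks named above against the Gruyere instance the installation steps start on http://localhost:8008: a Garmr run and a reflected-XSS regression check with curl. Assumptions: the `garmr` and `curl` steps and the `<hostname>` profile substitution are the ones Gauntlt ships; that Garmr writes `garmr-report.xml` into the working directory and reports each check as a `testcase` element is assumed, not taken from the page; and the path the curl probe hits is a placeholder, since the page does not name the app's reflection point.

```gherkin
# Added example attack file (not from the deck or gauntlt-demo); tagged @final
# so the Rakefile's `gauntlt --tags @final` picks it up.
@final
Feature: Attack the local Gruyere instance from the CI pipeline

  Background:
    # Profile values are substituted into the attack commands as <hostname>.
    Given the following profile:
      | name     | value                 |
      | hostname | http://localhost:8008 |

  Scenario: Garmr checks the app against Mozilla's secure-header policy
    Given "garmr" is installed
    When I launch a "garmr" attack with:
      """
      garmr -u <hostname>
      """
    # Assumption: garmr writes garmr-report.xml and lists each check as a
    # <testcase>; tighten the selector to the specific checks once the real
    # report has been inspected.
    Then the file "garmr-report.xml" should contain XML:
      | css      |
      | testcase |

  Scenario: The app does not reflect a script tag back into the page
    Given "curl" is installed
    When I launch a "curl" attack with:
      """
      curl -s "<hostname>/<script>alert(1)</script>"
      """
    # Placeholder path; point it at the app's real reflection point.
    # Fail the build if the probe string comes back unescaped.
    Then the output should not contain:
      """
      <script>alert(1)</script>
      """
```

Because Gauntlt returns a non-zero exit status when any scenario fails, the Rakefile's `sh` call aborts and Travis marks the build red, which is the whole point of putting the attacks in the pipeline rather than running them out-of-band.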
Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
Let’s set up the pipeline
Setup Travis CI
Go to travis-ci.org, login with github credentials
Find the repo you cloned (might need to sync)
Flip the switch ‘on’
Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
.travis.yml
language: ruby
rvm:
  - 1.9.3
before_install:
  - git submodule update --init --recursive
before_script:
  - sudo apt-get install nmap
  - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
  - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
  - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
script: bundle exec rake
notifications:
  irc:
    channels:
      - "chat.freenode.net#gauntlt"
    use_notice: true
deploy:
  provider: s3
  # placeholder values from the slides; never commit a real secret in the clear
  access_key_id: ASDBDSABDASDBDSDASD
  secret_access_key:
    secure: dasjdkla;sdjsakdsadasd
  bucket: build-artifacts
Sahweet!
Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations
http://vimeo.com/75930344
more on gauntlt
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/gauntlt
https://vimeo.com/79797907
50% off Gauntlt Book
leanpub.com/hands-on-gauntlt/c/austin-sdlc
Caveat Emptor: Under development!
Valid until June 15th