Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

123 slides // James Wickett // @wickett // #velocityconf // @gauntlt

Posted: 19-Oct-2014
Category: Technology

description

This is a hands-on workshop for working with Gauntlt. The first half is philosophy, theory and social commentary; the second half is the hands-on workshop. There are two options for working through it. The recommended way is to use the VirtualBox image, because it already contains a couple of the security tools (arachni, nmap, ...) that we will be using. It is not required, though: you can just clone the repo if you have Ruby 1.9.3 and Bundler. If you want to use the Vagrant box setup for the workshop, follow the instructions in 02_Using Vagrant Box.md; if you want to use your own box, follow the directions in 03_Using Repo Only.md. This has been tested to work on Linux and OS X. You can follow along using the instructions at https://gist.github.com/wickett/25d90a462706639446cc

Transcript of Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

Page 1: Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop

@wickett // #velocityconf // @gauntlt

Be Mean to Your Code with Gauntlt and the Rugged Way

James Wickett // @wickett

Page 2

@wickett

• Austin, TX
• Gauntlt Core Team
• LASCON Founder
• Cloud Austin Organizer
• DevOps Days Austin Organizer
• DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt

Page 3

Requirements

Option 1
• VirtualBox
• Vagrant
• Gauntlt Box (pre-downloaded)

OR

Option 2
• Ruby 1.9.3
• Git
• Bundler
• Reliable Internet

Page 4

Instructions

bit.ly/gauntlt-demo-instructions

Page 5

Why does this matter?

Page 6

People matter

Page 7

The Broken Window Fallacy

– Henry Hazlitt

Page 8

Besides loss, breaches cause cynicism and distrust

Page 9

Software has changed

Page 10

Software as a service

Page 11

Software as bricolage

Page 12

Bolt-on feature approach

Page 13

Fragile code as a service

Page 14

Deploy timelines have changed

Page 15

Dev and Ops have found a new religion

Page 16

Security has not changed

Page 17

Compliance-driven culture: PCI, SOX, …

Page 18

People / Process / Tools

Page 19

We have a people problem

Page 20

The ratio problem

Page 21

Dev : Ops : Security

100 : 10 : 1

Page 22

Language gap

Page 23

Security doesn't always speak the language of the biz/dev/ops teams

Page 24

People / Process / Tools

Page 25

Process: abdicating responsibility

Page 26

You need experts to test for security

Page 27

Formalized via auditors and compliance, annually

Page 28

People / Process / Tools

Page 29

Dev -> SVN || Git

Page 30

Ops -> txt || wikis

Page 31

Dev -> Git <- Ops

Page 32

Security -> SourceForge!

Page 33

Signs that security is moving into a new era

Page 34

Analytics, monitors, logs, telemetry, testing, config management

Page 35

Attack chains and signals

http://www.youtube.com/watch?v=jQblKuMuS0Y

Page 36

Vulnerability exploitation is a timeline

Page 37

Discovery -> Vulnerability -> Exploit

Page 38

Signals along the way: SQL syntax errors, DB table names, large response sizes

Page 39

Instrument full attack chains and watch for signals

Page 40

Rugged

Page 41 (no transcribed text)

Page 42

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

Page 43

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

Page 44

Detection earlier

Page 45

Security tools today

Page 46

Enter Gauntlt

Page 47

People / Process / Tools

Page 48

Gauntlt is an opinionated framework to do rugged testing

Page 49

Gauntlt = Security + Cucumber

http://www.flickr.com/photos/35231744@N00/286858571/

Page 50

Code -> Build -> Test -> Deploy -> Feedback

Page 51

Code -> Build -> Test -> Deploy -> (~12 mos. later) Security

Page 52

Code -> Build -> Test -> Security -> Deploy -> Feedback

Page 53

A story from 2010…

Page 54

DevOps (+ Security!)

@ernestmueller, @iteration1, @bproverb and friends

Page 55

REST endpoints

• Ruby script
• Questionable payloads
• Invalid sessions
• Large payloads

Page 56

Collection of scripts merged into our test runner

Page 57

Ins and outs are easy to mess up

Page 58

Cucumber and outside-in testing

Page 59 (no transcribed text)

Page 60

The start of Gauntlt

Page 61

Outside-in testing for security tools

Page 62

Output from security tools is hard to decipher

Page 63

Be mean to your code

Pages 64-67

(diagram built up over four slides: Code at the centre, surrounded by the attack tools Garmr, nmap, sqlmap and Arachni)

Page 68 (no transcribed text)

Page 69

But what about the people?

Page 70

Conversation and collaboration is the core of Gauntlt

Page 71

Dev, Ops, Security -> *.attack

• Execution knowledge
• Testing logic captured
• Repeatable

Page 72

Gauntlt in action

Page 73

*.attack (something.attack, else.attack)

Page 74

Attack Structure

Feature    -> Description
Background -> Setup
Scenario   -> Logic

Page 75

Attack Logic

Given
When
Then

Page 76

Attack Step: Given

Setup steps: check that a resource is available

  Given "arachni" is installed

Page 77

Attack Step: When

Action steps

  When I launch an "arachni-xss" attack

Page 78

Attack Step: Then

Parsing steps

  Then the output should not contain "fail"
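A complete attack file assembled from the three step types above, added here as an example; it is not part of the workshop materials or of the Gauntlt repository. It uses only steps that appear elsewhere in this deck (the "curl" attack, the profile table with <hostname> substitution, and the output-matching Then steps). The host api.example.com, the /api/me and /api/comments endpoints, the bearer-token header and the expected status codes are assumptions about a hypothetical target; adjust them to the service under test. It covers two of the checks from the 2010 REST-endpoint story, invalid sessions and questionable payloads:

```gherkin
# Added example; hostname, paths and status codes are assumptions about a hypothetical API
Feature: Be mean to the REST endpoints of a hypothetical API

  Background:
    Given "curl" is installed
    And the following profile:
      | name     | value           |
      | hostname | api.example.com |

  Scenario: An invalid session token is rejected rather than served
    # -w "%{http_code}" prints only the HTTP status code, so the Then step
    # matches one unambiguous token instead of searching a whole response body
    When I launch a "curl" attack with:
      """
      curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer not-a-real-token" https://<hostname>/api/me
      """
    Then the output should contain "401"

  Scenario: A questionable payload does not turn into a server error
    # An injection-looking string and an out-of-range number (1e999) must be
    # rejected cleanly; a 400 or 422 is fine, a 500 means the parser fell over
    When I launch a "curl" attack with:
      """
      curl -s -o /dev/null -w "%{http_code}" -X POST -H "Content-Type: application/json" -d '{"comment":"1 OR 1=1--","rating":1e999}' https://<hostname>/api/comments
      """
    Then the output should not contain "500"
```

Two caveats when using this pattern. The 401 check only proves that a bad token is rejected; pair it with a positive scenario that uses a real test credential, supplied through the profile table rather than hard-coded in the file, so the attack also fails if the endpoint stops working. And because Gauntlt really sends these requests, point <hostname> at a test environment, not production.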

Page 79

Gauntlt philosophy

Page 80

Run security tools in a repeatable, easy-to-read way

Page 81

Gauntlt does not install tools

Page 82

Gauntlt ships with pre-canned attacks and steps

Page 83

Be part of the CI/CD pipeline

Page 84

Handle stdin, stdout, and exit status

Page 85

Gauntlt in use

Page 86

At a game dev shop

• Check for XSS (cross site scripting) [Arachni]
• Check for new login pages [Garmr]
• Check for insecure refs in login flows [Garmr]
• Extended XSS testing [Custom Arachni] (PR coming soon)

Page 87

Mentor Graphics

• Smoke test integration on environment build
• Checks REST services [curl]
• Tests for XSS [arachni]
• Injection attacks [sqlmap, dirb]
• Misconfiguration [dirb]
• SSL checks [sslyze]

Page 88

At CabForward

• Ruby dev shop
• Integrated into CI for customers
• GitHub -> TravisCI -> Unit Tests / Integration Tests / Gauntlt

Page 89

github.com/gauntlt/gauntlt

Page 90

$ gem install gauntlt

Page 91

  Feature: nmap attacks for example.com

    Background:
      Given "nmap" is installed
      And the following profile:
        | name     | value       |
        | hostname | example.com |

    Scenario: Verify server is open on expected ports
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should contain:
        """
        80/tcp open http
        """

    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should not contain:
        """
        25/tcp
        """

Page 92

Hands on

Page 93

Everything you need…

http://bit.ly/gauntlt-demo-instructions

Page 94

Option 1

Page 95

Option 1 - continued

Page 96

Option 2

Page 97

$ vagrant ssh
vagrant@precise32:~$

Page 98

$ cd gauntlt-demo

Page 99

$ rvm use 1.9.3

Page 100

$ cd ./examples
$ gauntlt ./hello_world/hello_world.attack

(see 04_Hello World with Gauntlt.md)

Pages 101-108 (no transcribed text)

Page 109

$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/

Pages 110-119 (no transcribed text)

Page 120

$ bundle exec gauntlt --format html > out.html

Page 121 (no transcribed text)

Page 122

• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt

Page 123

Beta invite to Udemy class? Email james@gauntlt.org