Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop
Posted 19-Oct-2014, category: Technology
Transcript of Be Mean to Your Code with Gauntlt and the Rugged Way // Velocity EU 2013 Workshop
@wickett // #velocityconf // @gauntlt

Be Mean to Your Code with Gauntlt and the Rugged Way
James Wickett // @wickett

@wickett
• Austin, TX
• Gauntlt Core Team
• LASCON Founder
• Cloud Austin Organizer
• DevOps Days Austin Organizer
• DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt
Requirements

Option 1:
• Virtual Box
• Vagrant
• Gauntlt Box (pre-downloaded)

or

Option 2:
• Ruby 1.9.3
• Git
• Bundler
• Reliable Internet

Instructions
bit.ly/gauntlt-demo-instructions
Why does this matter?

People matter

The Broken Window Fallacy
– Henry Hazlitt

Besides loss, breaches cause cynicism and distrust

Software has changed

Software as a service

Software as bricolage

Bolt-on feature approach

Fragile code as a service

Deploy timelines have changed

Dev and Ops have found a new religion

Security has not changed

Compliance-driven culture: PCI, SOX, …

People, Process, Tools

We have a people problem
The ratio problem

Dev : Ops : Security
100 : 10 : 1

Language gap

Security doesn't always speak the language of the biz/dev/ops teams

People, Process, Tools

Abdicating responsibility process

You need experts to test for security

Formalized via auditors and compliance annually

People, Process, Tools

Dev -> SVN || Git

Ops -> txt || wikis

Dev -> Git <- Ops

Security -> SourceForge!

Signs that security is moving into a new era

Analytics, monitors, logs, telemetry, testing, config management
Attack chains and signals
http://www.youtube.com/watch?v=jQblKuMuS0Y

Vulnerability exploitation is a timeline

Discovery | Vulnerability | Exploit

SQL syntax errors | DB table names | large response sizes

Instrument full attack chains and watch for signals

Rugged

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

Detection earlier

security tools today

Enter Gauntlt

People, Process, Tools

Gauntlt is an opinionated framework to do rugged testing

Gauntlt = Security + Cucumber
http://www.flickr.com/photos/35231744@N00/286858571/
Code -> Build -> Test -> Deploy
Feedback

Code -> Build -> Test -> Deploy
~12 mos. later: Security

Code -> Build -> Test -> Security -> Deploy
Feedback

A story from 2010…

DevOps (+ Security!)
@ernestmueller, @iteration1, @bproverb and friends

REST endpoints
• Ruby script
• Questionable payloads
• Invalid sessions
• Large payloads

Collection of scripts merged into our test runner

In's and out's are easy to mess up

Cucumber and outside-in testing

The start of Gauntlt

Outside-in testing for security tools

Output from security tools is hard to decipher

Be mean to your code
(Figure: "Code" surrounded by the security tools Garmr, Nmap, sqlmap and Arachni.)
But what about the people

Conversation and collaboration is the core of Gauntlt

Dev, Ops, Security -> *.attack
• Execution knowledge
• Testing logic captured
• Repeatable

Gauntlt in action

*.attack
something.attack, else.attack

Attack Structure
Feature -> Description
Background -> Setup
Scenario -> Logic

Attack Logic
Given
When
Then

Attack Step: Given
Setup steps
Check resource available
Given "arachni" is installed

Attack Step: When
Action steps
When I launch an "arachni-xss" attack

Attack Step: Then
Parsing steps
Then the output should not contain "fail"
Gauntlt philosophy

Run security tools in a repeatable, easy to read way

Gauntlt does not install tools

Gauntlt ships with pre-canned attacks and steps

Be part of the CI/CD pipeline

Handle stdin, stdout, and exit status

Gauntlt in use

At a game dev shop
• Check for XSS (cross site scripting) [Arachni]
• Check for new login pages [Garmr]
• Check for insecure refs in login flows [Garmr]
• Extended XSS testing [Custom Arachni] (PR coming soon)

Mentor Graphics
• Smoke test integration on environment build
• Checks REST services [curl]
• Tests for XSS [arachni]
• Injection attacks [sqlmap, dirb]
• Misconfiguration [dirb]
• SSL checks [sslyze]

At CabForward
• Ruby dev shop
• Integrated into CI for customers
• GitHub -> TravisCI -> Unit Tests / Integration Tests / Gauntlt

github.com/gauntlt/gauntlt
$ gem install gauntlt

Example attack file (Given / When / Then):

Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
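As an added example (not code from the deck or from the Gauntlt project), the Ruby below makes the parsing logic of the two nmap scenarios explicit and unit-testable: it reads nmap's port table, confirms 80/tcp is open and 25/tcp is not, and can optionally treat any open port outside an allowlist as a finding. The nmap output it runs on is a constructed sample, not a real scan, and is written to trip the second check.

```ruby
# Added example (not Gauntlt project code): the "Then" logic of the nmap attack above
# as plain Ruby, so the check can be read and unit-tested outside Cucumber.

# Constructed sample standing in for `nmap -F <hostname>` output (not a real scan);
# it deliberately has 25/tcp open so the check below fails, like the second scenario.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com (192.0.2.10)
  Host is up (0.012s latency).
  PORT    STATE  SERVICE
  22/tcp  open   ssh
  25/tcp  open   smtp
  80/tcp  open   http
  443/tcp closed https
  Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
OUT

# A port line looks like "80/tcp  open   http": port/proto, state, service.
PORT_LINE = %r{\A(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)}

# Returns e.g. { "80/tcp" => "http" } with only the ports nmap reports as open.
def open_ports(nmap_output)
  nmap_output.each_line.with_object({}) do |line, opened|
    m = PORT_LINE.match(line.strip) or next
    port, state, service = m.captures
    opened[port] = service if state == "open"
  end
end

# Mirrors both scenarios in the attack file and adds an allowlist mode:
#   expected  - ports that must be open (the "should contain" scenario)
#   forbidden - ports that must not be open (the "should not contain" scenario)
#   strict    - when true, any open port outside `expected` is also a finding
# Returns { missing: [...], unexpected: [...] }; two empty lists mean the check passed.
def check_ports(nmap_output, expected:, forbidden: [], strict: false)
  opened = open_ports(nmap_output).keys
  unexpected = opened & forbidden
  unexpected |= (opened - expected) if strict
  { missing: expected - opened, unexpected: unexpected.sort_by(&:to_i) }
end

def passed?(result)
  result[:missing].empty? && result[:unexpected].empty?
end

if __FILE__ == $PROGRAM_NAME
  result = check_ports(SAMPLE_NMAP_OUTPUT, expected: ["80/tcp"], forbidden: ["25/tcp"])
  # In CI this is where a non-zero exit status would fail the build, as gauntlt does.
  puts(passed?(result) ? "PASS" : "FAIL: #{result}")
end
```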
Hands on

Everything you need…
http://bit.ly/gauntlt-demo-instructions

Option 1

Option 1 - continued

Option 2

$ vagrant ssh
vagrant@precise32:~$

$ cd gauntlt-demo

$ rvm use 1.9.3

$ cd ./examples
$ gauntlt ./hello_world/hello_world.attack
04_Hello World with Gauntlt.md
$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/
$ bundle exec gauntlt --format html > out.html

• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt

Beta invite to Udemy class? Email james@gauntlt.org