be mean to your code - devops days austin 2013
Post on 19-Oct-2014
Description: presented at DevOps Days Austin 2013

Transcript
Be Mean to Your Code with Gauntlt
free phone calls
1337 tools
“[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work” - Michal Zalewski
“Is this Secure?” -Your Customer
“It’s Certified”- You
there’s a better way
[Diagram: security tools sitting between "Your app" and "You": sslyze, dirb, nmap, curl, sqlmap, Garmr, generic]
Put your code through the Gauntlet
security tools are confusing
Gauntlt allows dev and ops and security to communicate
$ gem install gauntlt
install gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open https
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
Step keywords: Given / When / Then
$ gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s
running gauntlt with passing tests
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open https
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """

Slide annotations on the same feature file:
  setup steps (Background): verify tool (Given "nmap" is installed), set config (And the following profile)
  attack (When I launch an "nmap" attack with ...): get config (<hostname>)
  assert (Then the output should contain ...): needle (the expected text) in haystack (the tool output)
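As an added example (my own code, not Gauntlt's and not from the slides), here is a small Ruby model of that last "assert" step: the needle is the expected text from the Then step, the haystack is the attack tool's output. The nmap output is constructed by hand in nmap's column-aligned format so the example runs offline; the slides only say "the output should contain", so treating that as a plain substring match is an assumption, and `output_contains?`, `parse_nmap_ports`, `port_open?` and `run_scenarios` are names I chose. The point a practitioner wants to see is how the two scenarios behave when the needle is a loose substring versus a parsed port entry.

```ruby
# Added example, not Gauntlt's own code: a Ruby model of the needle/haystack
# assert from the feature file above. The nmap output below is constructed by
# hand in nmap's column-aligned format so this runs offline; no scan happens.

# Constructed stand-in for what `nmap -F <hostname>` prints. Port 25 is NOT
# open here, but 1025 is, and the PORT column is padded to its widest entry.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com (192.0.2.10)
  Host is up (0.012s latency).
  Not shown: 96 filtered ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  443/tcp  open  https
  1025/tcp open  NFS-or-IIS
OUT

# "the output should contain" modelled as a plain substring search (assumption).
def output_contains?(haystack, needle)
  haystack.include?(needle)
end

# Stricter alternative: parse the port table into
# { "443/tcp" => { state: "open", service: "https" }, ... } so a port is
# matched as a whole token, never as a substring of a longer port number.
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    m = line.match(%r{\A\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    next unless m
    ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
  end
end

def port_open?(output, port)
  entry = parse_nmap_ports(output)[port]
  !entry.nil? && entry[:state] == "open"
end

# Evaluate both scenarios from the feature file two ways; true = scenario passes.
def run_scenarios(output)
  {
    # Scenario 1: expected port is open. The page's needle "443/tcp open https"
    # uses single spaces, but nmap pads its columns ("443/tcp  open  https"),
    # so the substring form fails even though the port is open.
    expected_port_substring: output_contains?(output, "443/tcp open https"),
    expected_port_parsed:    port_open?(output, "443/tcp"),
    # Scenario 2: no SMTP. The bare needle "25/tcp" is also a substring of
    # "1025/tcp", so the substring form fails although port 25 is not open.
    no_smtp_substring:       !output_contains?(output, "25/tcp"),
    no_smtp_parsed:          !port_open?(output, "25/tcp"),
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios(SAMPLE_NMAP_OUTPUT).each do |name, ok|
    puts "#{name}: #{ok ? 'passed' : 'failed'}"
  end
end
```

Run with `ruby nmap_assert_model.rb`. Both substring-based scenarios report a failure on this sample while the parsed checks pass, which is why needles in a Gauntlt attack file are worth writing with the tool's exact column spacing (or anchored to a whole line) and why a short needle such as "25/tcp" deserves a check that it cannot match a longer port number.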
Supported Tools: curl, nmap, sslyze, Garmr, dirb, generic
get started with gauntlt
  github/gauntlt
  gauntlt.org (start here)
  videos, tutorials (cool vids!)
  @gauntlt
  IRC #gauntlt (we help!)
be mean to your code and win!
slideshare.com/wickett