Uploaded by: james-wickett
PRAGMATIC SECURITY AND RUGGED DEVOPS
WORKSHOP
@WICKETT // @MATTJAY
#SXSW #RUGGEDCODE
CONVERSATION
#SXSW + #RUGGED CODE
50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES!
leanpub.com/hands-on-gauntlt/c/50percentoff
63% HANDS ON LABS!
APPLIED / THEORY
WORKSHOP PLEDGE
You/Me
I will not attempt to access my neighbor’s computer
I will not hack the wifi
I will be friendly to those around me
TWO 5-MINUTE BREAKS
HANDS-ON LABS
~8 Mini Labs lasting 5 to 10 minutes each
Let us know if you are having a problem, and we will help
We will also be around after the class to help
TIPS FOR THE LABS
Open the labs folder in your browser to follow along to benefit from markdown display
Run all commands from the ~/gauntlt-demo directory
WHY ARE YOU HERE?
OUR GOAL: EQUIP YOU WITH PRAGMATIC APPROACHES TO
SECURITY THAT CAN HELP YOU MAKE A DIFFERENCE
WHO ARE WE?
JAMES WICKETT
Sr. Engineer at Signal Sciences
Austin, TX
Gauntlt Core Team
DevOps Days Austin Organizer
Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
signalsciences.com
MATT JOHANSEN
Houston, TX
Sr. Manager, TRC WhiteHat Security
BlackHat, DEFCON, RSA, more++
Wannabe Dev (node.js, angularjs)
I’m hiring
WHY DOES THIS MATTER?
SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY
HUMANS OPTIMIZE FOR THE PROBABLE
WE OPTIMIZE FOR THE PROBABLE
UNIT TESTING
INTEGRATION TESTING
HAPPY PATH ENGINEERING
WE OPTIMIZE FOR THE POSSIBLE
OVER ENGINEERING
STRESS AND LOAD TESTING
WE OPTIMIZE FOR THE PERCEIVED PROBABLE
HOW DO WE PERCEIVE WHAT IS PROBABLE?
EPISTEMOLOGICAL PROBLEM OF SOFTWARE DEVELOPMENT
WE ATTEMPT TO SOLVE IT BY GATHERING DATA OR RHETORIC
3 APPROACHES TO SOLVE THE EPISTEMOLOGICAL PROBLEM OF
SOFTWARE DEVELOPMENT
ARC 1: AGILE
AGILE SIDE-STEPS THE PROBLEM
AGILE SAYS WE DON’T KNOW WHAT WE ARE BUILDING
SOLUTION: RELEASE FEATURES TO CUSTOMERS RAPIDLY
JUST SHIP IT!
BEHAVIOR DRIVEN DEV
BEHAVIOR DRIVEN DEVELOPMENT IS A SECOND-GENERATION, OUTSIDE–IN, PULL-BASED,
MULTIPLE-STAKEHOLDER, MULTIPLE-SCALE, HIGH-AUTOMATION, AGILE METHODOLOGY. IT DESCRIBES A CYCLE OF INTERACTIONS WITH WELL-DEFINED
OUTPUTS, RESULTING IN THE DELIVERY OF WORKING, TESTED SOFTWARE THAT MATTERS.
DAN NORTH, 2009
AMPLIFY THE
FEEDBACK LOOP
TLDR
RAPID ITERATIONS WIN
AGILE IS OUR
GUIDING LIGHT
PEOPLE MATTER
WE DON'T SELL CDs ANYMORE
SOFTWARE AS A SERVICE
THE LAST 15 YEARS HAVE BROUGHT A COMPLETE CHANGE IN OUR
DELIVERY CADENCE, DISTRIBUTION, AND REVENUE MODELS
DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM
ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK
ARC 2: DEVOPS
AGILE INFRASTRUCTURE
http://itrevolution.com/the-history-of-devops/
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
FIRST DEVOPS DAYS, GHENT 2009
@PATRICKDEBOIS
THE OPPOSITE OF DEVOPS IS DESPAIR - GENE KIM
http://dev2ops.org/blog/2010/2/22/what-is-devops.html
DEVOPS REALIZED THAT OPS DOESN'T KNOW WHAT DEVS KNOW
AND VICE VERSA
DEV : OPS 10 : 1
DEVOPS IS AN EPISTEMOLOGICAL BREAKTHROUGH JOINING DISPARATE
PEOPLE AROUND A COMMON PROBLEM
DEVOPS IS AN INCLUSIVE MOVEMENT THAT CODIFIES A CULTURE
- ADAM JACOB
CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN
THE ENTERPRISE
WHAT WE VALUE DETERMINES OUR
CULTURE
MUTUAL UNDERSTANDING, SHARED LANGUAGE, OPENNESS, VISUALIZATION, TOOLING
DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED
COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI
DEVOPS IS NOT A TECHNOLOGICAL PROBLEM. DEVOPS IS A BUSINESS PROBLEM.
- DAMON EDWARDS
http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
THE FIRST SCIENTIFIC STUDY OF THE RELATIONSHIP BETWEEN
ORGANIZATIONAL PERFORMANCE, IT PERFORMANCE
AND DEVOPS PRACTICES
DEVOPS PRACTICES IMPROVE IT PERFORMANCE
CULTURE, AUTOMATION, MEASUREMENT, SHARING
@BOTCHAGALUPE @DAMONEDWARDS
ANTIPATTERN: REBRAND YOUR
OPS TEAM TO DEVOPS TEAM
ANTIPATTERN: MANUAL
CONFIG OF PRODUCTION
ENVIRONMENT
CHEF, PUPPET, ANSIBLE, CFENGINE, RUNDECK, MCOLLECTIVE
JENKINS, TRAVIS, KITCHEN, CUCUMBER, GAUNTLT, SERVERSPEC
VAGRANT, DOCKER
BEWARE OF THE
DEVOPS SOFTWARE SOLUTION
“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW
BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
BUSINESS METRICS, EVENT CORRELATION, USAGE-BASED MONITORING
ARC 3: CONTINUOUS
DELIVERY
CONTINUOUS DELIVERY IS NOT MERELY HOW OFTEN YOU DELIVER BUT HOW LITTLE YOU CAN DELIVER AT A TIME
BATCH SIZE OF 1
OLD WAY
CHANGES BREAK STUFF, SO LIMIT THEM AND BATCH THEM ALL TOGETHER
NEW WAY
DELIVERY OF ONE CHANGE AT A TIME REDUCES OUTAGES,
INCREASES PERFORMANCE, AND LIMITS TECHNICAL DEBT
NEVER PASS DEFECTS TO THE NEXT STEP
The Practice of Cloud System Administration
YOU MUST DEPLOY YOUR STUFF
LET THE BOTS TROLL THE USERS FOR THE LOLZ.
ALLOCATE TIME TO ENHANCE THE BUILD, TEST AND DEPLOY SYSTEM
The Practice of Cloud System Administration
REDUCE CODE LATENCY AND INCREASE CODE VELOCITY
THE NEXT ARC: SECURITY
Rugged
“… THOSE STUPID DEVELOPERS” - SECURITY PERSON
“SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED”
- DEVELOPER
CULTURAL UNREST WITH SECURITY IN AN ORGANIZATION
COMPLIANCE DRIVEN CULTURE: PCI, SOX, …
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
RATIO PROBLEM DEVS : OPS : SECURITY
100 : 10 : 1
SECURITY TOOLS ARE RUN OUT-OF-BAND
SECURITY TOOLS ARE CONFUSING
AND WHEN THEY ARE DONE THEY GIVE YOU THIS LOVELY GEM
THE TIDE IS CHANGING
RESILIENCY ENGINEERING
THE INFAMOUS NETFLIX CHAOS
MONKEY
RUGGED
THE RUGGED MANIFESTO (EXCERPTS)
I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.
I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.
I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE
OF THEM.
#RUGGEDDEVOPS #DEVOPSSEC
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
RUGGED JOURNEY
http://videos.2012.appsecusa.org/video/54250716
http://www.youtube.com/watch?v=jQblKuMuS0Y
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations
http://vimeo.com/75930344
SECURITY TOOLING TO DELIVERY PIPELINE
…TO INFLUENCE CULTURE, AUTOMATION, MEASUREMENT AND
SHARING
RUGGED WEB APPS
VULNERABLE CODE IS EVERYWHERE
CROSS SITE SCRIPTING [XSS]
WHAT IS IT? [XSS]
REFLECTED [XSS]
PERSISTENT [XSS]
DOM BASED [XSS]
WHY IS IT BAD? [XSS]
DOCUMENT.COOKIE [XSS]
DOCUMENT.LOCATION [XSS]
HOW DO I FIX IT? [XSS]
GOOD: INPUT SANITIZATION [XSS]
BLACKLIST :( [XSS]
WHITELIST :) [XSS]
BETTER: OUTPUT ENCODING [XSS]
< > BECOME &lt; &gt; [XSS]
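Added example, not code from the workshop deck or from Gauntlt: a Ruby script that renders a reflected search parameter the three ways the slides above contrast (raw, after a blacklist strip, after output encoding with the standard library's CGI.escapeHTML) plus a whitelist validator, and runs constructed payloads through each. The page layout, the payloads and the regex that stands in for a browser are assumptions made for illustration.

```ruby
require "cgi"

# Constructed sample: a search page that reflects the user's query into HTML.
# Vulnerable rendering: untrusted input interpolated straight into markup.
def render_vulnerable(query)
  "<p>Results for: #{query}</p>"
end

# Blacklist "sanitization": strips the one tag the author thought of.
# Anything not on the list passes, and a nested tag re-forms after one pass.
def blacklist_strip(input)
  input.gsub(/<script>|<\/script>/i, "")
end

# Whitelist validation: accept only what this field is allowed to hold.
# Returns nil on rejection so the caller cannot accidentally render the bad value.
# (The allowed character set is an assumption for a search box.)
def whitelist_query(input)
  input =~ /\A[\w\s\-]{1,64}\z/ ? input : nil
end

# Output encoding: < > " ' & become entities, so the browser sees text, never markup.
def render_encoded(query)
  "<p>Results for: #{CGI.escapeHTML(query)}</p>"
end

# Crude stand-in for a browser: does the rendered HTML contain an executable element?
def contains_active_markup?(html)
  html.match?(/<script\b|<img\b[^>]*\bonerror=/i)
end

if __FILE__ == $0
  payloads = [
    "<script>alert(1)</script>",                     # the obligatory popup
    "<scr<script>ipt>alert(1)</scr</script>ipt>",    # survives a one-pass blacklist
    "<img src=x onerror=alert(1)>",                  # not on the blacklist at all
  ]
  payloads.each do |p|
    puts "payload:    #{p}"
    puts "  raw:       active=#{contains_active_markup?(render_vulnerable(p))}"
    puts "  blacklist: active=#{contains_active_markup?(render_vulnerable(blacklist_strip(p)))}"
    puts "  whitelist: #{whitelist_query(p).inspect}"
    puts "  encoded:   active=#{contains_active_markup?(render_encoded(p))}"
  end
end
```

Whitelisting only works where the field has a natural grammar (a search term, a ZIP code); for free text the encoding step at output time is the control that holds, and it has to match the context (HTML body here; attribute and JavaScript contexts need their own encoders).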
SQL INJECTION [SQLi]
WHAT IS IT? [SQLi]
WHY IS IT BAD? [SQLi]
CREDIT: XKCD
HOW WOULD YOU EXPLOIT?
‘;
PWNED
HOW DO I FIX IT? [SQLi]
PARAMETERIZED QUERIES [SQLi]
PARAMETERIZED QUERIES (PHP) [SQLi]
PARAMETERIZED QUERIES (JAVA) [SQLi]
CROSS SITE REQUEST FORGERY [CSRF]
WHAT IS IT? [CSRF]
WHY IS IT BAD? [CSRF]
HOW DO I FIX IT? [CSRF]
TOKENS! [CSRF]
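Added example, not from the deck or from any web framework: a dependency-free Ruby model of synchronizer-token CSRF protection. The session store, account record, handler and e-mail addresses are constructed stand-ins, and the constant-time compare is written out by hand rather than taken from Rack, so the script runs with nothing installed. It shows the forged request being refused with 403 even though the victim's session is valid.

```ruby
require "securerandom"

# Constructed in-memory session, standing in for server-side session state.
# The token is minted once per session and never leaves the server except
# inside pages rendered for that session.
def new_session
  { id: SecureRandom.hex(16), csrf_token: SecureRandom.hex(32) }
end

# Hidden field emitted into every state-changing form served to this session.
def csrf_hidden_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{session[:csrf_token]}">)
end

# Constant-time comparison: a wrong token leaks no timing signal about how many
# leading bytes matched. Rack::Utils.secure_compare does the same job in a real app.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check run before any state change. A cross-site request carries
# the victim's cookie (so the session is valid) but the attacker's page cannot
# read the victim's form, so it cannot supply the matching token.
def csrf_valid?(session, params)
  submitted = params["authenticity_token"]
  !submitted.nil? && secure_compare(session[:csrf_token], submitted)
end

# Handler for a hypothetical POST /account/email. Returns [status, account].
def handle_change_email(session, params, account)
  return [403, account] unless csrf_valid?(session, params)
  [200, account.merge(email: params["email"])]
end

if __FILE__ == $0
  session = new_session
  account = { email: "victim@example.com" }   # constructed victim account

  # Legitimate submission: the token came from a form this session was served.
  status, account = handle_change_email(
    session,
    { "email" => "new@example.com", "authenticity_token" => session[:csrf_token] },
    account
  )
  puts "legit:  #{status} #{account[:email]}"

  # Forged request from an attacker-controlled page: cookie rides along,
  # token is absent or guessed, so the change is refused.
  status, account = handle_change_email(
    session,
    { "email" => "attacker@example.com", "authenticity_token" => SecureRandom.hex(32) },
    account
  )
  puts "forged: #{status} #{account[:email]}"
end
```

The token only protects state-changing requests that the server actually checks: every POST/PUT/DELETE handler needs the check, and the token must be bound to the session rather than global, or an attacker can use their own token against the victim.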
AGAIN… VULNERABLE CODE IS EVERYWHERE
GETS FIXED SLOWLY
…IF EVER
OWASP TOP 10
LAB #1 - SETUP
SETUP
github.com/gauntlt/gauntlt-demo
Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2015
You need Vagrant and VirtualBox installed on your laptop
LAB INSTRUCTIONS
For this lab, you will complete:
├── 01_Overview.md
└── 02_Setup using Vagrant.md
5-MINUTE BREAK
LAB #2 - WEB APP HACKING
XSS DEMO
FIND THE VULN
LAB INSTRUCTIONS
For this lab, you will complete:
├── 04_Start up Vulnerable Target.md
For this lab, poke around and try to find a second XSS vulnerability
Let us know when you find it…
INTRO TO GAUNTLT
WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY
TESTS…
GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING
GAUNTLT IS OPEN SOURCE, MIT LICENSED
GAUNTLT AUTOMATES SECURITY TOOLS
GAUNTLT = SECURITY + CUCUMBER
CODE
GARMR, NMAP, CURL, ARACHNI
BUILT ON CUCUMBER
GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
GAUNTLT IS COLLABORATION
GAUNTLT IN ACTION
*.attack
something.attack
else.attack
ATTACK STRUCTURE
Feature: Description
Background: Setup
Scenario: Logic
ATTACK LOGIC
Given
When
Then
ATTACK STEP: GIVEN
Setup steps: check resource available
Given "arachni" is installed
ATTACK STEP: WHEN
Action steps
When I launch an "arachni-xss" attack
ATTACK STEP: THEN
Parsing Steps
Then the output should not contain "fail"
LET’S PUT IT ALL TOGETHER
LAB #3 - HELLO WORLD
LAB INSTRUCTIONS
For this lab, you will complete:
├── 05_Hello World with Gauntlt.md
HELLO WORLD
LAB #4 - BASIC PORT CHECK
LAB INSTRUCTIONS
For this lab, you will complete:
├── 06_Port Check.md
TRY OUT NMAP
$ nmap -F localhost
$ nmap -F scanme.nmap.org
@challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md
SOLUTION
$ bundle exec gauntlt --allsteps

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """
LAB #5 - CLI AND REGEX
LAB INSTRUCTIONS
For this lab, you will complete:
├── 07_Working with Gauntlt CLI.md
├── 08_Regex.md
Open 07_Working with Gauntlt CLI.md and run the following:
08_Regex.md
SOLUTION
    Then the output should match:
      """
      8008\/tcp\s+open
      """
    Then the output should not match /3001.tcp\s+open/
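Added example, not Gauntlt's own step definitions: a small Ruby script that does what the two Then steps in the solution above do. It applies the 8008 and 3001 patterns to nmap -F output and folds the result into the exit status a CI job keys off, the "good citizen of exit status" behaviour the Gauntlt philosophy slide asks for. Both nmap outputs are constructed samples, not captures from a real host.

```ruby
# Constructed samples of `nmap -F localhost` output (not captured from a real host).
# GOOD_SCAN is what the lab target should look like: Gruyere reachable on 8008 and
# nothing listening on 3001. BAD_SCAN adds an exposed dev server on 3001.
GOOD_SCAN = <<~OUT
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00012s latency).
  Not shown: 98 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  8008/tcp open  http
OUT

BAD_SCAN = GOOD_SCAN.sub("8008/tcp open  http\n",
                         "3001/tcp open  nessus\n8008/tcp open  http\n")

# One function per step, mirroring "Then the output should match" and
# "Then the output should not match". Each returns nil on pass, a message on fail.
def should_match(output, pattern)
  output.match?(pattern) ? nil : "expected output to match #{pattern.inspect}"
end

def should_not_match(output, pattern)
  output.match?(pattern) ? "expected output NOT to match #{pattern.inspect}" : nil
end

# Evaluate every Then step of one scenario and derive the process exit status:
# 0 when every step passed, 1 otherwise. The failure list is what goes to stderr.
def run_scenario(output, must_match: [], must_not_match: [])
  failures = must_match.map { |re| should_match(output, re) } +
             must_not_match.map { |re| should_not_match(output, re) }
  failures = failures.compact
  { failures: failures, exit_status: failures.empty? ? 0 : 1 }
end

# The lab's two patterns: Gruyere must be up on 8008, 3001 must not be exposed.
MUST_MATCH     = [/8008\/tcp\s+open/]
MUST_NOT_MATCH = [/3001.tcp\s+open/]

if __FILE__ == $0
  [["good", GOOD_SCAN], ["bad", BAD_SCAN]].each do |label, scan|
    result = run_scenario(scan, must_match: MUST_MATCH, must_not_match: MUST_NOT_MATCH)
    puts "#{label} scan: exit status #{result[:exit_status]}"
    result[:failures].each { |f| warn "  FAIL: #{f}" }
  end
end
```

A real runner would finish with `exit result[:exit_status]` so the build goes red on the bad scan. One caveat on the patterns themselves: unanchored, `8008\/tcp\s+open` also matches a line for port 18008; anchoring to the start of the line (`/^8008\/tcp\s+open/`) keeps the check honest when the port list grows.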
LAB #6 - GARMR
LAB INSTRUCTIONS
For this lab, you will complete:
├── 09_Garmr and Web Security.md
WHAT IS GARMR?
GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A
BUNCH OF SECURITY POLICIES IN WEB APPS
MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US
LAB #7 - XSS WITH ARACHNI
LAB INSTRUCTIONS
For this lab, you will complete:
├── 10_Arachni and XSS testing.md
XSS LAB!
TRY OUT ARACHNI
arachni --modules=xss --depth=1 \
  --link-count=10 --auto-redundant=2 \
  scanme.nmap.org
BONUS POINTS, FIND THE VULN!
Hint…
When I launch an "arachni-full_xss" attack
LET US KNOW WHEN YOU HAVE FOUND IT
Arachni found XSS in Gruyere, Oh noes!
localhost:8008/signup/<script>alert(1)</script>
LAB #8 - ADVANCED GAUNTLT
LAB INSTRUCTIONS
For this lab, you will complete:
├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md
HTML OUTPUT
bundle exec gauntlt --format html > out.html
RUGGED TESTING ON EVERY COMMIT
WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS
WHOLE TIME WITH THE LABS!
SAHWEET!
YOUR VERY OWN BUILD SYSTEM
bit.ly/secure-pipeline-lab0
YOU NEED: GITHUB ACCOUNT
TRAVIS CI ACCOUNT
FORK THE REPO
YOU SHOULD HAVE: A FORK OF THE REPO
UNDERSTANDING OF TRAVIS.YML
bit.ly/secure-pipeline-lab1
IN TRAVIS CI SET THE REPO TO ‘ON’
ADD THE TRAVIS BADGE IN README.md
READ THE RAKEFILE
rails-travis-example/Rakefile
HOMEWORK / EXTRAS
<script>alert('The Obligatory XSS Popup');</script>
arachni http://localhost:3000 \
  --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email]=[email protected]&user[password]=testtest',check='Logout \[email protected]' \
  -e /users/sign_out
http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session
BRAKEMAN
NOW WHAT?
50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES!
leanpub.com/hands-on-gauntlt/c/50percentoff
Google Group > groups.google.com/d/forum/gauntlt
Wiki > github.com/gauntlt/gauntlt/wiki
Twitter > @gauntlt
IRC > #gauntlt on freenode
Issue tracking > github.com/gauntlt/gauntlt
QUESTIONS?