Be Mean to Your Code - DevOps Days Austin 2013
4 likes1,123 views
Gauntlt is a tool that allows developers, operations, and security teams to communicate by automatically running security tools like nmap and validating the results meet expectations. It helps surface vulnerabilities by treating code and infrastructure like attackers would through configuring profiles that launch tools with attacks and validating outputs against pass/fail criteria. Users can get started with Gauntlt by installing it and following tutorials that demonstrate how to define features with scenarios for setup, execution, and assertion steps to test infrastructure is secure.
![“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY:THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI](https://image.slidesharecdn.com/devopsdaysaustin-2013-130429232435-phpapp01/85/Be-Mean-to-Your-Code-DevOps-Days-Austin-2013-4-320.jpg)
Be Mean to Your Code - DevOps Days Austin 2013
- 1. Be Mean toYour Code with Gauntlt
- 3. 1337 tools
- 4. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY:THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
- 5. “Is this Secure?” -Your Customer “It’s Certified” -You
- 6. there’s a better way
- 7. Your app sslyze dirb nmap curl sqlmapgarmr You generic Put your code through the Gauntlet
- 8. security tools are confusing
- 9. Gauntlt allows dev and ops and security to communicate
- 10. $ gem install gauntlt install gauntlt
- 11. Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open https """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """ Given When Then When Then
- 12. $ gauntlt Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """ 1 scenario (1 failed) 5 steps (1 failed, 4 passed) 0m18.341s running gauntlt with failing tests
- 13. $ gauntlt Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """ 1 scenario (1 passed) 5 steps (5 passed) 0m18.341s running gauntlt with passing tests
- 14. Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open https """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """ setup steps verify tool set config
- 15. Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open https """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """ attack get config
- 16. Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open https """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """ assert needle haystack
- 18. get started with gauntlt github/gauntlt gauntlt.org videos tutorials @gauntlt IRC #gauntlt we help! start here cool vids!
- 19. be mean to your code and win! slideshare.com/wickett