Be Mean to Your Code
2 likes3,205 views
The document discusses building secure code by rigorously testing it through automated attacks and verification. It introduces the concept of "ruggedization" where code is made resilient through repeated, automated testing against attacks. This helps code handle adversity in unexpected ways and provides unrealized value. It promotes using the Gauntlet framework to put code through extensive security testing with tools like nmap, metasploit, fuzzers and custom attacks to improve security.
![“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI](https://image.slidesharecdn.com/bemeantoyourcode-120731084146-phpapp01/85/Be-Mean-to-Your-Code-7-320.jpg)
Be Mean to Your Code
- 1. Be Mean to Your Code!
- 2. @wickett Sr. DevOps Engineer Mentor Graphics, Embedded Software Division CISSP, GWAPT, CCSK, GSEC, GCFW james@ruggeddevops.org ruggeddevops.org
- 3. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
- 4. Ruggedization Theory Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
- 5. "Secondly, our network got a lot stronger as a result of the LulzSec attacks." -Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
- 6. Security vs. Rugged • Absence of • Verification of Events quality • Cost • Benefit • Negative • Positive • FUD • Known values • Toxic • Affirming
- 7. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
- 8. RUGGED source: Jessica Allen, http://drbl.in/bgwy
- 9. REPEATABLE – NO MANUAL STEPS RELIABLE - NO DOS HERE REVIEWABLE – AKA AUDIT RAPID – FAST TO BUILD, DEPLOY, RESTORE RESILIENT – AUTOMATED RECONFIGURATION REDUCED - LIMITED ATTACK SURFACE
- 10. Put your code through the Gauntlet custom attacks dirbuster metasploit sqlmap fuzzers nessus w3af nmap
- 11. Put your code through the Gauntlet custom attacks dirbuster metasploit sqlmap fuzzers nessus w3af nmap Your web app You
- 12. GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
- 13. feature for nmap: nmap.feature @run Feature: Run nmap against a target and pass the value of the hostname from the profile.xml. Background: Given nmap is installed Scenario:Verify server is available on standard web ports Given the hostname in the profile.xml When I run nmap against the hostname in the profile on ports 80,443 Then the output should contain: """ 80/tcp open http 443/tcp open https """
- 14. feature for nmap: nmap.feature @run @webserver Feature: Run nmap against a target and pass the value of the hostname from the profile.xml. Background: #optional Given nmap is installed Scenario: Verify server is available on standard web ports Given the hostname in the profile.xml When I run nmap against the hostname in the profile on ports 80,443 Then the output should contain: """ 80/tcp open http 443/tcp open https """
- 15. step definition for nmap: nmap.rb Given /^nmap is installed$/ do steps %{ When I run `which nmap` Then the output should contain: """ nmap """ } end When /^I run nmap against the hostname in the profile on ports (d+),(d+)$/ do |arg2, arg3| steps %{ When I run `nmap "#{@hostname}" -p80,443` } end ...
- 16. running gauntlt with failing tests wickett$ gauntlt @gauntlet @run Feature: Run nmap against a target and pass the value of the hostname from the profile.xml. Background: # features/nmap/nmap.feature:5 Given nmap is installed # features/step_definitions/nmap.rb:2 Scenario:Verify server is available on standard web ports # features/nmap/nmap.feature:8 Given the hostname in the profile.xml # features/step_definitions/profile.rb:1 When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12 Then the output should contain: # aruba-0.4.11/lib/aruba/cucumber.rb:98 """ 8080/tcp open http 443/tcp open https """ ... Failing Scenarios: cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports 1 scenario (1 failed) 4 steps (1 failed, 3 passed) 0m0.341s
- 17. running gauntlt with passing tests wickett$ gauntlt @gauntlet @run Feature: Run nmap against a target and pass the value of the hostname from the profile.xml. Background: # features/nmap/nmap.feature:5 Given nmap is installed # features/step_definitions/nmap.rb:2 Scenario:Verify server is available on standard web ports # features/nmap/nmap.feature:8 Given the hostname in the profile.xml # features/step_definitions/profile.rb:1 When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12 Then the output should contain: # aruba-0.4.11/lib/aruba/cucumber.rb:98 """ 80/tcp open http 443/tcp open https """ 1 scenario (1 passed) 4 steps (4 passed) 0m1.117s
- 19. gauntlt team: James Wickett Mani Tadayon Roy Rapoport Jason Chan Matt Tesauro Tarek Moussa Jeremiah Shirk Luis De Leon Dan Cornell Scott Muc
- 20. Join Us • github > http://bit.ly/gauntlt_repo • google group > http://bit.ly/gauntlt_group • twitter: @gauntlt