Pragmatic Security and Rugged DevOps - SXSW 2015

PRAGMATIC SECURITY
AND RUGGED DEVOPS
WORKSHOP
@WICKETT // @MATTJAY

#SXSW
#RUGGEDCODE
CONVERSATION
#SXSW + #RUGGED CODE

#SXSW
#RUGGEDCODE
50% OFF GAUNTLT BOOK
FOR SXSW ATTENDEES!
leanpub.com/hands-on-gauntlt/c/50percentoff

#SXSW
#RUGGEDCODE
63% HANDS ON LABS!
APPLIEDTHEORY

#SXSW
#RUGGEDCODE
WORKSHOP PLEDGE

#SXSW
#RUGGEDCODE
@WICKETT // @MATTJAY You/Me
I will not attempt to access
my neighbor’s computer

I will not hack the wiﬁ

I will be friendly to those
around me

#SXSW
#RUGGEDCODE
TWO 5-MINUTE BREAK

#SXSW
#RUGGEDCODE
HANDS-ON LABS
~8 Mini Labs lasting 5 to 10 minutes each

Let us know if you are having a problem, and we
will help

We will also be around after the class to help as
well

#SXSW
#RUGGEDCODE
TIPS FOR THE LABS
Open the labs folder in your browser to
follow along to beneﬁt from markdown
display

Run all commands from the ~/gauntlt-demo

#SXSW
#RUGGEDCODE
WHY ARE YOU HERE?

#SXSW
#RUGGEDCODE
OUR GOAL: EQUIP YOU WITH
PRAGMATIC APPROACHES TO
SECURITY THAT CAN HELP YOU
MAKE A DIFFERENCE

#SXSW
#RUGGEDCODE
JAMES WICKETT
Sr. Engineer at Signal Sciences

Austin, TX

Gauntlt Core Team

DevOps Days Austin Organizer

Velocity, LASCON, ISC2, AppSecUSA,
B-Sides, …

#SXSW
#RUGGEDCODE
MATT JOHANSEN
Houston, TX

Sr. Manager, TRC WhiteHat Security

BlackHat, DEFCON, RSA, more++

Wannabe Dev (node.js, angularjs)

I’m hiring

#SXSW
#RUGGEDCODE
WHY DOES THIS MATTER?

#SXSW
#RUGGEDCODE
SONY, SONY, SONY, SONY, SONY

#SXSW
#RUGGEDCODE
HUMANS OPTIMIZE FOR THE
PROBABLE

#SXSW
#RUGGEDCODE
WE OPTIMIZE FOR THE PROBABLE

#SXSW
#RUGGEDCODE
UNIT TESTING

#SXSW
#RUGGEDCODE
INTEGRATION TESTING

#SXSW
#RUGGEDCODE
HAPPY PATH ENGINEERING

#SXSW
#RUGGEDCODE
WE OPTIMIZE FOR THE POSSIBLE

#SXSW
#RUGGEDCODE
OVER ENGINEERING

#SXSW
#RUGGEDCODE
STRESS AND LOAD TESTING

#SXSW
#RUGGEDCODE
WE OPTIMIZE FOR THE
PERCEIVED PROBABLE

#SXSW
#RUGGEDCODE
HOW DO WE PERCEIVE WHAT IS
PROBABLE?

#SXSW
#RUGGEDCODE
EPISTEMOLOGICAL PROBLEM OF
SOFTWARE DEVELOPMENT

#SXSW
#RUGGEDCODE
WE ATTEMPT TO SOLVE IT BY
GATHERING DATA OR RHETORIC

#SXSW
#RUGGEDCODE
3 APPROACHES TO SOLVE THE
EPISTEMOLOGICAL PROBLEM OF
SOFTWARE DEVELOPMENT

#SXSW
#RUGGEDCODE
ARC 1:
AGILE

#SXSW
#RUGGEDCODE
AGILE SIDE-STEPS THE PROBLEM

#SXSW
#RUGGEDCODE
AGILE SAYS WE DON’T KNOW
WHAT WE ARE BUILDING

#SXSW
#RUGGEDCODE
SOLUTION: RELEASE FEATURES
TO CUSTOMERS RAPIDLY

#SXSW
#RUGGEDCODE
JUST SHIP IT!

#SXSW
#RUGGEDCODE
BEHAVIOR DRIVEN DEV

#SXSW
#RUGGEDCODE
BEHAVIOR DRIVEN DEVELOPMENT IS A SECOND-
GENERATION, OUTSIDE–IN, PULL-BASED,
MULTIPLE-STAKEHOLDER, MULTIPLE-SCALE, HIGH-
AUTOMATION, AGILE METHODOLOGY. IT DESCRIBES
A CYCLE OF INTERACTIONS WITH WELL-DEFINED
OUTPUTS, RESULTING IN THE DELIVERY OF
WORKING, TESTED SOFTWARE THAT MATTERS.
DAN NORTH , 2009

#SXSW
#RUGGEDCODE
AMPLIFY
THE
FEEDBACK
LOOP

#SXSW
#RUGGEDCODE
TLDR
RAPID ITERATIONS WIN

#SXSW
#RUGGEDCODE
AGILE IS
OUR
GUIDING
LIGHT

#SXSW
#RUGGEDCODE
PEOPLE MATTER

#SXSW
#RUGGEDCODE
WE DON'T SELL CD’S ANYMORE
#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
SOFTWARE AS A SERVICE

#SXSW
#RUGGEDCODE
THE LAST 15 YEARS HAVE BROUGHT
A COMPLETE CHANGE IN OUR
DELIVERY CADENCE, DISTRIBUTION,
AND REVENUE MODELS

#SXSW
#RUGGEDCODE
DEVOPS IS THE APPLICATION OF
AGILE METHODOLOGY TO SYSTEM
ADMINISTRATION
- THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

#SXSW
#RUGGEDCODEARC 2: DEVOPS

#SXSW
#RUGGEDCODE
AGILE INFRASTRUCTURE
http://itrevolution.com/the-history-of-devops/

#SXSW
#RUGGEDCODE
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-ﬂickr

#SXSW
#RUGGEDCODE
FIRST DEVOPS DAYS, GHENT 2009
@PATRICKDEBOIS

#SXSW
#RUGGEDCODE
THE OPPOSITE OF DEVOPS IS DESPAIR
- GENE KIM
#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
http://dev2ops.org/blog/2010/2/22/what-is-devops.html

#SXSW
#RUGGEDCODE
DEVOPS REALIZED THAT OPS
DOESN'T KNOW WHAT DEVS KNOW
AND VICE VERSA

#SXSW
#RUGGEDCODE
DEV : OPS
10 : 1

#SXSW
#RUGGEDCODE
DEVOPS IS AN EPISTEMOLOGICAL
BREAKTHROUGH JOINING DISPARATE
PEOPLE AROUND A COMMON PROBLEM

#SXSW
#RUGGEDCODE
DEVOPS IS AN INCLUSIVE MOVEMENT
THAT CODIFIES A CULTURE
- ADAM JACOBS

#SXSW
#RUGGEDCODE
CULTURE IS THE MOST IMPORTANT
ASPECT TO DEVOPS SUCCEEDING IN
THE ENTERPRISE

#SXSW
#RUGGEDCODE
WHAT WE VALUE
DETERMINES OUR
CULTURE

#SXSW
#RUGGEDCODE
#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
MUTUAL UNDERSTANDING
SHARED LANGUAGE
OPENNESS
VISUALIZATION
TOOLING

#SXSW
#RUGGEDCODE
DEVOPS IS THE INEVITABLE RESULT OF NEEDING
TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED
COMPUTING AND CLOUD] ENVIRONMENT.
- TOM LIMONCELLI

#SXSW
#RUGGEDCODE
DEVOPS IS NOT A TECHNOLOGICAL PROBLEM.
DEVOPS IS A BUSINESS PROBLEM.
- DAMON EDWARDS

#SXSW
#RUGGEDCODE
http://puppetlabs.com/sites/default/ﬁles/2014-state-of-devops-report.pdf

#SXSW
#RUGGEDCODE
THE FIRST SCIENTIFIC STUDY OF THE
RELATIONSHIP BETWEEN
ORGANIZATIONAL
PERFORMANCE, IT PERFORMANCE
AND DEVOPS PRACTICES

#SXSW
#RUGGEDCODE
DEVOPS PRACTICES IMPROVE
IT PERFORMANCE

#SXSW
#RUGGEDCODE
CULTURE
AUTOMATION
MEASUREMENT
SHARING
@BOTCHAGALUPE
@DAMONEDWARDS

#SXSW
#RUGGEDCODE
ANTIPATTERN:
REBRAND YOUR
OPS TEAM TO
DEVOPS TEAM

#SXSW
#RUGGEDCODE
ANTIPATTERN:
MANUAL
CONFIG OF
PRODUCTION
ENVIRONMENT
#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
CHEF, PUPPET, ANSIBLE, CFENGINE
RUNDECK, MCOLLECTIVE
JENKINS, TRAVIS, KITCHEN
CUCUMBER, GAUNTLT, SERVERSPEC
VAGRANT, DOCKER

#SXSW
#RUGGEDCODE
BEWARE OF THE
DEVOPS
SOFTWARE
SOLUTION

#SXSW
#RUGGEDCODE
“THAT THE WORD #DEVOPS GETS REDUCED TO
TECHNOLOGY IS A MANIFESTATION OF HOW
BADLY WE NEED A CULTURAL SHIFT”
- @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

#SXSW
#RUGGEDCODE
BUSINESS METRICS
EVENT CORRELATION
USAGE BASED MONITORING

#SXSW
#RUGGEDCODE
ARC 3:
CONTINUOUS
DELIVERY

#SXSW
#RUGGEDCODE
CONTINUOUS DELIVERY IS NOT MERELY
HOW OFTEN YOU DELIVER BUT HOW
LITTLE YOU CAN DELIVER AT A TIME

#SXSW
#RUGGEDCODE
BATCH SIZE OF 1

#SXSW
#RUGGEDCODE
OLD WAY
CHANGES BREAK STUFF, SO LIMIT
THEM AND BATCH THEM ALL TOGETHER

#SXSW
#RUGGEDCODE
NEW WAY
DELIVERY OF ONE CHANGE AT A
TIME REDUCES OUTAGES,
INCREASES PERFORMANCE, AND
LIMITS TECHNICAL DEBT

#SXSW
#RUGGEDCODE
NEVER PASS DEFECTS TO THE
NEXT STEP
The Practice of Cloud System Administration

#SXSW
#RUGGEDCODE
YOU MUST DEPLOY YOUR STUFF
#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
LET THE BOTS TROLL THE USERS
FOR THE LOLZ.

#SXSW
#RUGGEDCODE
ALLOCATE TIME TO ENHANCE THE
BUILD, TEST AND DEPLOY SYSTEM
The Practice of Cloud System Administration

#SXSW
#RUGGEDCODE
REDUCE CODE LATENCY AND
INCREASE CODE VELOCITY

#SXSW
#RUGGEDCODE
THE NEXT ARC: SECURITY
Rugged

#SXSW
#RUGGEDCODE
“… THOSE STUPID DEVELOPERS”
- SECURITY PERSON

#SXSW
#RUGGEDCODE
“SECURITY PREFERS A SYSTEM
POWERED OFF AND UNPLUGGED”
- DEVELOPER

#SXSW
#RUGGEDCODE
CULTURAL UNREST WITH
SECURITY IN AN ORGANIZATION

#SXSW
#RUGGEDCODE
COMPLIANCE DRIVEN CULTURE:
PCI, SOX, …

#SXSW
#RUGGEDCODE
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS
ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY WORK”

#SXSW
#RUGGEDCODE
RATIO PROBLEM
DEVS : OPS : SECURITY
100 : 10 : 1

#SXSW
#RUGGEDCODE
SECURITY TOOLS
ARE RUN OUT-OF-BAND

#SXSW
#RUGGEDCODE
SECURITY TOOLS ARE
CONFUSING

#SXSW
#RUGGEDCODE
AND WHEN THEY ARE DONE THEY
GIVE YOU THIS LOVELY GEM

#SXSW
#RUGGEDCODE
THE TIDE IS CHANGING

#SXSW
#RUGGEDCODE
RESILIENCY
ENGINEERING

#SXSW
#RUGGEDCODE
THE INFAMOUS
NETFLIX
CHAOS
MONKEY

#SXSW
#RUGGEDCODE
THE RUGGED MANIFESTO
(EXCERPTS)

#SXSW
#RUGGEDCODE
I AM RUGGED AND, MORE IMPORTANTLY, MY CODE
IS RUGGED.
I RECOGNIZE THAT SOFTWARE HAS BECOME A
FOUNDATION OF OUR MODERN WORLD.
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT
COMES WITH THIS FOUNDATIONAL ROLE.

#SXSW
#RUGGEDCODE
I AM RUGGED BECAUSE MY CODE CAN FACE
THESE CHALLENGES AND PERSIST IN SPITE
OF THEM.

#SXSW
#RUGGEDCODE
#RUGGEDDEVOPS
#DEVOPSSEC

#SXSW
#RUGGEDCODE
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

#SXSW
#RUGGEDCODE
RUGGED JOURNEY

#SXSW
#RUGGEDCODE
http://videos.2012.appsecusa.org/video/54250716

#SXSW
#RUGGEDCODE
http://www.youtube.com/watch?v=jQblKuMuS0Y

#SXSW
#RUGGEDCODE
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

#SXSW
#RUGGEDCODE
HTTPS://SPEAKERDECK.COM/MKONDA/APPSECUSA-2013-INSECURE-EXPECTATIONS
http://vimeo.com/75930344

#SXSW
#RUGGEDCODE
SECURITY TOOLING TO DELIVERY
PIPELINE

#SXSW
#RUGGEDCODE
…TO INFLUENCE CULTURE,
AUTOMATION, MEASUREMENT AND
SHARING

#SXSW
#RUGGEDCODE
RUGGED WEB APPS

#SXSW
#RUGGEDCODE
VULNERABLE CODE IS EVERYWHERE

#SXSW
#RUGGEDCODE
CROSS SITE SCRIPTING
[XSS]

#SXSW
#RUGGEDCODE
WHAT IS IT?
[XSS]

#SXSW
#RUGGEDCODE
REFLECTIVE
[XSS]

#SXSW
#RUGGEDCODE

#SXSW
#RUGGEDCODE
PERSISTENT
[XSS]

#SXSW
#RUGGEDCODE
DOM BASED
[XSS]

#SXSW
#RUGGEDCODE
WHY IS IT BAD?
[XSS]

#SXSW
#RUGGEDCODE
DOCUMENT.COOKIE
[XSS]

#SXSW
#RUGGEDCODE
DOCUMENT.LOCATION
[XSS]

#SXSW
#RUGGEDCODE
HOW DO I FIX IT?
[XSS]

#SXSW
#RUGGEDCODE
GOOD: INPUT SANITIZATION
[XSS]

#SXSW
#RUGGEDCODE
BLACKLIST :(
[XSS]

#SXSW
#RUGGEDCODE
WHITELIST :)
[XSS]

#SXSW
#RUGGEDCODE
BETTER: OUTPUT ENCODING
[XSS]

#SXSW
#RUGGEDCODE
< > BECOME &LT; &GT;
[XSS]

#SXSW
#RUGGEDCODE
SQL INJECTION
[SQLi]

#SXSW
#RUGGEDCODE
WHAT IS IT?
[SQLi]

#SXSW
#RUGGEDCODE
WHY IS IT BAD?
[SQLi]

#SXSW
#RUGGEDCODE
CREDIT: XKCD

#SXSW
#RUGGEDCODE
HOW WOULD YOU EXPLOIT?

#SXSW
#RUGGEDCODE
‘;

#SXSW
#RUGGEDCODE
PWNED

#SXSW
#RUGGEDCODE
HOW DO I FIX IT?
[SQLi]

#SXSW
#RUGGEDCODE
PARAMETERIZED QUERIES
[SQLi]

#SXSW
#RUGGEDCODE
PARAMETERIZED QUERIES (PHP)
[SQLi]

#SXSW
#RUGGEDCODE
PARAMETERIZED QUERIES (JAVA)
[SQLi]

#SXSW
#RUGGEDCODE
CROSS SITE REQUEST FORGERY
[CSRF]

#SXSW
#RUGGEDCODE
WHAT IS IT?
[CSRF]

#SXSW
#RUGGEDCODE
WHY IS IT BAD?
[CSRF]

#SXSW
#RUGGEDCODE
HOW DO I FIX IT?
[CSRF]

#SXSW
#RUGGEDCODE
TOKENS!
[CSRF]

#SXSW
#RUGGEDCODE
IMAGE CREDIT: DOTNETBIPS.COM

#SXSW
#RUGGEDCODE
AGAIN… VULNERABLE CODE IS
EVERYWHERE

#SXSW
#RUGGEDCODE
GETS FIXED SLOWLY

#SXSW
#RUGGEDCODE
…IF EVER

#SXSW
#RUGGEDCODE
OWASP TOP 10

#SXSW
#RUGGEDCODE
LAB #1 - SETUP

#SXSW
#RUGGEDCODE
SETUP
github.com/gauntlt/gauntlt-demo

Open the Labs in your browser > https://
github.com/gauntlt/gauntlt-demo/tree/master/labs/
sxsw-2015

You need Vagrant and VirtualBox installed on your
laptop

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS
For this lab, you will complete:

├── 01_Overview.md
├── 02_Setup using Vagrant.md

├── 02_Setup using Vagrant.md

#SXSW
#RUGGEDCODE
5-MINUTE BREAK

#SXSW
#RUGGEDCODE
LAB #2 - WEB APP HACKING

#SXSW
#RUGGEDCODE
XSS DEMO

#SXSW
#RUGGEDCODE
FIND THE VULN

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 04_Start up Vulnerable Target.md

#SXSW
#RUGGEDCODE
For this lab, poke around and try to
ﬁnd a second XSS vulnerability

Let us know when you ﬁnd it…

#SXSW
#RUGGEDCODE
INTRO TO GAUNTLT

#SXSW
#RUGGEDCODE
WOULDN’T IT BE GREAT IF WE
COULD AUTOMATE OUR SECURITY
TESTS…

#SXSW
#RUGGEDCODE
http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg

#SXSW
#RUGGEDCODE
GAUNTLT IS AN
OPINIONATED
FRAMEWORK TO DO
RUGGED TESTING

#SXSW
#RUGGEDCODE
GAUNTLT IS
OPEN SOURCE
MIT LICENSED

#SXSW
#RUGGEDCODE
GAUNTLT AUTOMATES
SECURITY TOOLS

#SXSW
#RUGGEDCODE
GAUNTLT = SECURITY + CUCUMBER

#SXSW
#RUGGEDCODE
C O D E
GARMR NMAP CURL ARACHNI

#SXSW
#RUGGEDCODE
GARMR NMAP CURL ARACHNI
C O D E

#SXSW
#RUGGEDCODE
BUILT ON CUCUMBER

#SXSW
#RUGGEDCODE
GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook
security testing tools

Gauntlt does not install tools

Gauntlt wants to be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr

#SXSW
#RUGGEDCODE
GAUNTLT IS COLLABORATION

#SXSW
#RUGGEDCODE
*.attack
something.attack
else.attack
GAUNTLT IN ACTION

#SXSW
#RUGGEDCODE
Feature
Background
Scenario
Description
Setup
Logic
ATTACK STRUCTURE

#SXSW
#RUGGEDCODE
ATTACK LOGIC
Given
When
Then

#SXSW
#RUGGEDCODE
Given “arachni” is installed
Setup steps
Check Resource Available
ATTACK STEP: GIVEN

#SXSW
#RUGGEDCODE
ATTACK STEP: WHEN
Action steps
When I launch an
“arachni-xss” attack

#SXSW
#RUGGEDCODE
ATTACK STEP: THEN
Parsing Steps
Then the output should
not contain “fail”

#SXSW
#RUGGEDCODE
LET’S PUT IT ALL TOGETHER

#SXSW
#RUGGEDCODE
LAB #3 - HELLO WORLD

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 05_Hello World with Gauntlt.md

#SXSW
#RUGGEDCODE
HELLO WORLD

#SXSW
#RUGGEDCODE
LAB #4 - BASIC PORT CHECK

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 06_Port Check.md

#SXSW
#RUGGEDCODE
$ nmap -F localhost
$ nmap -F scanme.nmap.org
TRY OUT NMAP

@challenge @slow
Feature: check to make sure the right ports are
open on our server
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| host | localhost |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <host>
"""
# Then ...
# TODO: figure out a way to parse the output and
determine what is passing
# For hints consult the README.md

#SXSW
#RUGGEDCODE
$ bundle exec gauntlt --allsteps

@final @slow
Feature: check to make sure the right ports are open
on our server
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| host | localhost |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <host>
"""
Then the output should contain:
"""
8008
"""
SOLUTION

#SXSW
#RUGGEDCODE
LAB #5 - CLI AND REGEX

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 07_Working with Gauntlt CLI.md
├── 08_Regex.md

#SXSW
#RUGGEDCODE
Open 07_Working with Gauntlt CLI.md and run the following:

#SXSW
#RUGGEDCODE
08_Regex.md

#SXSW
#RUGGEDCODE
Then the output should match:
"""
8008/tcps+open
"""
Then the output should not match /3001.tcps+open/
SOLUTION

#SXSW
#RUGGEDCODE
LAB #6 - GARMR

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 09_Garmr and Web Security.md

#SXSW
#RUGGEDCODE
WHAT IS GARMR?

#SXSW
#RUGGEDCODE
GARMR IS A SCRIPT FROM
MOZILLA THAT CHECKS FOR A
BUNCH OF SECURITY POLICIES IN
WEB APPS

#SXSW
#RUGGEDCODE
MOZILLA SECURITY POLICY
DISTILLED FOR THE REST OF US

#SXSW
#RUGGEDCODE
LAB #7 - XSS WITH ARACHNI

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 10_Arachni and XSS testing.md

#SXSW
#RUGGEDCODE
XSS LAB!

#SXSW
#RUGGEDCODE
arachni --modules=xss --depth=1
--link-count=10 --auto-redundant=2
scanme.nmap.org
TRY OUT ARACHNI

#SXSW
#RUGGEDCODE
BONUS POINTS, FIND THE VULN!

#SXSW
#RUGGEDCODE
Hint….

When I launch an "arachni-full_xss" attack

#SXSW
#RUGGEDCODE
LET US KNOW WHEN YOU HAVE
FOUND IT

#SXSW
#RUGGEDCODE
Arachni found XSS in Gruyere, Oh noes!

localhost:8008/signup/<script>alert(1)</script>

#SXSW
#RUGGEDCODE
LAB #8 - ADVANCED GAUNTLT

#SXSW
#RUGGEDCODE
LAB INSTRUCTIONS

├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md

#SXSW
#RUGGEDCODE
bundle exec gauntlt --format html > out.html
HTML OUTPUT

#SXSW
#RUGGEDCODE
RUGGED TESTING
ON EVERY COMMIT

#SXSW
#RUGGEDCODE
WE HAVE BEEN DOING CONTINUOUS
INTEGRATION WITH GAUNTLT THIS
WHOLE TIME WITH THE LABS!

#SXSW
#RUGGEDCODE
SAHWEET!

#SXSW
#RUGGEDCODE
YOU VERY OWN BUILD SYSTEM

#SXSW
#RUGGEDCODE
bit.ly/secure-pipeline-lab0

#SXSW
#RUGGEDCODE
YOU NEED:
GITHUB ACCOUNT
TRAVIS CI ACCOUNT

#SXSW
#RUGGEDCODE
FORK THE REPO

#SXSW
#RUGGEDCODE
YOU SHOULD HAVE:
A FORK OF THE REPO
UNDERSTANDING OF TRAVIS.YML

#SXSW
#RUGGEDCODE
bit.ly/secure-pipeline-lab1

#SXSW
#RUGGEDCODE
IN TRAVIS CI
SET THE REPO TO ‘ON’
In Travis CI set the repo to ‘ON’

#SXSW
#RUGGEDCODE
ADD THE TRAVIS BADGE IN
README.md

#SXSW
#RUGGEDCODE
READ THE RAKEFILE
rails-travis-example/Rakefile

#SXSW
#RUGGEDCODE
HOMEWORK / EXTRAS

#SXSW
#RUGGEDCODE
http://localhost:3000

#SXSW
#RUGGEDCODE
<script>alert('The Obligatory XSS Popup');</
script>

#SXSW
#RUGGEDCODE
arachni http://localhost:3000
--plugin=autologin:url=http://localhost:3000/users/
sign_in,params='user[email]=test@test.com&user[passwo
rd]=testtest',check='Logout test@test.com'
-e /users/sign_out
http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session

#SXSW
#RUGGEDCODE
BRAKEMAN

#SXSW
#RUGGEDCODE
Google Group > groups.google.com/d/forum/gauntlt

Wiki > github.com/gauntlt/gauntlt/wiki

Twitter > @gauntlt

IRC > #gauntlt on freenode

Issue tracking > github.com/gauntlt/gauntlt

Pragmatic Security and Rugged DevOps - SXSW 2015

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Pragmatic Security and Rugged DevOps - SXSW 2015

Ähnlich wie Pragmatic Security and Rugged DevOps - SXSW 2015 (20)

Mehr von James Wickett

Mehr von James Wickett (13)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Pragmatic Security and Rugged DevOps - SXSW 2015