Security testing is often done at the cadence of auditors rather than at the pace of the development team, which hurts delivery time in agile teams. Rugged Driven Development (RDD) applies security and other stress-testing methodologies during the development process so that the end product is software that is secure, reliable and resilient.
Using the Gauntlt open source framework to help implement RDD, you will find it fun to live by the Gauntlt motto, “be mean to your code.” You will be equipped to deliver and release ruggedized software faster, and to bridge the communication gaps that exist between dev, ops and security teams. This talk will help you implement RDD in your projects with plenty of real-world examples.
At the end of the workshop, you should:
Be Rugged Driven Dev savvy and ready to ruggedize your next project with some new practices and tooling
Know how to use gauntlt and the security tools it hooks into
Take some of the pre-built gauntlt attacks and modify them to your own project
Write your own gauntlt attacks and put them in practice
8. HANDS-ON LABS
8 Mini Labs lasting 5 to 15 minutes each
Let us know if you are having a problem, and we will help
We will also be around after the class to help as well
46. I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.

I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.

I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.

47. I RECOGNIZE THAT MY CODE WILL BE USED IN WAYS I CANNOT ANTICIPATE, IN WAYS IT WAS NOT DESIGNED, AND FOR LONGER THAN IT WAS EVER INTENDED.

I RECOGNIZE THAT MY CODE WILL BE ATTACKED BY TALENTED AND PERSISTENT ADVERSARIES WHO THREATEN OUR PHYSICAL, ECONOMIC AND NATIONAL SECURITY.

48. I RECOGNIZE THESE THINGS – AND I CHOOSE TO BE RUGGED.

I AM RUGGED BECAUSE I REFUSE TO BE A SOURCE OF VULNERABILITY OR WEAKNESS.

I AM RUGGED BECAUSE I ASSURE MY CODE WILL SUPPORT ITS MISSION.

49. I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM.

I AM RUGGED, NOT BECAUSE IT IS EASY, BUT BECAUSE IT IS NECESSARY AND I AM UP FOR THE CHALLENGE.
100. SETUP
github.com/gauntlt/gauntlt-demo
Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2014
You need Vagrant and VirtualBox installed on your laptop
102. LAB INSTRUCTIONS
For this lab, you will complete:
├── 01_Overview.md
├── 02_Setup using Vagrant.md
132. GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook into security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
151. @challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    #
    Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md
154. SOLUTION
@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """
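As an added example (not one of the lab's own attack files), the solution above can be tightened so that it matches the full nmap port line instead of the bare number "8008" (which would also match "80080" or any other text containing those digits), and extended with a second scenario that fails the attack when a service that should never be exposed is listening. The `Then the output should not contain:` step is the negated form of the step the solution already uses; the host and the ports 25 and 3306 are assumptions chosen for illustration.

```gherkin
@final @slow
Feature: verify that only the expected ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on the expected port
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Match the whole nmap port line so a stray "8008" elsewhere
    # in the output cannot produce a false pass.
    Then the output should contain:
      """
      8008/tcp open
      """

  Scenario: Verify no unexpected services are listening
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Ports assumed to be forbidden on this host (illustrative values).
    # A match fails the scenario and gauntlt exits non-zero, which is
    # what a CI/CD stage needs in order to block the build.
    Then the output should not contain:
      """
      25/tcp open
      """
    And the output should not contain:
      """
      3306/tcp open
      """
```

Save it as a `.attack` file in the lab directory and run `gauntlt` from there; the exit status follows the "good citizen of exit status" rule from the philosophy slide, so the pipeline needs no output parsing of its own.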
196. FREE GAUNTLT BETA BOOK FOR SXSW ATTENDEES!
http://leanpub.com/hands-on-gauntlt/c/SXSW
Valid until March 11th
Caveat Emptor: No content at the moment!