Security testing is often done at the cadence of auditors and not at the pace of the development team which hurts delivery time in agile teams. Rugged Driven Development (RDD) utilizes security and other stress testing methodologies during the development process to impact the end product so that you create software that is secure, reliable and resilient. Using the Gauntlt open source framework to help implement RDD you will find it fun to live by the Gauntlt motto, “be mean to your code.” You will be equipped to deliver and release ruggedized software faster as well as span the communication gaps that exist between dev, ops and security teams. This talk will help you implement RDD your projects with plenty of real world examples. At the end of the workshop, you should: Be Rugged Driven Dev savvy and ready to ruggedize your next project with some new practices and tooling Know how to use gauntlt and the security tools it hooks into Take some of the pre-built gauntlt attacks and modify them to your own project Write your own gauntlt attacks and put them in practice

1. RUGGED SOFTWARE
USING RUGGED DRIVEN
DEVELOPMENT
@wickett // @iteration1 // @mattjay

2. $ wget http://bit.ly/rugged-sxsw-box
AND
!
Install Virtual Box and Vagrant

3. BE RUGGED AND
BE MEAN TO YOUR CODE
#RUGGED
#SXSW +
#BEMEAN
Use this one
to troll SXSW
Official tag

4. THEORY
APPLIED
63% HANDS ON LABS!

5. WORKSHOP PLEDGE

6. I will not attempt to access
my neighbor’s computer
!
I will not hack the wifi
!
I will be friendly to those
around me
You/Me

7. ONE 5-MINUTE BREAK

8. HANDS-ON LABS
8 Mini Labs lasting 5 to 15 minutes each
Let us know if you are having a problem, and we
will help
We will also be around after the class to help as
well

9. VIRTUAL BOX AND VAGRANT

10. TIPS FOR THE LABS
Open the labs folder in your browser to
follow along to benefit from markdown
display
Run all commands from the ~/gauntlt-demo

12. LOOKING FOR THE 5’S

13. WHY ARE YOU HERE?

15. OUR GOAL: EQUIP YOU WITH THE
THEORY, EXAMPLES AND TOOLING
SO THAT YOU CAN BEGIN YOUR
RUGGED JOURNEY

16. WHO ARE WE?

17. JAMES WICKETT
Austin, TX
Sr. DevOps Engr, Mentor Graphics
Gauntlt Core Team
DevOps Days Austin Organizer
Velocity, LASCON, ISC2, AppSecUSA,
B-Sides, …

18. MATT JOHANSEN
Houston, TX
Sr. Manager, TRC WhiteHat Security
BlackHat, DEFCON, RSA, more++
Wannabe Dev (node.js, angularjs)
I’m hiring

19. KARTHIK GAEKWAD
Austin, TX
Sr. Software Engr, Mentor Graphics
DevOps Days Austin Organizer
Agile, LASCON, DevOps Days,
AppSecUSA, …

20. WHY DOES THIS MATTER?

21. SNOWDEN, NSA, NATION-STATE
ACTORS, …

22. PEOPLE MATTER

23. PEOPLE MATTER

24. THE BROKEN WINDOW FALLACY
&
THE PRISONER’S DILEMMA

25. BREACHES CAUSE CYNICISM,
DISTRUST AND LOSS

26. SOFTWARE HAS CHANGED

27. SOFTWARE AS A SERVICE

28. SOFTWARE AS
BRICOLAGE

29. BOLT ON
FEATURE
APPROACH

30. FRAGILE CODE AS A SERVICE

31. DEPLOY TIMELINES HAVE
CHANGED

32. DEV AND OPS HAVE TEAMED UP
IN THIS NEW WORLD

33. CONTINUOUS DELIVERY
IS A THING

34. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

35. DEVOPS IS 5 YEARS OLD NOW

36. SECURITY IS STUCK IN 1997
… MOSTLY

37. WHY IS THAT?

38. COMPLIANCE DRIVEN CULTURE:
PCI, SOX, …

39. RATIO PROBLEM
DEVS / OPS / SECURITY
100 / 10 / 1

40. SECURITY TOOLS ARE
CONFUSING

41. BUT, THERE IS HOPE

42. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

43. http://www.youtube.com/watch?v=jQblKuMuS0Y

45. THE RUGGED MANIFESTO

46. I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS
RUGGED.
!
I RECOGNIZE THAT SOFTWARE HAS BECOME A
FOUNDATION OF OUR MODERN WORLD.
!
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT
COMES WITH THIS FOUNDATIONAL ROLE.

47. I RECOGNIZE THAT MY CODE WILL BE USED IN WAYS
I CANNOT ANTICIPATE, IN WAYS IT WAS NOT
DESIGNED, AND FOR LONGER THAN IT WAS EVER
INTENDED.
!
I RECOGNIZE THAT MY CODE WILL BE ATTACKED BY
TALENTED AND PERSISTENT ADVERSARIES WHO
THREATEN OUR PHYSICAL, ECONOMIC AND
NATIONAL SECURITY.

48. I RECOGNIZE THESE THINGS – AND I CHOOSE
TO BE RUGGED.
!
I AM RUGGED BECAUSE I REFUSE TO BE A
SOURCE OF VULNERABILITY OR WEAKNESS.
!
I AM RUGGED BECAUSE I ASSURE MY CODE
WILL SUPPORT ITS MISSION.

49. I AM RUGGED BECAUSE MY CODE CAN FACE
THESE CHALLENGES AND PERSIST IN SPITE
OF THEM.
!
I AM RUGGED, NOT BECAUSE IT IS EASY, BUT
BECAUSE IT IS NECESSARY AND I AM UP FOR
THE CHALLENGE.

50. DEV / OPS / SEC JOIN FORCES

51. #RUGGEDDEVOPS

52. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

53. LET’S BUILD RUGGED SOFTWARE

54. RUGGED WEB APPS

55. VULNERABLE CODE IS
EVERYWHERE

56. CROSS SITE SCRIPTING
[XSS]

57. WHAT IS IT?
[XSS]

58. REFLECTIVE
[XSS]

60. PERSISTENT
[XSS]

61. DOM BASED
[XSS]

62. WHY IS IT BAD?
[XSS]

63. DOCUMENT.COOKIE
[XSS]

65. DOCUMENT.LOCATION
[XSS]

66. HOW DO I FIX IT?
[XSS]

67. GOOD: INPUT SANITIZATION
[XSS]

68. BLACKLIST :(
[XSS]

69. WHITELIST :)
[XSS]

70. BETTER: OUTPUT ENCODING
[XSS]

71. < > BECOME &LT; &GT;
[XSS]

72. SQL INJECTION
[SQLi]

73. WHAT IS IT?
[SQLi]

74. WHY IS IT BAD?
[SQLi]

77. CREDIT: XKCD

78. HOW WOULD YOU EXPLOIT?

79. ‘;

80. PWNED

81. HOW DO I FIX IT?
[SQLi]

82. PARAMETERIZED QUERIES
[SQLi]

83. PARAMETERIZED QUERIES (PHP)
[SQLi]

84. PARAMETERIZED QUERIES (JAVA)
[SQLi]

85. CROSS SITE REQUEST FORGERY
[CSRF]

86. WHAT IS IT?
[CSRF]

87. WHY IS IT BAD?
[CSRF]

90. HOW DO I FIX IT?
[CSRF]

92. TOKENS!
[CSRF]

93. IMAGE CREDIT: DOTNETBIPS.COM

94. AGAIN… VULNERABLE
CODE IS EVERYWHERE

95. GETS FIXED SLOWLY

96. GETS FIXED SLOWLY

97. …IF EVER

98. OWASP TOP 10

99. LAB #1 - SETUP

100. github.com/gauntlt/gauntlt-demo
Open the Labs in your browser > https://
github.com/gauntlt/gauntlt-demo/tree/master/labs/
sxsw-2014
You need Vagrant and VirtualBox installed on your
laptop
SETUP

102. For this lab, you will complete:
├── 01_Overview.md
├── 02_Setup using Vagrant.md
LAB INSTRUCTIONS

106. 5-MINUTE BREAK

107. LAB #2 - WEB APP HACKING

108. XSS DEMO

111. FIND THE VULN

112. FIND THE VULN

113. FIND THE VULN

114. For this lab, you will complete:
├── 04_Start up Vulnerable Target.md
LAB INSTRUCTIONS

116. For this lab, poke around and try to
find a second XSS vulnerability
!
Let us know when you find it…

117. INTRO TO GAUNTLT

118. WOULDN’T IT BE GREAT IF WE
COULD AUTOMATE OUR SECURITY
TESTS…

119. http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg

120. GAUNTLT IS AN
OPINIONATED
FRAMEWORK TO DO
RUGGED TESTING

121. GAUNTLT IS
OPEN SOURCE
MIT LICENSED

122. GAUNTLT AUTOMATES
SECURITY TOOLS

123. GAUNTLT = SECURITY + CUCUMBER

128. GARMR
CODE
NMAP
CURL
ARACHNI

129. GARMR
NMAP
CURL
CODE
ARACHNI

131. BUILT ON CUCUMBER

132. GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook
security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr

133. GAUNTLT IS COLLABORATION

134. *.attack
something.attack
else.attack
GAUNTLT IN ACTION

135. Feature
Description
Background
Setup
Scenario
Logic
ATTACK STRUCTURE

136. Given
When
Then
ATTACK LOGIC

137. Setup steps
Check Resource Available
Given “arachni” is installed
ATTACK STEP: GIVEN

138. Action steps
When I launch an
“arachni-xss” attack
ATTACK STEP: WHEN

139. Parsing Steps
Then the output should
not contain “fail”
ATTACK STEP: THEN

140. LET’S PUT IT ALL TOGETHER

142. LAB #3 - HELLO WORLD

143. For this lab, you will complete:
├── 05_Hello World with Gauntlt.md
LAB INSTRUCTIONS

144. HELLO WORLD

146. LAB #4 - BASIC PORT CHECK

147. For this lab, you will complete:
├── 06_Port Check.md
LAB INSTRUCTIONS

149. TRY OUT NMAP
$ nmap -F localhost
$ nmap -F scanme.nmap.org

151. @challenge @slow
Feature: check to make sure the right ports are
open on our server
!
!
Background:
Given "nmap" is installed
And the following profile:
| name
| value
| host
| localhost
|
|
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <host>
"""
#
Then ...
# TODO: figure out a way to parse the output and
determine what is passing
# For hints consult the README.md

152. $ bundle exec gauntlt --allsteps

153. TRUST THE PIPE

154. SOLUTION
@final @slow
Feature: check to make sure the right ports are open
on our server
!
Background:
Given "nmap" is installed
And the following profile:
| name
| value
|
| host
| localhost
|
!
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <host>
"""
Then the output should contain:
"""
8008
"""

155. LAB #5 - CLI AND REGEX

156. For this lab, you will complete:
├── 07_Working with Gauntlt CLI.md
├── 08_Regex.md
LAB INSTRUCTIONS

157. Open 07_Working with Gauntlt CLI.md and run the following:

158. 08_Regex.md

159. SOLUTION
Then the output should match:
"""
8008/tcps+open
"""
Then the output should not match /3001.tcps+open/

160. LAB #6 - GARMR

161. For this lab, you will complete:
├── 09_Garmr and Web Security.md
LAB INSTRUCTIONS

162. WHAT IS GARMR?

163. GARMR IS A SCRIPT FROM
MOZILLA THAT CHECKS FOR A
BUNCH OF SECURITY POLICIES IN
WEB APPS

164. MOZILLA SECURITY POLICY
DISTILLED FOR THE REST OF US

166. LAB #7 - XSS WITH ARACHNI

167. For this lab, you will complete:
├── 10_Arachni and XSS testing.md
LAB INSTRUCTIONS

168. XSS LAB!

169. TRY OUT ARACHNI
arachni --modules=xss --depth=1
--link-count=10 --auto-redundant=2
scanme.nmap.org

170. BONUS POINTS, FIND THE VULN!

171. Hint….
!
When I launch an "arachni-full_xss" attack

172. LET US KNOW WHEN YOU HAVE
FOUND IT

173. Arachni found XSS in Gruyere, Oh noes!
!
localhost:8008/signup/<script>alert(1)</script>

174. LAB #8 - ADVANCED GAUNTLT

175. For this lab, you will complete:
├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md
LAB INSTRUCTIONS

177. HTML OUTPUT
bundle exec gauntlt --format html > out.html

178. out.html

180. RUGGED TESTING
ON EVERY COMMIT

181. YOU PROMISED CI/CD
PIPELINE…

183. THIS DEFINITELY IS
5 STAR TERRITORY

185. TRAVIS CI PARSES CONFIG
AND THEN RUNS RAKE

186. RAKEFILE
require 'gauntlt'
!
task
sh
sh
sh
end
:gauntlt do
"cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
"cd ./examples && bundle exec gauntlt --tags @final && cd .."
"cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."

187. gauntlt-demo/.travis.yml
language: ruby
rvm:
- 1.9.3
before_install:
- git submodule update --init --recursive
before_script:
- sudo apt-get install nmap
- sudo apt-get install wget
- sudo apt-get install libcurl4-openssl-dev
- 'pwd'
- export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/
sslyze.py"
- export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/
sqlmap.py"
- 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
- 'cd vendor && wget http://downloads.sourceforge.net/project/dirb/dirb/2.03/
dirb203.tar.gz && tar xvfz dirb203.tar.gz && cd dirb && ./configure && make &&
sudo cp dirb /usr/local/bin/ && cd ../../'
- export DIRB_WORDLISTS="/home/travis/build/gauntlt/gauntlt/vendor/dirb/
wordlists"
notifications:
irc:
channels:
- "chat.freenode.net#gauntlt"
use_notice: true

188. WE HAVE BEEN DOING CONTINUOUS
INTEGRATION WITH GAUNTLT THIS
WHOLE TIME WITH THE LABS!

191. SAHWEET!

192. NOW WHAT?

193. THESE SLIDES
http://bit.ly/gauntlt-sxsw-slides

194. • Google Group > https://groups.google.com/d/
•
•
•
•
•
forum/gauntlt
Wiki > https://github.com/gauntlt/gauntlt/wiki
Twitter > @gauntlt
IRC > #gauntlt on freenode
Weekly hangout > http://bit.ly/gauntlt-hangout
Issue tracking > http://github.com/gauntlt/gauntlt

195. https://vimeo.com/79797907

196. FREE GAUNTLT BETA BOOK
FOR SXSW ATTENDEES!
http://leanpub.com/hands-on-gauntlt/c/SXSW
Valid until March 11th
Caveat Emptor:
No content at
the moment!

197. GAUNTLT-SERVER COMING SOON!

198. WILL YOU GIVE US THE 5’S?

200. QUESTIONS?