Rugged Software Using Rugged Driven Development

Post on 06-May-2015


description

Security testing is often done at the cadence of auditors and not at the pace of the development team, which hurts delivery time in agile teams. Rugged Driven Development (RDD) applies security and other stress-testing methodologies during the development process so that the end product is software that is secure, reliable and resilient. Using the Gauntlt open source framework to help implement RDD, you will find it fun to live by the Gauntlt motto, “be mean to your code.” You will be equipped to deliver and release ruggedized software faster and to span the communication gaps that exist between dev, ops and security teams. This talk will help you implement RDD in your projects with plenty of real-world examples. At the end of the workshop, you should:

• Be Rugged Driven Dev savvy and ready to ruggedize your next project with some new practices and tooling

• Know how to use gauntlt and the security tools it hooks into

• Take some of the pre-built gauntlt attacks and modify them to your own project

• Write your own gauntlt attacks and put them in practice

transcript

RUGGED SOFTWARE USING RUGGED DRIVEN DEVELOPMENT

@wickett // @iteration1 // @mattjay

$ wget http://bit.ly/rugged-sxsw-box

AND

Install Virtual Box and Vagrant

BE RUGGED AND BE MEAN TO YOUR CODE

#RUGGED #BEMEAN

Use this one to troll SXSW

Official tag

#SXSW +

63% HANDS ON LABS!

APPLIEDTHEORY

WORKSHOP PLEDGE

You/Me

I will not attempt to access my neighbor’s computer

I will not hack the wifi!

I will be friendly to those around me

ONE 5-MINUTE BREAK

HANDS-ON LABS

8 Mini Labs lasting 5 to 15 minutes each

Let us know if you are having a problem, and we will help

We will also be around after the class to help as well

VIRTUAL BOX AND VAGRANT

TIPS FOR THE LABS

Open the labs folder in your browser to follow along to benefit from markdown display

Run all commands from the ~/gauntlt-demo

LOOKING FOR THE 5’S

WHY ARE YOU HERE?

OUR GOAL: EQUIP YOU WITH THE THEORY, EXAMPLES AND TOOLING

SO THAT YOU CAN BEGIN YOUR RUGGED JOURNEY

WHO ARE WE?

JAMES WICKETT

Austin, TX

Sr. DevOps Engr, Mentor Graphics

Gauntlt Core Team

DevOps Days Austin Organizer

Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …

MATT JOHANSEN

Houston, TX

Sr. Manager, TRC WhiteHat Security

BlackHat, DEFCON, RSA, more++

Wannabe Dev (node.js, angularjs)

I’m hiring

KARTHIK GAEKWAD

Austin, TX

Sr. Software Engr, Mentor Graphics

DevOps Days Austin Organizer

Agile, LASCON, DevOps Days, AppSecUSA, …

WHY DOES THIS MATTER?

SNOWDEN, NSA, NATION-STATE ACTORS, …

PEOPLE MATTER

THE BROKEN WINDOW FALLACY & THE PRISONER’S DILEMMA

BREACHES CAUSE CYNICISM, DISTRUST AND LOSS

SOFTWARE HAS CHANGED

SOFTWARE AS A SERVICE

SOFTWARE AS BRICOLAGE

BOLT ON FEATURE APPROACH

FRAGILE CODE AS A SERVICE

DEPLOY TIMELINES HAVE CHANGED

DEV AND OPS HAVE TEAMED UP IN THIS NEW WORLD

CONTINUOUS DELIVERY IS A THING

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

DEVOPS IS 5 YEARS OLD NOW

SECURITY IS STUCK IN 1997 … MOSTLY

WHY IS THAT?

COMPLIANCE DRIVEN CULTURE: PCI, SOX, …

RATIO PROBLEM DEVS / OPS / SECURITY

100 / 10 / 1

SECURITY TOOLS ARE CONFUSING

BUT, THERE IS HOPE

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

http://www.youtube.com/watch?v=jQblKuMuS0Y

THE RUGGED MANIFESTO

I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.

I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.

I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.

I RECOGNIZE THAT MY CODE WILL BE USED IN WAYS I CANNOT ANTICIPATE, IN WAYS IT WAS NOT DESIGNED, AND FOR LONGER THAN IT WAS EVER INTENDED.

I RECOGNIZE THAT MY CODE WILL BE ATTACKED BY TALENTED AND PERSISTENT ADVERSARIES WHO THREATEN OUR PHYSICAL, ECONOMIC AND NATIONAL SECURITY.

I RECOGNIZE THESE THINGS – AND I CHOOSE TO BE RUGGED.

I AM RUGGED BECAUSE I REFUSE TO BE A SOURCE OF VULNERABILITY OR WEAKNESS.

I AM RUGGED BECAUSE I ASSURE MY CODE WILL SUPPORT ITS MISSION.

I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM.

I AM RUGGED, NOT BECAUSE IT IS EASY, BUT BECAUSE IT IS NECESSARY AND I AM UP FOR THE CHALLENGE.

DEV / OPS / SEC JOIN FORCES

#RUGGEDDEVOPS

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

LET’S BUILD RUGGED SOFTWARE

RUGGED WEB APPS

VULNERABLE CODE IS EVERYWHERE

CROSS SITE SCRIPTING [XSS]

WHAT IS IT? [XSS]

REFLECTIVE [XSS]

PERSISTENT [XSS]

DOM BASED [XSS]

WHY IS IT BAD? [XSS]

DOCUMENT.COOKIE [XSS]

DOCUMENT.LOCATION [XSS]

HOW DO I FIX IT? [XSS]

GOOD: INPUT SANITIZATION [XSS]

BLACKLIST :( [XSS]

WHITELIST :) [XSS]

BETTER: OUTPUT ENCODING [XSS]

< > BECOME &lt; &gt; [XSS]

SQL INJECTION [SQLi]

WHAT IS IT? [SQLi]

WHY IS IT BAD? [SQLi]

CREDIT: XKCD

HOW WOULD YOU EXPLOIT?

‘;

PWNED

HOW DO I FIX IT? [SQLi]

PARAMETERIZED QUERIES [SQLi]

PARAMETERIZED QUERIES (PHP) [SQLi]

PARAMETERIZED QUERIES (JAVA) [SQLi]

CROSS SITE REQUEST FORGERY [CSRF]

WHAT IS IT? [CSRF]

WHY IS IT BAD? [CSRF]

HOW DO I FIX IT? [CSRF]

TOKENS! [CSRF]

IMAGE CREDIT: DOTNETBIPS.COM

AGAIN… VULNERABLE CODE IS EVERYWHERE

GETS FIXED SLOWLY

…IF EVER

OWASP TOP 10

LAB #1 - SETUP

SETUP

github.com/gauntlt/gauntlt-demo

Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2014

You need Vagrant and VirtualBox installed on your laptop

LAB INSTRUCTIONS

For this lab, you will complete:

├── 01_Overview.md

├── 02_Setup using Vagrant.md

5-MINUTE BREAK

LAB #2 - WEB APP HACKING

XSS DEMO

FIND THE VULN

LAB INSTRUCTIONS

For this lab, you will complete:

├── 04_Start up Vulnerable Target.md

For this lab, poke around and try to find a second XSS vulnerability

Let us know when you find it…

INTRO TO GAUNTLT

WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY TESTS…

http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg

GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING

GAUNTLT IS OPEN SOURCE MIT LICENSED

GAUNTLT AUTOMATES SECURITY TOOLS

GAUNTLT = SECURITY + CUCUMBER

CODE

GARMR NMAP CURL ARACHNI

BUILT ON CUCUMBER

GAUNTLT PHILOSOPHY

Gauntlt comes with pre-canned steps that hook security testing tools

Gauntlt does not install tools

Gauntlt wants to be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr

GAUNTLT IS COLLABORATION

*.attack

something.attack

else.attack

GAUNTLT IN ACTION

Feature

Background

Scenario

Description

Setup

Logic

ATTACK STRUCTURE

ATTACK LOGIC

Given

When

Then

Given “arachni” is installed

Setup steps

Check Resource Available

ATTACK STEP: GIVEN

ATTACK STEP: WHEN

Action steps

When I launch an “arachni-xss” attack

ATTACK STEP: THEN

Parsing Steps

Then the output should not contain “fail”

LET’S PUT IT ALL TOGETHER

LAB #3 - HELLO WORLD

LAB INSTRUCTIONS

For this lab, you will complete:

├── 05_Hello World with Gauntlt.md

HELLO WORLD

LAB #4 - BASIC PORT CHECK

LAB INSTRUCTIONS

For this lab, you will complete:

├── 06_Port Check.md

$ nmap -F localhost

$ nmap -F scanme.nmap.org

TRY OUT NMAP

@challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md

$ bundle exec gauntlt --allsteps

TRUST THE PIPE

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """

SOLUTION

LAB #5 - CLI AND REGEX

LAB INSTRUCTIONS

For this lab, you will complete:

├── 07_Working with Gauntlt CLI.md

├── 08_Regex.md

Open 07_Working with Gauntlt CLI.md and run the following:

08_Regex.md

Then the output should match:
  """
  8008\/tcp\s+open
  """
Then the output should not match /3001.tcp\s+open/
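The Then steps (Given/When/Then parsing) and the two regex checks from 08_Regex.md can be exercised without running nmap by replaying them over canned scanner output. The Ruby block below is an added example, not Gauntlt's own code: it assumes a constructed nmap -F listing in which Gruyere's port 8008 is open and port 3001 is filtered, and mimics Gauntlt's match / not-match parsing steps together with its exit-status convention.

```ruby
# Added example (not Gauntlt's own code): a minimal stand-in for Gauntlt's
# "Then the output should match / should not match" parsing steps, replayed
# over constructed nmap -F output so it runs offline.

# Constructed sample of what "nmap -F localhost" might print on the demo box:
# Gruyere on 8008 is open, 3001 is filtered (so not "open").
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for localhost (127.0.0.1)
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  3001/tcp filtered nessus
  8008/tcp open     http
OUT

# One assertion from an attack file: a regex the output must (or must not) match.
Assertion = Struct.new(:pattern, :must_match) do
  def pass?(output)
    matched = output.match?(pattern)
    must_match ? matched : !matched
  end

  def describe
    "output should #{must_match ? '' : 'not '}match #{pattern.inspect}"
  end
end

# The two checks from the regex lab as Ruby regexes (%r{} avoids escaping the /).
LAB_ASSERTIONS = [
  Assertion.new(%r{8008/tcp\s+open}, true),  # Then the output should match
  Assertion.new(/3001.tcp\s+open/, false)    # Then the output should not match
].freeze

# Run every assertion; returns [all_passed, descriptions of the failed ones].
def evaluate_attack(output, assertions = LAB_ASSERTIONS)
  failures = assertions.reject { |a| a.pass?(output) }.map(&:describe)
  [failures.empty?, failures]
end

# Gauntlt's "good citizen of exit status" rule: 0 only when every check passes,
# so a CI task running the attack fails the build on any regression.
def exit_status_for(output, assertions = LAB_ASSERTIONS)
  evaluate_attack(output, assertions).first ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  passed, failures = evaluate_attack(SAMPLE_NMAP_OUTPUT)
  puts(passed ? 'PASS' : "FAIL: #{failures.join('; ')}")
end
```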

SOLUTION

LAB #6 - GARMR

LAB INSTRUCTIONS

For this lab, you will complete:

├── 09_Garmr and Web Security.md

WHAT IS GARMR?

GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A BUNCH OF SECURITY POLICIES IN WEB APPS

MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US

LAB #7 - XSS WITH ARACHNI

LAB INSTRUCTIONS

For this lab, you will complete:

├── 10_Arachni and XSS testing.md

XSS LAB!

arachni --modules=xss --depth=1 \
  --link-count=10 --auto-redundant=2 \
  scanme.nmap.org

TRY OUT ARACHNI

BONUS POINTS, FIND THE VULN!

Hint…

When I launch an "arachni-full_xss" attack

LET US KNOW WHEN YOU HAVE FOUND IT

Arachni found XSS in Gruyere, Oh noes!!

localhost:8008/signup/<script>alert(1)</script>

LAB #8 - ADVANCED GAUNTLT

LAB INSTRUCTIONS

For this lab, you will complete:

├── 11_Assert Network.md

├── 12_Output to HTML.md

└── 13_Working with Environment Variables.md

bundle exec gauntlt --format html > out.html

HTML OUTPUT

out.html

RUGGED TESTING ON EVERY COMMIT

YOU PROMISED CI/CD PIPELINE…

THIS DEFINITELY IS 5 STAR TERRITORY

TRAVIS CI PARSES CONFIG AND THEN RUNS RAKE

require 'gauntlt'

task :gauntlt do
  sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
  sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
  sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
end

RAKEFILE

language: ruby
rvm:
  - 1.9.3
before_install:
  - git submodule update --init --recursive
before_script:
  - sudo apt-get install nmap
  - sudo apt-get install wget
  - sudo apt-get install libcurl4-openssl-dev
  - 'pwd'
  - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
  - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
  - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
  - 'cd vendor && wget http://downloads.sourceforge.net/project/dirb/dirb/2.03/dirb203.tar.gz && tar xvfz dirb203.tar.gz && cd dirb && ./configure && make && sudo cp dirb /usr/local/bin/ && cd ../../'
  - export DIRB_WORDLISTS="/home/travis/build/gauntlt/gauntlt/vendor/dirb/wordlists"
notifications:
  irc:
    channels:
      - "chat.freenode.net#gauntlt"
    use_notice: true

gauntlt-demo/.travis.yml

WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS WHOLE TIME WITH THE LABS!

SAHWEET!

NOW WHAT?

THESE SLIDES

http://bit.ly/gauntlt-sxsw-slides

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• Twitter > @gauntlt

• IRC > #gauntlt on freenode

• Weekly hangout > http://bit.ly/gauntlt-hangout

• Issue tracking > http://github.com/gauntlt/gauntlt

https://vimeo.com/79797907

FREE GAUNTLT BETA BOOK FOR SXSW ATTENDEES!

http://leanpub.com/hands-on-gauntlt/c/SXSW

Caveat Emptor: No content at the moment!

Valid until March 11th

GAUNTLT-SERVER COMING SOON!

WILL YOU GIVE US THE 5’S?

QUESTIONS?