Gauntlt Rugged By Example

Posted on 08-May-2015


description

Talk given at AppSec USA 2012. See the video here > https://vimeo.com/54250714

transcript

GAUNTLT: RUGGED BY EXAMPLE

James Wickett, Mani Tadayon, Jeremiah Shirk

SG: Jason Chan

WE WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE

James Wickett

CISSP, GWAPT, CCSK, GSEC, GCFW

@wickett @RuggedDevOps

@gauntlt

A BRIEF HISTORY OF INFORMATION SECURITY

WE USED TO BE COOL

WE HAD CINEMA

WE HAD HEROES

WE MADE FREE PHONE CALLS

WE WERE COOL

WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT

WE COULDN’T STOP THE VIRUSES AND WORMS

INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES

WE BECAME EXPERTS IN BUYING INSURANCE POLICIES

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI

SOMETHING ELSE HAPPENED GLOBALLY

DEVS BECAME COOL

ENTER DEVOPS

CODE BECAME SOCIAL

“I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”

WE SELL TIME NOW

WE SELL SOCIAL AND FRIENDSHIPS

“IS THIS SECURE?” - YOUR CUSTOMER

“IT’S CERTIFIED” - YOU

WHY CAN’T YOU GIVE A BETTER ANSWER?

THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS

2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY

- BSIMM 2012 data, http://bsimm.com/

- LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES

- DEVELOPING TOOLS TO CORRECT PROBLEMS

- PLANNING TO HAVE EVERYTHING COMPROMISED

ENTER RUGGED

[Diagram: Current Software compared with Rugged Software]

ADVERSITY REQUIRES RUGGED SOLUTIONS

ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.

RUGGEDIZATION THEORY

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

NO PAIN, NO GAIN

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by the CloudFlare team

RUGGED BY DESIGN, DEVOPS BY CULTURE

RUGGED DEVOPS

REPEATABLE – NO MANUAL STEPS, CI

RELIABLE – NO DOS HERE

REVIEWABLE – AKA AUDIT, INFRA AS CODE

RAPID – FAST TO BUILD, DEPLOY, RESTORE

RESILIENT – AUTOMATED RECONFIGURATION

REDUCED – LIMITED ATTACK SURFACE

ENTER GAUNTLT

Put your code through the GAUNTLT

GAUNTLET, N. AN ATTACK FROM ALL SIDES

[Diagram: your web app in the middle, attacked from all sides by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]

gauntlt is built for doing security testing in a DevOps world

GAUNTLT IS

AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS

WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE

ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...

WHY GAUNTLT?

SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS

GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO

COMMUNICATE

GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION

install gauntlt

$ gem install gauntlt

# download example attacks from github
# customize the example attacks
# now you can run gauntlt

$ gauntlt

Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples

LET’S LOOK INSIDE A COUPLE OF THESE FILES

GAUNTLT ATTACKS

@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      443/tcp open https
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """

nmap.attack

wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

running gauntlt with failing tests

wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s

running gauntlt with passing tests
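Both nmap scenarios above assert on raw nmap text: "the output should contain 443/tcp open https" and "the output should not contain 25/tcp". A substring match is brittle in both directions: the service column has to be exactly what nmap prints (port 80 comes back as "http", never "https"), and "25/tcp" also shows up when nmap lists the port as closed or filtered, which is not the condition the scenario is trying to catch. The following Ruby is an added example, not gauntlt's code and not one of its output parsers: it parses a constructed nmap -F report into a port-to-state map and checks the set of open ports against an expected set, covering both scenarios in one pass.

```ruby
# Added example: parse nmap's normal output into structure instead of
# grepping it. SAMPLE_NMAP_OUTPUT is constructed sample data, not a real scan.
SAMPLE_NMAP_OUTPUT = <<~'OUT'
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-25 14:02 CDT
  Nmap scan report for www.example.com (93.184.216.34)
  Host is up (0.032s latency).
  Not shown: 96 filtered ports
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  25/tcp   closed smtp
  80/tcp   open   http
  443/tcp  open   https

  Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
OUT

# One port row of nmap's normal output: "<port>/<proto>  <state>  <service>".
# The state field may be a compound such as "open|filtered" for UDP scans.
PORT_LINE = %r{\A(?<port>\d+)/(?<proto>tcp|udp)\s+(?<state>[\w|]+)\s+(?<service>\S+)}

# Returns { "22/tcp" => { state: "open", service: "ssh" }, ... }; header,
# "Not shown", and summary lines do not match PORT_LINE and are skipped.
def parse_nmap(output)
  output.each_line.with_object({}) do |line, ports|
    m = PORT_LINE.match(line) or next
    ports["#{m[:port]}/#{m[:proto]}"] = { state: m[:state], service: m[:service] }
  end
end

# Only ports nmap reports as open; closed and filtered rows are ignored, which
# is the distinction the "should not contain 25/tcp" substring check cannot make.
def open_ports(output)
  parse_nmap(output).select { |_, v| v[:state] == 'open' }.keys.sort
end

# Verdict in the spirit of the two scenarios: every expected port must be open
# (first scenario) and nothing else may be open (second scenario).
def check_ports(output, expected)
  actual = open_ports(output)
  wanted = expected.sort
  { missing: wanted - actual, unexpected: actual - wanted, pass: actual == wanted }
end

if $PROGRAM_NAME == __FILE__
  verdict = check_ports(SAMPLE_NMAP_OUTPUT, %w[80/tcp 443/tcp])
  puts "open ports:      #{open_ports(SAMPLE_NMAP_OUTPUT).join(', ')}"
  puts "unexpected open: #{verdict[:unexpected].join(', ')}"
  puts "missing:         #{verdict[:missing].join(', ')}"
  puts(verdict[:pass] ? 'PASS' : 'FAIL')
end
```

Run against the sample, the check fails because 22/tcp is open but not in the expected set, while 25/tcp being listed as closed does not count against it; a substring check on "25/tcp" would have failed the run for the wrong reason.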

gauntlt: Netflix Use Case

Problem Statement

• Netflix is a heavy AWS user, and we provide self-service deployment for dev teams

• AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)

• Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters

How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?

Solution: Use gauntlt to organize and perform ELB testing

gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?

Process

1. Launch gauntlt test runner instance, loaded with “master list” of ELBs and expected state

2. Determine “target list” of current ELBs to evaluate

3. Generate per-ELB listener gauntlt attack files

4. Execute attacks

5. Alert on failures and new ELBs

6. Triage findings and update ELB master list

gauntlt Attack Template

• Uses gauntlt curl feature

• Sub in protocol, port, hostname, and response code from ELB master and target list
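The six-step process and the attack template above, worked through as an added Ruby example (not Netflix's tooling and not gauntlt's own code): a master list of ELB listeners with their expected response codes, a target list of ELBs currently in the account, a template that renders one attack file per listener that appears in both lists, and a diff that surfaces ELBs present in only one of them for the alert and triage steps. The ELB names and hostnames are constructed. The talk names the gauntlt curl feature but does not show its steps, so the curl step wording is assumed to follow the same Given/When/Then shape as the nmap and sqlmap steps shown elsewhere in this talk; the hostname is written out literally in the curl command so the file does not rely on any placeholder substitution.

```ruby
require 'erb'

# Constructed master list: the recorded/expected state of each ELB listener,
# i.e. what an arbitrary Internet client should get back. Names and hostnames
# are made up for this example.
MASTER_LIST = [
  { name: 'api-prod', protocol: 'https', port: 443,
    hostname: 'api-prod-123456.us-east-1.elb.example.com', expected_code: 200 },
  { name: 'admin',    protocol: 'http',  port: 80,
    hostname: 'admin-654321.us-east-1.elb.example.com',    expected_code: 403 },
]

# Constructed target list: the ELBs found in the account right now. 'admin' is
# gone and 'metrics' is new, so both must surface in the triage step.
TARGET_LIST = [
  { name: 'api-prod', protocol: 'https', port: 443,
    hostname: 'api-prod-123456.us-east-1.elb.example.com' },
  { name: 'metrics',  protocol: 'http',  port: 80,
    hostname: 'metrics-777777.us-east-1.elb.example.com' },
]

# One attack file per listener. The curl step wording is an assumption that
# mirrors the nmap/sqlmap steps in the talk. curl prints only the status code,
# so the "should contain" assertion cannot match on unrelated body text.
ATTACK_TEMPLATE = ERB.new(<<~'GHERKIN')
  @slow
  Feature: ELB listener check for <%= name %>

    Background:
      Given "curl" is installed
      And the target hostname is "<%= hostname %>"

    Scenario: <%= protocol %>/<%= port %> answers an arbitrary Internet client as recorded
      When I launch a "curl" attack with:
        """
        curl -s -o /dev/null -w '%{http_code}' <%= protocol %>://<%= hostname %>:<%= port %>/
        """
      Then the output should contain:
        """
        <%= expected_code %>
        """
GHERKIN

def render_attack(listener)
  ATTACK_TEMPLATE.result_with_hash(listener)
end

# Steps 2-3, plus the inputs to steps 5-6: attack files for ELBs present in both
# lists, ELBs with no recorded state (alert), and recorded ELBs that no longer
# exist (prune from the master list).
def plan_run(master, target)
  by_name = master.to_h { |e| [e[:name], e] }
  known, unknown = target.partition { |e| by_name.key?(e[:name]) }
  {
    attacks:  known.to_h { |e| ["#{e[:name]}.attack", render_attack(by_name[e[:name]])] },
    new_elbs: unknown.map { |e| e[:name] },
    stale:    by_name.keys - target.map { |e| e[:name] },
  }
end

if $PROGRAM_NAME == __FILE__
  run = plan_run(MASTER_LIST, TARGET_LIST)
  run[:attacks].each { |file, body| puts "# --- #{file} ---", body }
  warn "ALERT: ELBs not in master list: #{run[:new_elbs].join(', ')}" unless run[:new_elbs].empty?
  warn "stale master entries: #{run[:stale].join(', ')}" unless run[:stale].empty?
end
```

The generated files are what step 4 hands to gauntlt; a listener whose response code drifts from the master list fails its scenario, and a new ELB fails the run before any attack is written because it has no recorded expected state to test against.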

GAUNTLT: A VERY SHORT INTRODUCTION

• Mani Tadayon

• Senior Software Engineer, ZestFinance

• Lots of experience in web development, ruby and test automation

• Learning Clojure

ABOUT MANI

CONWAY’S LAW

Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure.

Melvin E. Conway, 1968

BEHAVIOR-DRIVEN DEVELOPMENT

BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.

Dan North, 2009

CUCUMBER

ATTACK FILE

• Plain text file

• Gherkin syntax:

• Given

• When

• Then

Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    Given "sqlmap" is installed
    And the target URL is "http://localhost?id=1"
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url>
      """
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """

setup steps: verify tool (Given "sqlmap" is installed), set config (And the target URL is "...")

attack!: env param (<sqlmap_path>), get config (<target_url>)

assert: needle (the expected string), haystack (the tool's output)

ATTACK ADAPTER

• Step definition for attack file

• Support code in ruby or java

• Support shell script

# step definition (ruby): the regex matches the step text in the attack file,
# the block is what runs for it
Given /^"sqlmap" is installed$/ do
  ensure_python_script_installed('sqlmap')
end

When /^I launch an? "sqlmap" attack with:$/ do |command|
  sqlmap_path = path_to_python_script("sqlmap")
  # fill in the placeholders from the attack file's config and the environment
  command.gsub!('<target_url>', target_url)
  command.gsub!('<sqlmap_path>', sqlmap_path)
  # execute: hand the substituted command line to the shell
  run command
end

GAUNTLT DESIGN

• Simple

• Extensible

• UNIX™ : stdin, stdout, exit status

• Minimum features yield maximum utility

UPCOMING FEATURES

• More output parsers

• More attack adapters

• More goats

• Better support for JRuby & Java

• Anything you want:

https://github.com/thegauntlet/gauntlt/issues

Gauntlt: Using the Gauntlt Starter Kit

About me

• Jeremiah Shirk

• Application & Infrastructure Manager, Kansas State University

• 18 years doing unix admin, security, and some open source contributions

• Keeper of tiny flocks

KSU 55 - WVU 14

Gauntlt Starter Kit

Dependencies

• VirtualBox

• Vagrant

Download

• https://www.virtualbox.org/

• http://vagrantup.com/

Starter Kit on GitHub

• The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit

• Or, download a copy from:

www.gauntlt.org/...

Base box

$ vagrant box add precise32 http://files.vagrantup.com/precise32.box
[vagrant] Downloading with Vagrant::Downloaders::HTTP...
[vagrant] Downloading box: http://files.vagrantup.com/precise32.box
[vagrant] Extracting box...
[vagrant] Verifying box...
[vagrant] Cleaning up downloaded box...
$

Start the VM

$ cd gauntlt-starter-kit/vagrant/gauntlt
$ vagrant up
[default] Importing base box 'precise32'...
[default] Matching MAC address for NAT networking...
[default] Clearing any previously set forwarded ports...
[default] Forwarding ports...
[default] -- 22 => 2222 (adapter 1)
[default] Creating shared folders metadata...
[default] Clearing any previously set network interfaces...
[default] Booting VM...
[default] Waiting for VM to boot. This can take a few minutes.
...

Vagrantfile

Vagrant::Config.run do |config|
  config.ssh.private_key_path = "~/.ssh/id_rsa"
  config.vm.box = "precise32"
  config.vm.box_url = "http://files.vagrantup.com/precise32.box"
  # config.vm.network :hostonly, "33.33.33.10"
  # config.vm.network :bridged
  # config.vm.forward_port 80, 8080
  # config.vm.share_folder "v-data", "/vagrant_data", "../data"
  config.vm.provision :chef_solo do |chef|
    chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
    chef.add_recipe "vagrant_main"
  end
end

SSH to the VM

$ vagrant ssh

Secure SSH Keys

$ vagrant ssh-config | grep Port
  Port 2222

$ scp -i ~/.vagrant.d/insecure_private_key -P 2222 \
    ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys

This replaces the well-known insecure Vagrant key in the VM's authorized_keys with your own public key; vagrant ssh keeps working because the Vagrantfile sets config.ssh.private_key_path to ~/.ssh/id_rsa.

vagrant@precise32:~$ gauntlt attacks/nmap
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the target hostname is "google.com"

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 80,443 google.com
      """
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.112s
vagrant@precise32:~$

vagrant@precise32:~$ gauntlt attacks/sslyze
Feature: Run sslyze against a target

  Background:                                  # attacks/sslyze:3
    Given "sslyze" is installed                # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
    And the target hostname is "google.com"    # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

  Scenario: Ensure no anonymous certificates   # attacks/sslyze:7
    When I launch an "sslyze" attack with:     # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
      """
      python /home/vagrant/sslyze/sslyze.py google.com:443
      """
    Then the output should not contain:        # aruba-0.5.0/lib/aruba/cucumber.rb:111
      """
      Anon
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.736s
vagrant@precise32:~$

Try it yourself: http://gauntlt.org/

Office hours

Hotel bar

Tonight, 10 p.m.

Questions?