Date posted: 08-May-2015
Category: Technology
Uploaded by: james-wickett
GAUNTLT: RUGGED BY EXAMPLE
James Wickett, Mani Tadayon, Jeremiah Shirk
SG: Jason Chan
WE WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
James Wickett
CISSP, GWAPT, CCSK, GSEC, GCFW
@wickett @RuggedDevOps
@gauntlt
A BRIEF HISTORY OF INFORMATION SECURITY
WE USED TO BE COOL
WE HAD CINEMA
WE HAD HEROES
WE MADE FREE PHONE CALLS
WE WERE COOL
WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
WE COULDN'T STOP THE VIRUSES AND WORMS
INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
SOMETHING ELSE HAPPENED GLOBALLY
DEVS BECAME COOL
ENTER DEVOPS
CODE BECAME SOCIAL
“I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
WE SELL TIME NOW
WE SELL SOCIAL AND FRIENDSHIPS
“IS THIS SECURE?”-YOUR CUSTOMER
"IT'S CERTIFIED" - YOU
WHY CAN’T YOU GIVE A BETTER ANSWER?
THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY
- BSIMM 2012 data, http://bsimm.com/
- LEARNING FROM (PREFERABLY OTHER PEOPLE'S) MISTAKES
- DEVELOPING TOOLS TO CORRECT PROBLEMS
- PLANNING TO HAVE EVERYTHING COMPROMISED
ENTER RUGGED
[Diagram: Current Software vs. Rugged Software]
ADVERSITY REQUIRES RUGGED SOLUTIONS
ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
RUGGEDIZATION THEORY
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
NO PAIN, NO GAIN
"Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec, by the CloudFlare team @ SXSW 2012
RUGGED BY DESIGN, DEVOPS BY CULTURE
RUGGED DEVOPS
REPEATABLE - NO MANUAL STEPS, CI
RELIABLE - NO DOS HERE
REVIEWABLE - AKA AUDIT, INFRA AS CODE
RAPID - FAST TO BUILD, DEPLOY, RESTORE
RESILIENT - AUTOMATED RECONFIGURATION
REDUCED - LIMITED ATTACK SURFACE
ENTER GAUNTLT
Put your code through the GAUNTLT
GAUNTLET, N. AN ATTACK FROM ALL SIDES
[Diagram: your web app in the middle, attacked from all sides by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]
gauntlt is built for doing security testing in a DevOps world
GAUNTLT IS
AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
WHY GAUNTLT?
SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO
COMMUNICATE
GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
install gauntlt:

$ gem install gauntlt
# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt
Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
LETS LOOK INSIDE A COUPLE OF THESE FILES
GAUNTLT ATTACKS
nmap.attack:

@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

running gauntlt with failing tests
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s

running gauntlt with passing tests
gauntlt: Netflix Use Case
Problem Statement
• Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
• AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
• Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?
Solution: Use gauntlt to organize and perform ELB testing
gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?
Process
1. Launch gauntlt test runner instance, loaded with “master list” of ELBs and expected state
2. Determine “target list” of current ELBs to evaluate
3. Generate per-ELB listener gauntlt attack files
4. Execute attacks
5. Alert on failures and new ELBs
6. Triage findings and update ELB master list
gauntlt Attack Template
• Uses gauntlt curl feature
• Sub in protocol, port, hostname, and response code from ELB master and target list
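The six-step process above, as an added example that is not Netflix's or gauntlt's own code: a Ruby script that renders one gauntlt attack file per ELB listener from a master list (step 3), and reports ELBs that appear in the live target list but not in the master list (the "new ELBs" alert of step 5). The ELB names, hostnames and expected status codes are constructed sample data; the step wording is that of gauntlt's curl adapter ('Given "curl" is installed', 'When I launch a "curl" attack with:') and aruba ('Then the output should contain:'). The files it writes are meant to be executed with gauntlt <dir> (step 4).

```ruby
# Added example, not Netflix's or gauntlt's own code. ELB names, hostnames
# and expected status codes are constructed sample data; gauntlt's curl
# adapter provides the 'Given "curl" is installed' and 'When I launch a "curl"
# attack with:' steps, and aruba provides 'Then the output should contain:'.
require "fileutils"

# Master list (step 1): what each ELB listener is expected to return to an
# arbitrary Internet client. Constructed data.
MASTER = {
  "api-prod"  => { host: "api-prod-123.us-east-1.elb.amazonaws.com",  proto: "https", port: 443, expect: "200" },
  "ops-tools" => { host: "ops-tools-456.us-east-1.elb.amazonaws.com", proto: "http",  port: 80,  expect: "403" },
}.freeze

# Target list (step 2): ELB names just discovered from the AWS API.
# "legacy-admin" is deliberately absent from MASTER. Constructed data.
TARGETS = ["api-prod", "ops-tools", "legacy-admin"].freeze

# Step 3: render the Gherkin for one ELB listener. curl's -w '%{http_code}'
# prints only the status code, so the needle is exactly the expected code.
# -k is used because the ELB's certificate is normally issued for the
# service's own name, not the *.elb.amazonaws.com hostname (assumption).
def render_attack(name, elb)
  url = "#{elb[:proto]}://#{elb[:host]}:#{elb[:port]}/"
  <<~ATTACK
    Feature: ELB #{name} answers an arbitrary Internet client as expected

      Background:
        Given "curl" is installed
        And the target hostname is "#{elb[:host]}"

      Scenario: #{elb[:proto]} listener on port #{elb[:port]} returns #{elb[:expect]}
        When I launch a "curl" attack with:
          """
          curl -sk -o /dev/null --max-time 10 -w '%{http_code}' #{url}
          """
        Then the output should contain:
          """
          #{elb[:expect]}
          """
  ATTACK
end

# Split the live target list into ELBs we can test and ELBs nobody has
# classified yet; the latter are an alert in their own right (step 5).
def plan(master, targets)
  known, unknown = targets.partition { |n| master.key?(n) }
  { attacks: known.to_h { |n| [n, render_attack(n, master[n])] }, new_elbs: unknown }
end

# Write one .attack file per known ELB into dir, warn about unknown ELBs on
# stderr, and return the paths written. Step 4 is then: gauntlt <dir>
def write_attacks(dir, master = MASTER, targets = TARGETS)
  FileUtils.mkdir_p(dir)
  result = plan(master, targets)
  unless result[:new_elbs].empty?
    warn "ALERT: ELBs not in master list, triage them: #{result[:new_elbs].join(', ')}"
  end
  result[:attacks].map do |name, text|
    path = File.join(dir, "#{name}.attack")
    File.write(path, text)
    path
  end
end

if $PROGRAM_NAME == __FILE__
  write_attacks(ARGV.fetch(0, "attacks/elb")).each { |p| puts "wrote #{p}" }
end
```

Because the needle is the bare status code, a listener that should not be reachable at all is expressed the same way: give it the code curl prints when the connection is refused or times out (000), and the scenario fails the moment the ELB starts answering.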
GAUNTLT: A VERY SHORT INTRODUCTION
ABOUT MANI
• Mani Tadayon
• Senior Software Engineer, ZestFinance
• Lots of experience in web development, ruby and test automation
• Learning Clojure
CONWAY’S LAW
Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure.
Melvin E. Conway, 1968
BEHAVIOR-DRIVEN DEVELOPMENT
BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
Dan North , 2009
CUCUMBER
ATTACK FILE
• Plain text file
• Gherkin syntax:
• Given
• When
• Then
Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    # setup steps: verify tool, set config
    Given "sqlmap" is installed
    And the target URL is "http://localhost?id=1"
    # attack! <sqlmap_path> is an env param, <target_url> comes from get config
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url>
      """
    # assert: the needle below must appear in the haystack (the tool's output)
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """
ATTACK ADAPTER
• Step definition for attack file
• Support code in ruby or java
• Support shell script

step definition (ruby):

# step definition: verify the tool is installed
Given /^"sqlmap" is installed$/ do
  ensure_python_script_installed('sqlmap')
end

# step definition: fill in the placeholders, then execute
When /^I launch an? "sqlmap" attack with:$/ do |command|
  sqlmap_path = path_to_python_script("sqlmap")
  command.gsub!('<target_url>', target_url)
  command.gsub!('<sqlmap_path>', sqlmap_path)
  run command
end
GAUNTLT DESIGN
• Simple
• Extensible
• UNIX™ : stdin, stdout, exit status
• Minimum features yield maximum utility
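To make the stdout / exit-status contract concrete, an added example that is not gauntlt's own code: a minimal attack runner in Ruby that fills in <placeholders> the way the sqlmap adapter above does, runs the tool through the shell, treats the tool's output as the haystack, checks every needle, and reduces the whole run to a process exit code that CI can gate on. FAKE_NMAP is a constructed echo/printf stand-in for nmap -F <hostname>, so the example runs offline; the Attack struct and all function names are this example's own.

```ruby
# Added example, not gauntlt's own code: a minimal attack runner that follows
# the same contract (run a tool, read its stdout, assert on needles, report
# pass/fail as an exit code). FAKE_NMAP is a constructed echo/printf stand-in
# for "nmap -F <hostname>" so the example runs offline.
require "open3"

# One attack: a command with <placeholders>, the values to fill in, and the
# needles that must (or must not) appear in the tool's output.
Attack = Struct.new(:command, :vars, :should_contain, :should_not_contain, keyword_init: true)

# Fill in <name> placeholders, as gauntlt's adapters do with gsub!.
def substitute(command, vars)
  vars.reduce(command) { |cmd, (k, v)| cmd.gsub("<#{k}>", v.to_s) }
end

# Run the tool through the shell and treat stdout+stderr as the haystack.
# A non-zero tool exit is recorded, not treated as a failed assertion: the
# attack file decides what counts as failure.
def run_attack(attack)
  cmd = substitute(attack.command, attack.vars)
  out, err, status = Open3.capture3(cmd)
  haystack = out + err
  failures = []
  attack.should_contain.each do |needle|
    failures << "expected #{needle.inspect} in output" unless haystack.include?(needle)
  end
  attack.should_not_contain.each do |needle|
    failures << "did not expect #{needle.inspect} in output" if haystack.include?(needle)
  end
  { command: cmd, output: haystack, tool_exit: status.exitstatus,
    failures: failures, passed: failures.empty? }
end

# Constructed stand-in for nmap: prints what a scan of a host with only
# ports 80 and 443 open would show.
FAKE_NMAP = "echo 'Nmap scan report for <hostname>'; " \
            "printf '80/tcp open http\\n443/tcp open https\\n'"

# The page's nmap.attack expressed as data: expected ports present,
# unexpected ports absent.
def expected_ports_attack(hostname)
  Attack.new(command: FAKE_NMAP, vars: { hostname: hostname },
             should_contain: ["80/tcp open http", "443/tcp open https"],
             should_not_contain: ["22/tcp", "25/tcp"])
end

# The whole run's exit status: 0 only if every attack passed, so CI can gate on it.
def exit_code(results)
  results.all? { |r| r[:passed] } ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  results = [run_attack(expected_ports_attack("www.example.com"))]
  results.each do |r|
    puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:command]}"
    r[:failures].each { |f| puts "  - #{f}" }
  end
  puts "exit status would be #{exit_code(results)}" # a real runner calls exit here
end
```

Replacing FAKE_NMAP with the real command ("nmap -F <hostname>") is the only change needed to point this at a live host; everything else is the same needle-in-haystack check the attack files above express in Gherkin.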
UPCOMING FEATURES
• More output parsers
• More attack adapters
• More goats
• Better support for JRuby & Java
• Anything you want:
https://github.com/thegauntlet/gauntlt/issues
Gauntlt: Using the Gauntlt Starter Kit
About me
• Jeremiah Shirk
• Application & Infrastructure Manager, Kansas State University
• 18 years doing unix admin, security, and some open source contributions
• Keeper of tiny flocks
KSU 55 - WVU 14
Gauntlt Starter Kit
Dependencies
VirtualBox, Vagrant
Download
• https://www.virtualbox.org/
• http://vagrantup.com/
Starter Kit on GitHub
• The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
• Or, download a copy from:
www.gauntlt.org/...
Base box
$ vagrant box add precise32 http://files.vagrantup.com/precise32.box
[vagrant] Downloading with Vagrant::Downloaders::HTTP...
[vagrant] Downloading box: http://files.vagrantup.com/precise32.box
[vagrant] Extracting box...
[vagrant] Verifying box...
[vagrant] Cleaning up downloaded box...
$
Start the VM
$ cd gauntlt-starter-kit/vagrant/gauntlt
$ vagrant up
[default] Importing base box 'precise32'...
[default] Matching MAC address for NAT networking...
[default] Clearing any previously set forwarded ports...
[default] Forwarding ports...
[default] -- 22 => 2222 (adapter 1)
[default] Creating shared folders metadata...
[default] Clearing any previously set network interfaces...
[default] Booting VM...
[default] Waiting for VM to boot. This can take a few minutes.
...
Vagrantfile

Vagrant::Config.run do |config|
  config.ssh.private_key_path = "~/.ssh/id_rsa"
  config.vm.box = "precise32"
  config.vm.box_url = "http://files.vagrantup.com/precise32.box"
  # config.vm.network :hostonly, "33.33.33.10"
  # config.vm.network :bridged
  # config.vm.forward_port 80, 8080
  # config.vm.share_folder "v-data", "/vagrant_data", "../data"
  config.vm.provision :chef_solo do |chef|
    chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
    chef.add_recipe "vagrant_main"
  end
end
SSH to the VM
$ vagrant ssh
Secure SSH Keys
The base box trusts Vagrant's well-known insecure private key; overwrite its authorized_keys with your own public key so that only the key named in the Vagrantfile (~/.ssh/id_rsa) can log in from now on.
$ vagrant ssh-config | grep Port
Port 2222
$ scp -i ~/.vagrant.d/insecure_private_key -P 2222 \
    ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
vagrant@precise32:~$ gauntlt attacks/nmap
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the target hostname is "google.com"

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 80,443 google.com
      """
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.112s
vagrant@precise32:~$
vagrant@precise32:~$ gauntlt attacks/sslyze
Feature: Run sslyze against a target

  Background:                                    # attacks/sslyze:3
    Given "sslyze" is installed                  # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
    And the target hostname is "google.com"      # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

  Scenario: Ensure no anonymous certificates     # attacks/sslyze:7
    When I launch an "sslyze" attack with:       # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
      """
      python /home/vagrant/sslyze/sslyze.py google.com:443
      """
    Then the output should not contain:          # aruba-0.5.0/lib/aruba/cucumber.rb:111
      """
      Anon
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.736s
vagrant@precise32:~$
Office hours
Hotel bar
Tonight, 10 p.m.
Questions?