Date post: 16-Jan-2015
Category: Technology
Upload: james-wickett
PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN
JAMES WICKETT, @WICKETT
I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
James Wickett
CISSP, GWAPT, CCSK, GSEC, GCFW
@wickett @RuggedDevOps
@gauntlt
A BRIEF HISTORY OF INFORMATION SECURITY
WE USED TO BE COOL
WE HAD CINEMA
WE HAD HEROES
WE MADE FREE PHONE CALLS
WE WERE COOL
WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT
WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM
ONCE IN THE ORG, INFOSEC MADE BIG CLAIMS
WE COULDN’T STOP THE VIRUSES AND WORMS
ENTER RISK ASSESSMENT
INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
WE MADE A SIGNIFICANT ERROR
WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS
TJX H@CK3D!
THE STOCK PRICE DIDN’T DROP
OUR ASSUMPTION WAS INCOMPLETE
INFOSEC ALSO MADE A SECOND BIG MISTAKE
IT STAYED IN INFORMATION TECHNOLOGY
IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE
SOMETHING ELSE HAPPENED GLOBALLY
DEVS BECAME COOL
CODE BECAME SOCIAL
“I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
WE SELL TIME NOW
WE SELL SOCIAL AND FRIENDSHIPS
“IS THIS SECURE?” - YOUR CUSTOMER
“IT’S CERTIFIED” - YOU
WHY CAN’T YOU GIVE A BETTER ANSWER?
THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
source: Gene Kim, “When IT says No @SXSW 2012”
Security sees...
• They give advice that goes unheeded
• Business decisions made w/o regard to risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY
- BSIMM 2012 data, http://bsimm.com/
HOW DO WE FIX THESE PROBLEMS?
- LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES
- DEVELOPING TOOLS TO CORRECT PROBLEMS
- PLANNING TO HAVE EVERYTHING COMPROMISED
UNDERSTANDING
TOOLING
ARCHITECTURE
OPEN WEB APPLICATION SECURITY PROJECT
Current Software
Rugged Software
ADVERSITY REQUIRES RUGGED SOLUTIONS
ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
RUGGEDIZATION THEORY
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
NO PAIN, NO GAIN
"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by CloudFlare team
• REPEATABLE – NO MANUAL STEPS
• RELIABLE – NO DOS HERE
• REVIEWABLE – AKA AUDIT
• RAPID – FAST TO BUILD, DEPLOY, RESTORE
• RESILIENT – AUTOMATED RECONFIGURATION
• REDUCED – LIMITED ATTACK SURFACE
RUGGED BY DESIGN, DEVOPS BY CULTURE
RUGGED DEVOPS
Put your code through the gauntlt
GAUNTLET, N. AN ATTACK FROM ALL SIDES
[Diagram: your web app at the center, attacked from all sides by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you.]
gauntlt is built for doing security testing in a DevOps world
GAUNTLT IS
AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
MEET THE GAUNTLT TEAM
MANI TADAYON @BWSR_SR
"SOFTWARE - WAR = SOFTE"
ROY RAPOPORT @ROYRAPOPORT
“I PICKED UP THE TEE SHIRTS”
BILL BURNS @X509V3
“SMITHERS, RELEASE THE MONKEYS!”
JOSHUA CORMAN @JOSHCORMAN @RUGGEDSOFTWARE
“HONEY BADGER DOES CARE”
JASON CHAN @CHANJBS
NOT PICTURED: MATT TESAURO, TAREK MOUSSA
WHY GAUNTLT?
SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO
COMMUNICATE
GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
LET’S LOOK INSIDE A COUPLE OF THESE FILES
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:
        Given nmap is installed

      Scenario: Verify server is available on standard web ports
        Given the hostname in the profile.xml
        When I run nmap against the hostname in the profile on ports 80,443
        Then the output should contain:
        """
        80/tcp open http
        443/tcp open https
        """

feature for nmap: nmap.feature

    # Background step: the attack can only run if the tool is on the PATH.
    Given /^nmap is installed$/ do
      steps %{
        When I run `which nmap`
        Then the output should contain:
        """
        nmap
        """
      }
    end

    # The two port numbers captured from the step text are passed to nmap,
    # so the feature file controls which ports are scanned; @hostname is set
    # by the profile.xml step in profile.rb.
    When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |arg2, arg3|
      steps %{
        When I run `nmap \"#{@hostname}\" -p#{arg2},#{arg3}`
      }
    end

step definition for nmap: nmap.rb
    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                                    # features/nmap/nmap.feature:5
        Given nmap is installed                      # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports           # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                               # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 8080,443   # features/step_definitions/nmap.rb:12
        Then the output should contain:                                     # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          8080/tcp open http
          443/tcp open https
          """
    ...

    Failing Scenarios:
    cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

    1 scenario (1 failed)
    4 steps (1 failed, 3 passed)
    0m0.341s

running gauntlt with failing tests
    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                                    # features/nmap/nmap.feature:5
        Given nmap is installed                      # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports           # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                               # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 80,443     # features/step_definitions/nmap.rb:12
        Then the output should contain:                                     # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          80/tcp open http
          443/tcp open https
          """

    1 scenario (1 passed)
    4 steps (4 passed)
    0m1.117s

running gauntlt with passing tests
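As an added illustration (not gauntlt's own code) of what the nmap.feature / nmap.rb pair and the two runs above do, this plain-Ruby miniature captures the port list from the step text, builds the nmap command from the captures, and applies the same "output should contain" check that separates the failing run from the passing one. The nmap output it checks is constructed, not a real scan, and collapsing whitespace is my choice rather than Aruba's behaviour.

```ruby
# Added example, not gauntlt's own code: a plain-Ruby miniature of the
# nmap.feature / nmap.rb pair shown above. It runs without Cucumber, Aruba
# or nmap so the matching logic can be exercised offline.

# Same step pattern as the step definition, generalized to any number of
# comma-separated ports instead of exactly two captures.
STEP_PATTERN = /^I run nmap against the hostname in the profile on ports (\d+(?:,\d+)*)$/

# Build the command the step would run. Ports come from the step text
# (not a hard-coded list), and the hostname read from profile.xml is
# validated before it is placed inside the quoted shell argument.
def nmap_command(step_text, hostname)
  m = STEP_PATTERN.match(step_text)
  raise ArgumentError, "step does not match: #{step_text}" unless m
  unless hostname =~ /\A[A-Za-z0-9.-]+\z/
    raise ArgumentError, "hostname contains characters not allowed in a host name"
  end
  "nmap \"#{hostname}\" -p#{m[1]}"
end

# Mirror of the "Then the output should contain:" docstring check.
# Each non-blank expected line must appear as a line of the tool output.
# Runs of whitespace are collapsed (my choice, so nmap's column padding
# does not matter). Returns the expected lines that were NOT found;
# an empty array means the scenario passes.
def missing_lines(output, expected)
  squash = ->(s) { s.strip.gsub(/\s+/, " ") }
  got = output.lines.map(&squash)
  expected.lines.map(&squash).reject(&:empty?).reject { |want| got.include?(want) }
end

# Constructed sample in nmap's table layout (not a real scan result).
SAMPLE_OUTPUT = <<~OUT
  Starting Nmap 6.40 ( http://nmap.org )
  Nmap scan report for example.com (192.0.2.10)
  PORT     STATE  SERVICE
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy
OUT

if __FILE__ == $PROGRAM_NAME
  puts nmap_command("I run nmap against the hostname in the profile on ports 80,443", "example.com")
  puts missing_lines(SAMPLE_OUTPUT, "80/tcp open http\n443/tcp open https\n").inspect   # passing run: []
  puts missing_lines(SAMPLE_OUTPUT, "8080/tcp open http\n443/tcp open https\n").inspect # failing run
end
```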
RESOURCES
WANT TO JOIN THE GAUNTLT TEAM? EMAIL [email protected]
Please get in touch with me:
@wickett @RuggedDevOps @gauntlt