+ All Categories
Home > Technology > Run your code through the Gauntlt

Run your code through the Gauntlt

Date post: 19-Oct-2014
Category:

Technology
View: 1,055 times
Download: 1 times
Download Report this document
Share this document with a friend
Description:
Presented at DevOps Days Silicon Valley 2013. Gauntlt is a rugged testing framework to integrate security testing into your process. It was spawned out of the Rugged DevOps movement.
Popular Tags:
443tcp open
expected ports
verify server
running gauntlt
nmap attacks
open
dirb
run
20
Run your code through the Gauntlt
Transcript
Page 1: Run your code through the Gauntlt

Run your code through

the

Gauntlt

Page 2: Run your code through the Gauntlt

we faced skilled

adversaries

Page 3: Run your code through the Gauntlt

we couldn’t win

Page 4: Run your code through the Gauntlt

Instead of

Engineering

InfoSec

became

Actuaries

Page 5: Run your code through the Gauntlt

“It’s

Certified”

-You

Page 6: Run your code through the Gauntlt

Your punch is soft,just like your heart

Page 7: Run your code through the Gauntlt
Page 8: Run your code through the Gauntlt

enterRugged DevOps

enter gauntlt

Philosophy

Tooling

Page 9: Run your code through the Gauntlt

$ gem install gauntlt

install gauntlt

Page 10: Run your code through the Gauntlt

gauntlt is

like this

Page 11: Run your code through the Gauntlt

sqlmap sslyze

dirbcurl

generic

nmap

your appgauntlt

exit status: 0

Page 12: Run your code through the Gauntlt

Codify your

knowledge

(cheat sheets)

Page 13: Run your code through the Gauntlt

security

testing on

every commit

Page 14: Run your code through the Gauntlt

gauntlt promotes

collaboration

Page 15: Run your code through the Gauntlt

running gauntlt with failing tests

$ gauntlt

Feature: nmap attacks for example.com

Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |

Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """

1 scenario (1 failed)5 steps (1 failed, 4 passed)0m18.341s

GivenWhenThen

http://www.example.com
http://www.example.com
Page 16: Run your code through the Gauntlt

$ gauntlt

Feature: nmap attacks for example.com

Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |

Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """

1 scenario (1 passed)4 steps (4 passed)0m18.341s

running gauntlt with passing tests

http://www.example.com
http://www.example.com
Page 17: Run your code through the Gauntlt

@slowFeature: Run dirb scan on a URL

Scenario: Run a dirb scan looking for common vulnerabilities in apache

Given "dirb" is installed And the following profile: | name | value | | hostname | http://example.com | | wordlist | vulns/apache.txt |

When I launch a "dirb" attack with: """ dirb <hostname> <dirb_wordlists_path>/<wordlist> """

Then the output should contain: """ FOUND: 0 """

.htaccess.htpasswd

.meta.web

access_logcgi

cgi-bincgi-pub

cgi-scriptdummyerror

error_loghtdocshttpd

httpd.pidicons

server-infoserver-status

logsmanualprintenvtest-cgi

tmp~bin~ftp

~nobody~root

https://google.com
https://google.com
Page 18: Run your code through the Gauntlt

gauntlt credits:

Creators:

Mani Tadayon

James Wickett

Community Wrangler: Jeremiah Shirk

Friends: Jason Chan, NetflixNeil Matatall, Twitter

Page 19: Run your code through the Gauntlt

my_first.attack

Start with the gauntlt.org tutorial

Add your config (hostname, login url, user)

Use examples from github

Repeat

#gauntlt on freenode

@gauntlt on twitter

Page 20: Run your code through the Gauntlt

@wickett

[email protected]

Be Mean to Your Code!

mailto:[email protected]
mailto:[email protected]

Recommended
How to run source code

How to run source code

Documents

RTL code for - University of Arizona · RTL code for operations C code C compiler RTL code for support routines data base C header file object code librarian run-time library RTL

RTL code for - University of Arizona · RTL code for operations C code C compiler RTL code for support routines data base C header file object code librarian run-time library RTL

Documents

Running Untrusted Application Code: Sandboxing. Running untrusted code We often need to run buggy/unstrusted code: programs from untrusted Internet sites:

Running Untrusted Application Code: Sandboxing. Running untrusted code We often need to run buggy/unstrusted code: programs from untrusted Internet sites:

Documents

Static Analysis in C/C++ code with Polyspace...17 Full list of run-time checks in Polyspace Code Prover C run-time checks Unreachable Code Out of Bounds Array Index Division by Zero

Static Analysis in C/C++ code with Polyspace...17 Full list of run-time checks in Polyspace Code Prover C run-time checks Unreachable Code Out of Bounds Array Index Division by Zero

Documents

Running Unreliable Code John Mitchell CS155. Topic uHow can you run code that could contain a dangerous bug or security vulnerability? uExamples: Run.

Running Unreliable Code John Mitchell CS155. Topic uHow can you run code that could contain a dangerous bug or security vulnerability? uExamples: Run.

Documents

Run-time organization and General Principles of Code ...artale/Compiler/Lectures/slide12-runtime.pdf · Run-time organization and General Principles of Code Generation Lecture 12

Run-time organization and General Principles of Code ...artale/Compiler/Lectures/slide12-runtime.pdf · Run-time organization and General Principles of Code Generation Lecture 12

Documents

CS5530 Mobile/Wireless Systems Android UI · 2017-03-09 · Running Android Code CS5530 6 Ref. CN5E, NT@UW, WUSTL •Run code on simulator •Run code on a real device o No license

CS5530 Mobile/Wireless Systems Android UI · 2017-03-09 · Running Android Code CS5530 6 Ref. CN5E, NT@UW, WUSTL •Run code on simulator •Run code on a real device o No license

Documents

Www.xactium.com Xactium xDSLs Run Models Not Code Tony Clark tony.clark@xactium.com.

Www.xactium.com Xactium xDSLs Run Models Not Code Tony Clark [email protected].

Documents

BarcelonaJUG2016: walkmod: how to run and design code transformations

BarcelonaJUG2016: walkmod: how to run and design code transformations

Software

Running Your Apps Through the "Gauntlt"

Running Your Apps Through the "Gauntlt"

Technology

Xactium xDSLs Run Models Not Code Tony Clark tony.clark@xactium

Xactium xDSLs Run Models Not Code Tony Clark tony.clark@xactium

Documents

"Making OpenCV Code Run Fast," a Presentation from Intel

"Making OpenCV Code Run Fast," a Presentation from Intel

Technology

201505 OWASP AppSecEU 2015 SecDevOps - Christian Schneider · Gauntlt in SecDevOps? BDD-based framework for executing many security tools/scanners: • Integrates scanners like Arachni,

201505 OWASP AppSecEU 2015 SecDevOps - Christian Schneider · Gauntlt in SecDevOps? BDD-based framework for executing many security tools/scanners: • Integrates scanners like Arachni,

Documents

Code Analysis-run time error prediction

Code Analysis-run time error prediction

Technology

Continuous Opportunity: DevOps & Security - … · OWASP Ames Continuous Opportunity: ... • OWASP Bricks • PHAN ... Running the Gauntlt. Continuous Opportunity: DevOps & Security

Continuous Opportunity: DevOps & Security - … · OWASP Ames Continuous Opportunity: ... • OWASP Bricks • PHAN ... Running the Gauntlt. Continuous Opportunity: DevOps & Security

Documents

JJw?-?7-23/8“-=,:>%%.. .. .. =:% ..~ · 2016. 10. 21. · Wind Code. STEP t m STEP 3: I. 1. Run HOTPLT (optional) Diffusion Code. STEP 6: STEP. 4: / /l Run RAPTADI. w. STEP & I.

JJw?-?7-23/8“-=,:>%%.. .. .. =:% ..~ · 2016. 10. 21. · Wind Code. STEP t m STEP 3: I. 1. Run HOTPLT (optional) Diffusion Code. STEP 6: STEP. 4: / /l Run RAPTADI. w. STEP & I.

Documents

Exceptions. Many problems in code are handled when the code is compiled, but not all Some are impossible to catch before the program is run Must run.

Exceptions. Many problems in code are handled when the code is compiled, but not all Some are impossible to catch before the program is run Must run.

Documents

Code Schemes Departmental Ledger. Objectives What is a code scheme? How to add a code scheme? How to update a code scheme? How to run a code scheme report?

Code Schemes Departmental Ledger. Objectives What is a code scheme? How to add a code scheme? How to update a code scheme? How to run a code scheme report?

Documents