putting rugged into your devops toolchain

Post on 16-Jan-2015


DESCRIPTION

Presentation given at DevOps Days Mountain View, on June 29th, 2012. #devopsdays

TRANSCRIPT

PUTTING RUGGED INTO YOUR DEVOPS TOOLCHAIN

JAMES WICKETT, @WICKETT

I WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE

James Wickett

CISSP, GWAPT, CCSK, GSEC, GCFW

@wickett @RuggedDevOps

@gauntlt

HTTP://BIT.LY/RUGGED-DEVOPS

A BRIEF HISTORY OF INFORMATION SECURITY

WE USED TO BE COOL

WE HAD CINEMA

WE HAD HEROES

WE MADE FREE PHONE CALLS

WE WERE COOL

WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT

WE HELD CONFERENCES IN FANCY HOTELS WHERE WE CLAIMED WE HAD NO BUSINESS SUPPORT

WE HAVE BUSINESS CARDS WITH TITLES LIKE CISO ON THEM

ONCE IN THE ORG, INFOSEC MADE BIG CLAIMS

WE COULDN’T STOP THE VIRUSES AND WORMS

ENTER RISK ASSESSMENT

INSTEAD OF ENGINEERING INFOSEC BECAME ACTUARIES

WE BECAME EXPERTSIN BUYING INSURANCE POLICIES

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI

WE MADE A SIGNIFICANT

ERROR

WE THOUGHT THIS WAS TRUE: EVERY SECURITY EVENT RESULTS IN A FINANCIAL LOSS

TJX H@CK3D!

THE STOCK PRICE DIDN’T DROP

OUR ASSUMPTION WAS INCOMPLETE

INFOSEC ALSO MADE A SECOND BIG MISTAKE

IT STAYED IN INFORMATION TECHNOLOGY

IT WAS A COST CENTER AND NOT IN A POSITION TO ADD VALUE

SOMETHING ELSE HAPPENED GLOBALLY

DEVS BECAME COOL

CODE BECAME SOCIAL

“I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”

WE SELL TIME NOW

WE SELL SOCIAL AND FRIENDSHIPS

“IS THIS SECURE?” - YOUR CUSTOMER

“IT’S CERTIFIED” - YOU

WHY CAN’T YOU GIVE A BETTER ANSWER?

THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS

source: Gene Kim, “When IT says No @SXSW 2012”

Security sees...

• They give advice that goes unheeded

• Business decisions made w/o regard of risk

• Irrelevancy in the organization

• Constant bearer of bad news

• Feels ignored by their peers (you know, those devops guys)

• Inequitable distribution of labor

2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY

- BSIMM 2012 data, http://bsimm.com/

HOW DO WE FIX THESE PROBLEMS?

- LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES

- DEVELOPING TOOLS TO CORRECT PROBLEMS

- PLANNING TO HAVE EVERYTHING COMPROMISED

UNDERSTANDING

TOOLING

ARCHITECTURE

OPEN WEB APPLICATION SECURITY PROJECT

(Three comparison slides: Current Software vs. Rugged Software)

ADVERSITY REQUIRES RUGGED SOLUTIONS

ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.

RUGGEDIZATION THEORY

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

NO PAIN, NO GAIN

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by the CloudFlare team

• REPEATABLE – NO MANUAL STEPS

• RELIABLE – NO DOS HERE

• REVIEWABLE – AKA AUDIT

• RAPID – FAST TO BUILD, DEPLOY, RESTORE

• RESILIENT – AUTOMATED RECONFIGURATION

• REDUCED – LIMITED ATTACK SURFACE

RUGGED BY DESIGN, DEVOPS BY CULTURE

RUGGED DEVOPS

Put your code through the gauntlt

GAUNTLET, N. AN ATTACK FROM ALL SIDES

(Diagram: "Your web app" in the centre, attacked from all sides by:)

• w3af

• fuzzers

• nmap

• nessus

• sqlmap

• metasploit

• dirbuster

• custom attacks

• You

gauntlt is built for doing security testing in a DevOps world

GAUNTLT IS

AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS

WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE

ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...

MEET THE GAUNTLT TEAM

MANI TADAYON

"SOFTWARE - WAR = SOFTE"

@BWSR_SR

ROY RAPOPORT “I PICKED UP THE TEE SHIRTS”

@ROYRAPOPORT

BILL BURNS @X509V3

“SMITHERS, RELEASE THE MONKEYS!”

JOSHUA CORMAN @JOSHCORMAN @RUGGEDSOFTWARE

“HONEY BADGER DOES CARE” 

JASON CHAN

@CHANJBS

NOT PICTURED: MATT TESAURO, TAREK MOUSSA

WHY GAUNTLT?

SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS

GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO

COMMUNICATE

GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION

LET’S LOOK INSIDE A COUPLE OF THESE FILES

    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:
        Given nmap is installed

      Scenario: Verify server is available on standard web ports
        Given the hostname in the profile.xml
        When I run nmap against the hostname in the profile on ports 80,443
        Then the output should contain:
          """
          80/tcp open http
          443/tcp open https
          """

feature for nmap: nmap.feature

    # Background step: the scenario is skipped with a clear failure if nmap is not on the PATH.
    Given /^nmap is installed$/ do
      steps %{
        When I run `which nmap`
        Then the output should contain:
          """
          nmap
          """
      }
    end

    # @hostname is set by the profile step (features/step_definitions/profile.rb)
    # and interpolated unvalidated into the command line. The two captured port
    # numbers are passed through to nmap (the slide's version hard-coded -p80,443
    # and ignored the captures).
    When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
      steps %{
        When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
      }
    end

step definition for nmap: nmap.rb

    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                # features/nmap/nmap.feature:5
        Given nmap is installed  # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports            # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                                 # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
        Then the output should contain:                                       # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          8080/tcp open http
          443/tcp open https
          """
    ...

    Failing Scenarios:
    cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

    1 scenario (1 failed)
    4 steps (1 failed, 3 passed)
    0m0.341s

running gauntlt with failing tests

    wickett$ gauntlt
    @gauntlet @run
    Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

      Background:                # features/nmap/nmap.feature:5
        Given nmap is installed  # features/step_definitions/nmap.rb:2

      Scenario: Verify server is available on standard web ports          # features/nmap/nmap.feature:8
        Given the hostname in the profile.xml                               # features/step_definitions/profile.rb:1
        When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
        Then the output should contain:                                     # aruba-0.4.11/lib/aruba/cucumber.rb:98
          """
          80/tcp open http
          443/tcp open https
          """

    1 scenario (1 passed)
    4 steps (4 passed)
    0m1.117s

running gauntlt with passing tests
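As an added example (not gauntlt's or the presenter's own code), here is the same nmap check written as plain Ruby without Cucumber or aruba, so the two runs above can be reproduced offline. The profile.xml layout (`<profile><hostname>`), the helper names, and the nmap output used as input are assumptions constructed for this demo. It differs from the step definition above in two ways a practitioner cares about: the hostname read from profile.xml is syntax-checked and handed to nmap as an argv array rather than interpolated into a shell command string, and the verdict comes from parsing nmap's port table rather than from a substring match (nmap pads its PORT/STATE/SERVICE columns, so a literal `80/tcp open http` comparison depends on exact spacing).

```ruby
# Added example, not gauntlt code. Shell-free, parsed version of the
# "verify server is available on standard web ports" check.
require 'open3'
require 'rexml/document'

# RFC 1123 hostname syntax (letters, digits, hyphens, dots, 253 chars max).
# Anything a shell could interpret (space, ';', '$', backticks) is rejected.
HOSTNAME_RE = /\A(?=.{1,253}\z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i

def valid_hostname?(name)
  !!(name =~ HOSTNAME_RE)
end

# Extract the target from profile.xml. Assumed layout:
# <profile><hostname>host</hostname></profile>
def hostname_from_profile(xml)
  node = REXML::XPath.first(REXML::Document.new(xml), '/profile/hostname')
  host = node ? node.text.to_s.strip : ''
  raise ArgumentError, "profile.xml: missing or unsafe hostname #{host.inspect}" unless valid_hostname?(host)
  host
end

# Build nmap's command line as an argv array. Open3 with several arguments
# execs directly, so the hostname is never parsed by a shell.
def nmap_argv(host, ports)
  raise ArgumentError, "unsafe hostname #{host.inspect}" unless valid_hostname?(host)
  ['nmap', '-p', ports.map(&:to_i).join(','), host]
end

def run_nmap(host, ports)
  out, status = Open3.capture2(*nmap_argv(host, ports))
  raise "nmap exited with status #{status.exitstatus}" unless status.success?
  out
end

# Parse nmap's "PORT STATE SERVICE" table; return the open TCP ports.
def open_ports(nmap_output)
  nmap_output.each_line.map do |line|
    m = line.match(%r{\A(\d+)/tcp\s+open\b})
    m && m[1].to_i
  end.compact
end

# The "Then the output should contain" check as a structured comparison:
# every expected port must be reported open.
def verify_ports(nmap_output, expected)
  opened = open_ports(nmap_output)
  missing = expected - opened
  { ok: missing.empty?, open: opened, missing: missing }
end

SAMPLE_PROFILE = <<~XML # constructed sample profile.xml
  <profile><hostname>www.example.internal</hostname></profile>
XML

SAMPLE_NMAP_OUTPUT = <<~OUT # constructed; a host with 80 and 443 open, 8080 closed
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-06-29 10:00 CDT
  Nmap scan report for www.example.internal (10.0.0.5)
  Host is up (0.0012s latency).
  PORT     STATE  SERVICE
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
OUT

if __FILE__ == $PROGRAM_NAME
  host = hostname_from_profile(SAMPLE_PROFILE)
  # Default is offline on the constructed output; pass --live to really scan.
  output = ARGV[0] == '--live' ? run_nmap(host, [80, 443, 8080]) : SAMPLE_NMAP_OUTPUT
  # The two runs from the slides: 80,443 passes, 8080,443 fails.
  [[80, 443], [8080, 443]].each do |want|
    r = verify_ports(output, want)
    verdict = r[:ok] ? 'PASS' : "FAIL (not open: #{r[:missing].join(',')})"
    puts "#{host} ports #{want.join(',')}: #{verdict}"
  end
end
```

`ruby nmap_check.rb` prints the offline PASS/FAIL pair; `ruby nmap_check.rb --live` runs the real scan against the profile's host, which only makes sense inside the environment that profile.xml describes.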

RESOURCES

WANT TO JOIN THE GAUNTLT TEAM? EMAIL JAMES@RUGGEDDEVOPS.ORG

Please get in touch with me:

@wickett @RuggedDevOps @gauntlt
