Rugged Software Using Rugged Driven Development


Published on March 10, 2014

Author: wickett

Source: slideshare.net

Description

Security testing is often done at the cadence of auditors rather than at the pace of the development team, which hurts delivery time in agile teams. Rugged Driven Development (RDD) applies security and other stress testing methodologies during the development process so that the end product is software that is secure, reliable and resilient.

Using the Gauntlt open source framework to help implement RDD, you will find it fun to live by the Gauntlt motto, “be mean to your code.” You will be equipped to deliver and release ruggedized software faster, as well as to span the communication gaps that exist between dev, ops and security teams. This talk will help you implement RDD in your projects with plenty of real world examples.

At the end of the workshop, you should:

Be Rugged Driven Dev savvy and ready to ruggedize your next project with some new practices and tooling
Know how to use gauntlt and the security tools it hooks into
Take some of the pre-built gauntlt attacks and modify them to your own project
Write your own gauntlt attacks and put them in practice

RUGGED SOFTWARE USING RUGGED DRIVEN DEVELOPMENT @wickett // @iteration1 // @mattjay

$ wget http://bit.ly/rugged-sxsw-box
AND
Install VirtualBox and Vagrant

BE RUGGED AND BE MEAN TO YOUR CODE
#RUGGED #SXSW (official tag) + #BEMEAN (use this one to troll SXSW)

THEORY / APPLIED: 63% HANDS-ON LABS!

WORKSHOP PLEDGE

I will not attempt to access my neighbor’s computer
I will not hack the wifi
I will be friendly to those around me

ONE 5-MINUTE BREAK

HANDS-ON LABS
8 Mini Labs lasting 5 to 15 minutes each
Let us know if you are having a problem, and we will help
We will also be around after the class to help as well

VIRTUAL BOX AND VAGRANT

TIPS FOR THE LABS
Open the labs folder in your browser to follow along and benefit from the markdown display
Run all commands from the ~/gauntlt-demo directory

LOOKING FOR THE 5’S

WHY ARE YOU HERE?

OUR GOAL: EQUIP YOU WITH THE THEORY, EXAMPLES AND TOOLING SO THAT YOU CAN BEGIN YOUR RUGGED JOURNEY

WHO ARE WE?

JAMES WICKETT
Austin, TX
Sr. DevOps Engr, Mentor Graphics
Gauntlt Core Team
DevOps Days Austin Organizer
Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …

MATT JOHANSEN
Houston, TX
Sr. Manager, TRC, WhiteHat Security
BlackHat, DEFCON, RSA, more++
Wannabe Dev (node.js, angularjs)
I’m hiring

KARTHIK GAEKWAD
Austin, TX
Sr. Software Engr, Mentor Graphics
DevOps Days Austin Organizer
Agile, LASCON, DevOps Days, AppSecUSA, …

WHY DOES THIS MATTER?

SNOWDEN, NSA, NATION-STATE ACTORS, …

PEOPLE MATTER

THE BROKEN WINDOW FALLACY & THE PRISONER’S DILEMMA

BREACHES CAUSE CYNICISM, DISTRUST AND LOSS

SOFTWARE HAS CHANGED

SOFTWARE AS A SERVICE

SOFTWARE AS BRICOLAGE

BOLT ON FEATURE APPROACH

FRAGILE CODE AS A SERVICE

DEPLOY TIMELINES HAVE CHANGED

DEV AND OPS HAVE TEAMED UP IN THIS NEW WORLD

CONTINUOUS DELIVERY IS A THING

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

DEVOPS IS 5 YEARS OLD NOW

SECURITY IS STUCK IN 1997 … MOSTLY

WHY IS THAT?

COMPLIANCE DRIVEN CULTURE: PCI, SOX, …

RATIO PROBLEM: DEVS / OPS / SECURITY = 100 / 10 / 1

SECURITY TOOLS ARE CONFUSING

BUT, THERE IS HOPE

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

http://www.youtube.com/watch?v=jQblKuMuS0Y

THE RUGGED MANIFESTO

I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.
I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.

I RECOGNIZE THAT MY CODE WILL BE USED IN WAYS I CANNOT ANTICIPATE, IN WAYS IT WAS NOT DESIGNED, AND FOR LONGER THAN IT WAS EVER INTENDED.
I RECOGNIZE THAT MY CODE WILL BE ATTACKED BY TALENTED AND PERSISTENT ADVERSARIES WHO THREATEN OUR PHYSICAL, ECONOMIC AND NATIONAL SECURITY.

I RECOGNIZE THESE THINGS – AND I CHOOSE TO BE RUGGED.
I AM RUGGED BECAUSE I REFUSE TO BE A SOURCE OF VULNERABILITY OR WEAKNESS.
I AM RUGGED BECAUSE I ASSURE MY CODE WILL SUPPORT ITS MISSION.

I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM.
I AM RUGGED, NOT BECAUSE IT IS EASY, BUT BECAUSE IT IS NECESSARY AND I AM UP FOR THE CHALLENGE.

DEV / OPS / SEC JOIN FORCES

#RUGGEDDEVOPS

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

LET’S BUILD RUGGED SOFTWARE

RUGGED WEB APPS

VULNERABLE CODE IS EVERYWHERE

CROSS SITE SCRIPTING [XSS]

WHAT IS IT? [XSS]

REFLECTIVE [XSS]

PERSISTENT [XSS]

DOM BASED [XSS]

WHY IS IT BAD? [XSS]

DOCUMENT.COOKIE [XSS]

DOCUMENT.LOCATION [XSS]

HOW DO I FIX IT? [XSS]

GOOD: INPUT SANITIZATION [XSS]

BLACKLIST :( [XSS]

WHITELIST :) [XSS]

BETTER: OUTPUT ENCODING [XSS]

< > BECOME &lt; &gt; [XSS]
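As an added example (not from the slides) of the XSS fixes above, written in Ruby since that is what Gauntlt itself is built in: a blacklist strip as in the ":(" slide, a whitelist validator as in the ":)" slide, and output encoding that turns < > into &lt; &gt;. The function names and the username rule are assumptions for illustration.

```ruby
# Added example, not from the slides: whitelist input validation plus HTML
# output encoding, the two XSS fixes the slides recommend, next to a blacklist.
require 'cgi'

# Blacklist approach from the ":(" slide: strips one spelling of one tag and
# nothing else, so anything it did not anticipate passes straight through.
def blacklist_strip(input)
  input.gsub('<script>', '')
end

# Whitelist approach from the ":)" slide: accept only what a username
# legitimately needs. Returns nil when the input has anything else in it.
USERNAME_RE = /\A[A-Za-z0-9_]{1,32}\z/
def whitelist_username(input)
  input.match?(USERNAME_RE) ? input : nil
end

# Output encoding: every character with meaning in an HTML text or attribute
# context becomes its entity, so the browser renders it as text.
# CGI.escapeHTML (Ruby standard library) covers & < > " and '.
def html_encode(text)
  CGI.escapeHTML(text.to_s)
end

# Render a greeting for an untrusted display name. Validation may reject the
# value up front, but encoding is applied on output no matter where it came from.
def render_greeting(display_name)
  "<p>Hello, #{html_encode(display_name)}!</p>"
end

if __FILE__ == $0
  payload = '<script>alert(1)</script>'   # the probe string from the Gruyere lab
  puts blacklist_strip(payload.upcase)    # tag survives: the blacklist knew one spelling
  p whitelist_username(payload)           # nil: rejected before it is ever stored
  puts render_greeting(payload)           # rendered as literal text, not executed
end
```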

SQL INJECTION [SQLi]

WHAT IS IT? [SQLi]

WHY IS IT BAD? [SQLi]

CREDIT: XKCD

HOW WOULD YOU EXPLOIT?

';

PWNED

HOW DO I FIX IT? [SQLi]

PARAMETERIZED QUERIES [SQLi]

PARAMETERIZED QUERIES (PHP) [SQLi]

PARAMETERIZED QUERIES (JAVA) [SQLi]

CROSS SITE REQUEST FORGERY [CSRF]

WHAT IS IT? [CSRF]

WHY IS IT BAD? [CSRF]

HOW DO I FIX IT? [CSRF]

TOKENS! [CSRF]

IMAGE CREDIT: DOTNETBIPS.COM
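An added example (not from the slides) of the token fix for CSRF, in Ruby: a per-session synchronizer token that is embedded in every state-changing form and checked in constant time on submit. The session hash, the form renderer and the parameter names are stand-ins for a real web framework and are assumptions here.

```ruby
# Added example, not from the slides: synchronizer-token CSRF protection.
# `session` is a plain Hash standing in for a framework's server-side session.
require 'securerandom'

# Issue one unguessable token per session and keep it server-side.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Every state-changing form carries the token as a hidden field; a form on
# another origin cannot read it, so a forged request arrives without it.
def render_form(session, action)
  token = csrf_token_for(session)
  "<form method=\"post\" action=\"#{action}\">" \
    "<input type=\"hidden\" name=\"csrf_token\" value=\"#{token}\">" \
    "</form>"
end

# Constant-time comparison so a partial match is not detectable by timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validate a POST: the submitted token must equal the session's token.
# A session without a token, a request without the field, or a mismatch all fail.
def valid_csrf?(session, params)
  expected  = session[:csrf_token]
  submitted = params['csrf_token']
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted)
end

if __FILE__ == $0
  session = {}
  puts render_form(session, '/transfer')
  legit  = { 'csrf_token' => session[:csrf_token], 'amount' => '100' }
  forged = { 'amount' => '100' }              # cross-site form: no token
  puts valid_csrf?(session, legit)            # true
  puts valid_csrf?(session, forged)           # false
end
```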

AGAIN… VULNERABLE CODE IS EVERYWHERE

GETS FIXED SLOWLY

…IF EVER

OWASP TOP 10

LAB #1 - SETUP

SETUP
github.com/gauntlt/gauntlt-demo
Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2014
You need Vagrant and VirtualBox installed on your laptop

LAB INSTRUCTIONS
For this lab, you will complete:
├── 01_Overview.md
├── 02_Setup using Vagrant.md

5-MINUTE BREAK

LAB #2 - WEB APP HACKING

XSS DEMO

FIND THE VULN

LAB INSTRUCTIONS
For this lab, you will complete:
├── 04_Start up Vulnerable Target.md

For this lab, poke around and try to find a second XSS vulnerability
Let us know when you find it…

INTRO TO GAUNTLT

WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY TESTS…

http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg

GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING

GAUNTLT IS OPEN SOURCE MIT LICENSED

GAUNTLT AUTOMATES SECURITY TOOLS

GAUNTLT = SECURITY + CUCUMBER

GARMR CODE NMAP CURL ARACHNI

BUILT ON CUCUMBER

GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr

GAUNTLT IS COLLABORATION

GAUNTLT IN ACTION: *.attack (something.attack, else.attack)

ATTACK STRUCTURE: Feature (description) / Background (setup) / Scenario (logic)

ATTACK LOGIC: Given / When / Then

ATTACK STEP: GIVEN (setup steps, check a resource is available)
  Given "arachni" is installed

ATTACK STEP: WHEN (action steps)
  When I launch an "arachni-xss" attack

ATTACK STEP: THEN (parsing steps)
  Then the output should not contain "fail"

LET’S PUT IT ALL TOGETHER

LAB #3 - HELLO WORLD

LAB INSTRUCTIONS
For this lab, you will complete:
├── 05_Hello World with Gauntlt.md

HELLO WORLD

LAB #4 - BASIC PORT CHECK

LAB INSTRUCTIONS
For this lab, you will complete:
├── 06_Port Check.md

TRY OUT NMAP
$ nmap -F localhost
$ nmap -F scanme.nmap.org

@challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md

$ bundle exec gauntlt --allsteps

TRUST THE PIPE

SOLUTION

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """

LAB #5 - CLI AND REGEX

LAB INSTRUCTIONS
For this lab, you will complete:
├── 07_Working with Gauntlt CLI.md
├── 08_Regex.md

Open 07_Working with Gauntlt CLI.md and run the following:

08_Regex.md

SOLUTION

    Then the output should match:
      """
      8008/tcp\s+open
      """
    Then the output should not match /3001.tcp\s+open/
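As an added example (not from the labs) of what the Then steps above are doing, here is the same port check done by hand in Ruby: the nmap -F output is constructed to resemble a scan of the lab VM, and the regexes are the ones from the Lab 5 solution. Gauntlt's real steps do this matching through Cucumber/Aruba; the function names here are assumptions.

```ruby
# Added example, not from the labs: parse nmap -F output and apply the Lab 5
# port expectations outside of gauntlt. The scan output below is constructed.
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap 6.40 ( http://nmap.org )
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00010s latency).
  Not shown: 97 closed ports
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  3001/tcp closed unknown
  8008/tcp open   http
  Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
NMAP

# Turn the PORT/STATE table into { port => state } for tcp entries only.
def parse_nmap_ports(output)
  output.scan(%r{^(\d+)/tcp\s+(\w+)}).to_h { |port, state| [port.to_i, state] }
end

# The Lab 5 regex: "<port>/tcp" followed by whitespace and "open" at line start,
# so "3001/tcp closed" does not match and neither does "13001/tcp open".
def port_open?(output, port)
  output.match?(%r{^#{port}/tcp\s+open})
end

# Evaluate expectations the way the Then steps do: every port in expect_open
# must be open, every port in expect_closed must not be. Returns the failures.
def check_ports(output, expect_open:, expect_closed:)
  failures = []
  expect_open.each   { |p| failures << "expected #{p}/tcp open" unless port_open?(output, p) }
  expect_closed.each { |p| failures << "expected #{p}/tcp not open" if port_open?(output, p) }
  failures
end

if __FILE__ == $0
  p parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
  failures = check_ports(SAMPLE_NMAP_OUTPUT, expect_open: [8008], expect_closed: [3001])
  # Be a good citizen of exit status: a CI job keys off the result, not the text.
  puts failures.empty? ? 'PASS' : failures.join("\n")
end
```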

LAB #6 - GARMR

LAB INSTRUCTIONS
For this lab, you will complete:
├── 09_Garmr and Web Security.md

WHAT IS GARMR?

GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A BUNCH OF SECURITY POLICIES IN WEB APPS

MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US

LAB #7 - XSS WITH ARACHNI

LAB INSTRUCTIONS
For this lab, you will complete:
├── 10_Arachni and XSS testing.md

XSS LAB!

TRY OUT ARACHNI
arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 scanme.nmap.org

BONUS POINTS, FIND THE VULN!

Hint…
When I launch an "arachni-full_xss" attack

LET US KNOW WHEN YOU HAVE FOUND IT

Arachni found XSS in Gruyere, Oh noes!
localhost:8008/signup/<script>alert(1)</script>

LAB #8 - ADVANCED GAUNTLT

LAB INSTRUCTIONS
For this lab, you will complete:
├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md

HTML OUTPUT
bundle exec gauntlt --format html > out.html

out.html

RUGGED TESTING ON EVERY COMMIT

YOU PROMISED CI/CD PIPELINE…

THIS DEFINITELY IS 5 STAR TERRITORY

TRAVIS CI PARSES CONFIG AND THEN RUNS RAKE

RAKEFILE

require 'gauntlt'

task :gauntlt do
  sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
  sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
  sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
end

gauntlt-demo/.travis.yml

language: ruby
rvm:
  - 1.9.3
before_install:
  - git submodule update --init --recursive
before_script:
  - sudo apt-get install nmap
  - sudo apt-get install wget
  - sudo apt-get install libcurl4-openssl-dev
  - 'pwd'
  - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
  - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
  - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
  - 'cd vendor && wget http://downloads.sourceforge.net/project/dirb/dirb/2.03/dirb203.tar.gz && tar xvfz dirb203.tar.gz && cd dirb && ./configure && make && sudo cp dirb /usr/local/bin/ && cd ../../'
  - export DIRB_WORDLISTS="/home/travis/build/gauntlt/gauntlt/vendor/dirb/wordlists"
notifications:
  irc:
    channels:
      - "chat.freenode.net#gauntlt"
    use_notice: true

WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS WHOLE TIME WITH THE LABS!

SAHWEET!

NOW WHAT?

THESE SLIDES http://bit.ly/gauntlt-sxsw-slides

• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt

https://vimeo.com/79797907

FREE GAUNTLT BETA BOOK FOR SXSW ATTENDEES!
http://leanpub.com/hands-on-gauntlt/c/SXSW
Valid until March 11th
Caveat Emptor: No content at the moment!

GAUNTLT-SERVER COMING SOON!

WILL YOU GIVE US THE 5’S?

QUESTIONS?
