run your code through the gauntlt
Post on 19-Oct-2014
DESCRIPTION
Presented at DevOps Days Silicon Valley 2013. Gauntlt is a rugged testing framework to integrate security testing into your process. It was spawned out of the Rugged DevOps movement.
TRANSCRIPT
![Page 1: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/1.jpg)
Run your code through the Gauntlt
![Page 2: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/2.jpg)
we faced skilled adversaries
![Page 3: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/3.jpg)
we couldn’t win
![Page 4: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/4.jpg)
Instead of Engineering, InfoSec became Actuaries
![Page 5: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/5.jpg)
“It’s Certified” - You
![Page 6: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/6.jpg)
Your punch is soft, just like your heart
![Page 7: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/7.jpg)
![Page 8: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/8.jpg)
enter Rugged DevOps
enter gauntlt
Philosophy
Tooling
![Page 9: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/9.jpg)
install gauntlt
$ gem install gauntlt
![Page 10: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/10.jpg)
gauntlt is like this
![Page 11: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/11.jpg)
(diagram) gauntlt drives the attack tools it wraps, sqlmap, sslyze, dirb, curl, generic and nmap, against your app
exit status: 0
![Page 12: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/12.jpg)
Codify your knowledge (cheat sheets)
![Page 13: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/13.jpg)
security testing on every commit
![Page 14: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/14.jpg)
gauntlt promotes collaboration
![Page 15: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/15.jpg)
running gauntlt with failing tests

```
$ gauntlt
Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
```

(slide callouts: Given / When / Then)
![Page 16: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/16.jpg)
running gauntlt with passing tests

```
$ gauntlt
Feature: nmap attacks for example.com
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
```
![Page 17: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/17.jpg)
```
@slow
Feature: Run dirb scan on a URL
  Scenario: Run a dirb scan looking for common vulnerabilities in apache
    Given "dirb" is installed
    And the following profile:
      | name     | value              |
      | hostname | http://example.com |
      | wordlist | vulns/apache.txt   |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:
      """
      FOUND: 0
      """
```

(paths listed on the slide, the contents of the vulns/apache.txt wordlist: .htaccess, .htpasswd, .meta, .web, access_log, cgi, cgi-bin, cgi-pub, cgi-script, dummy, error, error_log, htdocs, httpd, httpd.pid, icons, server-info, server-status, logs, manual, printenv, test-cgi, tmp, ~bin, ~ftp, ~nobody, ~root)
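As an added example (not gauntlt's own code, and not from the talk), the Ruby below shows end to end what the two attack files above and the "exit status: 0" diagram describe: it parses a constructed attack file in the same Given/When/Then shape, fills `<hostname>`-style placeholders from the profile table (and from a `vars` hash for environment values such as `<dirb_wordlists_path>`), runs the tool through an injectable executor, and turns the step results into the 0 or 1 exit status that lets the run gate a commit hook or CI stage, as the "security testing on every commit" slide proposes. The executor here returns constructed nmap-style output so the example runs offline; the `AttackRunner` class, the `run_fake_nmap` helper and the "the output should not contain" step are assumptions of this example rather than gauntlt's API.

```ruby
require 'open3'

# Added example, not gauntlt's own code: a minimal runner for attack files in the
# Given/When/Then shape on the slides. It knows only the steps the slides use plus one
# assumed step ("the output should not contain"); tool lookup and command execution
# are injectable so it can run offline against canned tool output.
class AttackRunner
  Step = Struct.new(:kind, :arg, :text)
  StepResult = Struct.new(:step, :passed)
  def initialize(executor: nil, tool_check: nil, vars: {})
    @executor = executor || ->(cmd) { Open3.capture2e(cmd).first }
    @tool_check = tool_check || ->(tool) { ENV.fetch('PATH', '').split(File::PATH_SEPARATOR).any? { |d| File.executable?(File.join(d, tool)) } }
    @vars = vars # extra placeholders, e.g. "dirb_wordlists_path" => "/some/path" (assumed)
  end

  # Parse an attack file into [profile_hash, steps].
  def parse(text)
    lines = text.lines.map(&:rstrip)
    profile, steps, i = {}, [], 0
    while i < lines.size
      line = lines[i].strip
      i += 1
      case line
      when /^(Given|And) "([^"]+)" is installed$/
        steps << Step.new(:installed, Regexp.last_match(2), nil)
      when /^(Given|And) the following profile:$/
        while i < lines.size && lines[i].strip.start_with?('|')
          k, v = lines[i].strip.split('|').map(&:strip).reject(&:empty?)
          profile[k] = v unless k == 'name' # skip the | name | value | header row
          i += 1
        end
      when /^When I launch an? "([^"]+)" attack with:$/
        tool = Regexp.last_match(1)
        cmd, i = read_docstring(lines, i)
        steps << Step.new(:launch, tool, cmd)
      when /^(Then|And) the output should (not )?contain:$/
        kind = Regexp.last_match(2) ? :absent : :present
        expected, i = read_docstring(lines, i)
        steps << Step.new(kind, nil, expected)
      end
    end
    [profile, steps]
  end

  # Run the steps in order; the launch step's output feeds the Then checks.
  def run(text)
    profile, steps = parse(text)
    output = ''
    steps.map do |step|
      passed = case step.kind
               when :installed then @tool_check.call(step.arg)
               when :launch then (output = @executor.call(substitute(step.text, profile)); true)
               when :present then output.include?(step.text)
               when :absent then !output.include?(step.text)
               end
      StepResult.new(step, passed)
    end
  end

  def exit_status(results) # the CI gate from the slides: 0 only if every step passed
    results.all?(&:passed) ? 0 : 1
  end

  def substitute(cmd, profile) # fill <name> placeholders from the profile, then vars
    cmd.gsub(/<([a-z_]+)>/) { profile[$1] || @vars[$1] || "<#{$1}>" }
  end

  def read_docstring(lines, i) # read a """ ... """ block at lines[i]; returns [text, next_i]
    i += 1 while i < lines.size && lines[i].strip.empty?
    raise "expected \"\"\" near line #{i + 1}" unless lines[i]&.strip == '"""'
    close = lines[(i + 1)..-1].index { |l| l.strip == '"""' } or raise 'unterminated docstring'
    [lines[i + 1, close].map(&:strip).join("\n"), i + close + 2]
  end
end

# Constructed attack file modelled on the slides' nmap scenario, plus the assumed check
# that no legacy telnet service is exposed.
NMAP_ATTACK = <<~'ATTACK'
  Feature: nmap attacks for example.com
    Scenario: Verify server is open on expected ports
      Given "nmap" is installed
      And the following profile:
        | name     | value       |
        | hostname | example.com |
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should contain:
        """
        443/tcp open https
        """
      And the output should not contain:
        """
        23/tcp open telnet
        """
ATTACK

# Run the attack against constructed nmap-style output (column spacing simplified)
# instead of a live scan; returns [step_results, exit_status].
def run_fake_nmap(output = "PORT STATE SERVICE\n80/tcp open http\n443/tcp open https\n")
  runner = AttackRunner.new(executor: ->(_cmd) { output }, tool_check: ->(_tool) { true })
  results = runner.run(NMAP_ATTACK)
  [results, runner.exit_status(results)]
end
```

With the default executor the same runner shells out through Open3, so the identical attack file can be pointed at a host the team owns; three outcomes matter for a gate like this: every check passes (status 0), an unexpected service shows up so the "should not contain" step fails (status 1), and an expected service disappears so the slides' own "should contain" step fails (status 1).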
![Page 18: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/18.jpg)
gauntlt credits:
Creators: Mani Tadayon, James Wickett
Community Wrangler: Jeremiah Shirk
Friends: Jason Chan (Netflix), Neil Matatall (Twitter)
![Page 19: Run your code through the Gauntlt](https://reader034.vdocument.in/reader034/viewer/2022051322/54445afab1af9f6c0a8b4880/html5/thumbnails/19.jpg)
my_first.attack
Start with the gauntlt.org tutorial
Add your config (hostname, login url, user)
Use examples from github
Repeat
#gauntlt on freenode
@gauntlt on twitter