Be Mean to Your Code

Be Mean to Your Code - The gauntlt project was created to help you do just that!

Transcript of Be Mean to Your Code

Page 1: Be Mean to Your Code

Be Mean to Your Code!

Page 2: Be Mean to Your Code

@wickett, Sr. DevOps Engineer

Mentor Graphics, Embedded Software Division

CISSP, GWAPT, CCSK, GSEC, GCFW

[email protected]

ruggeddevops.org

Page 3: Be Mean to Your Code

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

Page 4: Be Mean to Your Code

Ruggedization Theory

Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.

Page 5: Be Mean to Your Code

"Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by CloudFlare team

Page 6: Be Mean to Your Code

Security vs. Rugged

Security                    Rugged
• Absence of Events         • Verification of quality
• Cost                      • Benefit
• Negative                  • Positive
• FUD                       • Known values
• Toxic                     • Affirming

Page 7: Be Mean to Your Code

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI

Page 8: Be Mean to Your Code

RUGGED

source: Jessica Allen, http://drbl.in/bgwy

Page 9: Be Mean to Your Code

• REPEATABLE – NO MANUAL STEPS

• RELIABLE – NO DOS HERE

• REVIEWABLE – AKA AUDIT

• RAPID – FAST TO BUILD, DEPLOY, RESTORE

• RESILIENT – AUTOMATED RECONFIGURATION

• REDUCED – LIMITED ATTACK SURFACE

Page 10: Be Mean to Your Code

w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks

Put your code through the Gauntlet

Page 11: Be Mean to Your Code

Your web app

w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks

You

Put your code through the Gauntlet

Page 12: Be Mean to Your Code

GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO

COMMUNICATE

Page 13: Be Mean to Your Code

@run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:
    Given nmap is installed

  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

feature for nmap: nmap.feature

Page 14: Be Mean to Your Code

@run @webserver
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background: # optional
    Given nmap is installed

  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

feature for nmap: nmap.feature

Page 15: Be Mean to Your Code

# Background step: nmap must be on the PATH before any scenario runs.
Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
    """
    nmap
    """
  }
end

# Attack step: run nmap against the hostname loaded from profile.xml.
# The two captured ports are passed through to nmap rather than hard-coded,
# so the step's behaviour matches the port list written in the feature file.
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |arg2, arg3|
  steps %{
    When I run `nmap \"#{@hostname}\" -p#{arg2},#{arg3}`
  }
end

...

step definition for nmap: nmap.rb
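The feature file and step definitions above depend on cucumber, aruba and a real nmap binary. The following is an added example (not gauntlt's own code) that isolates the logic those steps perform, so it runs offline: building the nmap command from the hostname and the captured ports, parsing nmap's port lines, and checking that every expected port is reported open. The host name and the nmap output are constructed samples.

```ruby
# Added example, not part of gauntlt: the checks behind the nmap steps,
# without cucumber/aruba, exercised against constructed nmap output.
require 'shellwords'

# Build the command the step would run. The hostname comes from profile.xml
# in gauntlt, so it is shell-escaped here; ports are the step's captures.
def nmap_command(hostname, ports)
  "nmap #{Shellwords.escape(hostname)} -p#{ports.join(',')}"
end

# Parse lines of the form "80/tcp open http" into { port => details }.
# Header, banner and summary lines do not match and are skipped.
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    if (m = line.match(%r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}))
      ports[m[1].to_i] = { proto: m[2], state: m[3], service: m[4] }
    end
  end
end

# The assertion behind "Then the output should contain": every expected port
# must be reported open. Returns the ports that are not, so [] means pass.
def missing_open_ports(output, expected_ports)
  seen = parse_nmap_ports(output)
  expected_ports.reject { |p| seen[p] && seen[p][:state] == 'open' }
end

# Constructed sample, modelled on nmap's normal output for a web host with
# 80 and 443 open; not captured from a real scan.
SAMPLE_OUTPUT = <<~NMAP
  Nmap scan report for example.test (192.0.2.10)
  Host is up (0.0012s latency).
  PORT     STATE  SERVICE
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy
NMAP

if __FILE__ == $PROGRAM_NAME
  # Reproduces the two runs from the deck: 80,443 passes, 8080,443 fails.
  [[80, 443], [8080, 443]].each do |ports|
    missing = missing_open_ports(SAMPLE_OUTPUT, ports)
    status = missing.empty? ? 'passed' : "failed (not open: #{missing.join(',')})"
    puts "#{nmap_command('example.test', ports)} -> #{status}"
  end
end
```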

Page 16: Be Mean to Your Code

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                    # features/nmap/nmap.feature:5
    Given nmap is installed                                      # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports    # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                        # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443  # features/step_definitions/nmap.rb:12
    Then the output should contain:                              # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      8080/tcp open http
      443/tcp open https
      """
...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s

running gauntlt with failing tests

Page 17: Be Mean to Your Code

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                    # features/nmap/nmap.feature:5
    Given nmap is installed                                      # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports    # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                        # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 80,443  # features/step_definitions/nmap.rb:12
    Then the output should contain:                              # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s

running gauntlt with passing tests

Page 19: Be Mean to Your Code

gauntlt team:

• James Wickett

• Mani Tadayon

• Roy Rapoport

• Jason Chan

• Matt Tesauro

• Tarek Moussa

• Jeremiah Shirk

• Luis De Leon

• Dan Cornell

• Scott Muc

Page 20: Be Mean to Your Code

Join Us

• github > http://bit.ly/gauntlt_repo

• google group > http://bit.ly/gauntlt_group

• twitter: @gauntlt