Attacking Pipelines--Security meets Continuous Delivery

Post on 19-Oct-2014

DESCRIPTION

Talk given at the ISC2 Secure SDLC event in Austin, TX. The release velocity for our applications is increasing, often leaving security testing behind. In some cases, the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but let's do one better: let's do security testing on every code change. Using automation tooling and DevOps practices, this talk will help you tune security testing to your release cadence and, more importantly, help you deliver more rugged software.

Transcript

Goal: Equip you with the theory, examples and tooling so that you can begin your rugged journey with an attacking pipeline you can lovingly call your very own

James Wickett, james@gauntlt.org

Austin, TX

Gauntlt Core Team

DevOps Days Austin Organizer

Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …

Why does this matter?

“I want to solve a problem so we can make awesome”

- Business

CIO say whut?

…in 2 years with an expensive, bloated project that is so fragile that we can only make changes to it 4 times a year and only after the sacred upgrade rituals are performed

CISO say whut?

Biz say whut?

Just Ship It!

SPOILER ALERT!

the business wins

How did we get here?

Software has Changed

Software as a Service

Software as Bricolage

Bolt-on Feature Approach

Fragile Code as a Service

Deploy Timelines Have Changed

Dev and Ops have teamed up in this new world

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

DevOps is 5 years old now

The security organization is stuck in 1997

… mostly

Why is that?

Compliance Driven Culture: PCI, SOX, …

Ratio Problem Devs / Ops / Security

100 / 10 / 1

Security Tools are run out-of-band

But, there is hope

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

http://www.youtube.com/watch?v=jQblKuMuS0Y

The Society of Rugged Developers

ruggeddev.org

Rugged Journey

Quality

Transparency

Value Creation

Culture infusion

#RuggedDevOps

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

Pipelines!

Continuous Integration

commit -> test -> deploy

github -> travis -> s3

git -> jenkins -> rundeck

you can now answer the question of what is deployed and how it was tested

Simple is better

Continuous Integration Options

On premise: Jenkins

Cloud hosted: Travis CI, Circle CI, CloudBees, Wercker, Shippable, Drone.io…

Or a mix: DotCI

Attacking Pipeline Guide

1. Check your app/service/thing into a github repo
2. Create some security tests
3. Setup Travis CI to talk to your repo
4. Create a .travis.yml file
5. Write code, write moar security tests…

Try this at home

github.com/gauntlt/gauntlt-demo

Fork This

What is gauntlt-demo?

Contains vulnerable web apps written in python and ruby on rails

Easy hooks for spinning up the apps

Contains labs and examples for writing attacks

An attacking pipeline on Travis CI that attacks the web apps

Installation

  $ git clone https://github.com/gauntlt/gauntlt-demo
  $ cd ./gauntlt-demo
  $ git submodule update --init --recursive
  $ bundle
  $ bundle exec start_services config/gruyere.rb

Gruyere is now up at http://localhost:8008/

Security Testing

Static Code Analysis

Dynamic Testing

Virus Scanning

Code Signing Checks

Business logic/flow testing

convert thy pdf to tests!

Wouldn't it be great if we could automate our security tests…

Security + Cucumber = Gauntlt

Built on Cucumber

Gauntlt Philosophy

Gauntlt comes with pre-canned steps that hook security testing tools

Gauntlt does not install tools

Gauntlt can be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr

MIT Open Source License

Who uses Gauntlt?

TL;DR:

Gauntlt automates security tools

Attack Logic

GIVEN / WHEN / THEN

Let’s automate two attacks

Garmr is Mozilla Security policy distilled for the rest of us

Check for XSS
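The slide gives only the GIVEN/WHEN/THEN skeleton; the following Gauntlt attack file for the Garmr scan is an added example, not a file from the talk or the gauntlt-demo repository. It is tagged @final so the Rakefile's `gauntlt --tags @final` would pick it up, points at the gruyere port from the installation step, and its step wording follows Gauntlt's garmr attack adapter as I recall it; the "Passed" string it asserts on is an assumption about Garmr's output and should be checked against a real run.

```gherkin
@final
Feature: Run a Garmr scan against the local gruyere app

  # GIVEN: preconditions. Gauntlt checks the tool is on PATH and loads a
  # profile whose values are substituted into the attack command as <name>.
  Background:
    Given "garmr" is installed
    And the following profile:
      | name     | value                 |
      | hostname | http://localhost:8008 |

  # WHEN: the command Gauntlt runs. THEN: assertions on its output.
  # A failed assertion makes gauntlt exit non-zero, which fails the rake
  # task and therefore the Travis build (the "good citizen of exit status" point).
  Scenario: Verify Garmr reports passing checks
    When I launch a "garmr" attack with:
      """
      garmr -u <hostname>
      """
    # ASSUMPTION: Garmr prints "Passed" for checks that pass; adjust to its real output.
    Then the output should contain:
      """
      Passed
      """
```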

Rakefile:

  require 'gauntlt'

  task :gauntlt do
    sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
    sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
    sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
  end

Let’s set up the pipeline

Setup Travis CI

Go to travis-ci.org, log in with your github credentials

Find the repo you cloned (might need to sync)

Flip the switch ‘on’

.travis.yml:

  language: ruby
  rvm:
    - 1.9.3

  before_install:
    - git submodule update --init --recursive

  before_script:
    - sudo apt-get install nmap
    - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
    - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
    - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'

  script: bundle exec rake

  notifications:
    irc:
      channels:
        - "chat.freenode.net#gauntlt"
      use_notice: true

  deploy:
    provider: s3
    access_key_id: ASDBDSABDASDBDSDASD
    secret_access_key:
      secure: dasjdkla;sdjsakdsadasd
    bucket: build-artifacts

Sahweet!

https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations

http://vimeo.com/75930344

more on gauntlt

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• Twitter > @gauntlt

• IRC > #gauntlt on freenode

• Issue tracking > http://github.com/gauntlt/gauntlt

https://vimeo.com/79797907

50% off Gauntlt Book: leanpub.com/hands-on-gauntlt/c/austin-sdlc

Caveat Emptor: Under development!

Valid until June 15th

Questions?

twitter: @wickett email: james@gauntlt.org
