BE MEAN TO YOUR CODE RUGGED DEVELOPMENT & YOU MATT JOHANSEN JAMES WICKETT
Jul 07, 2015
@mattjay
The Beard of Destiny
Gauntlt Cheerleader
Head of WhiteHat Threat Research Center
BlackHat, DEFCON, RSA, SXSW, more++
@wickett
Gauntlt Project Lead
Founder of LASCON
Sr. Engineer at Signal Sciences
#RUGGEDCODE
AUDIENCE SURVEY
Cloud or Metal?
DevOps? Agile? Flavors?
How does code get to production?
How often do you do code changes?
Do you do security testing in the build/deploy pipeline?
PRINCIPLES FOR A MODERN SECURITY TEAM
OSSM
On Demand
Scalable
Self-Service
Measured
Source: Dave Neilsen
OLD DECISION MATRIX
Function
Features
Gartner Magic Quadrant
Trial Eval
TCO
NEW DECISION MATRIX
API and Integrations
Service Billing
Half Decent?
PLAY NICE AND INTEGRATE WITH OTHERS
PRINCIPLE #1
PEOPLE PROCESS TECHNOLOGY
INFLUENCE THE PEOPLE
PRINCIPLE #2
DEVOPS
CAMS
Culture
Lean*
Automation
Measurement
Sharing
Source: @botchagalupe @damonedwards
WHAT WE VALUE IS DETERMINED BY OUR CULTURE
PRINCIPLE #3
CONTINUOUS DELIVERY IS KING
PRINCIPLE #4
THERE ARE TWO PATHS TO WINNING FOR SECURITY
THE DEVELOPMENT AND BUILD PIPELINE
OPERATIONAL RUNTIME STATE AND MONITORING
WE ARE FOCUSING ON DEV/BUILD PIPELINE IN THIS PRESENTATION
DETECT AND FIX IN DEVELOPMENT
WHY DOES THIS MATTER?
VULNERABLE CODE IS EVERYWHERE
HOW DO I FIX XSS?
GOOD: INPUT SANITIZATION [XSS]
BLACKLIST :( [XSS]
WHITELIST :) [XSS]
BETTER: OUTPUT ENCODING [XSS]
< > BECOME &lt; &gt; [XSS]
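The three XSS slides above (blacklist, whitelist, output encoding) side by side, as an added example that is not code from the talk. The sample strings and the `username`/`comment` fields are constructed for the illustration; it uses only the Python standard library, so `html.escape` stands in for whatever encoder a real template engine supplies.

```python
import html
import re

# Constructed sample inputs for this example (not from the slides).
SAMPLES = {
    "benign": "I <3 rugged code & gauntlt",
    "script": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "attribute": '" onmouseover="alert(1)',
}


def blacklist_filter(text: str) -> str:
    """The sad-face approach: strip one known-bad substring.
    Anything not on the list (case variants, attribute breakouts) passes through."""
    return text.replace("<script>", "").replace("</script>", "")


# The happy-face approach: a whitelist for a field whose shape is known.
# Usernames here may only contain letters, digits and underscore, 3 to 20 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def encode_for_html(text: str) -> str:
    """Output encoding: store the value verbatim, escape it for the HTML
    context at render time. < > become &lt; &gt;, and with quote=True the
    double and single quotes are encoded too, so the value is safe inside
    a quoted attribute as well as in element text."""
    return html.escape(text, quote=True)


def render_comment(author: str, body: str) -> str:
    """Render untrusted author and body into a fragment; both are encoded."""
    return (
        f'<div class="comment" data-author="{encode_for_html(author)}">'
        f"{encode_for_html(body)}</div>"
    )


def contains_raw_script_tag(fragment: str) -> bool:
    """Crude check used to compare the approaches: is an unencoded <script tag left?"""
    return "<script" in fragment.lower()


def demo() -> dict:
    """Run every sample through the blacklist and through output encoding."""
    return {
        name: {
            "blacklist_leaks": contains_raw_script_tag(blacklist_filter(value)),
            "encoded_leaks": contains_raw_script_tag(render_comment("matt_jay", value)),
        }
        for name, value in SAMPLES.items()
    }
```

The blacklist catches exactly the one string it knows about and lets the mixed-case variant through; output encoding never has to know what "bad" looks like, because the browser is only ever handed text, never markup. The whitelist stays useful for fields with a fixed shape, but it is validation of the field, not a substitute for encoding on output.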
SQL INJECTION [SQLi]
CREDIT: XKCD
HOW DO I FIX IT? [SQLi]
PARAMETERIZED QUERIES [SQLi]
PARAMETERIZED QUERIES (PHP) [SQLi]
PARAMETERIZED QUERIES (JAVA) [SQLi]
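The PHP and Java slides showed the parameterized form; the code itself did not survive extraction. As an added example, not from the talk, the same before/after in Python against an in-memory SQLite table. The `students` table, its rows and the lookup function are constructed for the illustration; the `?` placeholder is the DB-API style SQLite uses, other drivers spell it `%s` or `:name`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for this example (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO students (name) VALUES (?)",
        [("Alice",), ("Bob",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def find_students_concat(conn: sqlite3.Connection, name: str) -> list:
    """Before: string concatenation. The caller's text becomes part of the
    SQL grammar, so quotes in it change what the statement means."""
    sql = "SELECT name FROM students WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_students_param(conn: sqlite3.Connection, name: str) -> list:
    """After: parameterized query. The statement is fixed text and the value
    travels separately, so it can only ever be compared, never parsed."""
    sql = "SELECT name FROM students WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Compare both functions on a normal name, a legitimate apostrophe,
    and the classic tautology from the Bobby Tables family."""
    conn = make_db()
    results = {
        "concat_normal": find_students_concat(conn, "Alice"),
        "param_normal": find_students_param(conn, "Alice"),
    }
    # A real name with an apostrophe is a syntax error for the concatenated
    # statement and a perfectly ordinary lookup for the parameterized one.
    try:
        results["concat_apostrophe"] = find_students_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["concat_apostrophe"] = f"error: {exc}"
    results["param_apostrophe"] = find_students_param(conn, "O'Brien")
    # The tautology makes the concatenated WHERE clause true for every row;
    # parameterized, it is just a name nobody has.
    tautology = "x' OR '1'='1"
    results["concat_tautology"] = find_students_concat(conn, tautology)
    results["param_tautology"] = find_students_param(conn, tautology)
    return results
```

The apostrophe case is the one to show developers who think "we don't have attackers": concatenation is a correctness bug before it is a security bug, and the parameterized version fixes both at once.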
CROSS SITE REQUEST FORGERY [CSRF]
HOW DO I FIX IT? [CSRF]
TOKENS! [CSRF]
IMAGE CREDIT: DOTNETBIPS.COM
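The "TOKENS!" slide in working form, as an added example that is not code from the talk: a synchronizer token bound to the session with an HMAC, checked on every state-changing POST. The `SERVER_SECRET`, the `session` cookie name, the `csrf_token` form field and the `handle_transfer` handler are all constructed for this illustration; a framework would supply its own equivalents.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real service loads this from configuration
# and rotates it, it is not generated at import time.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(
        SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()


def issue_token(session_id: str) -> str:
    """Mint a token for a session: a random nonce plus an HMAC that ties the
    nonce to this session, so a token captured elsewhere is useless here."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for the presented nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(request: dict) -> tuple:
    """State-changing handler. The browser attaches the session cookie to any
    request, including one a hostile page triggers, so the cookie alone proves
    nothing. The token must arrive in the form body, where only a page served
    from this origin could have placed it."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no session"
    form = request.get("form", {})
    if not verify_token(session_id, form.get("csrf_token", "")):
        return 403, "csrf check failed"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def render_form(session_id: str) -> str:
    """The page that legitimately submits to handle_transfer embeds a fresh token."""
    token = issue_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )
```

Two details carry the security: `hmac.compare_digest` keeps the comparison constant-time, and binding the nonce to `session_id` means a token issued for one session fails for another even if the form field is copied verbatim.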
AGAIN… VULNERABLE CODE IS EVERYWHERE
GETS FIXED SLOWLY
…IF EVER
OWASP TOP 10
YOU HAVE A BUILD PIPELINE
TELL ME MORE ABOUT HOW SPECIAL YOU ARE
GAUNTLT
BUILT ON CUCUMBER
GAUNTLT PRINCIPLES AND PHILOSOPHY
• Gauntlt comes with pre-canned steps that hook security testing tools
• Gauntlt does not install tools
• Gauntlt can be part of the CI/CD pipeline
• Be a good citizen of exit status and stdout/stderr
• MIT Open Source License
GAUNTLT RESOURCES
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/gauntlt
./velocity/lab_3/.travis.yml
./Rakefile
./test/attacks/email_leakage.attack
./test/attacks/backdoors.attack
./test/attacks/sql_injection.attack
DEMO
@MATTJAY @WICKETT