Talk given at ISC2 Secure SDLC event in Austin, TX
The release velocity for our applications is increasing, often leaving security testing behind. In some cases, the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but let's do one better. Let's do security testing on every code change. Using automation tooling and DevOps practices, this talk will help you tune security testing to your release cadence and, more importantly, help you deliver more rugged software.
2. Goal: Equip you with the theory, examples and tooling so that you can begin your rugged journey with an attacking pipeline you can lovingly call your very own
10. …in 2 years with an expensive, bloated project that is so fragile that we can only make changes to it 4 times a year and only after the sacred upgrade rituals are performed
49. Continuous Integration Options
On-premises: Jenkins
Cloud hosted: Travis CI, Circle CI, CloudBees, Wercker, Shippable, Drone.io…
Or a mix: DotCI
51. Attacking Pipeline Guide
Check your app/service/thing into a github repo
Create some security tests
Setup Travis CI to talk to your repo
Create a .travis.yml file
Write code, write moar security tests…
54. What is gauntlt-demo
Contains vulnerable web apps written in Python and Ruby on Rails
Easy hooks for spinning up the apps
Contains labs and examples for writing attacks
An attacking pipeline (Travis CI) to attack the web apps
65. Gauntlt Philosophy
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt can be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
MIT Open Source License
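The "Create some security tests" step of the pipeline guide and the philosophy points above come together in a Gauntlt attack file. The one below is an added example written for this page, not a file from gauntlt-demo. The `@final` tag is chosen so the Rakefile's `gauntlt --tags @final` run would pick it up; the hostname, port 8008, and the two response headers it expects are assumptions about the demo app, not facts from the deck. The `Given "nmap" is installed` steps show the "does not install tools" rule in practice: Gauntlt only checks that the tool is present and fails fast if it is not.

```gherkin
# Example attack file for this page (not part of gauntlt-demo).
# Assumes the target app is already listening on localhost:8008 and that
# nmap and curl are on the PATH of the CI box. Gauntlt never installs them.
@final
Feature: Smoke-test the demo web app on every build

Background:
  Given "nmap" is installed
  And "curl" is installed
  And the following profile:
    | name     | value                  |
    | hostname | localhost              |
    | url      | http://localhost:8008/ |

Scenario: Only the application port is exposed, the database port is not
  When I launch an "nmap" attack with:
    """
    nmap -p 8008,3306 <hostname>
    """
  Then the output should match /8008\/tcp\s+open/
  And the output should not match /3306\/tcp\s+open/

Scenario: Responses carry clickjacking and MIME-sniffing defences
  When I launch a "curl" attack with:
    """
    curl -sI <url>
    """
  Then the output should contain "X-Frame-Options"
  And the output should contain "X-Content-Type-Options: nosniff"
```

Each scenario runs one tool and asserts on its stdout, which is all Gauntlt does; a failed assertion gives `gauntlt` a non-zero exit status, the rake task wrapping it fails, and the build goes red. Against a deliberately vulnerable app such as the one the demo ships, the header scenario is expected to fail, which is exactly the signal the pipeline exists to produce.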
75. Rake
require 'gauntlt'

# Start the vulnerable app, run the @final attacks, then stop the app.
# `sh` raises on a non-zero exit, so a failed attack fails the rake task
# and, with it, the CI build.
task :gauntlt do
  sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.."
  begin
    sh "cd ./examples && bundle exec gauntlt --tags @final && cd .."
  ensure
    # always tear the app down, even when an attack fails
    sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.."
  end
end
78. Setup Travis CI
Go to travis-ci.org, log in with GitHub credentials
Find the repo you cloned (might need to sync)
Flip the switch ‘on’
92. more on gauntlt
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/gauntlt