Attacking Pipelines--Security meets Continuous Delivery
23 likes6,265 views
The document outlines the concept of an 'attacking pipeline' for security testing in software development, encouraging a more integrated approach with DevOps practices. It emphasizes the need for automation and continuous integration, using tools like Travis CI and Gauntlt to help developers write and implement security tests efficiently. The author provides guidance on setting up repositories, creating security tests, and integrating them into the deployment pipeline to foster a culture of quality and transparency.
Attacking Pipelines--Security meets Continuous Delivery
- 2. Goal: Equip you with the Theory, Examples and Tooling so that you can begin Your rugged journey with an attacking pipeline you can lovingly call your very own
- 4. James Wickett [email protected] Austin, TX Gauntlt Core Team DevOps Days Austin Organizer Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …
- 5. Why does this matter?
- 7. “I want to solve a problem so we can make awesome” - Business
- 10. …in 2 years with an expensive, bloated project that is so fragile that we can only make changes to it 4 times a year and only after the sacred upgrade rituals are performed
- 11. CISO say whut?
- 13. Biz say whut?
- 14. Just Ship It!
- 15. SPOILER ALERT!
- 19. How did we get here?
- 21. Software as a Service
- 24. Fragile Code as a Service
- 26. Dev and Ops have teamed up in this new world
- 28. DevOps is 5 years old now
- 29. The security organization is stuck in 1997 … mostly
- 30. Why is that?
- 31. Compliance Driven Culture: PCI, SOX, …
- 32. Ratio Problem Devs / Ops / Security 100 / 10 / 1
- 33. Security Tools are run out-of-band
- 34. But, there is hope
- 37. The Society of Rugged Developers ! ruggeddev.org
- 40. #RuggedDevOps
- 42. Pipelines!
- 44. commit -> test -> deploy
- 45. github -> travis -> s3
- 46. git -> jenkins -> rundeck
- 47. you can now answer the question of what is deployed and how it was tested
- 48. Simple is better
- 49. Continuous Integration Options On premise: Jenkins Cloud hosted: Travis CI, Circle CI, CloudBees, Wercker, Shippable, Drone.io… Or a mix: DotCI
- 51. Attacking Pipeline Guide Check your app/service/thing into a github repo Create some security tests Setup Travis CI to talk to your repo Create a .travis.yml file Write code, write moar security tests…
- 52. Try this at home
- 54. What is gauntlt-demo Contains vulnerable web apps written in python and ruby on rails Easy hooks for spinning up the apps Contains labs and examples for writing attacks An attacking pipeline Travis CI to attack the web apps
- 55. Installation $ git clone https://github.com/gauntlt/ gauntlt-demo $ cd ./gauntlt-demo $ git submodule update --init --recursive $ bundle
- 56. $ bundle exec start_services config/gruyere.rb
- 58. Attacking Pipeline Guide Check your app/service/thing into a github repo Create some security tests Setup Travis CI to talk to your repo Create a .travis.yml file Write code, write moar security tests…
- 59. Security Testing Static Code Analysis Dynamic Testing Virus Scanning Code Signing Checks Business logic/flow testing
- 60. convert thy pdf to tests!
- 61. Wouldn’t it be great if we could automate our security tests…
- 63. Security + Cucumber = Gauntlt
- 65. Gauntlt Philosophy Gauntlt comes with pre-canned steps that hook security testing tools Gauntlt does not install tools Gauntlt can be part of the CI/CD pipeline Be a good citizen of exit status and stdout/stderr MIT Open Source License
- 71. Garmr is Mozilla Security policy distilled for the rest of us
- 73. Check for XSS
- 75. Rake require 'gauntlt' task :gauntlt do sh "cd ./vendor/gruyere && ./manual_launch.sh && cd ../.." sh "cd ./examples && bundle exec gauntlt --tags @final && cd .." sh "cd ./vendor/gruyere && ./manual_kill.sh && cd ../.." end
- 76. Attacking Pipeline Guide Check your app/service/thing into a github repo Create some security tests Setup Travis CI to talk to your repo Create a .travis.yml file Write code, write moar security tests…
- 77. Let’s set up the pipeline
- 78. Setup Travis CI Go to travis-ci.org, login with github credentials Find the repo you cloned (might need to sync) Flip the switch ‘on’
- 80. Attacking Pipeline Guide Check your app/service/thing into a github repo Create some security tests Setup Travis CI to talk to your repo Create a .travis.yml file Write code, write moar security tests…
- 81. .travis.yml language: ruby rvm: - 1.9.3 before_install: - git submodule update --init -- recursive
- 82. .travis.yml before_script: - sudo apt-get install nmap - export SSLYZE_PATH="/home/travis/build/ gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py" - export SQLMAP_PATH="/home/travis/build/ gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py" - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
- 83. .travis.yml script: bundle exec rake
- 85. .travis.yml deploy: provider: s3 access_key_id: ASDBDSABDASDBDSDASD secret_access_key: secure:dasjdkla;sdjsakdsadasd bucket: build-artifacts
- 89. Sahweet!
- 90. Attacking Pipeline Guide Check your app/service/thing into a github repo Create some security tests Setup Travis CI to talk to your repo Create a .travis.yml file Write code, write moar security tests…
- 92. more on gauntlt • Google Group > https://groups.google.com/d/ forum/gauntlt • Wiki > https://github.com/gauntlt/gauntlt/wiki • Twitter > @gauntlt • IRC > #gauntlt on freenode • Issue tracking > http://github.com/gauntlt/gauntlt
- 94. 50% off Gauntlt Book leanpub.com/hands-on-gauntlt/c/austin-sdlc Caveat Emptor: Under development! Valid until June 15th