be mean to your code: rugged development & you

Post on 07-Jul-2015


DESCRIPTION

Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application. This talk brings together advice and tools from top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle, from code commit to running system. You will learn pragmatic approaches and tooling that will affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away, and you will also be armed with rugged anti-patterns to help you identify what to change.

TRANSCRIPT

BE MEAN TO YOUR CODE: RUGGED DEVELOPMENT & YOU

MATT JOHANSEN (@mattjay)

The Beard of Destiny

Gauntlt Cheerleader

Head of WhiteHat Threat Research Center

BlackHat, DEFCON, RSA, SXSW, more++

JAMES WICKETT (@wickett)

Gauntlt Project Lead

Founder of LASCON

Sr. Engineer at Signal Sciences

We’re making AppSec effective and practical

signalsciences.com

#RUGGEDCODE

AUDIENCE SURVEY

Cloud or Metal?

DevOps? Agile? Flavors?

How does code get to production?

How often do you do code changes?

Do you do security testing in the build/deploy pipeline?

PRINCIPLES FOR A MODERN SECURITY TEAM

OSSM

On Demand

Scalable

Self-Service

Measured

Source: Dave Neilsen

OLD DECISION MATRIX

Function

Features

Gartner Magic Quadrant

Trial Eval

TCO

NEW DECISION MATRIX

API and Integrations

Service Billing

Half Decent?

PRINCIPLE #1: PLAY NICE AND INTEGRATE WITH OTHERS

PEOPLE, PROCESS, TECHNOLOGY

PRINCIPLE #2: INFLUENCE THE PEOPLE

DEVOPS

CAMS

Culture

Lean*

Automation

Measurement

Sharing

Source: @botchagalupe @damonedwards

PRINCIPLE #3: WHAT WE VALUE IS DETERMINED BY OUR CULTURE

PRINCIPLE #4: CONTINUOUS DELIVERY IS KING

THERE ARE TWO PATHS TO WINNING FOR SECURITY

THE DEVELOPMENT AND BUILD PIPELINE

OPERATIONAL RUNTIME STATE AND MONITORING

WE ARE FOCUSING ON THE DEV/BUILD PIPELINE IN THIS PRESENTATION

DETECT AND FIX IN DEVELOPMENT

WHY DOES THIS MATTER?

VULNERABLE CODE IS EVERYWHERE

HOW DO I FIX XSS?

GOOD: INPUT SANITIZATION [XSS]

BLACKLIST :( [XSS]

WHITELIST :) [XSS]

BETTER: OUTPUT ENCODING [XSS]

< > BECOME &lt; &gt; [XSS]
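As an added illustration of the two XSS slides above (whitelist the input, then encode on output), here is Python that is not from the talk: a whitelist check for a username field (the allowed pattern is an assumption for the example) and the standard library html.escape doing the output encoding, so that < and > reach the browser as &lt; and &gt; instead of as markup.

```python
import html
import re

# Whitelist: describe what a valid value looks like and reject everything else.
# Assumption for this example: a username is 1-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value: str) -> bool:
    """Whitelist input validation: only the allowed shape passes."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: &, <, >, " and ' become entities, so the browser
    renders the value as text rather than parsing it as HTML."""
    return html.escape(value, quote=True)


def render_greeting(display_name: str) -> str:
    """Build an HTML fragment; the untrusted value is encoded at the point
    where it is written into the page, whatever validation happened earlier."""
    return "<p>Hello, " + encode_for_html(display_name) + "!</p>"


if __name__ == "__main__":
    # Constructed inputs: one that passes the whitelist, one that would not.
    for name in ("alice_01", "<i>bob</i>"):
        print(name, "valid username:", is_valid_username(name))
        print(render_greeting(name))
```

The two functions are complementary, not alternatives: the whitelist keeps junk out of fields that have a known shape, while the encoder protects every output location, including free-text fields that cannot be whitelisted.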

SQL INJECTION [SQLi]

CREDIT: XKCD

HOW DO I FIX IT? [SQLi]

PARAMETERIZED QUERIES [SQLi]

PARAMETERIZED QUERIES (PHP) [SQLi]

PARAMETERIZED QUERIES (JAVA) [SQLi]

CROSS SITE REQUEST FORGERY [CSRF]

HOW DO I FIX IT? [CSRF]

TOKENS! [CSRF]

IMAGE CREDIT: DOTNETBIPS.COM
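Added example, not from the talk: a per-session CSRF token in Python, generated with secrets, kept server-side, and checked with a constant-time comparison before a state-changing handler does any work. The in-memory session store and the transfer handler are constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: session_id -> csrf token.
# A real application keeps this in its server-side session storage.
_session_tokens: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint one unguessable token per session and remember it server-side.
    The application embeds it in each form as a hidden field."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """True only when the submitted token equals the one issued to this session.
    compare_digest keeps the comparison constant-time."""
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing request: the token check runs before anything else."""
    if not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transfer accepted"


if __name__ == "__main__":
    sid = "session-abc"
    token = issue_csrf_token(sid)
    print(handle_transfer(sid, {"csrf_token": token}))  # accepted
    print(handle_transfer(sid, {}))                      # rejected: no token
    print(handle_transfer("other-session", {"csrf_token": token}))  # rejected
```

A forged cross-site request can carry the victim's cookies, but it cannot read the token out of the victim's page, so it cannot supply the hidden field; that is why the token must be per-session and unpredictable rather than a fixed value.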

AGAIN… VULNERABLE CODE IS EVERYWHERE

GETS FIXED SLOWLY

…IF EVER

OWASP TOP 10

YOU HAVE A BUILD PIPELINE

TELL ME MORE ABOUT HOW SPECIAL YOU ARE

GAUNTLT

BUILT ON CUCUMBER

GAUNTLT PRINCIPLES AND PHILOSOPHY

• Gauntlt comes with pre-canned steps that hook security testing tools

• Gauntlt does not install tools

• Gauntlt can be part of the CI/CD pipeline

• Be a good citizen of exit status and stdout/stderr

• MIT Open Source License
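To make the principles above concrete, here is an added Python stand-in for the Gauntlt model (not Gauntlt's own code, and not its attack-file syntax): an "attack" names a tool, a command and text the output must or must not contain; the runner checks that the tool is present rather than installing it, and reports the result only through exit status and stdout/stderr, which is what lets a CI job fail the build. The sample attacks use echo in place of a real security tool so the block runs offline.

```python
import shutil
import subprocess
import sys


def tool_installed(name: str) -> bool:
    """Gauntlt does not install tools; it only checks that they are on PATH."""
    return shutil.which(name) is not None


def run_attack(attack: dict):
    """Run one attack. Returns (passed, reason)."""
    if not tool_installed(attack["tool"]):
        return False, f'tool "{attack["tool"]}" is not installed'
    proc = subprocess.run(attack["command"], shell=True, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    for needle in attack.get("should_contain", []):
        if needle not in output:
            return False, f"output missing {needle!r}"
    for needle in attack.get("should_not_contain", []):
        if needle in output:
            return False, f"output contains {needle!r}"
    return True, "ok"


def run_suite(attacks) -> int:
    """Exit-status citizen: 0 when every attack passes, 1 otherwise.
    Passes go to stdout, failures to stderr."""
    status = 0
    for attack in attacks:
        passed, reason = run_attack(attack)
        stream = sys.stdout if passed else sys.stderr
        print("PASS" if passed else "FAIL", attack["name"], "-", reason, file=stream)
        if not passed:
            status = 1
    return status


# Constructed sample attacks: echo stands in for a real tool's output.
SAMPLE_ATTACKS = [
    {
        "name": "server header present but version not disclosed",
        "tool": "echo",
        "command": "echo 'Server: nginx'",
        "should_contain": ["Server:"],
        "should_not_contain": ["nginx/1."],
    },
    {
        "name": "health endpoint answers",
        "tool": "echo",
        "command": "echo 'HTTP/1.1 200 OK'",
        "should_contain": ["200 OK"],
    },
]

if __name__ == "__main__":
    sys.exit(run_suite(SAMPLE_ATTACKS))
```

Wiring this into a pipeline is the same as with Gauntlt: the build step runs the script, and a non-zero exit fails the stage, so a regression in any attack blocks the deploy instead of being a report someone reads later.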

GAUNTLT RESOURCES

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• Twitter > @gauntlt

• IRC > #gauntlt on freenode

• Issue tracking > http://github.com/gauntlt/gauntlt

THE GAUNTLT BOOK

FREE FOR LASCON!

book@gauntlt.org

./velocity/lab_3/.travis.yml

./Rakefile

./test/attacks/email_leakage.attack

./test/attacks/backdoors.attack

./test/attacks/sql_injection.attack

DEMO

@MATTJAY @WICKETT
