pragmatic security and rugged devops - sxsw 2015

Post on 14-Jul-2015


PRAGMATIC SECURITY AND RUGGED DEVOPS

WORKSHOP

@WICKETT // @MATTJAY

#SXSW #RUGGEDCODE

CONVERSATION

#SXSW + #RUGGED CODE

50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES!

leanpub.com/hands-on-gauntlt/c/50percentoff

63% HANDS ON LABS!

APPLIED THEORY

WORKSHOP PLEDGE

You/Me

I will not attempt to access my neighbor’s computer

I will not hack the wifi

I will be friendly to those around me

TWO 5-MINUTE BREAKS

HANDS-ON LABS

~8 mini labs lasting 5 to 10 minutes each

Let us know if you are having a problem, and we will help

We will also be around after the class to help

TIPS FOR THE LABS

Open the labs folder in your browser to follow along and benefit from the markdown display

Run all commands from the ~/gauntlt-demo directory

WHY ARE YOU HERE?

OUR GOAL: EQUIP YOU WITH PRAGMATIC APPROACHES TO SECURITY THAT CAN HELP YOU MAKE A DIFFERENCE

WHO ARE WE?

JAMES WICKETT

Sr. Engineer at Signal Sciences

Austin, TX

Gauntlt Core Team

DevOps Days Austin Organizer

Velocity, LASCON, ISC2, AppSecUSA, B-Sides, …

signalsciences.com

MATT JOHANSEN

Houston, TX

Sr. Manager, TRC, WhiteHat Security

BlackHat, DEFCON, RSA, more++

Wannabe Dev (node.js, angularjs)

I’m hiring

WHY DOES THIS MATTER?

SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY SONY, SONY, SONY, SONY, SONY

HUMANS OPTIMIZE FOR THE PROBABLE

WE OPTIMIZE FOR THE PROBABLE

UNIT TESTING

INTEGRATION TESTING

HAPPY PATH ENGINEERING

WE OPTIMIZE FOR THE POSSIBLE

OVER ENGINEERING

STRESS AND LOAD TESTING

WE OPTIMIZE FOR THE PERCEIVED PROBABLE

HOW DO WE PERCEIVE WHAT IS PROBABLE?

EPISTEMOLOGICAL PROBLEM OF SOFTWARE DEVELOPMENT

WE ATTEMPT TO SOLVE IT BY GATHERING DATA OR RHETORIC

3 APPROACHES TO SOLVE THE EPISTEMOLOGICAL PROBLEM OF SOFTWARE DEVELOPMENT

ARC 1: AGILE

AGILE SIDE-STEPS THE PROBLEM

AGILE SAYS WE DON’T KNOW WHAT WE ARE BUILDING

SOLUTION: RELEASE FEATURES TO CUSTOMERS RAPIDLY

JUST SHIP IT!

BEHAVIOR DRIVEN DEV

BEHAVIOR DRIVEN DEVELOPMENT IS A SECOND-GENERATION, OUTSIDE-IN, PULL-BASED, MULTIPLE-STAKEHOLDER, MULTIPLE-SCALE, HIGH-AUTOMATION, AGILE METHODOLOGY. IT DESCRIBES A CYCLE OF INTERACTIONS WITH WELL-DEFINED OUTPUTS, RESULTING IN THE DELIVERY OF WORKING, TESTED SOFTWARE THAT MATTERS.

DAN NORTH, 2009

AMPLIFY THE FEEDBACK LOOP

TLDR: RAPID ITERATIONS WIN

AGILE IS OUR GUIDING LIGHT

PEOPLE MATTER

WE DON'T SELL CDS ANYMORE

SOFTWARE AS A SERVICE

THE LAST 15 YEARS HAVE BROUGHT A COMPLETE CHANGE IN OUR DELIVERY CADENCE, DISTRIBUTION, AND REVENUE MODELS

DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

ARC 2: DEVOPS

AGILE INFRASTRUCTURE

http://itrevolution.com/the-history-of-devops/

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

FIRST DEVOPS DAYS, GHENT 2009

@PATRICKDEBOIS

THE OPPOSITE OF DEVOPS IS DESPAIR - GENE KIM

http://dev2ops.org/blog/2010/2/22/what-is-devops.html

DEVOPS REALIZED THAT OPS DOESN'T KNOW WHAT DEVS KNOW AND VICE VERSA

DEV : OPS 10 : 1

DEVOPS IS AN EPISTEMOLOGICAL BREAKTHROUGH JOINING DISPARATE PEOPLE AROUND A COMMON PROBLEM

DEVOPS IS AN INCLUSIVE MOVEMENT THAT CODIFIES A CULTURE - ADAM JACOB

CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE

WHAT WE VALUE DETERMINES OUR CULTURE

MUTUAL UNDERSTANDING, SHARED LANGUAGE, OPENNESS, VISUALIZATION, TOOLING

DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI

DEVOPS IS NOT A TECHNOLOGICAL PROBLEM. DEVOPS IS A BUSINESS PROBLEM. - DAMON EDWARDS

http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf

THE FIRST SCIENTIFIC STUDY OF THE RELATIONSHIP BETWEEN ORGANIZATIONAL PERFORMANCE, IT PERFORMANCE AND DEVOPS PRACTICES

DEVOPS PRACTICES IMPROVE IT PERFORMANCE

CULTURE, AUTOMATION, MEASUREMENT, SHARING

@BOTCHAGALUPE @DAMONEDWARDS

ANTIPATTERN: REBRAND YOUR OPS TEAM TO DEVOPS TEAM

ANTIPATTERN: MANUAL CONFIG OF PRODUCTION ENVIRONMENT

CHEF, PUPPET, ANSIBLE, CFENGINE, RUNDECK, MCOLLECTIVE

JENKINS, TRAVIS, KITCHEN, CUCUMBER, GAUNTLT, SERVERSPEC

VAGRANT, DOCKER

BEWARE OF THE DEVOPS SOFTWARE SOLUTION

“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS

http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

BUSINESS METRICS, EVENT CORRELATION, USAGE BASED MONITORING

ARC 3: CONTINUOUS DELIVERY

CONTINUOUS DELIVERY IS NOT MERELY HOW OFTEN YOU DELIVER BUT HOW LITTLE YOU CAN DELIVER AT A TIME

BATCH SIZE OF 1

OLD WAY: CHANGES BREAK STUFF, SO LIMIT THEM AND BATCH THEM ALL TOGETHER

NEW WAY: DELIVERY OF ONE CHANGE AT A TIME REDUCES OUTAGES, INCREASES PERFORMANCE, AND LIMITS TECHNICAL DEBT

NEVER PASS DEFECTS TO THE NEXT STEP - The Practice of Cloud System Administration

YOU MUST DEPLOY YOUR STUFF

LET THE BOTS TROLL THE USERS FOR THE LOLZ.

ALLOCATE TIME TO ENHANCE THE BUILD, TEST AND DEPLOY SYSTEM - The Practice of Cloud System Administration

REDUCE CODE LATENCY AND INCREASE CODE VELOCITY

THE NEXT ARC: SECURITY (RUGGED)

“… THOSE STUPID DEVELOPERS” - SECURITY PERSON

“SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED” - DEVELOPER

CULTURAL UNREST WITH SECURITY IN AN ORGANIZATION

COMPLIANCE DRIVEN CULTURE: PCI, SOX, …

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”

RATIO PROBLEM DEVS : OPS : SECURITY 100 : 10 : 1

SECURITY TOOLS ARE RUN OUT-OF-BAND

SECURITY TOOLS ARE CONFUSING

AND WHEN THEY ARE DONE THEY GIVE YOU THIS LOVELY GEM

THE TIDE IS CHANGING

RESILIENCY ENGINEERING

THE INFAMOUS NETFLIX CHAOS MONKEY

RUGGED

THE RUGGED MANIFESTO (EXCERPTS)

I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.

I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.

I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.

I AM RUGGED BECAUSE MY CODE CAN FACE THESE CHALLENGES AND PERSIST IN SPITE OF THEM.

#RUGGEDDEVOPS #DEVOPSSEC

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

RUGGED JOURNEY

http://videos.2012.appsecusa.org/video/54250716

http://www.youtube.com/watch?v=jQblKuMuS0Y

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

https://speakerdeck.com/mkonda/appsecusa-2013-insecure-expectations

http://vimeo.com/75930344

SECURITY TOOLING TO DELIVERY PIPELINE… TO INFLUENCE CULTURE, AUTOMATION, MEASUREMENT AND SHARING

RUGGED WEB APPS

VULNERABLE CODE IS EVERYWHERE

CROSS SITE SCRIPTING [XSS]

WHAT IS IT? [XSS]

REFLECTIVE [XSS]

PERSISTENT [XSS]

DOM BASED [XSS]

WHY IS IT BAD? [XSS]

DOCUMENT.COOKIE [XSS]

DOCUMENT.LOCATION [XSS]

HOW DO I FIX IT? [XSS]

GOOD: INPUT SANITIZATION [XSS]

BLACKLIST :( [XSS]

WHITELIST :) [XSS]

BETTER: OUTPUT ENCODING [XSS]

< > BECOME &lt; &gt; [XSS]
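The three approaches the slides rank (blacklist, whitelist, output encoding) side by side, as an added example in Ruby that is not code from the workshop or from Gauntlt. The blacklist strips one spelling of a tag, the whitelist validates a username against the shape it is allowed to have, and output encoding uses Ruby's standard-library CGI.escapeHTML so that < and > become &lt; and &gt; at render time. The sample inputs, the username rule and the greeting template are constructed for this example.

```ruby
require "cgi"

# Constructed sample inputs (not from the workshop): a benign name and two
# tag-shaped strings of the kind the slides are about, differing only in case.
SAMPLE_INPUTS = [
  "alice",
  "<script>alert(1)</script>",
  "<ScRiPt>alert(1)</ScRiPt>",
].freeze

# BLACKLIST :( - remove one spelling of a dangerous tag. Anything the author
# did not think of (here, a case variant) passes straight through, which is
# why blacklisting is the approach the slides frown on.
def blacklist_filter(input)
  input.gsub("<script>", "").gsub("</script>", "")
end

# WHITELIST :) - describe what a valid username looks like and reject
# everything else, rather than enumerating what "bad" looks like.
# The rule itself is an assumption made for this example.
USERNAME_RE = /\A[a-z0-9_]{1,32}\z/

def valid_username?(input)
  USERNAME_RE.match?(input)
end

# BETTER: OUTPUT ENCODING - encode at the point where data is written into
# HTML. CGI.escapeHTML turns < > & " ' into entities, so whatever reaches the
# page is rendered as text and never interpreted as markup.
def html_encode(text)
  CGI.escapeHTML(text)
end

# A template fragment done the right way: the value is encoded on output,
# regardless of whether it was validated on input.
def render_greeting(name)
  "<p>Hello, #{html_encode(name)}!</p>"
end

# True if a rendered fragment still carries a raw script tag (any case).
def carries_script_tag?(fragment)
  fragment.match?(/<\s*script/i)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |input|
    puts "input:      #{input}"
    puts "  blacklist: #{blacklist_filter(input)}  (script tag left? #{carries_script_tag?(blacklist_filter(input))})"
    puts "  whitelist: #{valid_username?(input) ? 'accepted' : 'rejected'}"
    puts "  encoded:   #{render_greeting(input)}"
  end
end
```

Validation and encoding are not alternatives: the whitelist rejects inputs that should never have been stored, while encoding protects the page even for data that arrived through some other path.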

SQL INJECTION [SQLi]

WHAT IS IT? [SQLi]

WHY IS IT BAD? [SQLi]

CREDIT: XKCD

HOW WOULD YOU EXPLOIT?

';

PWNED

HOW DO I FIX IT? [SQLi]

PARAMETERIZED QUERIES [SQLi]

PARAMETERIZED QUERIES (PHP) [SQLi]

PARAMETERIZED QUERIES (JAVA) [SQLi]
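The PHP and Java snippets from the slides are not in the transcript, so here is an added example in Ruby (not the workshop's code, and not a real database driver) that shows what the database receives under string concatenation versus a parameterized query. It uses the `';` input from the "HOW WOULD YOU EXPLOIT?" slide plus a perfectly legitimate name with an apostrophe, which breaks the concatenated form just as surely. The Query struct and the sample inputs are constructed for this example.

```ruby
# A statement as the database receives it: the SQL text it parses, plus the
# values bound separately. (Constructed stand-in for what a driver sends.)
Query = Struct.new(:sql, :params)

# Constructed inputs: a plain name, a legitimate name containing an
# apostrophe, and the two characters from the exploit slide.
SAMPLE_INPUTS = ["bob", "O'Brien", "';"].freeze

# Vulnerable: the value is pasted into the statement text, so the parser
# cannot tell where the developer's SQL ends and the user's data begins.
def concatenated_lookup(username)
  Query.new("SELECT * FROM users WHERE name = '#{username}'", [])
end

# PARAMETERIZED QUERIES: the statement text is a constant and the value
# travels as a bound parameter; the driver never splices it into the SQL.
def parameterized_lookup(username)
  Query.new("SELECT * FROM users WHERE name = ?", [username])
end

# True when different inputs produce different statement text, i.e. when
# input can rewrite the query instead of merely filling in a value.
def input_changes_statement?(builder, inputs)
  inputs.map { |name| builder.call(name).sql }.uniq.size > 1
end

# A concatenated statement with one string literal has exactly two quote
# characters. Any other count means the literal was terminated early, by an
# attacker or by an innocent "O'Brien"; either way the query is no longer
# the one the developer wrote.
def concatenated_literal_intact?(username)
  concatenated_lookup(username).sql.count("'") == 2
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |name|
    bad  = concatenated_lookup(name)
    good = parameterized_lookup(name)
    puts "input: #{name.inspect}"
    puts "  concatenated:  #{bad.sql}   (literal intact? #{concatenated_literal_intact?(name)})"
    puts "  parameterized: #{good.sql}   params=#{good.params.inspect}"
  end
end
```

Escaping quotes by hand is not the fix the slides recommend; binding parameters is, because the statement shape is fixed before any user data is seen.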

CROSS SITE REQUEST FORGERY [CSRF]

WHAT IS IT? [CSRF]

WHY IS IT BAD? [CSRF]

HOW DO I FIX IT? [CSRF]

TOKENS! [CSRF]

IMAGE CREDIT: DOTNETBIPS.COM
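What "TOKENS!" means in code, as an added example in Ruby that is not the workshop's code or any framework's implementation: a per-session anti-forgery token is issued, embedded in the form as a hidden field, and checked in constant time on every state-changing request. The browser attaches the session cookie to a forged request automatically, but the forging page cannot read the token, so the check fails. The session store, field name and request handler are constructed for this example.

```ruby
require "securerandom"

# Issues and validates per-session anti-forgery tokens. The in-memory hash
# stands in for a real session backend (constructed for this example).
class CsrfGuard
  TOKEN_BYTES = 32

  def initialize
    @tokens = {} # session_id => token
  end

  # Issue (or reuse) the token for a session. It is random and bound to the
  # session, so a cross-site page has no way to learn or guess it.
  def token_for(session_id)
    @tokens[session_id] ||= SecureRandom.hex(TOKEN_BYTES)
  end

  # The hidden field a legitimate form includes alongside its other inputs.
  def hidden_field(session_id)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session_id)}">)
  end

  # Validate a state-changing request: fail if no token was ever issued for
  # this session, if the field is absent, or if the values differ.
  def valid?(session_id, submitted)
    expected = @tokens[session_id]
    return false if expected.nil? || submitted.nil?
    secure_equal?(expected, submitted)
  end

  private

  # Constant-time comparison so the check does not leak the token byte by
  # byte through timing differences.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Simulated POST /transfer handler. session_id is what the session cookie
# resolves to; params is the submitted form body.
def handle_transfer(guard, session_id, params)
  unless guard.valid?(session_id, params["authenticity_token"])
    return [403, "CSRF token missing or invalid"]
  end
  [200, "transfer accepted"]
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new
  token = guard.token_for("sess-A")
  puts guard.hidden_field("sess-A")
  puts handle_transfer(guard, "sess-A", { "authenticity_token" => token }).inspect
  puts handle_transfer(guard, "sess-A", {}).inspect # forged request: no token
end
```

The token must be compared against the one stored for the *same* session; a token issued to another session is rejected even though it is well-formed.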

AGAIN… VULNERABLE CODE IS EVERYWHERE

GETS FIXED SLOWLY

…IF EVER

OWASP TOP 10

LAB #1 - SETUP

SETUP

github.com/gauntlt/gauntlt-demo

Open the Labs in your browser > https://github.com/gauntlt/gauntlt-demo/tree/master/labs/sxsw-2015

You need Vagrant and VirtualBox installed on your laptop

LAB INSTRUCTIONS

For this lab, you will complete:

├── 01_Overview.md
├── 02_Setup using Vagrant.md

5-MINUTE BREAK

LAB #2 - WEB APP HACKING

XSS DEMO

FIND THE VULN

LAB INSTRUCTIONS

For this lab, you will complete:

├── 04_Start up Vulnerable Target.md

For this lab, poke around and try to find a second XSS vulnerability

Let us know when you find it…

INTRO TO GAUNTLT

WOULDN’T IT BE GREAT IF WE COULD AUTOMATE OUR SECURITY TESTS…

http://static.hothdwallpaper.net/51b8e4ee5a5ae19808.jpg

GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING

GAUNTLT IS OPEN SOURCE, MIT LICENSED

GAUNTLT AUTOMATES SECURITY TOOLS

GAUNTLT = SECURITY + CUCUMBER

CODE

GARMR, NMAP, CURL, ARACHNI

BUILT ON CUCUMBER

GAUNTLT PHILOSOPHY

Gauntlt comes with pre-canned steps that hook security testing tools

Gauntlt does not install tools

Gauntlt wants to be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr

GAUNTLT IS COLLABORATION

GAUNTLT IN ACTION

*.attack

something.attack
else.attack

ATTACK STRUCTURE

Feature (Description)
Background (Setup)
Scenario (Logic)

ATTACK LOGIC

Given
When
Then

ATTACK STEP: GIVEN

Setup steps

Check Resource Available

Given "arachni" is installed

ATTACK STEP: WHEN

Action steps

When I launch an "arachni-xss" attack

ATTACK STEP: THEN

Parsing Steps

Then the output should not contain "fail"

LET’S PUT IT ALL TOGETHER

LAB #3 - HELLO WORLD

LAB INSTRUCTIONS

For this lab, you will complete:

├── 05_Hello World with Gauntlt.md

HELLO WORLD

LAB #4 - BASIC PORT CHECK

LAB INSTRUCTIONS

For this lab, you will complete:

├── 06_Port Check.md

TRY OUT NMAP

$ nmap -F localhost
$ nmap -F scanme.nmap.org

@challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md

$ bundle exec gauntlt --allsteps

SOLUTION

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """

LAB #5 - CLI AND REGEX

LAB INSTRUCTIONS

For this lab, you will complete:

├── 07_Working with Gauntlt CLI.md
├── 08_Regex.md

Open 07_Working with Gauntlt CLI.md and run the following:

08_Regex.md

SOLUTION

Then the output should match:
  """
  8008\/tcp\s+open
  """
Then the output should not match /3001.tcp\s+open/
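What the Then-steps of Labs 4 and 5 actually do to the tool output, and why the Lab 5 regex is stronger than the Lab 4 substring check, as an added example in Ruby. This is not Gauntlt's own step code: it re-implements "should contain", "should match" and "should not match" over two constructed nmap -F outputs (not captured from the lab VM) and returns the exit status a CI job would see, in the spirit of the "good citizen of exit status" slide. The port numbers follow the lab (8008 for the vulnerable target, 3001 expected closed); the scan text itself is made up.

```ruby
# Constructed nmap -F output standing in for a scan of the lab VM: the
# vulnerable target on 8008, something on 3000, nothing listening on 3001.
SAMPLE_NMAP_OUTPUT = <<~OUT.freeze
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00012s latency).
  Not shown: 97 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  3000/tcp open  ppp
  8008/tcp open  http
OUT

# Same scan, but 8008 is filtered rather than open. The substring "8008" is
# still present, so Lab 4's "should contain" passes while Lab 5's regex,
# which demands "open" after the port, correctly fails.
SAMPLE_NMAP_FILTERED = <<~OUT.freeze
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00012s latency).
  Not shown: 97 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  3000/tcp open     ppp
  8008/tcp filtered http
OUT

# "Then the output should contain:" (Lab 4 solution) - plain substring.
def output_contains?(output, needle)
  output.include?(needle)
end

# "Then the output should match:" (Lab 5 solution) - regular expression.
def output_matches?(output, pattern)
  Regexp.new(pattern).match?(output)
end

# The Then-steps of the port-check scenario, written as the lab writes them.
PORT_CHECK_STEPS = [
  [:contain,   "8008"],
  [:match,     '8008\/tcp\s+open'],
  [:not_match, '3001.tcp\s+open'],
].freeze

# Evaluate every Then-step against the tool output. Returns the per-step
# verdicts and the process exit status: 0 when all steps pass, 1 otherwise,
# which is what lets a build fail on a security regression.
def run_scenario(output, steps)
  results = steps.map do |kind, expectation|
    passed = case kind
             when :contain   then output_contains?(output, expectation)
             when :match     then output_matches?(output, expectation)
             when :not_match then !output_matches?(output, expectation)
             else raise ArgumentError, "unknown step kind: #{kind}"
             end
    { step: kind, expectation: expectation, passed: passed }
  end
  { results: results, exit_status: results.all? { |r| r[:passed] } ? 0 : 1 }
end

if __FILE__ == $PROGRAM_NAME
  { "open" => SAMPLE_NMAP_OUTPUT, "filtered" => SAMPLE_NMAP_FILTERED }.each do |label, output|
    report = run_scenario(output, PORT_CHECK_STEPS)
    puts "== 8008 #{label} =="
    report[:results].each do |r|
      puts "  #{r[:passed] ? 'PASS' : 'FAIL'}  #{r[:step]} #{r[:expectation]}"
    end
    puts "  exit status: #{report[:exit_status]}"
  end
end
```

A "should not match" step on a port you expect closed is the check that catches an accidentally exposed service, which a list of expected-open ports alone never would.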

LAB #6 - GARMR

LAB INSTRUCTIONS

For this lab, you will complete:

├── 09_Garmr and Web Security.md

WHAT IS GARMR?

GARMR IS A SCRIPT FROM MOZILLA THAT CHECKS FOR A BUNCH OF SECURITY POLICIES IN WEB APPS

MOZILLA SECURITY POLICY DISTILLED FOR THE REST OF US

LAB #7 - XSS WITH ARACHNI

LAB INSTRUCTIONS

For this lab, you will complete:

├── 10_Arachni and XSS testing.md

XSS LAB!

TRY OUT ARACHNI

arachni --modules=xss --depth=1 \
  --link-count=10 --auto-redundant=2 \
  scanme.nmap.org

BONUS POINTS, FIND THE VULN!

Hint….

When I launch an "arachni-full_xss" attack

LET US KNOW WHEN YOU HAVE FOUND IT

Arachni found XSS in Gruyere, oh noes!

localhost:8008/signup/<script>alert(1)</script>

LAB #8 - ADVANCED GAUNTLT

LAB INSTRUCTIONS

For this lab, you will complete:

├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md

HTML OUTPUT

bundle exec gauntlt --format html > out.html

out.html

RUGGED TESTING ON EVERY COMMIT

WE HAVE BEEN DOING CONTINUOUS INTEGRATION WITH GAUNTLT THIS WHOLE TIME WITH THE LABS!

SAHWEET!

YOUR VERY OWN BUILD SYSTEM

bit.ly/secure-pipeline-lab0

YOU NEED: GITHUB ACCOUNT, TRAVIS CI ACCOUNT

FORK THE REPO

YOU SHOULD HAVE: A FORK OF THE REPO, UNDERSTANDING OF TRAVIS.YML

bit.ly/secure-pipeline-lab1

IN TRAVIS CI SET THE REPO TO ‘ON’

ADD THE TRAVIS BADGE IN README.md

READ THE RAKEFILE

rails-travis-example/Rakefile

HOMEWORK / EXTRAS

http://localhost:3000

<script>alert('The Obligatory XSS Popup');</script>

arachni http://localhost:3000 \
  --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email]=test@test.com&user[password]=testtest',check='Logout \test@test.com' \
  -e /users/sign_out

http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session

BRAKEMAN

NOW WHAT?

50% OFF GAUNTLT BOOK FOR SXSW ATTENDEES!

leanpub.com/hands-on-gauntlt/c/50percentoff

Google Group > groups.google.com/d/forum/gauntlt
Wiki > github.com/gauntlt/gauntlt/wiki
Twitter > @gauntlt
IRC > #gauntlt on freenode
Issue tracking > github.com/gauntlt/gauntlt

QUESTIONS?