Be Mean to Your Code!
@wickett
Sr. DevOps Engineer, Mentor Graphics, Embedded Software Division
CISSP, GWAPT, CCSK, GSEC, GCFW
james@ruggeddevops.org
ruggeddevops.org
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
Ruggedization Theory
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
"Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by CloudFlare team
Security vs. Rugged

  Security             Rugged
  Absence of events    Verification of quality
  Cost                 Benefit
  Negative             Positive
  FUD                  Known values
  Toxic                Affirming
“[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work” - Michal Zalewski
RUGGED
(image; source: Jessica Allen, http://drbl.in/bgwy)
REPEATABLE - NO MANUAL STEPS
RELIABLE - NO DOS HERE
REVIEWABLE - AKA AUDIT
RAPID - FAST TO BUILD, DEPLOY, RESTORE
RESILIENT - AUTOMATED RECONFIGURATION
REDUCED - LIMITED ATTACK SURFACE
Put your code through the Gauntlet

  custom attacks
  dirbuster
  metasploit
  sqlmap
  fuzzers
  nessus
  w3af
  nmap

(diagram: the gauntlet of tools sits between "Your web app" and "You")
GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
feature for nmap:
                     nmap.feature
@run

Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

Background:
 Given nmap is installed

Scenario:Verify server is available on standard web ports
 Given the hostname in the profile.xml
 When I run nmap against the hostname in the profile on ports 80,443
 Then the output should contain:
  """
  80/tcp open http
  443/tcp open https
  """
feature for nmap:
                    nmap.feature
@run @webserver

Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

Background: #optional
 Given nmap is installed

Scenario: Verify server is available on standard web ports
 Given the hostname in the profile.xml
 When I run nmap against the hostname in the profile on ports 80,443
 Then the output should contain:
  """
  80/tcp open http
  443/tcp open https
  """
step definition for nmap:
                 nmap.rb
# Background step: fail early if nmap is not on the PATH.
Given /^nmap is installed$/ do
 steps %{
   When I run `which nmap`
   Then the output should contain:
   """
   nmap
   """
 }
end

# The two captured port numbers are passed through to nmap instead of being
# hard-coded, so the step works for "80,443" and "8080,443" alike.
# @hostname is set by the "Given the hostname in the profile.xml" step (profile.rb).
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
 steps %{
   When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
 }
end

...
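The steps above shell out to nmap and let aruba match its output. As an added example (not gauntlt's own code, and not from the slides), the plain Ruby below does the same two pieces of work without Cucumber or a live scan: it reads the target hostname from a profile.xml (the <profile>/<hostname> layout is an assumption, since the slides never show the file) and parses nmap's normal-format port table so the scenario's "80 and 443 open" check can be asserted as a return value. It also adds the check the REDUCED principle calls for: flag any open port outside the allow-list, not only missing expected ones. Both the profile and the nmap output are constructed sample data.

```ruby
# Added example (not gauntlt's own code): plain-Ruby versions of the checks
# behind the nmap steps, runnable offline without Cucumber or nmap.
require "rexml/document"

# Constructed profile.xml in the layout this example assumes; the slides
# do not show the real file, only that a hostname is read from it.
PROFILE_XML = <<~XML
  <profile>
    <hostname>www.example.com</hostname>
  </profile>
XML

# Constructed sample of nmap's normal output: 80 and 443 open as the
# scenario expects, plus an 8080 that nobody asked for.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap ( http://nmap.org )
  Nmap scan report for www.example.com (192.0.2.10)
  Host is up (0.012s latency).
  PORT     STATE  SERVICE
  22/tcp   closed ssh
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp open   http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
OUT

# What the "Given the hostname in the profile.xml" step has to produce.
def hostname_from_profile(xml)
  doc = REXML::Document.new(xml)
  node = doc.elements["profile/hostname"]
  raise "profile.xml has no <hostname> element" if node.nil?
  node.text.strip
end

# Parse "<port>/<proto> <state> <service>" rows into a hash keyed by
# "port/proto", e.g. {"80/tcp" => {state: "open", service: "http"}}.
# Header, banner and summary lines do not match the pattern and are skipped.
def parse_nmap_ports(output)
  ports = {}
  output.each_line do |line|
    m = line.match(%r{\A\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    next unless m
    ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
  end
  ports
end

def open_ports(output)
  parse_nmap_ports(output).select { |_, v| v[:state] == "open" }.keys
end

# The scenario's check: every expected port is reported open.
def expected_ports_open?(output, expected)
  (expected - open_ports(output)).empty?
end

# The REDUCED (limited attack surface) check: nothing outside the allow-list
# is open. Returns the offending ports so a failure says what to fix.
def unexpected_open_ports(output, allowed)
  open_ports(output) - allowed
end

if __FILE__ == $PROGRAM_NAME
  host = hostname_from_profile(PROFILE_XML)
  allowed = %w[80/tcp 443/tcp]
  puts "target: #{host}"
  puts "expected ports open: #{expected_ports_open?(SAMPLE_NMAP_OUTPUT, allowed)}"
  puts "unexpected open ports: #{unexpected_open_ports(SAMPLE_NMAP_OUTPUT, allowed).inspect}"
end
```

Against the constructed sample, the expected-ports check passes (80 and 443 are open) while the allow-list check returns ["8080/tcp"], which is the case the slide's scenario alone would never catch: a gauntlt step built on unexpected_open_ports turns "more services than we meant to expose" into a failing build rather than a surprise later.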
running gauntlt with failing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

   Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
    Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
     """
     8080/tcp open http
     443/tcp open https
     """
...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s
running gauntlt with passing tests
wickett$ gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

 Background:           # features/nmap/nmap.feature:5
  Given nmap is installed # features/step_definitions/nmap.rb:2

 Scenario:Verify server is available on standard web ports       # features/nmap/nmap.feature:8
  Given the hostname in the profile.xml                       # features/step_definitions/profile.rb:1
  When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
  Then the output should contain:                          # aruba-0.4.11/lib/aruba/cucumber.rb:98
   """
   80/tcp open http
   443/tcp open https
   """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s
https://github.com/thegauntlet/gauntlt
gauntlt team:
 James Wickett
 Mani Tadayon
 Roy Rapoport
 Jason Chan
 Matt Tesauro
 Tarek Moussa
 Jeremiah Shirk
 Luis De Leon
 Dan Cornell
 Scott Muc
Join Us

• github > http://bit.ly/gauntlt_repo
• google group > http://bit.ly/gauntlt_group
• twitter: @gauntlt
