You got DevOpsed! Your sysadmin team got renamed as the DevOps team. Developers got prod access. Code deploys to prod happen multiple times a day now. In the eyes of the business, things are great. Yet the security team continues to be left out, and really nothing seems to be better. In fact, it feels worse.
Time to learn how to hack some DevOps for great good.
This talk will equip you with advice and tools to join in on the DevOps. You will also leave with a sample continuous delivery pipeline that is armed and dangerous and ready to identify security issues in a typical web application stack.
We'll use a range of open source technology including OWASP ZAP, gauntlt, brakeman, nmap, sqlmap, arachni and more.
5. If you find yourself in Austin, stop by!
Austin OWASP (last Tuesday of the month)
LASCON Oct 22-23
6. Conclusions
It is easy to get discouraged in our industry, but there is hope!
Agile, DevOps and Continuous Delivery practices have an impact for AppSec / InfoSec
InfoSec is behind but has a unique opportunity to add value
7. Conclusions continued
Integrating into the build pipeline and operational tooling wins
Unit and Integration tests are not enough, we need testing that focuses on attack tooling
33. "Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters."
Dan North, 2009
56. "That the word #devops gets reduced to technology is a manifestation of how badly we need a cultural shift"
- @patrickdebois
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
57. Culture is the most important aspect to DevOps succeeding in the enterprise
67. Culture Influencers
Decrease time from development to release
Blameless post-mortems
Reward failure and have a high emphasis on testing
Unite different disciplines (like dev + ops) to solve problems
http://www.slideshare.net/wickett/the-devops-way-of-delivering-results-in-the-enterprise
97. "[risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
111. I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
112. I am rugged because my code can face these challenges and persist in spite of them.
132. Gauntlt Philosophy
Gauntlt comes with pre-canned steps that hook security testing and attack tooling
Gauntlt functions as part of the CI/CD pipeline
Gauntlt is a good citizen of exit status and stdout/stderr
Gauntlt does not install tools
MIT Open Source License
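To make the philosophy concrete, here is a small gauntlt attack file written in the style of the project's README examples; it is an added illustration, not a slide from this deck. It assumes nmap is already present on the CI runner (gauntlt does not install tools) and uses a placeholder hostname that you would point at your own application host.

```gherkin
# Example gauntlt attack file (e.g. nmap.attack). Run it with `gauntlt nmap.attack`.
# Any failing scenario makes gauntlt exit non-zero, which is what fails the CI/CD stage.
@slow
Feature: nmap port checks for the application host

  Background:
    # gauntlt does not install tools: this step fails fast if nmap is missing
    Given "nmap" is installed
    # placeholder profile value; replace with your own application host
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify the web port is reachable after deploy
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /80.tcp\s+open/

  Scenario: Verify no legacy cleartext services are exposed
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    # regression check: the build fails if ftp, telnet or smtp ever show up as open
    Then the output should not match:
      """
      (21|23|25)/tcp\s+open
      """
```

Because gauntlt surfaces the tool's stdout/stderr on failure, the pipeline log shows the actual nmap output next to the failed expectation.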
141. more on gauntlt
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/gauntlt
155. Gauntlt Next steps
Gauntlt currently doesn't install attack tooling; we are working on a gauntlt docker container to change that
Integrate into Kali distro
163. Conclusions
It is easy to get discouraged in our industry, but there is hope!
Agile, DevOps and Continuous Delivery practices have an impact for AppSec / InfoSec
InfoSec is behind but has a unique opportunity to add value
164. Conclusions continued
Integrating into the build pipeline and operational tooling wins
Unit and Integration tests are not enough, we need testing that focuses on attack tooling