presented at DevOps Days Austin 2013

1. Be Mean toYour Code
with Gauntlt

2. free phone calls

3. 1337 tools

4. “[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY:THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI

5. “Is this Secure?”
-Your Customer
“It’s Certified”
-You

6. there’s a better way

7. Your app
sslyze
dirb
nmap
curl
sqlmapgarmr
You
generic
Put your code through the Gauntlet

8. security tools are confusing

9. Gauntlt allows dev and ops and
security to communicate

10. $ gem install gauntlt
install gauntlt

11. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open https
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
Given
When
Then
When
Then

12. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
running gauntlt with failing tests

13. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
5 steps (5 passed)
0m18.341s
running gauntlt with passing tests

14. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open https
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
setup steps
verify
tool
set
config

15. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open https
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
attack
get
config

16. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
| tcp_ping_ports | 22,25,80,443 |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open https
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
assert
needle
haystack

17. Supported Tools
curl
nmap
sslyze
Garmr
dirb
generic

18. get started with gauntlt
github/gauntlt
gauntlt.org
videos
tutorials
@gauntlt
IRC #gauntlt
we
help!
start here
cool
vids!

19. be mean to your code
and win!
slideshare.com/wickett