19. “[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT
STRUCTURED INADEQUACY IS
ALMOST AS GOOD AS ADEQUACY
AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS
GOOD AS PROPERLY FUNDED
SECURITY WORK” - MICHAL ZALEWSKI
40. Security sees...
• They give advice that goes unheeded
• Business decisions made without regard for risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
41. 2% OF AN ENGINEERING
DEV TEAM ARE WORKING
ON SECURITY
- BSIMM 2012 data, http://bsimm.com/
56. ADVERSITY IS REAL OR
PERCEIVED NEGATIVE
ACTIONS AND EVENTS
THAT PROHIBIT NORMAL
FUNCTION AND OPERATION.
57. Building solutions to handle
adversity will cause
unintended, positive benefits
that will provide value that
would have been unrealized
otherwise.
RUGGEDIZATION
THEORY
59. "Secondly, our network
got a lot stronger as a
result of the LulzSec
attacks."
-Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
by CloudFlare team
61. REPEATABLE – NO MANUAL STEPS
RELIABLE – NO DOS HERE
REVIEWABLE – AKA AUDIT
RAPID – FAST TO BUILD, DEPLOY, RESTORE
RESILIENT – AUTOMATED RECONFIGURATION
REDUCED – LIMITED ATTACK SURFACE
88. feature for nmap:
nmap.feature
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.
  Background:
    Given nmap is installed
  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
    """
    80/tcp open http
    443/tcp open https
    """
89. step definition for nmap:
nmap.rb
# Background step: fail fast if nmap is not on the PATH.
Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
    """
    nmap
    """
  }
end

# Capture the two port numbers from the step text and pass them to nmap,
# so the scenario's ports drive the scan instead of a hard-coded list
# (the hostname is set from profile.xml by the step in profile.rb).
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
  steps %{
    When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
  }
end
90. running gauntlt with failing tests
wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.
Background: # features/nmap/nmap.feature:5
Given nmap is installed # features/step_definitions/nmap.rb:2
Scenario:Verify server is available on standard web ports # features/nmap/nmap.feature:8
Given the hostname in the profile.xml # features/step_definitions/profile.rb:1
When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
Then the output should contain: # aruba-0.4.11/lib/aruba/cucumber.rb:98
"""
8080/tcp open http
443/tcp open https
"""
...
Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario:Verify server is available on standard web ports
1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s
91. running gauntlt with passing tests
wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.
Background: # features/nmap/nmap.feature:5
Given nmap is installed # features/step_definitions/nmap.rb:2
Scenario:Verify server is available on standard web ports # features/nmap/nmap.feature:8
Given the hostname in the profile.xml # features/step_definitions/profile.rb:1
When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
Then the output should contain: # aruba-0.4.11/lib/aruba/cucumber.rb:98
"""
80/tcp open http
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m1.117s
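The `Then the output should contain:` assertion in the feature above is a literal substring match on nmap's text output. As an added example (not code from the original slides or from the gauntlt project), the Ruby below parses nmap's normal-output port lines into structured data so a step can check exact port numbers and states, and shows why the substring check is fragile: once whitespace is normalized so the literal can match nmap's padded columns, `80/tcp open http` is also found inside `8080/tcp open http-proxy`. The two scan outputs, the host name target.example and the helper names are constructed for this example.

```ruby
# Added example, not from the original slides or from gauntlt: parse
# nmap's normal output instead of substring-matching it, so a step can
# assert on exact port numbers and states. The sample scan outputs,
# the hostname target.example and the helper names are constructed.

# One line per scanned port in nmap's normal output, e.g.
#   "80/tcp   open   http"   or   "8080/tcp open   http-proxy"
PORT_LINE = /^(\d{1,5})\/(tcp|udp)\s+(\S+)\s+(\S+)/

# Returns { [port, proto] => { state:, service: } } for every port line.
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    m = PORT_LINE.match(line) or next
    ports[[m[1].to_i, m[2]]] = { state: m[3], service: m[4] }
  end
end

# True only if every expected port is reported open on the given
# protocol. Compares parsed port numbers, so 8080 never satisfies 80.
def open_ports?(output, expected, proto = "tcp")
  ports = parse_nmap_ports(output)
  expected.all? { |p| ports.dig([p, proto], :state) == "open" }
end

# The expected ports that are NOT open, for a useful failure message.
def missing_ports(output, expected, proto = "tcp")
  ports = parse_nmap_ports(output)
  expected.reject { |p| ports.dig([p, proto], :state) == "open" }
end

# The fragile check behind "the output should contain": a plain substring
# test. Runs of spaces are collapsed first, because nmap pads its columns
# and a single-spaced literal would otherwise never match at all.
def substring_match?(output, expected_text)
  output.gsub(/[ \t]+/, " ").include?(expected_text)
end

# Constructed sample: the host the feature wants (80 and 443 open).
GOOD_SCAN = <<~NMAP
  Starting Nmap 6.01 ( http://nmap.org )
  Nmap scan report for target.example (192.0.2.10)
  Host is up (0.0012s latency).
  PORT    STATE SERVICE
  80/tcp  open  http
  443/tcp open  https

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
NMAP

# Constructed sample: 80 is closed, but a proxy listens on 8080.
PROXY_SCAN = <<~NMAP
  Starting Nmap 6.01 ( http://nmap.org )
  Nmap scan report for target.example (192.0.2.10)
  Host is up (0.0012s latency).
  PORT     STATE  SERVICE
  80/tcp   closed http
  443/tcp  open   https
  8080/tcp open   http-proxy

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
NMAP

if __FILE__ == $0
  puts "good scan, 80 and 443 open?  #{open_ports?(GOOD_SCAN, [80, 443])}"
  puts "proxy scan, 80 and 443 open? #{open_ports?(PROXY_SCAN, [80, 443])}"
  puts "proxy scan, missing ports:   #{missing_ports(PROXY_SCAN, [80, 443]).inspect}"
  # The literal from the feature is found in the proxy scan even though
  # port 80 is closed, because it is a suffix of the 8080 line.
  puts "substring match on proxy scan? #{substring_match?(PROXY_SCAN, '80/tcp open http')}"
end
```

In a step definition this would replace the literal `output should contain` block: run nmap as the existing step does, hand whatever captured-output helper the Aruba version in use provides to `open_ports?`, and raise with `missing_ports` in the message when it returns false. Matching on parsed port numbers also makes the scenario's `80,443` arguments meaningful, since the check and the scan now use the same list.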