From SXSW Interactive 2015
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
2. You will be armed with tools and ideas for monitoring your operational and runtime security.
3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://schedule.sxsw.com/2015/events/event_IAP35935
#SXSW
#RUGGEDCODE
@WICKETT // @MATTJAY
You/Me
I will not attempt to access my neighbor’s computer
I will not hack the wifi
I will be friendly to those around me
HANDS-ON LABS
~8 Mini Labs lasting 5 to 10 minutes each
Let us know if you are having a problem, and we will help
We will also be around after the class to help as well
TIPS FOR THE LABS
Open the labs folder in your browser to follow along to benefit from markdown display
Run all commands from the ~/gauntlt-demo
BEHAVIOR DRIVEN DEVELOPMENT IS A SECOND-GENERATION, OUTSIDE–IN, PULL-BASED, MULTIPLE-STAKEHOLDER, MULTIPLE-SCALE, HIGH-AUTOMATION, AGILE METHODOLOGY. IT DESCRIBES A CYCLE OF INTERACTIONS WITH WELL-DEFINED OUTPUTS, RESULTING IN THE DELIVERY OF WORKING, TESTED SOFTWARE THAT MATTERS.
- DAN NORTH, 2009
DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT.
- TOM LIMONCELLI
“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT”
- @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
I AM RUGGED AND, MORE IMPORTANTLY, MY CODE IS RUGGED.
I RECOGNIZE THAT SOFTWARE HAS BECOME A FOUNDATION OF OUR MODERN WORLD.
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT COMES WITH THIS FOUNDATIONAL ROLE.
GAUNTLT PHILOSOPHY
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
@challenge @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    # Then ...
    # TODO: figure out a way to parse the output and determine what is passing
    # For hints consult the README.md
SOLUTION
@final @slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <host>
      """
    Then the output should contain:
      """
      8008
      """
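As an added example (not code from the Gauntlt project or the workshop labs), here is the same check written as a plain shell pipeline stage that follows Gauntlt's "good citizen of exit status" philosophy. It goes beyond the attack file above: "output should contain 8008" also matches 18008 or a line reporting 8008 as closed, so this version parses nmap's open-port lines and compares the full set of open ports against an expected set, failing the build on a missing service and on an unexpected one alike. The sample nmap output and the expected port list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from Gauntlt or the workshop labs): a CI-style port
# check in the spirit of the "nmap" attack file above. "output should
# contain 8008" also matches 18008 or a line reporting 8008 as closed, so
# this parses the open-port lines from nmap's normal output and exits
# non-zero when the set of open ports differs from the expected set, so a
# pipeline stage fails on both a missing service and an unexpected one.

# Constructed sample of "nmap -F localhost" normal output (not a real scan).
SAMPLE_SCAN='Starting Nmap ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 98 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
8008/tcp open   http
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

# open_ports: read nmap normal output on stdin and print each open TCP
# port number on its own line, in numeric order.
open_ports() {
  awk '/^[0-9]+\/tcp[[:space:]]+open/ { split($1, p, "/"); print p[1] }' | sort -n
}

# check_ports EXPECTED: EXPECTED is a comma-separated list such as "22,8008"
# (empty means "nothing should be open"). Reads nmap output on stdin.
# Returns 0 when the open set equals EXPECTED, 1 otherwise, naming every
# unexpected or missing port on stderr.
check_ports() {
  expected=$(printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d')
  actual=$(open_ports)
  status=0
  for port in $actual; do
    printf '%s\n' "$expected" | grep -qx "$port" \
      || { echo "unexpected open port: $port" >&2; status=1; }
  done
  for port in $expected; do
    printf '%s\n' "$actual" | grep -qx "$port" \
      || { echo "expected port not open: $port" >&2; status=1; }
  done
  return $status
}

# Demonstration against the constructed sample; in a real pipeline stage
# this would be:  nmap -F "$HOST" | check_ports "22,8008"
printf '%s\n' "$SAMPLE_SCAN" | check_ports "22,8008" && echo "port check passed"
```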
LAB INSTRUCTIONS
For this lab, you will complete:
├── 11_Assert Network.md
├── 12_Output to HTML.md
└── 13_Working with Environment Variables.md