
Continuous Security Testing With Gauntlt

by Manuel Pais on Nov 30, 2013

James Wickett, from the Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing into the continuous integration cycle to get early feedback on an application's security level. James stressed the importance of checking security regularly, since release rates increase with continuous delivery. Post-release security checks and lengthy reports from external audits are no longer good enough, according to James. Continuous feedback for both Ops and Devs is required to keep applications safe and avoid security regressions.

Gauntlt is meant to put this idea into practice by providing an automated security test framework based on Cucumber, the popular tool typically used for behaviour-driven development, together with a set of open source security testing tools. Gauntlt is available as a Ruby gem, so its tests can run as part of a continuous integration/delivery pipeline that has a Ruby environment. This example generates an HTML test report similar to Cucumber's:

bundle exec gauntlt --format html > out.html

Gauntlt comes packaged with a set of pre-canned attacks built on a pre-defined set of "attack adapters", which map the steps in an attack file to the security tool that can run each type of attack:

  • Arachni (testing for XSS)
  • Garmr (testing for new login pages or insecure references in login flows)
  • sqlmap (testing for SQL injection attacks)
  • dirb (testing for misconfigured web objects)
  • SSLyze (testing for misconfigured SSL servers)
  • Nmap (testing for unexpected open ports)

At the moment the tool set can only be extended through a special pre-canned step that invokes an arbitrary command-line binary, with the test then checking the output of that invocation.

Under the hood, Gauntlt runs Cucumber: Gauntlt attack files are transformed into Cucumber feature files in which each scenario is a specific attack. An example attack file, port-check.attack, might use nmap to verify that there are no unexpected ports open on a given host:

Feature: nmap attacks for example.com

    Background:
      Given "nmap" is installed
      And the following profile:
      | name     | value       |
      | hostname | example.com |

    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
         """
         nmap -F <hostname>
         """
      Then the output should not contain:
         """
         25/tcp
         """
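To make the mechanics of the attack file concrete, here is an added example (not Gauntlt's own code, and not from the article) of a minimal Ruby interpreter for the subset of the attack-file grammar used above: it reads the profile table, substitutes <hostname>-style placeholders into the command, runs the command, and then checks the "output should (not) contain" assertion. The `installed` and `runner` callables are injectable, which is an assumption of this example, so the check can be exercised against canned output without scanning any host; with the defaults it shells out to the real tool. The attack file embedded as `ATTACK_FILE` is a constructed copy of the article's port-check example.

```ruby
require 'open3'

# Constructed input: the port-check.attack example from the article.
ATTACK_FILE = <<~GHERKIN
  Feature: nmap attacks for example.com
    Background:
      Given "nmap" is installed
      And the following profile:
      | name     | value       |
      | hostname | example.com |
    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should not contain:
        """
        25/tcp
        """
GHERKIN

# Collect the body of a triple-quoted docstring whose opening quotes are at
# index i. Returns the joined text and the index just past the closing quotes.
def read_docstring(lines, i)
  raise "expected \"\"\" at line #{i + 1}" unless lines[i] == '"""'
  body = []
  i += 1
  until lines[i] == '"""'
    raise 'unterminated docstring' if i >= lines.length
    body << lines[i]
    i += 1
  end
  [body.join("\n"), i + 1]
end

# Parse the grammar subset used above: profile table rows, "is installed",
# "launch ... attack with" and "output should (not) contain". Feature,
# Background and Scenario headers carry no behaviour here and are skipped.
def parse_attack(text)
  profile = {}
  steps = []
  lines = text.lines.map(&:strip)
  i = 0
  while i < lines.length
    line = lines[i]
    if line.start_with?('|')
      name, value = line.split('|').map(&:strip).reject(&:empty?)
      profile[name] = value unless name == 'name' # skip the header row
    elsif (m = line.match(/\AGiven "(.+)" is installed\z/))
      steps << { type: :installed, tool: m[1] }
    elsif (m = line.match(/\AWhen I launch an? "(.+)" attack with:\z/))
      command, i = read_docstring(lines, i + 1)
      steps << { type: :launch, tool: m[1], command: command }
      next
    elsif (m = line.match(/\AThen the output should (not )?contain:\z/))
      expected, i = read_docstring(lines, i + 1)
      steps << { type: :contains, negate: !m[1].nil?, text: expected }
      next
    end
    i += 1
  end
  [profile, steps]
end

# Replace <name> placeholders with values from the profile table.
def substitute(command, profile)
  command.gsub(/<(\w+)>/) { profile.fetch($1) }
end

# Defaults shell out for real; tests inject canned replacements instead.
DEFAULT_INSTALLED = ->(tool) { system('which', tool, out: File::NULL, err: File::NULL) }
DEFAULT_RUNNER    = ->(command) { Open3.capture2e(command).first }

# Execute the steps in order and report every failed assertion.
def run_attack(text, installed: DEFAULT_INSTALLED, runner: DEFAULT_RUNNER)
  profile, steps = parse_attack(text)
  output = nil
  failures = []
  steps.each do |step|
    case step[:type]
    when :installed
      failures << "#{step[:tool]} is not installed" unless installed.call(step[:tool])
    when :launch
      output = runner.call(substitute(step[:command], profile))
    when :contains
      found = output.to_s.include?(step[:text])
      if step[:negate] && found
        failures << "output contained forbidden text: #{step[:text]}"
      elsif !step[:negate] && !found
        failures << "output did not contain expected text: #{step[:text]}"
      end
    end
  end
  { passed: failures.empty?, failures: failures }
end

if __FILE__ == $PROGRAM_NAME
  # Canned nmap output (constructed) so the stand-alone run stays offline.
  canned = ->(command) { "# #{command}\n80/tcp  open  http\n443/tcp open  https\n" }
  p run_attack(ATTACK_FILE, installed: ->(_tool) { true }, runner: canned)
end
```

The point to take from this is where a pipeline gets its signal: `run_attack` returns a structured pass/fail result, which is what a CI job should key a build failure on, rather than a human reading an HTML report after the fact. In a real pipeline the default `runner` would invoke the tool from the attack file, so the host under test must be one you are authorised to scan and the job's output should be archived with the build.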

James sums up Gauntlt as an opinionated framework for application security testing inspired by the Rugged Software manifesto. Its ultimate goal is to promote communication between Dev, Ops and Security teams. The need to include security concerns and monitoring within DevOps was also raised by DevOps Weekly founder Gareth Rushgrove in his talk on security monitoring.


Security Early in the Dev Process by Mark Troester

Nice article and solution for integrating security earlier in the process. This is definitely key to building and delivering secure applications. And with the use of open source components, another effective tool is to provide information to the developers about the best components and component versions. Ideally, this would be information that is available directly in the IDE. While that is a good starting point, developers need guidance throughout the lifecycle - ensuring that the applications have components that meet your security, licensing and architecture guidelines as part of the release process as well.

Mark Troester
Sonatype
@mtroester
