Continuous Security Testing With Gauntlt

James Wickett, from the Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing into the continuous integration cycle to get early feedback on an application's security level. James stressed the importance of regularly checking for security as release delivery rates increase with continuous delivery. Post-release security checks and lengthy reports from external audits are no longer good enough, according to James. Continuous feedback for both Ops and Devs is required to keep applications safe and avoid security regressions.

Gauntlt is meant to put this idea into practice by providing an automated security testing framework based on Cucumber, the popular tool typically used for behaviour-driven development, and on a set of open source security testing tools. Gauntlt is available as a Ruby gem, so tests can be run as part of a continuous integration/delivery pipeline that has a Ruby environment. This example generates an HTML test report similar to Cucumber’s:

bundle exec gauntlt --format html > out.html

Gauntlt comes packaged with a set of pre-canned attacks using a pre-defined set of “attack adapters” that map the steps to the security tools that can run each type of attack:

  • Arachni (testing for XSS)
  • Garmr (testing for new login pages or insecure references in login flows)
  • SQLmap (testing for SQL injection attacks)
  • dirb (testing for misconfigured web objects)
  • SSLyze (testing for misconfigured SSL servers)
  • Nmap (testing for unexpected open ports)

At the moment, the tool set can only be extended by using a special pre-canned step that invokes a command-line binary and then checking the output of its execution.

Under the hood, Gauntlt runs Cucumber: Gauntlt attack files are transformed into Cucumber feature files in which each scenario is a specific attack. An example attack file, port-check.attack, might use nmap to verify that there are no unexpected ports open on a given host:

Feature: nmap attacks for example.com

    Background:
      Given "nmap" is installed
      And the following profile:
      | name     | value       |
      | hostname | example.com |

    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
         """
         nmap -F <hostname>
         """
      Then the output should not contain:
         """
         25/tcp
         """
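The scenario above passes whenever the string 25/tcp is absent from the output, so it is a substring match against a single port. As an added example (not from the article or the Gauntlt project), the Ruby code below parses `nmap -F` output and compares the open ports with an allowlist; the sample output, the allowlist and all function names are constructed for illustration.

```ruby
require 'set'

# Constructed sample of `nmap -F` output (not captured from a real host).
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com (192.0.2.10)
  Host is up (0.012s latency).
  Not shown: 95 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  443/tcp  open  https
  1025/tcp open  NFS-or-IIS
  3306/tcp open  mysql
OUT

# Assumed allowlist: the ports this host is expected to expose.
ALLOWED_PORTS = %w[22/tcp 80/tcp 443/tcp].freeze

# Matches port table rows such as "22/tcp   open  ssh".
PORT_LINE = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

# Turn the port table into an array of hashes, ignoring every other line.
def parse_ports(output)
  output.each_line.map do |line|
    m = PORT_LINE.match(line.strip)
    next unless m
    { port: m[1].to_i, proto: m[2], state: m[3], service: m[4] }
  end.compact
end

# Allowlist check: every open port that is not explicitly expected.
def unexpected_open_ports(output, allowed)
  allowed = allowed.to_set
  parse_ports(output)
    .select { |p| p[:state] == 'open' }
    .map { |p| "#{p[:port]}/#{p[:proto]}" }
    .reject { |id| allowed.include?(id) }
end

# What a "should not contain" step checks: plain substring absence.
def substring_check_passes?(output, needle)
  !output.include?(needle)
end

if __FILE__ == $PROGRAM_NAME
  # The substring check fails here only because "1025/tcp" contains "25/tcp".
  puts "substring check passes: #{substring_check_passes?(SAMPLE_NMAP_OUTPUT, '25/tcp')}"
  puts "unexpected open ports: #{unexpected_open_ports(SAMPLE_NMAP_OUTPUT, ALLOWED_PORTS).join(', ')}"
end
```

With the 1025/tcp row removed, the substring check passes even though 3306/tcp is still open, while the allowlist comparison still reports it.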

James sums up Gauntlt as an opinionated framework for application security testing inspired by the Rugged Software manifesto. Its ultimate goal is to promote communication between Dev, Ops and Security teams. The need to include security concerns and monitoring within DevOps was also mentioned by DevOps Weekly founder Gareth Rushgrove in his talk on security monitoring.
