
Continuous Security Testing With Gauntlt

by Manuel Pais on Nov 30, 2013. Estimated reading time: 2 minutes


James Wickett, from the Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing into the continuous integration cycle to get early feedback on an application's security posture. James stressed the importance of checking security regularly as release rates increase with continuous delivery. Post-release security checks and lengthy reports from external audits are no longer good enough, according to James. Continuous feedback for both Ops and Devs is required to keep applications safe and avoid security regressions.

Gauntlt is thus meant to put this idea into practice by providing an automated security test framework built on the popular Cucumber tool (typically used for behaviour-driven development) together with a set of open source security testing tools. Gauntlt is available as a Ruby gem, so tests can run as part of a continuous integration/delivery pipeline that has a Ruby environment. This example generates an HTML test report similar to Cucumber’s:

bundle exec gauntlt --format html > out.html

Gauntlt comes packaged with a set of pre-canned attacks using a pre-defined set of “attack adapters” that map the steps to the security tools that can run each type of attack:

  • Arachni (testing for XSS)
  • Garmr (testing for new login pages or insecure references in login flows)
  • SQLmap (testing for SQL injection attacks)
  • dirb (testing for misconfigured web objects)
  • SSLyze (testing for misconfigured SSL servers)
  • NMap (testing for unexpected open ports)

At the moment the tool set can only be extended by invoking an arbitrary command-line binary through a special pre-canned step and checking the output of its execution.

Under the hood Gauntlt runs Cucumber, so Gauntlt attack files are transformed into Cucumber feature files in which each scenario is a specific attack. An example attack file, port-check.attack, might use nmap to verify that no unexpected ports are open on a given host:

Feature: nmap attacks for example.com

    Background:
      Given "nmap" is installed
      And the following profile:
      | name     | value       |
      | hostname | example.com |

    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
         """
         nmap -F <hostname>
         """
      Then the output should not contain:
         """
         25/tcp
         """
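The two steps above, the profile substitution and the output check, modelled in plain Ruby as an added example (this is not Gauntlt's own code). It runs over constructed `nmap -F` output embedded inline and shows why a parsed allowlist of ports is a safer assertion than the substring check in the attack file, which would also trip on a line such as `1025/tcp`.

```ruby
# Constructed sample of `nmap -F example.com` output (not a real scan result).
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap 6.40 ( http://nmap.org )
  Nmap scan report for example.com (203.0.113.10)
  Host is up (0.012s latency).
  Not shown: 96 filtered ports
  PORT     STATE  SERVICE
  22/tcp   closed ssh
  80/tcp   open   http
  443/tcp  open   https
  1025/tcp open   NFS-or-IIS
  Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
OUT

# Fill <name> placeholders from the Background profile, as Gauntlt does for
# "nmap -F <hostname>". Unknown names raise, so a typo fails the run loudly.
def render_command(template, profile)
  template.gsub(/<(\w+)>/) { profile.fetch(Regexp.last_match(1)) }
end

# Parse "PORT STATE SERVICE" rows and keep only ports nmap reports as open.
def parse_open_ports(output)
  output.each_line.map do |line|
    m = line.match(%r{^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    next unless m && m[3] == 'open'
    { port: m[1].to_i, proto: m[2], service: m[4] }
  end.compact
end

# Open ports that are not on the allowlist ("80/tcp", "443/tcp", ...).
# This is the check the scenario really wants: "nothing open beyond what we expect".
def unexpected_ports(output, allowed)
  parse_open_ports(output).reject { |p| allowed.include?("#{p[:port]}/#{p[:proto]}") }
end

# The attack file's "Then the output should not contain" step, as a substring test.
def output_contains?(output, needle)
  output.include?(needle)
end

if __FILE__ == $PROGRAM_NAME
  puts render_command('nmap -F <hostname>', 'hostname' => 'example.com')
  puts "substring '25/tcp' found: #{output_contains?(SAMPLE_NMAP_OUTPUT, '25/tcp')}"
  unexpected_ports(SAMPLE_NMAP_OUTPUT, %w[80/tcp 443/tcp]).each do |p|
    puts "unexpected open port: #{p[:port]}/#{p[:proto]} (#{p[:service]})"
  end
end
```

Note that the substring step reports `25/tcp` as present even though port 25 is closed on the sample host; the parsed allowlist instead reports the actual surprise, port 1025.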

James sums up Gauntlt as an opinionated framework for application security testing inspired by the Rugged Software manifesto. Its ultimate goal is to promote communication between Dev, Ops and Security teams. The need to include security concerns and monitoring within DevOps was also raised by DevOps Weekly founder Gareth Rushgrove in his talk on security monitoring.


Security Early in the Dev Process by Mark Troester

Nice article and solution for integrating security earlier in the process. This is definitely key to building and delivering secure applications. And with the use of open source components, another effective tool is to provide information to the developers about the best components and component versions. Ideally, this would be information that is available directly in the IDE. While that is a good starting point, developers need guidance throughout the lifecycle - ensuring that the applications have components that meet your security, licensing and architecture guidelines as part of the release process as well.

Mark Troester
Sonatype
@mtroester
