James Wickett, from Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing in the continuous integration cycle for early feedback on application security level. James stressed the importance of regularly checking for security as release delivery rates increase with continuous delivery. Post-release security checks and lengthy reports from external audits are no longer good enough, according to James. Continuous feedback both for Ops and Devs is required to keep applications safe and avoid security regressions.
Gauntlt is thus meant to put this idea into practice by providing an automated security test framework based on the popular Cucumber tool typically used for behaviour-driven-development and a set of open source security testing tools. Gauntlt is available as a Ruby gem so tests can be run as part of a continuous integration/delivery pipeline with a Ruby environment. This example generates an HTML test report similar to Cucumber’s:
bundle exec gauntlt --format html > out.html
Gauntlt comes packaged with a set of pre-canned attacks using a pre-defined set of “attack adapters” that rely map the steps to the security tools that can run each type of attack:
- Arachni (testing for XSS)
- Garmr (testing for new login pages or insecure references in login flows)
- SQLmap (testing for SQL injection attacks)
- dirb (testing for misconfigured web objects)
- SSlyze (testing for misconfigured SSL servers)
- NMap (testing for unexpected open ports)
At the moment the tool set can only be extended by indicating a binary command line invocation using a special pre-canned step and checking the output of its execution.
port-check.attack might use nmap for verifying that there are no unexpected ports open in a given host:
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
James sums up Gauntlt as an opinionated framework for application security testing inspired by the Rugged software manifesto. Its ultimate goal is to promote communication between Dev, Ops and Security teams. The need to include security concerns and monitoring within DevOps was also mentioned by DevOps Weekly founder Gareth Rushgrove’s in his talk on security monitoring.