Jay Taylor's notes
back to listing indexGAUNTLT - Go Ahead, Be Mean To Your Code - Security and Rugged Testing
[web search]Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.
Features
- Gauntlt attacks are written in a easy-to-read language
- Easily hooks into your org's testing tools and processes
- Security tool adapters come with gauntlt
- Uses unix standard error and standard out to pass status
Join the community
There are several ways to get involved:
- Google Group for gauntlt
- IRC: #gauntlt on freenode this is the best way to get help, and now you can reach us straight from the web IRC client.
- Github organization
There are two ways to get started with gauntlt. You can use the gem install method which will require you to download and setup the security tools (don't worry gauntlt walks you through it) or you can use the Gauntlt Starter Kit which is a vagrant script that will bootstrap the tools for you automagically.
Get started using in 3 easy steps
-
Install the gem
$ gem install gauntlt
-
Download example attacks and customize. Here is a very simple network attack using the nmap adapter.
# nmap-simple.attack Feature: simple nmap attack to check for open ports Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | Scenario: Check standard web ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should match /80.tcp\s+open/ Then the output should not match: """ 25\/tcp\s+open """
-
Run gauntlt to launch the attack defined above
$ gauntlt # equivalent to gauntlt ./**/*.attack # you can also specify one or more paths yourself: $ gauntlt my_attacks/nmap-simple.attack # other commands to help $ gauntlt --list # the list option will show you the tools that are # available to use with gauntlt $ gauntlt --steps # the steps option will show the gauntlt specific # steps you can use in your attacks $ gauntlt --allsteps # the allsteps option will show all steps including # aruba file operations and parsing steps that are # available to use in attacks $ gauntlt --help # when all else fails use the help
For more attack examples, refer to the examples.
Get started with the Gauntlt Starter Kit
If you don't want to bother with installing ruby on your local box or you dont want to bother setting up all the security tools that gauntlt hooks for running tests, then this is the way to go. Simply follow along with the video and you can have a running virtual machine that includes gauntlt's dependencies, gauntlt itself and a variety of security tools that gauntlt uses to run its tests.
Watch this video to help you get started:
Security testing is usually done on the auditors' schedule and that testing output isn't always actionable. Because of this, often regressions for fixed issues find their way back into the code. Thats not good. It should be different.
© Copyright 2012 - MIT License | GitHub Repo for GAUNTLT