Jay Taylor's notes

back to listing index

GAUNTLT - Go Ahead, Be Mean To Your Code - Security and Rugged Testing

[web search]
Original source (gauntlt.org)
Tags: testing gauntlt.org
Clipped on: 2016-01-14

Image (Asset 1/1) alt=

GAUNTLT

BE MEAN TO YOUR CODE AND LIKE IT

Join the mailing list for the lastest updates

Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.

Features

  • Gauntlt attacks are written in a easy-to-read language
  • Easily hooks into your org's testing tools and processes
  • Security tool adapters come with gauntlt
  • Uses unix standard error and standard out to pass status

Gauntlt includes attack adapters for these tools:

Join the community

There are several ways to get involved:

There are two ways to get started with gauntlt. You can use the gem install method which will require you to download and setup the security tools (don't worry gauntlt walks you through it) or you can use the Gauntlt Starter Kit which is a vagrant script that will bootstrap the tools for you automagically.

Get started using in 3 easy steps

  1. Install the gem

    
    $ gem install gauntlt
    		    
  2. Download example attacks and customize. Here is a very simple network attack using the nmap adapter.

    
    # nmap-simple.attack
    Feature: simple nmap attack to check for open ports
    
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |
    
      Scenario: Check standard web ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should match /80.tcp\s+open/
        Then the output should not match:
          """
          25\/tcp\s+open
          """
    
  3. Run gauntlt to launch the attack defined above

    
    $ gauntlt
      # equivalent to gauntlt ./**/*.attack
      # you can also specify one or more paths yourself:
    $ gauntlt my_attacks/nmap-simple.attack
      # other commands to help
    $ gauntlt --list
      # the list option will show you the tools that are 
      # available to use with gauntlt
    $ gauntlt --steps
      # the steps option will show the gauntlt specific 
      # steps you can use in your attacks
    $ gauntlt --allsteps
      # the allsteps option will show all steps including 
      # aruba file operations and parsing steps that are 
      # available to use in attacks
    $ gauntlt --help
      # when all else fails use the help
    		

    For more attack examples, refer to the examples.

Get started with the Gauntlt Starter Kit

If you don't want to bother with installing ruby on your local box or you dont want to bother setting up all the security tools that gauntlt hooks for running tests, then this is the way to go. Simply follow along with the video and you can have a running virtual machine that includes gauntlt's dependencies, gauntlt itself and a variety of security tools that gauntlt uses to run its tests.

Watch this video to help you get started:

twitter feed

Security testing is usually done on the auditors' schedule and that testing output isn't always actionable. Because of this, often regressions for fixed issues find their way back into the code. Thats not good. It should be different.

© Copyright 2012 - MIT License | GitHub Repo for GAUNTLT