Gauntlt: Rugged by Example

Presented at AppSec USA 2012, Oct. 25, 2012, 10 a.m. (45 minutes)

"Be Mean to Your Code" is the concept behind the ruggedization framework called Gauntlt (pronounced like gauntlet) which aims to bring the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Gauntlt is an open source ruggedization framework using cucumber and written in ruby. Gauntlt has been developed in collaboration with Netflix to fulfill the role of the "Security Monkey" in their Simian Army--most popularly known for the Chaos Monkey. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing gauntlt attacks (tests) which can in turn be added to the continuous delivery test suite. Developers know when they have resolved a particular vulnerability when gauntlt no longer reports a failure. Gauntlt can be used in regression tests to detect when a previously resolved vulnerability has been re-introduced. The creators of Gauntlt, James Wickett, Mani Tadayon and Roy Rapoport, will talk about the history of the project, current roadmap and the planned security testing tools being added to Gauntlt. As part of this talk we will do a hands on demo where we will walk the audience through getting started using gauntlt pre-built attacks and then move to writing their own gauntlt attacks. Come find out how to start being "rugged by example" and how to get started with Gauntlt. Note: Jeremiah Shirk is filling in for Roy Rapoport. Gauntlt is MIT Licensed and hosted on github at http://github.com/thegauntlet/gauntlt.

Presenters:

• Jeremiah Shirk - Engineering Manager - Venmo
• Mani Tadayon - Senior Software Engineer - ZestFinance
  I love programming and am now learning Clojure, Lisp and Emacs. Since 2001, I've worked in web development, constantly updating my skills to keep up with new technologies, moving from .NET to php to ruby and beyond. At the same time, I've discovered the importance of strong foundations and continue to re-learn c, html and javascript. My educational background is broad: a bachelor's in Chinese, Japanese & German from UC Berkeley and a second bachelor's in Computer Science (with a minor in Math) from CSU Hayward. Currently, I am a graduate student in Geography at CSU Northridge. My current interests are in functional programming, logic and philosophy. I hope to pursue academic research in these fields alongside my career as a programmer. I took a small step down that path with my recently published paper on the philosophy of AVP: Alien vs. Predator.
• James Wickett - Sr. Engineer - Signal Sciences Corp
  James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapidly growth startups. As a Senior DevOps Engineer, James is currently working on launching cloud based-products for the Embedded Software division of Mentor Graphics.James is a dynamic speaker on topics in cloud computing, cloud security and Rugged DevOps. He is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He holds the following security certifications: CISSP, GWAPT, GCFW, GSEC and CCSK.James lives in Austin, Texas with his wife Laura and daughter Lydia.

Links:

• https://appsecusa2012.sched.com/event/150mCG3/gauntlt-rugged-by-example
• https://infocon.org/cons/OWASP/AppSecUSA 2012/Gauntlt - Rugged by Example.mp4