BE MEAN TO YOUR CODE AND LIKE IT
Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.
There are several ways to get involved:
There are two ways to get started with gauntlt. You can use the gem install method which will require you to download and setup the security tools (don't worry gauntlt walks you through it) or you can use the Gauntlt Starter Kit which is a vagrant script that will bootstrap the tools for you automagically.
Install the gem
$ gem install gauntlt
Download example attacks and customize. Here is a very simple network attack using the nmap adapter.
# nmap-simple.attack Feature: simple nmap attack to check for open ports Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com | Scenario: Check standard web ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should match /80.tcp\s+open/ Then the output should not match: """ 25\/tcp\s+open """
Run gauntlt to launch the attack defined above
$ gauntlt # equivalent to gauntlt ./**/*.attack # you can also specify one or more paths yourself: $ gauntlt my_attacks/nmap-simple.attack # other commands to help $ gauntlt --list # the list option will show you the tools that are # available to use with gauntlt $ gauntlt --steps # the steps option will show the gauntlt specific # steps you can use in your attacks $ gauntlt --allsteps # the allsteps option will show all steps including # aruba file operations and parsing steps that are # available to use in attacks $ gauntlt --help # when all else fails use the help
For more attack examples, refer to the examples.
If you don't want to bother with installing ruby on your local box or you dont want to bother setting up all the security tools that gauntlt hooks for running tests, then this is the way to go. Simply follow along with the video and you can have a running virtual machine that includes gauntlt's dependencies, gauntlt itself and a variety of security tools that gauntlt uses to run its tests.
Watch this video to help you get started:
Security testing is usually done on the auditors' schedule and that testing output isn't always actionable. Because of this, often regressions for fixed issues find their way back into the code. Thats not good. It should be different.
© Copyright 2012 - MIT License | GitHub Repo for GAUNTLT