Data Driven Web Application Security

The security posture of an application is directly proportional to the amount of information that is known about the application. How can we, as web application security practitioners, take advantage of application metrics to improve the security posture of our product? This talk will explore the ways that application data and metrics can be taken advantage of to create effective defenses for web applications today. We’ll outline the fundamental classes of web application security mechanisms and once an understanding of the domain is established, we’ll explore several specific examples that outline how Etsy’s security team uses metrics, analytics and big data every day to solve hard, interesting problems and create a safer experience for millions of users all over the world.

Mike Arpaia

August 30, 2013
Transcript

  1. Disk Performance [chart: capacity in GB, 1998 to 2008]
  2. Disk Performance [chart: capacity in GB and transfer rate in GB/s, 1998 to 2008]
  3. Let’s add disks! [chart: seconds it takes to read 1 TB of data at 1 GB/s; x-axis 1 to 10]
  4. Real-time event monitoring and alerting
     - Events that trigger immediate response
     - You always query the same data and you do it often
  5. Ad-hoc analysis of a large dataset
     - Driven by an event or incident
     - You’re not going to do it more than once
     - Needs to be fast
  6. - Gather data to create reactive security mechanisms
     - Gather data to create proactive security mechanisms
     - Directly create a new proactive security mechanism
     - Perform incident response
  7. - Gather data to create reactive security mechanisms
     - Gather data to create proactive security mechanisms
     - Directly create a new proactive security mechanism
     - Perform incident response
  8. - Gather data to create reactive security mechanisms
     - Gather data to create proactive security mechanisms
     - Directly create new proactive security mechanisms
     - Perform incident response
  9. - Gather data to create reactive security mechanisms
     - Gather data to create proactive security mechanisms
     - Directly create new proactive security mechanisms
     - Perform incident response
  10. 

      ```ruby
      analytics_cascade do
        analytics_flow do
          analytics_source 'event_logs'
          tap_db_snapshot 'users_index'

          # Count logged events per user and URL scheme.
          assembly 'event_logs' do
            group_by 'user_id', 'scheme' do
              count 'value'
            end
          end

          # Keep only the user id and the seller flag from the users index.
          assembly 'users_index' do
            project 'user_id', 'is_seller'
          end

          # Count traffic by seller status and scheme.
          assembly 'ssl_traffic' do
            project 'user_id', 'is_seller', 'scheme', 'value'
            group_by 'is_seller', 'scheme' do
              count 'value'
            end
          end

          analytics_sink 'ssl_traffic'
        end
      end
      ```
  11. 

      ```ruby
      analytics_cascade do
        analytics_flow do
          analytics_source 'access_logs'

          assembly 'incident_response' do
            query_event 'timestamp', 'request_uri', 'useragent', 'ip'
            # Keep only requests for the URL under investigation.
            where '"/bad_url.php".equals(request_uri:string)'
            group_by 'url' do
              count 'value'
            end
          end

          analytics_sink 'incident_response'
        end
      end
      ```
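
The ad-hoc incident-response query from slide 11, as an added plain-Ruby example that is not from the talk or Etsy's code: it runs the same filter-and-count over a handful of constructed access-log lines and reports who requested the URL, when, and with which status codes. Assumptions: Apache combined log format; the names `parse_line`, `hits_for` and `SAMPLE_LOG` are hypothetical; unlike the slide's exact `equals`, the match ignores the query string.

```ruby
require 'time'

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [30/Aug/2013:10:01:02 +0000] "GET /bad_url.php HTTP/1.1" 200 512 "-" "curl/7.30.0"
  203.0.113.7 - - [30/Aug/2013:10:01:09 +0000] "POST /bad_url.php?x=1 HTTP/1.1" 200 498 "-" "curl/7.30.0"
  198.51.100.23 - - [30/Aug/2013:10:02:44 +0000] "GET /listing/42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
  198.51.100.23 - - [30/Aug/2013:10:05:00 +0000] "GET /bad_url.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
  this line is truncated garbage
LOG

# Assumed layout: ip ident user [time] "method uri proto" status bytes "referer" "useragent"
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<uri>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/

# Parse one line into the fields the slide's query selects; nil if malformed.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[:ip], useragent: m[:ua], request_uri: m[:uri], status: m[:status].to_i,
    timestamp: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z') }
end

# Count requests for `path` per (ip, useragent), with first/last seen and statuses.
def hits_for(log_text, path)
  summary = Hash.new { |h, k| h[k] = { count: 0, first: nil, last: nil, statuses: Hash.new(0) } }
  skipped = 0
  log_text.each_line do |line|
    ev = parse_line(line.chomp)
    unless ev
      skipped += 1 # report unparseable lines instead of silently dropping them
      next
    end
    next unless ev[:request_uri].split('?', 2).first == path
    s = summary[[ev[:ip], ev[:useragent]]]
    s[:count] += 1
    s[:statuses][ev[:status]] += 1
    s[:first] = ev[:timestamp] if s[:first].nil? || ev[:timestamp] < s[:first]
    s[:last]  = ev[:timestamp] if s[:last].nil?  || ev[:timestamp] > s[:last]
  end
  [summary, skipped]
end

if __FILE__ == $PROGRAM_NAME
  summary, skipped = hits_for(SAMPLE_LOG, '/bad_url.php')
  summary.sort_by { |_, s| -s[:count] }.each do |(ip, ua), s|
    puts "#{ip} #{ua.inspect} hits=#{s[:count]} statuses=#{s[:statuses]} #{s[:first].utc.iso8601}..#{s[:last].utc.iso8601}"
  end
  puts "skipped #{skipped} malformed line(s)"
end
```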