GitHub AppSec: Keeping up with 111 prolific engineers

Transcript

1. GitHub a p p s e c - Started 2

   years ago - had fun pwning shit for a month - doesn’t scale

2. Ben Toews

3. 0b 95 ce 8e d9 5a f4 08 55 6d

   75 d9 8d cd 29 45 cd 26 6d 37 b9 fb 3b 5c 77 9d cd 9a 73 9b 5c 48 19 25 3e 60 d3 96 6c ee a3 26 e5 9b 34 4c 9d 6d c3 3a 99 86 97 8b 1e 3b 3a 3e ea 57 9d ed 37 15 8d 8b e0 0a 34 b3 bc ab c5 ac 1f b0 f4 99 ac 7f bb 1c 8e 3c 08 ef 73 45 33 e3 4b da 2e a5 95 6c a0 d3 dd 03 78 17 d0 b5 16 9e 1a 6c ec 6d 3b b6 ad d5 02 86 a6 06 f3 b8 00 48 15 eb 68 e3 53 83 75 c2 7d 93 d5 be b9 8d a2 9b 6e e3 04 d5 33 e1 95 ef a3 3a 77 8c f0 6e 51 8f 70 94 c6 7d 31 e6 30 d9 dc b6 69 d8 22 28 6a bb 15 48 99 50 35 30 b4 98 79 e0 12 2c 9e ee 67 cb 54 aa 8c c1 dc f7 a1 8a a8 7e bd d6 12 f6 52 8a 03 79 c7 04 6f b4 c7 fa 09 d7 94 41 cf 9d ae bf 7a ce a6 2f 0d a2 14 8d 79 f9 90 c6 84 04 3d 8a af 2b 5d 82 c0 76 ac 10 fe 09 89 fa 23 7b 5c e2 5f f6 65 18 06 44 26 18 29 63 30 1c dd 7d 0e c8 58 61 f5 a6 2d 09 c0 cb ef 4f 17 19 23 9a f9 c9 53 2f a5 24 ea 27 3e 85 2c 53 64 b6 ff 07 33 68 64 95 56 e1 86 70 c2 4a 2f 9d 6e 54 46 9f c1 06 21 c6 24 bc e2 25 4e 7c 40 cc be 54 16 40 b7 73 bd 13 f8 f1 ba 50 7a 93 cf 5b 35 62 c2 f7 52 05 78 f0 0d d8 7f 67 5f 5f 2d 2e cb bd 1b 94 2d 3c 60 78 21 ad 32 74 ed e9 e9 6f fa 1f 24 a4 09 72 ee b1 23 ea 85 35 21 f9 72 2b f4 09 0c e6 fa b5 d6 4f 3e d0 47 11 ae 6f 73 03 65 cc ab 93 73 60 5c 72 10 93 be f8 f5 f1 a8 4c 86 34 e1 96 51 6b b7 94 ec 7f ba 76 3b 43 ba 8e 13 a8 13 57 09 89 fc 60 ee af 88 d8 06 0e 5d ed 59 66 0f c1 92 49 78 75 5e 54 0b ed e1 3f ac f1 ba 3e 25 e4 2e de b1 23 2f ae dc a1 df d0 7b 9a 54 e3 f6 2d 3f 05 cb e1 a5 cb af 73 b2 b9 be 87 75 df 5a 9c 3a 42 80 5f e0 e0 18 a2 81 4e e5 02 94 b4 74 0b a1 4c d8 d7 bb 7c b6 80 e5 46 ea 50 e8 ca 2a 0e 81 38 b5 c1 f3 fe 88 be f1 2a 66 d1 ac f1 9e b3 72 0f 55 b7 d4 1e c0 94 e5 c4 59 72 09 37 16 b4 de b3 97 e7 f1 c5 9f 50 ac 05 74 1d 6d 6d e4 56 b6 1c ee 2e 14 01 e7 3b d6 44 11 16 c7 39 ff 73 e4 cd 05 ee 64 77 cd 12 80 a3 63 69 a0 07 0c d3 96 ce 0a 20 fa 47 67 9d 1c 7f f0 3c ff 9f 95 c6 c0 fe db ea 2b 2d b3 77 7e e0 d2 fd 85 1a c4 a7 4e 6d 0f ef 17 e8 da da 2c 3e f4 66 11 34 26 7a db cb b5 35 5a 2b a2 1b fa d6 d1 ff f0 cd 81 cb 68 a9 55 78 ae d5 2a 0b cb 20 8f 43 0a 0a 38 50 19 63 3a 34 93 a1 4c 13 a2 3d aa 07 d0 11 ee 10 38 10 f3 79 8d 04 b4 c3 f1 48 52 2d cb 59 e8 9f 87 9d d5 3b 10 ae af 78 77 e4 8d 6d 10 5a e8 b1 f2 bf 69 3e 43 7e 92 f7 72 ef 57 b2 75 ff 2e 94 2f bc ce 22 b5 2c 55 a1 1c 5a a9 08 7e dd 37 f9 95 4c fb 2d b0 d7 9d 96 a9 ab 4e 84 10 93 98 2c 40 f6 7d b6 c3 cd 84 09 e2 ee 6a 35 9e 3a 04 41 42 9f 2a ad 4a ec 22 de 78 b9 2b 9e c0 4d cd 69 29 30 bb 6a d3 43 aa 57 22 70 fc 8a 33 4e 26 e2 26 23 96 43 c8 fa 9d 8f e6 e1 17 f8 12 7e 1b 8b 5d 4f 76 5f 10 aa fa c3 40 f4 9a 4b bc f6 7c b9 47 25 c4 26 46 40 6e f5 23 b4 d2 0d 91 01 44 3d 0f 7c b3 c2 9e 8e 24 53 16 99 94 8b 4e 60 b8 ed d9 1b 6a 58 13 93 70 b5 32 ae 88 1f 34 2f d5 81 b3 d4 41 f9 ae 0b d6 ce 41 0c f2 5a 4b 3a 65 c6 38 e7 18 7c c0 28 ba 0d 56 b6 02 97 ba f0 49 40 bd 66 41 32 fe 15 8f 4e c0 b0 28 15 31 24 64 da 7d 10 f4 c4 9a 4c 97 aa 0b 9d 37 ed 50 5a 64 46 20 0a 50 4f 74 37 38 43 d3 88 44 73 9e b8 0f 410b 95 ce 8e d9 5a f4 08 55 6d 75 d9 8d cd 29 45 cd 26 6d 37 b9 fb 3b 5c 77 9d cd 9a 73 9b 5c 48 19 25 3e 60 d3 96 6c ee a3 26 e5 9b 34 4c 9d 6d c3 3a 99 86 97 8b 1e 3b 3a 3e ea 57 9d ed 37 15 8d 8b e0 0a 34 b3 bc ab c5 ac 1f b0 f4 99 ac 7f bb 1c 8e 3c 08 ef 73 45 33 e3 4b da 2e a5 95 6c a0 d3 dd 03 78 17 lots of code - GitHub writes lots of code - Culture of shipping

4. - That’s just github/github though - Across all repos -

   23089 commits - 3607 pulls stats as of 2014/11/11

5. friction - GitHub culture is very opposed to friction -

   Can’t stop people’s work for security https://www.flickr.com/photos/j-maxx/10312338993/

6. !" - With those limitations in place, how do we

   do appsec?

7. good dev - We start out with the best developers

   - Senior people - We treat them like adults - Always had a culture of security - Leadership cares about security - Devs care about security - We build a culture of trust - We encourage questions and CCs - No formal developer training - We write docs - We defer to devs where they’re the experts - We aren’t afraid of saying “we don’t know” https://www.flickr.com/photos/27147/3210109272

8. #" - Manual code review - People ask us for

   review - Production readiness reviews - Things flagged by static analysis https://www.flickr.com/photos/revamptramp/7418429900

9. #" $$$ - Consultants - Helps to scale manual review

   - Why do it yourself when you can pay someone else 10x to do a worse job - Seriously though, fresh eyes are good - Can hire experts (Golang) for small jobs https://www.flickr.com/photos/revamptramp/7418429900

10. bounty - Bounty Program - January 30, 2014 https://www.flickr.com/photos/sergioavatara/3415238118

11. $46,90o 1605 submissions 51 paid 9 months - Bounty Program

    - January 30, 2014 - 9.3 months - ~600 flagged as spam stats as of 2014/11/11 https://www.flickr.com/photos/sergioavatara/3415238118

12. weeks since launch number of submissions - 2 weeks of

    hell - *totally* worth it

13. they’re coming… - Robots will inherit the earth - Static

    analysis - Sentinel - Brakeman - Regexes - Push hooks - Diffed between commits - Inline diff comments http://www.famouscutouts.com/images/detailed/1/952-K-9.jpg

14. demo - Demo sentinel diff comments http://www.famouscutouts.com/images/detailed/1/952-K-9.jpg

15. security is hard - Review - good devs - manual

    review - static analysis - bug bounty - Decent coverage

16. @mastahyeti - Thanks