
Putting your robots to work: security automation at Twitter

SADB: The security automation dashboard. A centralized source of information for known issues in our web applications. An aggregation of static analysis, dynamic analysis, and other tools to help protect our users.


Neil Matatall

October 28, 2012


Transcript

  1. #appsecusa #sadb October 25, 2012 Putting Your Robots to Work: Security Automation at Twitter (Sunday, October 28, 12)
  2. @nilematotle | @alsmola | @presidentbeef Get the right information to the right people
  3. Manual security tasks: Code review, External reports, Pen testing
  4. Automated security tasks: Code review, External reports, Pen testing, Static analysis tools, Dynamic analysis tools, CSP
  5-6. Manual security workflow: Run tool, Wait for it..., Interpret reports, Fix stuff, Repeat
  7-8. Put your robots to work! Code committed, Run dynamic tools, Run static analysis tools, Gather reports, Issue notifications. Automate dumb work
  9-10. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  11. Since AppSecUSA 2011: 0.8.0 to 1.8.2, 25 releases, 10 contributors, 752 files changed, 60,102 insertions, 34,869 deletions
  12-20. Write Code, Run Tests, Commit Code, Push to CI, Code Review, QA, Deploy Code. Brakeman can run anytime. Save Code. Find bugs as quickly as possible
  21-26. Developer, Mesos + Brakeman, Code Repository, SADB: Push Code, Pull Code, Send Report, Send Email. Get the right information to the right people
  27-33. Anatomy of a warning: Warning message; When warning first reported; Code location, link to repo; Rails-specific information (Help people help themselves); False positive report button (Let people prove you wrong)
  34. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  35-37. What does it look for? Mixed-content; Sensitive forms posting over HTTP; Old, vulnerable versions of jQuery; Forms without authenticity tokens
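The four checks listed on slides 35-37, as an added example that is not part of this deck or of Twitter's Phantom Gang code: a standard-library HTML auditor that flags each of them on a constructed sample page. The jQuery version floor, the hostnames and the assumption that the audited page itself is served over HTTPS are all mine, not the deck's.

```python
from html.parser import HTMLParser
import re

MIN_JQUERY = (1, 9, 0)  # assumed floor for "old" jQuery; the deck names no version
JQUERY_RE = re.compile(r"jquery[-.](\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)

class PageAuditor(HTMLParser):
    """Walks one HTML page (assumed to be served over HTTPS) and records findings."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # attributes of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = (a.get("src") if tag != "link" else a.get("href")) or ""
        if tag in ("script", "img", "iframe", "link") and src.lower().startswith("http://"):
            self.findings.append(("mixed-content", src))  # plain-HTTP subresource
        m = JQUERY_RE.search(src) if tag == "script" else None
        if m and tuple(int(x or 0) for x in m.groups()) < MIN_JQUERY:
            self.findings.append(("old-jquery", src))
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                          "sensitive": False, "token": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["sensitive"] = True  # form carries a credential
            if a.get("name") == "authenticity_token":
                self._form["token"] = True  # Rails CSRF token present

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f, self._form = self._form, None
            if f["sensitive"] and f["action"].lower().startswith("http://"):
                self.findings.append(("sensitive-form-over-http", f["action"]))
            if f["method"] == "post" and not f["token"]:
                self.findings.append(("form-without-authenticity-token", f["action"]))

def audit(html):
    """Return the list of (finding, location) pairs for one page."""
    p = PageAuditor()
    p.feed(html)
    return p.findings

# Constructed sample page containing one instance of each problem.
SAMPLE = """<html><head>
<script src="http://cdn.example.test/jquery-1.4.2.min.js"></script><script src="https://cdn.example.test/app.js"></script></head><body>
<form action="http://example.test/login" method="post">
<input type="text" name="user"><input type="password" name="pw"></form>
<form action="/search" method="get"><input name="q"></form>
<form action="/comment" method="post"><input name="body"></form></body></html>"""
```

Running `audit(SAMPLE)` yields five findings, which in the deck's pipeline would be the report handed to SADB for notification.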
  38-40. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  41. Our journey thus far: Manual tasks, Low visibility, Late problem discovery; Automated tasks, Trends and reports, Automatic notifications