Putting your robots to work: security automation at Twitter

Transcript

1. #appsecusa #sadb October 25, 2012 Putting Your Robots to Work

   Security Automation at Twitter Sunday, October 28, 12

2. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef The future Sunday,

   October 28, 12

3. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

4. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

5. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

6. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

7. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

8. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

9. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

   12

10. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

11. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

12. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

13. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

14. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Philosophical Guidelines Sunday,

    October 28, 12

15. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Get the right

    information to the right people Sunday, October 28, 12

16. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Find bugs as

    quickly as possible Sunday, October 28, 12

17. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Don't repeat your

    mistakes Sunday, October 28, 12

18. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Analyze from many

    angles Sunday, October 28, 12

19. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Let people prove

    you wrong Sunday, October 28, 12

20. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Help people help

    themselves Sunday, October 28, 12

21. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Automate dumb work

    Sunday, October 28, 12

22. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Keep it tailored

    Sunday, October 28, 12

23. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Automating Security Sunday,

    October 28, 12

24. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Manual security tasks

    Code review External reports Pen testing Sunday, October 28, 12

25. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Automated security tasks

    Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP Sunday, October 28, 12

26. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Manual security workflow

    Run tool Wait for it... Interpret reports Fix stuff Sunday, October 28, 12

27. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Manual security workflow

    Run tool Wait for it... Interpret reports Fix stuff Repeat Sunday, October 28, 12

28. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Put your robots

    to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Sunday, October 28, 12

29. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Put your robots

    to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work Sunday, October 28, 12

30. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef After automation Sunday,

    October 28, 12

31. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Jenkins CI Sunday,

    October 28, 12

32. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Security Automation Dashboard

    (SADB) Sunday, October 28, 12

33. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

34. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

35. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Static analysis for

    Ruby on Rails Sunday, October 28, 12

36. Since AppSecUSA 2011 0.8.0 1.8.2 25 releases 10 contributors 752

    files changed 60,102 insertions 34,869 deletions #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Since AppSecUSA 2011 Sunday, October 28, 12

37. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

38. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

39. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

40. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

41. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

42. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

43. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Sunday, October 28, 12

44. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Sunday, October 28, 12

45. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Write Code Run

    Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible Sunday, October 28, 12

46. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Sunday, October 28, 12

47. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Push Code Sunday, October 28, 12

48. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Pull Code Sunday, October 28, 12

49. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Send Report Sunday, October 28, 12

50. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Send Email Sunday, October 28, 12

51. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Developer Mesos +

    Brakeman Code Repository SADB Send Email Get the right information to the right people Sunday, October 28, 12

52. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Historical trends Sunday,

    October 28, 12

53. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Historical trends Twitter

    starts using Brakeman Sunday, October 28, 12

54. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Historical trends Brakeman

    1.6.1 Sunday, October 28, 12

55. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Historical trends Brakeman

    1.7.0 Sunday, October 28, 12

56. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Reports Sunday, October

    28, 12

57. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning Warning message Sunday, October 28, 12

58. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning When warning first reported Sunday, October 28, 12

59. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning Code location, link to repo Sunday, October 28, 12

60. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning Code snippet Sunday, October 28, 12

61. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning Rails-specific information Sunday, October 28, 12

62. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning Rails-specific information Help people help themselves Sunday, October 28, 12

63. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning False positive report button Sunday, October 28, 12

64. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Anatomy of a

    warning False positive report button Let people prove you wrong Sunday, October 28, 12

65. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

66. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

67. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef What does it

    look for? Sunday, October 28, 12

68. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Mixed-content What does

    it look for? Sunday, October 28, 12

69. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Mixed-content Sensitive forms

    posting over HTTP What does it look for? Sunday, October 28, 12

70. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Mixed-content Sensitive forms

    posting over HTTP Old, vulnerable versions of jQuery What does it look for? Sunday, October 28, 12

71. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Mixed-content Sensitive forms

    posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for? Sunday, October 28, 12

72. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

73. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Don't repeat your

    mistakes Sunday, October 28, 12

74. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

75. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

76. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

77. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

78. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

79. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Phantom-gang 2.0 Sunday,

    October 28, 12

80. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

81. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Detecting XSS Sunday,

    October 28, 12

82. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Detecting XSS Analyze

    from many angles Sunday, October 28, 12

83. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

84. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

85. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef HTTP Strict Transport

    Security Sunday, October 28, 12

86. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef X-Frame-Options Sunday, October

    28, 12

87. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef X-Xss-Protection X-Content-Type-Options X-Xss-Protection

    Sunday, October 28, 12

88. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Sunday, October 28,

    12

89. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Automate dumb work

    Sunday, October 28, 12

90. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

91. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef ThreatDeck Sunday, October

    28, 12

92. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef CSP Brakeman ThreatDeck

    Phantom Gang Roshambo Email developers Email security Sunday, October 28, 12

93. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Review all the

    things Sunday, October 28, 12

94. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Ro-Sham-Bo Sunday, October

    28, 12

95. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Our journey thus

    far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications Sunday, October 28, 12

96. #appsecusa #sadb @nilematotle | @alsmola | @presidentbeef Tools in this

    presentation Sunday, October 28, 12