
Putting your robots to work: Security Automation @Twitter

Neil Matatall
September 12, 2014


This talk introduces @SADB, the security automation dashboard.


Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work: Security Automation at Twitter
  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
  3. (no text)
  4. (no text)
  5. (no text)
  6. (no text)
  7. (no text)
  8. (no text)
  9. (no text)
  10. (no text)
  11. Philosophical Guidelines
  12. Get the right information to the right people
  13. Find bugs as quickly as possible
  14. Don't repeat your mistakes
  15. Analyze from many angles
  16. Let people prove you wrong
  17. Help people help themselves
  18. Automate dumb work
  19. Keep it tailored
  20. Automating Security
  21. Manual security tasks: code review, external reports, pen testing
  22. Automated security tasks: code review, external reports, pen testing, static analysis tools, dynamic analysis tools, CSP
  23. Manual security workflow: run tool, wait for it..., interpret reports, fix stuff
  24. Manual security workflow: run tool, wait for it..., interpret reports, fix stuff, repeat
  25. Put your robots to work! Code committed, run dynamic tools, run static analysis tools, gather reports, issue notifications (Automate dumb work)
  26. After automation
  27. Jenkins CI
  28. Security Automation Dashboard (SADB)
  29. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  30. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  31. Open Source: static analysis for Ruby on Rails, brakemanscanner.org
  32. Write Code, Run Tests, Commit Code, Push to CI, Code Review, QA, Deploy Code. Brakeman can run anytime. Save Code (Find bugs as quickly as possible)
  33. Developer, Mesos + Brakeman, Code Repository, SADB: Push Code, Pull Code, Send Report, Send Email (Get the right information to the right people)
  34. Historical trends: 2007 2008 2009 2010 2011 2012 2013
  35. Historical trends: Twitter starts using Brakeman (2007 2008 2009 2010 2011 2012 2013)
  36. Reports
  37. Anatomy of a warning: warning message
  38. Anatomy of a warning: when warning first reported
  39. Anatomy of a warning: code location, link to repo
  40. Anatomy of a warning: code snippet
  41. Anatomy of a warning: Rails-specific information (Help people help themselves)
  42. Anatomy of a warning: false positive report button (Let people prove you wrong)
  43. (no text)
  44. (no text)
  45. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  46. What does it look for? Mixed content, sensitive forms posting over HTTP, old vulnerable versions of jQuery, forms without authenticity tokens
  47. Don't repeat your mistakes
  48. (no text)
  49. Phantom-gang 2.0
  50. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  51. (no text)
  52. Detecting XSS (Analyze from many angles)
  53. (no text)
  54. (no text)
  55. (no text)
  56. Implementing CSP is not trivial
  57. HTTP Strict Transport Security
  58. X-Frame-Options
  59. X-Xss-Protection, X-Content-Type-Options
  60. (no text)
  61. SecureHeaders (Automate dumb work)
  62. Header status page
  63. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  64. ThreatDeck
  65. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  66. Review all the things
  67. Ro-Sham-Bo
  68. Ro-Sham-Bo
  69. Ro-Sham-Bo: needs to be reviewed (Automate dumb work)
  70. Our journey thus far. Manual tasks: low visibility, late problem discovery. Automated tasks: trends and reports, automatic notifications
  71. Tools in this presentation
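The deck names the checks its dynamic scanner runs (slide 46: mixed content, sensitive forms posting over HTTP, old jQuery, forms without authenticity tokens) and the response headers SecureHeaders manages and the header status page reports on (slides 56-62). The following is an added example, not code from the talk, from Phantom Gang or from SecureHeaders: a stdlib-only Ruby audit of one captured HTTPS page that turns those bullet points into findings a dashboard could collect. It assumes regex-based HTML parsing (adequate for the constructed sample below, where a real scanner would walk a DOM), treats a form as "sensitive" when it carries a password or card/SSN field, and uses a minimum jQuery version that is an assumed policy threshold rather than a number from the talk.

```ruby
require "rubygems" # Gem::Version is used for version comparison

# Headers the talk names (slides 56-59); SecureHeaders sets these, the status
# page reports which ones a response is missing.
REQUIRED_HEADERS = [
  "Content-Security-Policy",
  "Strict-Transport-Security",
  "X-Frame-Options",
  "X-XSS-Protection",
  "X-Content-Type-Options",
].freeze

# Assumed policy threshold for "old jQuery"; not a figure from the talk.
MIN_JQUERY_VERSION = Gem::Version.new("1.9.0")

# Fields whose presence marks a form as "sensitive" (assumption).
SENSITIVE_FIELDS = /type=["']?password|name=["']?(credit_card|card_number|ssn)/i

def missing_headers(headers)
  present = headers.keys.map(&:downcase)
  REQUIRED_HEADERS.reject { |h| present.include?(h.downcase) }
end

# Mixed content: subresources loaded over plain http:// from an HTTPS page.
def mixed_content(html)
  html.scan(/<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)=["'](http:\/\/[^"']+)["']/i).flatten
end

def forms(html)
  html.scan(/<form\b[^>]*>.*?<\/form>/mi)
end

def form_action(form)
  form[/<form\b[^>]*\baction=["']([^"']*)["']/i, 1]
end

def form_method(form)
  (form[/<form\b[^>]*\bmethod=["']([^"']*)["']/i, 1] || "get").downcase
end

def sensitive_forms_over_http(html)
  forms(html)
    .select { |f| f =~ SENSITIVE_FIELDS && form_action(f).to_s.start_with?("http://") }
    .map { |f| form_action(f) }
end

# Rails only protects non-GET forms with authenticity_token, so GET forms are skipped.
def forms_without_token(html)
  forms(html)
    .select { |f| form_method(f) != "get" && f !~ /name=["']authenticity_token["']/i }
    .map { |f| form_action(f) }
end

def old_jquery(html)
  versions = html.scan(/jquery[-.]?(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js/i).flatten
  versions.select { |v| Gem::Version.new(v) < MIN_JQUERY_VERSION }
end

# One finding string per problem, in the order a report would list them.
def audit_page(headers, html)
  findings = []
  missing_headers(headers).each { |h| findings << "missing header: #{h}" }
  mixed_content(html).each { |u| findings << "mixed content: #{u}" }
  sensitive_forms_over_http(html).each { |a| findings << "sensitive form posts over HTTP: #{a}" }
  forms_without_token(html).each { |a| findings << "form without authenticity token: #{a}" }
  old_jquery(html).each { |v| findings << "old jQuery: #{v}" }
  findings
end

# Constructed sample response (hostnames under .test are placeholders).
SAMPLE_HEADERS = {
  "Content-Type" => "text/html",
  "X-Frame-Options" => "SAMEORIGIN",
  "X-Content-Type-Options" => "nosniff",
}.freeze

SAMPLE_HTML = <<~HTML.freeze
  <html><head>
    <script src="http://cdn.example.test/jquery-1.4.2.min.js"></script>
    <link rel="stylesheet" href="https://static.example.test/app.css">
  </head><body>
    <form action="http://www.example.test/login" method="post">
      <input type="password" name="password">
    </form>
    <form action="https://www.example.test/search" method="get">
      <input type="text" name="q">
    </form>
    <form action="https://www.example.test/profile" method="post">
      <input type="hidden" name="authenticity_token" value="tok">
      <input type="text" name="bio">
    </form>
  </body></html>
HTML

if __FILE__ == $0
  audit_page(SAMPLE_HEADERS, SAMPLE_HTML).each { |f| puts f }
end
```

Run against the sample it reports three missing headers, one mixed-content script, the login form both for posting over HTTP and for lacking a token, and the jQuery version below the threshold; the search form is GET and so is not flagged for a missing token. Each finding is a plain string so that the same function can feed an email to the developer and a row on a dashboard, which is the split the deck draws between "Email developers" and SADB.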