Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Putting your robots to work: Security Automatio...

Neil Matatall
September 12, 2014
Programming
2
170

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
120
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
110
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
240
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
150
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
カンファレンス動画鑑賞会のススメ / Osaka.swift #1
hironytic
0
170
Azure AI Foundryのご紹介
qt_luigi
1
210
php-conference-japan-2024
tasuku43
0
430
アクターシステムに頼らずEvent Sourcingする方法について
j5ik2o
6
700
ATDDで素早く安定した デリバリを実現しよう!
tonnsama
1
1.9k
ASP.NET Core の OpenAPIサポート
h455h1
0
120
ゼロからの、レトロゲームエンジンの作り方
tokujiros
3
1.1k
どうして手を動かすよりもチーム内のコードレビューを優先するべきなのか
okashoi
3
870
shadcn/uiを使ってReactでの開発を加速させよう!
lef237
0
300
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
940
BEエンジニアがFEの業務をできるようになるまでにやったこと
yoshida_ryushin
0
200
快速入門可觀測性
blueswen
0
500

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Statistics for Hackers
jakevdp
797
220k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Fashionably flexible responsive web design (full day workshop)
malarkey
406
66k
Building an army of robots
kneath
302
45k
Making Projects Easy
brettharned
116
6k
Building Your Own Lightsaber
phodgson
104
6.2k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
960
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k

Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter

  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

  13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

  14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

  16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

  17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

  18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

  19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

  20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

  22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

  23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

  24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

  25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

  26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

  29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

  32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

  33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

  34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

  35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

  36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

  38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

  39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

  40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

  41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

  42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

  43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

  47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

  53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

  57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

  58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

  60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

  62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

  63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

  67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

  70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

  71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation