Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Putting your robots to work: Security Automatio...

Neil Matatall
September 12, 2014
Programming
2
170

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
120
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
110
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
240
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
150
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
アクターシステムに頼らずEvent Sourcingする方法について
j5ik2o
4
220
HTTP compression in PHP and Symfony apps
dunglas
2
1.7k
LLM Supervised Fine-tuningの理論と実践
datanalyticslabo
3
1.1k
useSyncExternalStoreを使いまくる
ssssota
6
1k
fs2-io を試してたらバグを見つけて直した話
chencmd
0
220
モバイルアプリにおける自動テストの導入戦略
ostk0069
0
110
クリエイティブコーディングとRuby学習 / Creative Coding and Learning Ruby
chobishiba
0
3.9k
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
300
快速入門可觀測性
blueswen
0
340
急成長期の品質とスピードを両立するフロントエンド技術基盤
soarteclab
0
930
CQRS+ES の力を使って効果を感じる / Feel the effects of using the power of CQRS+ES
seike460
PRO
0
120
あれやってみてー駆動から成長を加速させる / areyattemite-driven
nashiusagi
1
200

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
133
9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
BBQ
matthewcrist
85
9.4k
How STYLIGHT went responsive
nonsquared
95
5.2k
What's in a price? How to price your products and services
michaelherold
243
12k
The Cost Of JavaScript in 2023
addyosmani
45
7k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
48
2.2k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
The Pragmatic Product Professional
lauravandoore
32
6.3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k

Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter

  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

  13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

  14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

  16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

  17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

  18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

  19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

  20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

  22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

  23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

  24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

  25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

  26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

  29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

  32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

  33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

  34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

  35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

  36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

  38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

  39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

  40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

  41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

  42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

  43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

  47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

  53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

  57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

  58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

  60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

  62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

  63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

  67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

  70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

  71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation