Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Putting your robots to work: Security Automatio...
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Neil Matatall
September 12, 2014
Programming
190
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Putting your robots to work: Security Automation @Twitter
This talk introduces @SADB, the security automation dashboard.
Neil Matatall
September 12, 2014
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
150
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
130
Automatic Application Security v2
oreoshake
0
160
JRubyFX For Web Developers
oreoshake
0
260
Automatic Application Security
oreoshake
0
170
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
170
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
代数的データ型って何が嬉しいの? #frontend_phpcon_do
kajitack
8
3.8k
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
yukukotani
3
4.6k
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
220
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
190
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
1
440
気圧・高度・GPSを記録&可視化するアプリ「Koudo」を作った話
hjmkth
1
320
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
Contextとはなにか
chiroruxx
1
370
技術的負債解消で開発者の未来を開く- AIの力でコード刷新
kmd2kmd
0
120
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
terryu16
0
270
Webフレームワークの ベンチマークについて
yusukebe
0
180
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.3k
Featured
See All Featured
Google's AI Overviews - The New Search
badams
0
1k
Mind Mapping
helmedeiros
PRO
1
260
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
Utilizing Notion as your number one productivity tool
mfonobong
4
330
It's Worth the Effort
3n
188
29k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
The untapped power of vector embeddings
frankvandijk
2
1.8k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
Un-Boring Meetings
codingconduct
0
320
Statistics for Hackers
jakevdp
799
230k
Design in an AI World
tapps
1
250
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Transcript
@salesforce April 23, 2013 Putting Your Robots to Work Security
Automation at Twitter
@salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the
right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs
as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from
many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people
prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people
help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb
work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it
tailored
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
tasks Code review External reports Pen testing
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security
tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your
robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation
Dashboard (SADB)
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source
Static analysis for Ruby on Rails ! brakemanscanner.org
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code
Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos
+ Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Warning message
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning When warning first reported
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code location, link to repo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code snippet
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Rails-specific information Help people help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning False positive report button Let people prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive
forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS
Analyze from many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP
is not trivial
@salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict
Transport Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options
! X-Xss-Protection
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate
dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status
page
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all
the things
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs
to be reviewed Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey
thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in
this presentation