Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Putting your robots to work: Security Automatio...
Search
Neil Matatall
September 12, 2014
Programming
2
180
Putting your robots to work: Security Automation @Twitter
This talk introduces @SADB, the security automation dashboard.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
120
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
160
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
株式会社 Sun terras カンパニーデック
sunterras
0
270
Django Ninja による API 開発効率化とリプレースの実践
kashewnuts
0
1.3k
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
240
技術的負債の正体を知って向き合う / Facing Technical Debt
irof
0
150
Server Side Kotlin Meetup vol.16: 内部動作を理解して ハイパフォーマンスなサーバサイド Kotlin アプリケーションを書こう
ternbusty
2
170
Flutterで分数(Fraction)を表示する方法
koukimiura
0
130
Devvox Belgium - Agentic AI Patterns
kdubois
1
110
SpecKitでどこまでできる? コストはどれくらい?
leveragestech
0
680
Swift Concurrency - 状態監視の罠
objectiveaudio
2
510
どの様にAIエージェントと 協業すべきだったのか?
takefumiyoshii
2
640
アメ車でサンノゼを走ってきたよ!
s_shimotori
0
220
What's new in Spring Modulith?
olivergierke
1
140
Featured
See All Featured
The World Runs on Bad Software
bkeepers
PRO
71
11k
Bash Introduction
62gerente
615
210k
Testing 201, or: Great Expectations
jmmastey
45
7.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.5k
YesSQL, Process and Tooling at Scale
rocio
173
14k
The Straight Up "How To Draw Better" Workshop
denniskardys
237
140k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
900
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
Being A Developer After 40
akosma
91
590k
How STYLIGHT went responsive
nonsquared
100
5.8k
Transcript
@salesforce April 23, 2013 Putting Your Robots to Work Security
Automation at Twitter
@salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the
right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs
as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from
many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people
prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people
help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb
work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it
tailored
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
tasks Code review External reports Pen testing
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security
tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your
robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation
Dashboard (SADB)
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source
Static analysis for Ruby on Rails ! brakemanscanner.org
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code
Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos
+ Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Warning message
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning When warning first reported
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code location, link to repo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code snippet
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Rails-specific information Help people help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning False positive report button Let people prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive
forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS
Analyze from many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP
is not trivial
@salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict
Transport Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options
! X-Xss-Protection
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate
dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status
page
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all
the things
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs
to be reviewed Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey
thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in
this presentation
oreoshake
sunterras
kashewnuts
ivargrimstad
irof
ternbusty
koukimiura
.jpg){kind=avatar}
kdubois
leveragestech
objectiveaudio
takefumiyoshii
s_shimotori
olivergierke
bkeepers
62gerente
jmmastey
kastner
marktimemedia
rocio
denniskardys
hatefulcrawdad
addyosmani
eileencodes
akosma
nonsquared
