Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Putting your robots to work: Security Automatio...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Neil Matatall
September 12, 2014
Programming
2
190
Putting your robots to work: Security Automation @Twitter
This talk introduces @SADB, the security automation dashboard.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
140
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
130
Automatic Application Security v2
oreoshake
0
150
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
160
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
Basic Architectures
denyspoltorak
0
650
高速開発のためのコード整理術
sutetotanuki
1
370
AI時代の認知負荷との向き合い方
optfit
0
130
2年のAppleウォレットパス開発の振り返り
muno92
PRO
0
200
今から始めるClaude Code超入門
448jp
7
8k
KIKI_MBSD Cybersecurity Challenges 2025
ikema
0
1.3k
コントリビューターによるDenoのすゝめ / Deno Recommendations by a Contributor
petamoriken
0
200
Implementation Patterns
denyspoltorak
0
270
Fragmented Architectures
denyspoltorak
0
140
Rust 製のコードエディタ “Zed” を使ってみた
nearme_tech
PRO
0
110
CSC307 Lecture 05
javiergs
PRO
0
490
CSC307 Lecture 04
javiergs
PRO
0
650
Featured
See All Featured
New Earth Scene 8
popppiees
1
1.5k
How to build a perfect <img>
jonoalderson
1
4.9k
Unsuck your backbone
ammeep
671
58k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.6k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
54k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
110
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.2k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.3k
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
52
Transcript
@salesforce April 23, 2013 Putting Your Robots to Work Security
Automation at Twitter
@salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the
right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs
as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from
many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people
prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people
help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb
work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it
tailored
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
tasks Code review External reports Pen testing
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security
tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your
robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation
Dashboard (SADB)
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source
Static analysis for Ruby on Rails ! brakemanscanner.org
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code
Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos
+ Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Warning message
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning When warning first reported
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code location, link to repo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code snippet
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Rails-specific information Help people help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning False positive report button Let people prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive
forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS
Analyze from many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP
is not trivial
@salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict
Transport Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options
! X-Xss-Protection
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate
dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status
page
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all
the things
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs
to be reviewed Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey
thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in
this presentation
SiteGround - Reliable hosting with speed, security, and support you can count on.
oreoshake
denyspoltorak
sutetotanuki
optfit
muno92
448jp
ikema
petamoriken
nearme_tech
javiergs
popppiees
jonoalderson
ammeep
afnizarnur
jlugia
philnash
destraynor
morganepeng
mkilby
irinanazarova
palkan
marketingsoph
