Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Putting your robots to work: Security Automatio...
Search
Neil Matatall
September 12, 2014
Programming
2
180
Putting your robots to work: Security Automation @Twitter
This talk introduces @SADB, the security automation dashboard.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
120
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
160
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
Rails産でないDBを Railsに引っ越すHACK - Omotesando.rb #110
lnit
1
160
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
ivry_presentationmaterials
1
170
イベントストーミングから始めるドメイン駆動設計
jgeem
4
860
CursorはMCPを使った方が良いぞ
taigakono
0
100
Go1.25からのGOMAXPROCS
kuro_kurorrr
1
760
Javaに鉄道指向プログラミング (Railway Oriented Pro gramming) のエッセンスを取り入れる/Bringing the Essence of Railway-Oriented Programming to Java
cocet33000
2
580
機械学習って何? 5分で解説頑張ってみる
kuroneko2828
0
210
ReadMoreTextView
fornewid
1
450
WindowInsetsだってテストしたい
ryunen344
1
190
AIコーディング道場勉強会#2 君(エンジニア)たちはどう生きるか
misakiotb
1
230
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
7
1.3k
A2A プロトコルを試してみる
azukiazusa1
2
610
Featured
See All Featured
Become a Pro
speakerdeck
PRO
28
5.4k
We Have a Design System, Now What?
morganepeng
52
7.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Rebuilding a faster, lazier Slack
samanthasiow
81
9k
Designing for Performance
lara
609
69k
Producing Creativity
orderedlist
PRO
346
40k
Balancing Empowerment & Direction
lara
1
330
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
KATA
mclloyd
29
14k
Scaling GitHub
holman
459
140k
Transcript
@salesforce April 23, 2013 Putting Your Robots to Work Security
Automation at Twitter
@salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the
right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs
as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from
many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people
prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people
help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb
work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it
tailored
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
tasks Code review External reports Pen testing
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security
tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your
robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation
Dashboard (SADB)
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source
Static analysis for Ruby on Rails ! brakemanscanner.org
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code
Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos
+ Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Warning message
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning When warning first reported
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code location, link to repo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code snippet
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Rails-specific information Help people help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning False positive report button Let people prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive
forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS
Analyze from many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP
is not trivial
@salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict
Transport Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options
! X-Xss-Protection
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate
dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status
page
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all
the things
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs
to be reviewed Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey
thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in
this presentation
oreoshake
lnit
ivry_presentationmaterials
jgeem
taigakono
kuro_kurorrr
cocet33000
kuroneko2828
fornewid
ryunen344
misakiotb
tkikuc
azukiazusa1
speakerdeck
morganepeng
samlambert
cassininazir
samanthasiow
lara
orderedlist
sonatard
marcelosomers
mclloyd
holman
