Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Putting your robots to work: Security Automatio...

Neil Matatall
September 12, 2014
Programming
2
180

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
120
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
240
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
160
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
サービスレベルを管理してアジャイルを加速しよう!! / slm-accelerate-agility
tomoyakitaura
1
170
ベクトル検索システムの気持ち
monochromegane
31
9.9k
AIコードエディタの基盤となるLLMのFlutter性能評価
alquist4121
0
200
AI Coding Agent Enablement - エージェントを自走させよう
yukukotani
13
5.8k
MCP調べてみました! / Exploring MCP
uhzz
2
2.2k
SQL Server ベクトル検索
odashinsuke
0
170
海外のアプリで見かけたかっこいいTransitionを真似てみる
shogotakasaki
1
160
PHPで書いたAPIをGoに書き換えてみた 〜パフォーマンス改善の可能性を探る実験レポート〜
koguuum
0
140
Devin入門と最近のアップデートから見るDevinの進化 / Introduction to Devin and the Evolution of Devin as Seen in Recent Update
rkaga
9
4.8k
RuboCop: Modularity and AST Insights
koic
0
110
[NG India] Event-Based State Management with NgRx SignalStore
markostanimirovic
1
110
Defying Front-End Inertia: Inertia.js on Rails
skryukov
0
460

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
2.9k
Practical Orchestrator
shlominoach
186
10k
Into the Great Unknown - MozCon
thekraken
37
1.7k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
520
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
Why Our Code Smells
bkeepers
PRO
336
57k
Automating Front-end Workflow
addyosmani
1369
200k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Music & Morning Musume
bryan
47
6.5k
Faster Mobile Websites
deanohume
306
31k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
41
2.2k

Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter

  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

  13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

  14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

  16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

  17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

  18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

  19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

  20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

  22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

  23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

  24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

  25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

  26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

  29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

  32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

  33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

  34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

  35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

  36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

  38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

  39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

  40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

  41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

  42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

  43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

  47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

  53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

  57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

  58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

  60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

  62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

  63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

  67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

  70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

  71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation