Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Putting your robots to work: Security Automatio...

Neil Matatall
September 12, 2014
Programming
2
170

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
120
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
110
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
240
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
150
BSidesLA Managing Content Security Policy
oreoshake
3
1k

Other Decks in Programming

See All in Programming
役立つログに取り組もう
irof
28
9.6k
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
最新TCAキャッチアップ
0si43
0
140
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
520
イベント駆動で成長して委員会
happymana
1
320
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
230
Contemporary Test Cases
maaretp
0
130
EventSourcingの理想と現実
wenas
6
2.3k
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
C++でシェーダを書く
fadis
6
4.1k
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
870
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
A better future with KSS
kneath
238
17k
What's new in Ruby 2.0
geeforr
343
31k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
How STYLIGHT went responsive
nonsquared
95
5.2k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k

Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter

  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

  13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

  14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

  16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

  17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

  18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

  19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

  20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

  22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

  23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

  24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

  25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

  26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

  29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

  32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

  33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

  34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

  35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

  36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

  38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

  39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

  40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

  41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

  42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

  43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

  47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

  53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

  57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

  58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

  60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

  62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

  63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

  67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

  70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

  71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation