Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Putting your robots to work: Security Automation @Twitter

E0fdc1036537c1308400fc8ba6e987b0?s=47 Neil Matatall
September 12, 2014
Programming
2
160

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

E0fdc1036537c1308400fc8ba6e987b0?s=128

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
95
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
85
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
82
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
150
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
100
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
110
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
3
960

Other Decks in Programming

See All in Programming
06753262e041911692e9a771b1877036?s=48 chinen
0
630
Bd7bd8f154dbbbdc40af37d59baec53b?s=48 marushosummers
0
740
7437b838338581b08ca72340b05475b9?s=48 abt
0
220
9fdb3aa57e5fb99b3772976b0b903e53?s=48 chikuwait
8
1.8k
B05baacb6000fe55fe558ce75aa9bc74?s=48 jdkfx
0
110
4c76f001e0a3d59cc5a269df70940dfd?s=48 lmcinnes
0
210
7afd74181738991f61d6061562ff419d?s=48 hitsuji_haneta
2
660
Ab1b72230a5b6ddc97322af27ad91618?s=48 ohayoukenchan
0
410
8d7983d03db1fb756ccdbcbf7b760f98?s=48 yamada1826
0
210
B311713ff6de02a7b88c2e9f63d2ea45?s=48 mcavaliere
0
180
4578d99b560b2a470e05288ef6766ac2?s=48 paulk
5
2.1k
Aa5b922fefbf18bea89972521971dfea?s=48 yoshikiiida
20
7.8k

Featured

See All Featured
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
177
7.9k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
82
4.3k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
55
4.6k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.1k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
43
4.8k
245cee81a9c424266e5e401d844ea881?s=48 lara
594
61k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
117
26k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
777
200k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
372
43k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
104
11k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
85
5k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
403
20k

Transcript

  1. @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter

  2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

  13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

  14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

  16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

  17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

  18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

  19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

  20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

  22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

  23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

  24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

  25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

  26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

  29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

  32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

  33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

  34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

  35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

  36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

  38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

  39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

  40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

  41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

  42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

  43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

  47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

  48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

  53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

  57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

  58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

  60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

  62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

  63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

  66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

  67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

  70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

  71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation