Putting your robots to work: Security Automation @Twitter

E0fdc1036537c1308400fc8ba6e987b0?s=47 Neil Matatall
September 12, 2014
Programming
2
140

Putting your robots to work: Security Automation @Twitter

This talk introduces @SADB, the security automation dashboard.

E0fdc1036537c1308400fc8ba6e987b0?s=128

Neil Matatall

September 12, 2014
Tweet

Want more?

E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
87
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
78
E0fdc1036537c1308400fc8ba6e987b0?s=48 oreoshake
0
75
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
7
330
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
200
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
130
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
250
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
5
190
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
280
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
3
510
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
140
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
230

Transcript

  1. 1.

    @salesforce April 23, 2013 Putting Your Robots to Work Security

    Automation at Twitter
  2. 2.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

  3. 3.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  4. 4.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  5. 5.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  6. 6.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  7. 7.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  8. 8.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  9. 9.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  10. 10.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  11. 11.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

  12. 12.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people
  13. 13.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible
  14. 14.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes
  15. 15.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles
  16. 16.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong
  17. 17.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves
  18. 18.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work
  19. 19.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored
  20. 20.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

  21. 21.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing
  22. 22.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
  23. 23.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff
  24. 24.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
  25. 25.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
  26. 26.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

  27. 27.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

  28. 28.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)
  29. 29.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  30. 30.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  31. 31.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org
  32. 32.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
  33. 33.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
  34. 34.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013
  35. 35.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
  36. 36.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

  37. 37.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message
  38. 38.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported
  39. 39.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo
  40. 40.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet
  41. 41.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves
  42. 42.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong
  43. 43.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  44. 44.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  45. 45.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  46. 46.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
  47. 47.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes
  48. 48.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  49. 49.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

  50. 50.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  51. 51.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  52. 52.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles
  53. 53.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  54. 54.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  55. 55.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  56. 56.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial
  57. 57.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security
  58. 58.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

  59. 59.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection
  60. 60.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef

  61. 61.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work
  62. 62.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page
  63. 63.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  64. 64.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

  65. 65.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security
  66. 66.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things
  67. 67.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  68. 68.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

  69. 69.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work
  70. 70.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
  71. 71.

    @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation