Putting your robots to work: Security Automation @Twitter

Transcript

1. @salesforce April 23, 2013 Putting Your Robots to Work Security

   Automation at Twitter

2. @salesforce April 2013 @alsmola | @ndm | @presidentbeef The future

3. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

4. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

5. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

6. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

7. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

8. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

9. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

10. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

11. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines

12. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the

    right information to the right people

13. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs

    as quickly as possible

14. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

15. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from

    many angles

16. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people

    prove you wrong

17. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people

    help themselves

18. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb

    work

19. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it

    tailored

20. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security

21. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    tasks Code review External reports Pen testing

22. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security

    tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP

23. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff

24. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security

    workflow Run tool Wait for it... Interpret reports Fix stuff Repeat

25. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your

    robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work

26. @salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation

27. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI

28. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation

    Dashboard (SADB)

29. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

30. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

31. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source

    Static analysis for Ruby on Rails ! brakemanscanner.org

32. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code

    Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible

33. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos

    + Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people

34. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    2007 2008 2009 2010 2011 2012 2013

35. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends

    Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013

36. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports

37. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Warning message

38. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning When warning first reported

39. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code location, link to repo

40. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Code snippet

41. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning Rails-specific information Help people help themselves

42. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of

    a warning False positive report button Let people prove you wrong

43. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

44. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

45. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

46. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive

    forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?

47. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat

    your mistakes

48. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

49. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0

50. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

51. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

52. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS

    Analyze from many angles

53. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

54. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

55. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

56. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP

    is not trivial

57. @salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict

    Transport Security

58. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options

59. @salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options

    ! X-Xss-Protection

60. @salesforce April 2013 @alsmola | @ndm | @presidentbeef

61. @salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate

    dumb work

62. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status

    page

63. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

64. @salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck

65. @salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman

    ThreatDeck Phantom Gang Roshambo Email developers Email security

66. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all

    the things

67. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

68. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo

69. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs

    to be reviewed Automate dumb work

70. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey

    thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications

71. @salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in

    this presentation