Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Putting your robots to work: Security Automatio...
Search
Neil Matatall
September 12, 2014
Programming
2
180
Putting your robots to work: Security Automation @Twitter
This talk introduces @SADB, the security automation dashboard.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
140
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
130
Automatic Application Security v2
oreoshake
0
150
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
How CSP Will (maybe) Solve the XSS Problem
oreoshake
0
160
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
愛される翻訳の秘訣
kishikawakatsumi
3
330
脳の「省エネモード」をデバッグする ~System 1(直感)と System 2(論理)の切り替え~
panda728
PRO
0
110
「コードは上から下へ読むのが一番」と思った時に、思い出してほしい話
panda728
PRO
39
26k
Deno Tunnel を使ってみた話
kamekyame
0
150
ZOZOにおけるAI活用の現在 ~モバイルアプリ開発でのAI活用状況と事例~
zozotech
PRO
9
5.8k
実は歴史的なアップデートだと思う AWS Interconnect - multicloud
maroon1st
0
230
Microservices rules: What good looks like
cer
PRO
0
1.5k
dotfiles 式年遷宮 令和最新版
masawada
1
800
ViewファーストなRailsアプリ開発のたのしさ
sugiwe
0
500
Context is King? 〜Verifiability時代とコンテキスト設計 / Beyond "Context is King"
rkaga
10
1.3k
認証・認可の基本を学ぼう後編
kouyuume
0
240
大規模Cloud Native環境におけるFalcoの運用
owlinux1000
0
160
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.8k
First, design no harm
axbom
PRO
1
1k
Making Projects Easy
brettharned
120
6.5k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
0
3.3k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.2k
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
27
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.3k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
320
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
Transcript
@salesforce April 23, 2013 Putting Your Robots to Work Security
Automation at Twitter
@salesforce April 2013 @alsmola | @ndm | @presidentbeef The future
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Philosophical Guidelines
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Get the
right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Find bugs
as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Analyze from
many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Let people
prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Help people
help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automate dumb
work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Keep it
tailored
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automating Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
tasks Code review External reports Pen testing
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Automated security
tasks Code review External reports Pen testing Static analysis tools Dynamic analysis tools CSP
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Manual security
workflow Run tool Wait for it... Interpret reports Fix stuff Repeat
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Put your
robots to work! Code committed Run dynamic tools Run static analysis tools Gather reports Issue notifications Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef After automation
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Jenkins CI
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Security Automation
Dashboard (SADB)
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Open Source
Static analysis for Ruby on Rails ! brakemanscanner.org
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Write Code
Run Tests Commit Code Push to CI Code Review QA Deploy Code Brakeman can run anytime Save Code Find bugs as quickly as possible
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Developer Mesos
+ Brakeman Code Repository SADB Push Code Pull Code Send Report Send EmailGet the right information to the right people
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Historical trends
Twitter starts using Brakeman 2007 2008 2009 2010 2011 2012 2013
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Reports
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Warning message
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning When warning first reported
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code location, link to repo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Code snippet
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning Rails-specific information Help people help themselves
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Anatomy of
a warning False positive report button Let people prove you wrong
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Mixed-content Sensitive
forms posting over HTTP Old, vulnerable versions of jQuery Forms without authenticity tokens What does it look for?
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Don't repeat
your mistakes
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Phantom-gang 2.0
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Detecting XSS
Analyze from many angles
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Implementing CSP
is not trivial
@salesforce April 2013 @alsmola | @ndm | @presidentbeef HTTP Strict
Transport Security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Frame-Options
@salesforce April 2013 @alsmola | @ndm | @presidentbeef X-Xss-Protection X-Content-Type-Options
! X-Xss-Protection
@salesforce April 2013 @alsmola | @ndm | @presidentbeef
@salesforce April 2013 @alsmola | @ndm | @presidentbeef SecureHeaders Automate
dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Header status
page
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef ThreatDeck
@salesforce April 2013 @alsmola | @ndm | @presidentbeef CSP Brakeman
ThreatDeck Phantom Gang Roshambo Email developers Email security
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Review all
the things
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Ro-Sham-Bo Needs
to be reviewed Automate dumb work
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Our journey
thus far Manual tasks Low visibility Late problem discovery Automated tasks Trends and reports Automatic notifications
@salesforce April 2013 @alsmola | @ndm | @presidentbeef Tools in
this presentation
oreoshake
kishikawakatsumi
panda728
kamekyame
zozotech
maroon1st
cer
masawada
sugiwe
rkaga
kouyuume
owlinux1000
eileencodes
axbom
brettharned
aleyda
katarinadahlin
addyosmani
tammyeverts
livdayseo
afnizarnur
marcduiker
marktimemedia
tanoku
