Slide 1

Putting Your Robots to Work: Security Automation at Twitter
@salesforce, April 23, 2013

Slide 2

@salesforce April 2013 @alsmola | @ndm | @presidentbeef
The future

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Philosophical Guidelines

Slide 12

Get the right information to the right people

Slide 13

Find bugs as quickly as possible

Slide 14

Don't repeat your mistakes

Slide 15

Analyze from many angles

Slide 16

Let people prove you wrong

Slide 17

Help people help themselves

Slide 18

Automate dumb work

Slide 19

Keep it tailored

Slide 20

Automating Security

Slide 21

Manual security tasks
- Code review
- External reports
- Pen testing

Slide 22

Automated security tasks
- Code review
- External reports
- Pen testing
- Static analysis tools
- Dynamic analysis tools
- CSP

Slide 23

Manual security workflow
Run tool -> Wait for it... -> Interpret reports -> Fix stuff

Slide 24

Manual security workflow
Run tool -> Wait for it... -> Interpret reports -> Fix stuff -> Repeat

Slide 25

Put your robots to work!
Code committed -> Run dynamic tools / Run static analysis tools -> Gather reports -> Issue notifications
Automate dumb work

Slide 26

After automation

Slide 27

Jenkins CI

Slide 28

Security Automation Dashboard (SADB)

Slide 29

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 30

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 31

Open source static analysis for Ruby on Rails
brakemanscanner.org

Slide 32

Write Code -> Save Code -> Run Tests -> Commit Code -> Push to CI -> Code Review -> QA -> Deploy Code
Brakeman can run anytime
Find bugs as quickly as possible

Slide 33

Developer -> (Push Code) -> Code Repository -> (Pull Code) -> Mesos + Brakeman -> (Send Report) -> SADB -> (Send Email) -> Developer
Get the right information to the right people

Slide 34

Historical trends (chart; x-axis: 2007 to 2013)

Slide 35

Historical trends (chart; x-axis: 2007 to 2013; annotation: Twitter starts using Brakeman)

Slide 36

Reports

Slide 37

Anatomy of a warning: warning message

Slide 38

Anatomy of a warning: when warning first reported

Slide 39

Anatomy of a warning: code location, link to repo

Slide 40

Anatomy of a warning: code snippet

Slide 41

Anatomy of a warning: Rails-specific information
Help people help themselves

Slide 42

Anatomy of a warning: false positive report button
Let people prove you wrong
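The warning fields on slides 37 to 42 (first-reported date, location, snippet, false-positive button) and the trend chart on slides 34 and 35 both need a store that recognises the same finding across scans. The Ruby below is an added example, not SADB's or Brakeman's code: the fingerprint rule, the sample warnings and the scan dates are constructed.

```ruby
require 'digest'
require 'date'

# Added example, not SADB or Brakeman code: a small store that keeps scanner
# warnings across runs so a report can show when each one was first seen,
# what is new or fixed in the latest run, and how the open count trends.
class WarningStore
  Record = Struct.new(:fingerprint, :type, :file, :line, :code, :message,
                      :first_reported, :last_seen, :false_positive)

  def initialize
    @records = {}   # fingerprint => Record (everything ever reported)
    @open    = []   # fingerprints present in the most recent scan
    @history = []   # [scan_date, open count] per scan, for the trend chart
  end

  # Identity deliberately excludes the line number and message wording, so a
  # warning survives commits that only move code around. (Constructed rule.)
  def self.fingerprint(w)
    Digest::SHA256.hexdigest([w[:type], w[:file], w[:code]].join("\0"))[0, 16]
  end

  # Ingest one scan; returns which fingerprints are new, still open, or gone.
  def ingest(scan_date, warnings)
    current = warnings.map { |w| [self.class.fingerprint(w), w] }.to_h
    new_fps   = current.keys - @records.keys
    fixed_fps = @open - current.keys
    current.each do |fp, w|
      rec = @records[fp] ||= Record.new(fp, w[:type], w[:file], w[:line], w[:code],
                                        w[:message], scan_date, scan_date, false)
      rec.line = w[:line]          # location may have moved since first report
      rec.last_seen = scan_date
    end
    @open = current.keys
    @history << [scan_date, open_warnings.size]
    { new: new_fps, existing: current.keys - new_fps, fixed: fixed_fps }
  end

  # The "false positive" button: hide the warning without losing its history.
  def mark_false_positive(fp)
    @records.fetch(fp).false_positive = true
  end

  def open_warnings
    @open.map { |fp| @records[fp] }.reject(&:false_positive)
  end

  def first_reported(fp)
    @records.fetch(fp).first_reported
  end

  attr_reader :history
end

# Constructed sample warnings in the shape a Rails static analyser reports.
SQLI = { type: 'SQL Injection', file: 'app/models/user.rb', line: 12,
         code: %q{User.where("name = '#{params[:name]}'")},
         message: 'Possible SQL injection' }
XSS  = { type: 'Cross Site Scripting', file: 'app/views/users/show.html.erb',
         line: 3, code: 'raw @user.bio', message: 'Unescaped model attribute' }
MASS = { type: 'Mass Assignment', file: 'app/controllers/users_controller.rb',
         line: 41, code: 'User.new(params[:user])',
         message: 'Unprotected mass assignment' }

# Two scans a week apart: the SQLi moved down eight lines, the XSS was fixed,
# a mass-assignment warning appeared, then the SQLi was flagged as a false positive.
def demo_run
  store  = WarningStore.new
  first  = store.ingest(Date.new(2013, 4, 1), [SQLI, XSS])
  second = store.ingest(Date.new(2013, 4, 8), [SQLI.merge(line: 20), MASS])
  store.mark_false_positive(WarningStore.fingerprint(SQLI))
  { first: first, second: second,
    sqli_first_reported: store.first_reported(WarningStore.fingerprint(SQLI)),
    open_now: store.open_warnings.map(&:type),
    trend: store.history }
end

puts demo_run.inspect if $PROGRAM_NAME == __FILE__
```

Because the fingerprint ignores the line number, the SQL injection keeps its original first-reported date after it moves, which is what makes "when warning first reported" meaningful across many commits; the false-positive flag hides it from the open list without erasing the record, so it cannot silently reappear as "new" later.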

Slide 43

Slide 44

Slide 45

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 46

What does it look for?
- Mixed content
- Sensitive forms posting over HTTP
- Old, vulnerable versions of jQuery
- Forms without authenticity tokens
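The four checks listed on this slide, implemented as an added Ruby example that is not Phantom Gang's code. It runs over static HTML with regular expressions instead of rendering the page in a headless browser; the minimum jQuery version, the sample URL and the sample HTML are constructed for the demonstration.

```ruby
require 'uri'

# Added example, not Phantom Gang's code: the four checks named on the slide,
# run over static HTML with regular expressions so it works offline. A real
# scanner would render the page in a headless browser first.
module PageChecks
  # Constructed policy value, not from the talk: flag anything older.
  MIN_JQUERY_VERSION = Gem::Version.new('1.9.0')

  RESOURCE_TAG = /<(?:script|img|link|iframe|source)\b[^>]*>/i  # tags that load remote content
  URL_ATTR     = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i
  FORM         = %r{<form\b([^>]*)>(.*?)</form>}mi
  ACTION       = /\baction\s*=\s*["']([^"']*)["']/i
  POST         = /\bmethod\s*=\s*["']post["']/i
  PASSWORD     = /<input\b[^>]*type\s*=\s*["']password["']/i
  TOKEN        = /<input\b[^>]*name\s*=\s*["']authenticity_token["']/i
  JQUERY       = /jquery[-.]?(\d+(?:\.\d+){1,2})/i

  # Returns an array of { check:, detail: } findings for one page.
  def self.scan(page_url, html)
    page = URI(page_url)
    findings = []

    html.scan(RESOURCE_TAG) do |tag|
      next unless (m = URL_ATTR.match(tag))
      url = m[1]
      # Mixed content: an https page pulling a script, image, style or frame over http.
      if page.scheme == 'https' && url.start_with?('http://')
        findings << { check: :mixed_content, detail: url }
      end
      # Old jQuery: version taken from the filename, compared as a Gem::Version.
      if (v = JQUERY.match(url)) && Gem::Version.new(v[1]) < MIN_JQUERY_VERSION
        findings << { check: :old_jquery, detail: v[1] }
      end
    end

    html.scan(FORM) do |attrs, body|
      action = (m = ACTION.match(attrs)) ? m[1] : ''
      # Resolve relative actions against the page, so "/session" on an https page is https.
      target = URI.join(page.to_s, action).scheme rescue nil
      if PASSWORD.match?(body) && target == 'http'
        findings << { check: :sensitive_form_over_http, detail: action }
      end
      # Rails CSRF protection: every POST form needs the authenticity_token field.
      if POST.match?(attrs) && !TOKEN.match?(body)
        findings << { check: :form_without_token, detail: action }
      end
    end
    findings
  end
end

# Constructed sample page: an https login page with several of the problems above.
SAMPLE_URL  = 'https://example.test/login'
SAMPLE_HTML = <<~HTML
  <html><head>
  <script src="http://cdn.example.test/jquery-1.4.2.min.js"></script>
  <link rel="stylesheet" href="https://example.test/app.css">
  </head><body>
  <img src="http://images.example.test/logo.png">
  <form method="post" action="http://example.test/session">
    <input type="text" name="login">
    <input type="password" name="password">
  </form>
  <form method="post" action="/search">
    <input type="text" name="q">
    <input type="hidden" name="authenticity_token" value="CONSTRUCTED-TOKEN">
  </form>
  </body></html>
HTML

if $PROGRAM_NAME == __FILE__
  PageChecks.scan(SAMPLE_URL, SAMPLE_HTML).each { |f| puts "#{f[:check]}: #{f[:detail]}" }
end
```

The mixed-content check depends on the scheme of the page being scanned, not just the resource URL, and the form check resolves relative `action` values against the page URL; both are the details that produce noise when a scanner compares strings alone. The sample page yields two mixed-content findings, one old jQuery, one sensitive form posting over HTTP and one POST form without a token, while the second form passes.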

Slide 47

Don't repeat your mistakes

Slide 48


Slide 49

Phantom-gang 2.0

Slide 50

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 51


Slide 52

Detecting XSS
Analyze from many angles

Slide 53

Slide 54

Slide 55

Slide 56

Implementing CSP is not trivial

Slide 57

HTTP Strict Transport Security

Slide 58

X-Frame-Options

Slide 59

X-XSS-Protection
X-Content-Type-Options

Slide 60


Slide 61

SecureHeaders
Automate dumb work

Slide 62

Header status page
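A checker for the headers on slides 57 to 59, together with a Rack-style middleware that fills in any the application omits, added here as a Ruby example; it is not the SecureHeaders gem and not the status page from the talk. The HSTS age threshold, the default header values and the sample header sets are constructed.

```ruby
# Added example, not the SecureHeaders gem or the talk's status page: evaluate
# the response headers from slides 57-59 and fill in any that are absent.
module HeaderStatus
  HSTS_MIN_AGE = 31_536_000 # one year; constructed policy threshold

  # Values the middleware applies when the app sets nothing. Constructed.
  DEFAULTS = {
    'Strict-Transport-Security' => "max-age=#{HSTS_MIN_AGE}; includeSubDomains",
    'X-Frame-Options'           => 'SAMEORIGIN',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff',
    'Content-Security-Policy'   => "default-src 'self'"
  }.freeze

  # Header name => pass/fail; names and keyword values compared case-insensitively.
  def self.check(headers)
    h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s.strip }
    {
      'Strict-Transport-Security' => hsts_ok?(h['strict-transport-security']),
      'X-Frame-Options'           => %w[deny sameorigin].include?(h['x-frame-options'].to_s.downcase),
      'X-XSS-Protection'          => h['x-xss-protection'].to_s.delete(' ').downcase == '1;mode=block',
      'X-Content-Type-Options'    => h['x-content-type-options'].to_s.downcase == 'nosniff',
      # 2013-era browsers also read the prefixed CSP header names.
      'Content-Security-Policy'   => %w[content-security-policy x-content-security-policy x-webkit-csp].any? { |k| h.key?(k) }
    }
  end

  # HSTS only counts if max-age is long enough and subdomains are covered.
  def self.hsts_ok?(value)
    return false unless value && (m = value.match(/max-age=(\d+)/i))
    m[1].to_i >= HSTS_MIN_AGE && value.match?(/includeSubDomains/i)
  end

  def self.missing(headers)
    check(headers).reject { |_, ok| ok }.keys
  end

  # Minimal Rack-style middleware: add each default only when absent, so the
  # status check above still reports headers the app set to a weak value.
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      DEFAULTS.each do |name, value|
        headers[name] = value unless headers.keys.any? { |k| k.to_s.casecmp?(name) }
      end
      [status, headers, body]
    end
  end
end

# Constructed response headers: one weak set, one that passes every check.
WEAK_HEADERS = { 'Strict-Transport-Security' => 'max-age=300',
                 'X-XSS-Protection' => '1; mode=block',
                 'X-Content-Type-Options' => 'nosniff' }.freeze
GOOD_HEADERS = HeaderStatus::DEFAULTS

# An app that sets no security headers at all, wrapped by the middleware.
def demo_middleware
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }
  HeaderStatus::Middleware.new(app).call({})
end

if $PROGRAM_NAME == __FILE__
  puts "weak set missing: #{HeaderStatus.missing(WEAK_HEADERS).inspect}"
  puts "after middleware: #{HeaderStatus.missing(demo_middleware[1]).inspect}"
end
```

The weak set fails three checks: its HSTS max-age is far too short and lacks includeSubDomains, X-Frame-Options is absent, and there is no CSP header in any of its spellings. The middleware is the "automate dumb work" half; the status check is what catches the cases automation cannot fix on its own, such as a handler that deliberately set a weak value.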

Slide 63

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 64

ThreatDeck

Slide 65

- CSP
- Brakeman
- ThreatDeck
- Phantom Gang
- Roshambo
- Email developers
- Email security

Slide 66

Review all the things

Slide 67

Ro-Sham-Bo

Slide 68

Ro-Sham-Bo

Slide 69

Ro-Sham-Bo
Needs to be reviewed
Automate dumb work

Slide 70

Our journey thus far
Manual tasks: low visibility, late problem discovery
Automated tasks: trends and reports, automatic notifications

Slide 71

Tools in this presentation