@salesforce April 2013
@alsmola | @ndm | @presidentbeef
Manual security workflow
Run tool
Wait for it...
Interpret reports
Fix stuff
Repeat
Put your robots to work!
Code committed -> run dynamic tools and static analysis tools -> gather reports -> issue notifications
Automate dumb work
After automation
Jenkins CI
CSP
Brakeman
ThreatDeck
Phantom Gang
Roshambo
Email developers
Email security
Open source static analysis for Ruby on Rails
brakemanscanner.org
Write code -> save code -> run tests -> commit code -> push to CI -> code review -> QA -> deploy code
Brakeman can run anytime
Find bugs as quickly as possible
Developer -> push code -> code repository -> pull code -> Mesos + Brakeman -> send report -> SADB -> send email
Get the right information to the right people
Reports
Anatomy of a warning
Warning message
When warning first reported
Code location, link to repo
Code snippet
Rails-specific information: help people help themselves
False positive report button: let people prove you wrong
What does it look for?
Mixed content
Sensitive forms posting over HTTP
Old, vulnerable versions of jQuery
Forms without authenticity tokens
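The four checks above, as an added JavaScript example (the deck shows no Phantom Gang code, so this is not the project's own implementation). It assumes a headless-browser scanner would inspect the rendered DOM; here the page is a constructed HTML string scanned with regex heuristics, jQuery below 1.9 is the assumed "old" cut-off, and Rails' authenticity_token hidden field is the CSRF marker.

```javascript
// Added example (not Phantom Gang's own code): regex heuristics for the four
// checks above over an HTML string. Assumptions: a real scanner reads the
// rendered DOM; jQuery < 1.9 counts as old; Rails' CSRF field is authenticity_token.
const attr = (attrs, name) => {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
};
const SUBRESOURCE_RE = /<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;
const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const JQUERY_RE = /jquery[-.]?(\d+)\.(\d+)(?:\.\d+)?(?:\.min)?\.js/gi;

function scanHtml(html, pageUrl) {
  const findings = [];
  const pageIsHttps = pageUrl.startsWith("https://");
  // 1. Mixed content: plain-http subresources loaded into an https page
  if (pageIsHttps) {
    for (const m of html.matchAll(SUBRESOURCE_RE)) findings.push({ check: "mixed-content", detail: m[1] });
  }
  for (const [, attrs, body] of html.matchAll(FORM_RE)) {
    const action = attr(attrs, "action") || "";
    const method = (attr(attrs, "method") || "get").toLowerCase();
    // 2. Form with a password field whose submission travels over plain http
    const overHttp = action.startsWith("http://") || (!action.startsWith("https://") && !pageIsHttps);
    if (overHttp && /type\s*=\s*["']password["']/i.test(body)) {
      findings.push({ check: "sensitive-form-http", detail: action || pageUrl });
    }
    // 4. POST form with no Rails authenticity token, i.e. no CSRF protection
    if (method === "post" && !/name\s*=\s*["']authenticity_token["']/i.test(body)) {
      findings.push({ check: "missing-authenticity-token", detail: action || pageUrl });
    }
  }
  // 3. Old jQuery, judged from the script file name
  for (const m of html.matchAll(JQUERY_RE)) {
    const major = Number(m[1]), minor = Number(m[2]);
    if (major < 1 || (major === 1 && minor < 9)) findings.push({ check: "old-jquery", detail: m[0] });
  }
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = [
  '<script src="http://cdn.example.test/jquery-1.4.2.min.js"></script>',
  '<form action="http://www.example.test/login" method="post">',
  '  <input type="text" name="user"><input type="password" name="pass"></form>',
  '<form action="/search" method="get"><input name="q"></form>',
  '<form action="/comment" method="post"><input type="hidden" name="authenticity_token" value="x">',
  '  <textarea name="body"></textarea></form>',
].join("\n");
console.log(scanHtml(SAMPLE_HTML, "https://www.example.test/"));
```

Each finding carries the offending URL or form action so it can be routed to the owning developer, which is the point of the reports the deck describes.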
Don't repeat your mistakes
Phantom-gang 2.0
Detecting XSS
Analyze from many angles
Implementing CSP is not trivial
HTTP Strict Transport Security
X-Frame-Options