Security Automation at Twitter - Rise of the Machines

A sequel/remake of the AppSec USA 2012 talk "Put Your Robots to Work: Security Automation at Twitter". Presented at http://devopsenterprise.io/ 2015.

In 2009, multiple security incidents at Twitter resulted in an investigation by the Federal Trade Commission (FTC). As part of its 2010 decision, the FTC instructed Twitter to form and maintain an effective information security program. By 2012, Twitter had exploded with hundreds of millions of Tweets sent every day and a rapidly growing engineering force. The amount of new code being written quickly outpaced the security team, leading them to consider ways of reducing their workload by automating tools and processes.

Security automation at Twitter started with a desire to automate a single static analysis tool. From there we started to see more opportunities to write code that prevents security vulnerabilities, instead of finding them manually. This talk will cover that journey, our philosophy for unobtrusive continuous security, the simple yet effective tools we used, and the general approach I believe works for multiplying impact through automated security.

Justin Collins

October 20, 2015

Transcript

  1. None
  2. Alex Smolen Neil Matatall Me Nick Green

  3. Secure by Default Detect via Tests

  4. Don’t Fix Vulnerabilities Prevent Them

  5. Is Twitter a Unicorn?

  6. 2009-2010

  7. None
  8. No company-provided email accounts. No admin password complexity requirements. No separate administrative login page. No limit on failed admin login attempts. No admin password rotation enforcement. No access controls on admin actions. No IP restrictions on admin logins.
  9. Also... Every employee is an admin!

  10. None
  11. Incident 01 Employee password brute-forced

  12. Incident 01 Employee password brute-forced Password:

  13. Incident 01 Employee password brute-forced Password: happiness

  14. None
  15. None
  16. None
  17. Incident 02 Attacker gains access to employee’s email account

  18. Incident 02 Attacker gains access to employee’s email account. Finds two passwords, over six months old.

  19. Incident 02 Attacker gains access to employee’s email account. Finds two passwords, over six months old. Infers current password.
  20. FTC Order

  21. FTC Order

  22. Tweets per Day

  23. About Me

  24. About Machines

  25. Tool Cycle Run Tool Wait Interpret Results Fix Issues

  26. Tool Cycle Run Tool Wait Interpret Results Fix Issues Repeat

  27. None
  28. Philosophy of Automation

  29. Right Information to the Right People

  30. Find Bugs as Quickly as Possible

  31. Don’t Repeat Your Mistakes

  32. Analyze from Many Angles

  33. Let People Prove You Wrong

  34. Help People Help Themselves

  35. Automate Dumb Work

  36. Keep It Tailored

  37. Legend of SADB

  38. Brakeman

  39. Using Brakeman Run Tool Wait Interpret Results Fix Issues Repeat

  40. Automated Brakeman

  41. Automated Brakeman Push Code

  42. Automated Brakeman Push Code Pull Code

  43. Automated Brakeman Push Code Pull Code Send Results

  44. Automated Brakeman Push Code Pull Code Send Results Send Emails

  45. None
  46. Warnings Over Time

  47. Warnings Over Time Started using Brakeman
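The automated Brakeman loop in slides 40 through 47 (push code, pull code, send results, send emails, watch warnings over time) comes down to comparing each run against the previous one and telling only the people whose code produced something new. The block below is an added example of that comparison step; it is my code, not Twitter's SADB and not part of Brakeman. It assumes Brakeman's JSON report shape (a `warnings` array whose entries carry `fingerprint`, `warning_type`, `file`, `line`, `message` and `confidence`), and the two reports and the ownership map are constructed for the example.

```ruby
require "json"

# Constructed fixtures shaped like Brakeman's JSON report (assumption: a
# top-level "warnings" array whose entries carry "fingerprint", "warning_type",
# "file", "line", "message" and "confidence"). Paths and messages are made up.
PREVIOUS_REPORT = <<~'JSON'
  {"warnings": [
    {"fingerprint": "aaa111", "warning_type": "SQL Injection", "file": "app/models/user.rb",
     "line": 42, "message": "Possible SQL injection", "confidence": "High"},
    {"fingerprint": "bbb222", "warning_type": "Cross-Site Scripting", "file": "app/views/tweets/show.html.erb",
     "line": 7, "message": "Unescaped model attribute", "confidence": "Medium"}
  ]}
JSON

CURRENT_REPORT = <<~'JSON'
  {"warnings": [
    {"fingerprint": "bbb222", "warning_type": "Cross-Site Scripting", "file": "app/views/tweets/show.html.erb",
     "line": 7, "message": "Unescaped model attribute", "confidence": "Medium"},
    {"fingerprint": "ccc333", "warning_type": "Mass Assignment", "file": "app/controllers/users_controller.rb",
     "line": 15, "message": "Parameters should be whitelisted for mass assignment", "confidence": "High"},
    {"fingerprint": "ddd444", "warning_type": "Cross-Site Scripting", "file": "app/views/tweets/show.html.erb",
     "line": 12, "message": "Unescaped parameter value", "confidence": "High"}
  ]}
JSON

# Hypothetical ownership map; a real pipeline would derive this from the repo.
OWNERS = {
  "app/models/"      => "models-team@example.com",
  "app/controllers/" => "api-team@example.com",
  "app/views/"       => "web-team@example.com",
}
DEFAULT_OWNER = "security-team@example.com"

# Index a report by fingerprint so two runs can be compared cheaply.
def parse_warnings(report_json)
  JSON.parse(report_json).fetch("warnings").to_h { |w| [w.fetch("fingerprint"), w] }
end

# Compare two runs by fingerprint: what appeared, what went away. Fingerprints
# stay stable when lines shift, so unchanged findings are not re-reported.
def diff_reports(previous_json, current_json)
  prev = parse_warnings(previous_json)
  curr = parse_warnings(current_json)
  {
    new:   (curr.keys - prev.keys).map { |fp| curr[fp] },
    fixed: (prev.keys - curr.keys).map { |fp| prev[fp] },
  }
end

def owner_for(path)
  match = OWNERS.find { |prefix, _| path.start_with?(prefix) }
  match ? match.last : DEFAULT_OWNER
end

def format_warning(w)
  "#{w['file']}:#{w['line']} [#{w['confidence']}] #{w['warning_type']} - #{w['message']}"
end

# One message per recipient, containing only the new warnings in code they own.
def notifications(previous_json, current_json)
  diff_reports(previous_json, current_json)[:new]
    .group_by { |w| owner_for(w["file"]) }
    .transform_values { |ws| ws.map { |w| format_warning(w) } }
end

if __FILE__ == $PROGRAM_NAME
  notifications(PREVIOUS_REPORT, CURRENT_REPORT).each do |to, lines|
    puts "To: #{to}", lines, ""
  end
  fixed = diff_reports(PREVIOUS_REPORT, CURRENT_REPORT)[:fixed]
  puts "Fixed since last run: #{fixed.map { |w| w['fingerprint'] }.join(', ')}"
end
```

Keying on the fingerprint rather than on file and line is what keeps the "warnings over time" graph honest: a refactor that moves code around produces no new mail, while a genuinely new finding reaches exactly the team that introduced it.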

  48. None
  49. None
  50. Legacy of SADB

  51. Automated Reviews Pattern Match Comment on Review

  52. 01 Identify Problem Repeated incident? Opt-in code security? Repetitive work?

  53. 02 Solve In Code Write a library Make it safe by default Enforce library use in CI
  54. 04 Detect Statically Determine fingerprint of issue Identify suspect code Alert during code review
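Slides 51 and 54 describe the static half of the approach: once an incident has been fixed, write down the fingerprint of the issue and flag any new code that matches it while it is still under review. The following is an added example, not Twitter's review bot, that scans only the added lines of a unified diff against a handful of rules and emits comments anchored to file and line. The rules, the diff and the controller it refers to are all constructed for the example.

```ruby
# Constructed rules: each pairs a "fingerprint" regex for an issue the team has
# seen before with the comment to post. Names and wording are made up here.
RULES = [
  { name: "html_safe",
    pattern: /\.html_safe\b|\braw\(/,
    message: "Marks a string as HTML-safe. Use the escaping helpers unless the content is trusted." },
  { name: "sql_interpolation",
    pattern: /\b(where|find_by_sql|execute)\(\s*"[^"]*\#\{/,
    message: "String interpolation inside a SQL fragment. Pass bound parameters instead." },
  { name: "csrf_disabled",
    pattern: /skip_before_action\s+:verify_authenticity_token/,
    message: "CSRF protection is turned off for this controller. Confirm this is an API-only endpoint." },
]

# Constructed unified diff standing in for a pushed commit.
SAMPLE_DIFF = <<~'DIFF'
  diff --git a/app/controllers/tweets_controller.rb b/app/controllers/tweets_controller.rb
  --- a/app/controllers/tweets_controller.rb
  +++ b/app/controllers/tweets_controller.rb
  @@ -1,5 +1,7 @@
   class TweetsController < ApplicationController
  +  skip_before_action :verify_authenticity_token
     def index
  -    @tweets = Tweet.all
  +    @tweets = Tweet.where("user_id = #{params[:user_id]}")
  +    @banner = params[:banner].html_safe
     end
   end
DIFF

HUNK_HEADER = /\A@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/

# Walk the diff, track the new-file line number, and match each added line
# against the rules. Returns review comments anchored to file and line.
def review_comments(diff_text, rules = RULES)
  comments = []
  file = nil
  new_line = nil
  diff_text.each_line do |raw|
    line = raw.chomp
    if line.start_with?("diff ")
      new_line = nil                      # new file section: wait for a hunk header
    elsif line.start_with?("+++ b/")
      file = line.delete_prefix("+++ b/")
    elsif (m = HUNK_HEADER.match(line))
      new_line = m[1].to_i
    elsif new_line.nil?
      next                                # "--- a/" and other headers outside a hunk
    elsif line.start_with?("+")
      added = line[1..]
      rules.each do |rule|
        next unless added.match?(rule[:pattern])
        comments << { file: file, line: new_line, rule: rule[:name], message: rule[:message] }
      end
      new_line += 1
    elsif line.start_with?("-")
      # removed line: belongs to the old file, does not advance new_line
    else
      new_line += 1                       # unchanged context line
    end
  end
  comments
end

def format_comment(c)
  "#{c[:file]}:#{c[:line]} [#{c[:rule]}] #{c[:message]}"
end

if __FILE__ == $PROGRAM_NAME
  review_comments(SAMPLE_DIFF).each { |c| puts format_comment(c) }
end
```

Matching only added lines is what keeps this unobtrusive: pre-existing code is never nagged about, and a developer who disagrees can reply on the review, which is the "let people prove you wrong" slide in practice.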
  55. 05 Detect Dynamically Write Selenium tests Write a crawler

  56. 06 Use Browser Security Content Security Policy Strict Transport Security Public Key Pinning Subresource Integrity
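Slide 56 lists the browser-side controls. The added example below (my code, not Twitter's) is a small Rack-style middleware that sets Content Security Policy and Strict Transport Security on every response, with a report-only switch for rolling out CSP, plus a helper that computes the Subresource Integrity attribute for a script. Public Key Pinning is left out because browsers have since removed support for the HPKP header. The policy strings and the CDN host are assumptions; the middleware follows Rack's `call(env)` contract without depending on the rack gem so it runs on its own.

```ruby
require "digest"

# Constructed policy values; a real deployment tunes these per application.
DEFAULT_CSP  = "default-src 'self'; script-src 'self' https://cdn.example.com; " \
               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
DEFAULT_HSTS = "max-age=31536000; includeSubDomains"

# Rack-style middleware (same call(env) contract, no dependency on the rack gem)
# that adds CSP and HSTS to every response. Start in report-only mode to find
# breakage, then switch to enforcing.
class SecurityHeaders
  def initialize(app, csp: DEFAULT_CSP, hsts: DEFAULT_HSTS, csp_report_only: false)
    @app, @csp, @hsts, @report_only = app, csp, hsts, csp_report_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    headers[csp_header_name] = @csp
    # HSTS is only honoured by browsers over HTTPS, so only send it there.
    headers["Strict-Transport-Security"] = @hsts if env["rack.url_scheme"] == "https"
    [status, headers, body]
  end

  private

  def csp_header_name
    @report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end
end

# Subresource Integrity: hash the exact bytes you expect the CDN to serve and
# put the base64 digest in the integrity attribute. The browser refuses to run
# the script if the served bytes differ.
def sri_attribute(content, algorithm = "sha384")
  digest = case algorithm
           when "sha256" then Digest::SHA256.digest(content)
           when "sha384" then Digest::SHA384.digest(content)
           when "sha512" then Digest::SHA512.digest(content)
           else raise ArgumentError, "unsupported SRI algorithm: #{algorithm}"
           end
  "#{algorithm}-#{[digest].pack('m0')}"   # m0 = strict base64, no line breaks
end

def script_tag(src, content)
  %(<script src="#{src}" integrity="#{sri_attribute(content)}" crossorigin="anonymous"></script>)
end

# Demo helper: run one request through the middleware and return the response.
def secured_response(scheme, report_only: false)
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>ok</h1>"]] }
  SecurityHeaders.new(app, csp_report_only: report_only).call("rack.url_scheme" => scheme)
end

if __FILE__ == $PROGRAM_NAME
  _, headers, = secured_response("https")
  headers.each { |k, v| puts "#{k}: #{v}" }
  puts script_tag("https://cdn.example.com/app.js", "console.log('constructed script body');")
end
```

Setting the headers in middleware rather than per controller is the "secure by default" slide applied to the browser: a new endpoint gets the policy without anyone remembering to add it, and the report-only mode gives a way to detect what the policy would break before it is enforced.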
  57. Secure by Default Detect via Tests

  58. Don’t Fix Vulnerabilities Prevent Them

  59. None
  60. None