Security Automation at Twitter - Rise of the Machines

A sequel/remake of the AppSec USA 2012 talk "Put Your Robots to Work: Security Automation at Twitter". Presented at http://devopsenterprise.io/ 2015.

In 2009, multiple security incidents at Twitter resulted in an investigation by the Federal Trade Commission (FTC). As part of its 2010 decision, the FTC instructed Twitter to form and maintain an effective information security program. By 2012, Twitter had exploded with hundreds of millions of Tweets sent every day and a rapidly growing engineering force. The amount of new code being written quickly outpaced the security team, leading them to consider ways of reducing their workload by automating tools and processes.

Security automation at Twitter started with a desire to automate a single static analysis tool. From there we started to see more opportunities to write code that prevents security vulnerabilities, instead of finding them manually. This talk will cover that journey, our philosophy for unobtrusive continuous security, the simple yet effective tools we used, and the general approach I believe works for multiplying impact through automated security.

Justin Collins

October 20, 2015

Transcript

  1. (image-only slide)

  2. Alex Smolen
    Neil Matatall
    Me
    Nick Green

  3. Secure by Default
    Detect via Tests

  4. Don’t Fix Vulnerabilities
    Prevent Them

  5. Is Twitter a Unicorn?

  6. 2009-2010

  7. (image-only slide)

  8. No company-provided email accounts
    No admin password complexity requirements
    No separate administrative login page
    No limit on failed admin login attempts
    No admin password rotation enforcement
    No access controls on admin actions
    No IP restrictions on admin logins

  9. Also...
    Every employee is an admin!

  10. (image-only slide)

  11. Incident 01
    Employee password brute-forced

  12. Incident 01
    Employee password brute-forced
    Password:

  13. Incident 01
    Employee password brute-forced
    Password: happiness

  14. (image-only slide)

  15. (image-only slide)

  16. (image-only slide)

  17. Incident 02
    Attacker gains access to employee’s email account

  18. Incident 02
    Attacker gains access to employee’s email account
    Finds two passwords, over six months old

  19. Incident 02
    Attacker gains access to employee’s email account
    Finds two passwords, over six months old
    Infers current password

  20. FTC Order

  21. FTC Order

  22. Tweets per Day

  23. About Me

  24. About Machines

  25. Tool Cycle
    Run Tool → Wait → Interpret Results → Fix Issues

  26. Tool Cycle
    Run Tool → Wait → Interpret Results → Fix Issues
    Repeat

  27. (image-only slide)

  28. Philosophy of Automation

  29. Right Information
    to the
    Right People

  30. Find Bugs as
    Quickly as Possible

  31. Don’t Repeat
    Your Mistakes

  32. Analyze from
    Many Angles

  33. Let People
    Prove You Wrong

  34. Help People
    Help Themselves

  35. Automate Dumb Work

  36. Keep It Tailored

  37. Legend of SADB

  38. Brakeman

  39. Using Brakeman
    Run Tool → Wait → Interpret Results → Fix Issues
    Repeat

  40. Automated Brakeman

  41. Automated Brakeman
    Push Code

  42. Automated Brakeman
    Push Code → Pull Code

  43. Automated Brakeman
    Push Code → Pull Code → Send Results

  44. Automated Brakeman
    Push Code → Pull Code → Send Results → Send Emails

  45. (image-only slide)

  46. Warnings Over Time

  47. Warnings Over Time
    Started using Brakeman

  48. (image-only slide)

  49. (image-only slide)

  50. Legacy of SADB

  51. Automated Reviews
    Pattern Match → Comment on Review

  52. 01 Identify Problem
    Repeated incident?
    Opt-in code security?
    Repetitive work?

  53. 02 Solve In Code
    Write a library
    Make it safe by default
    Enforce library use in CI

  54. 04 Detect Statically
    Determine fingerprint of issue
    Identify suspect code
    Alert during code review

  55. 05 Detect Dynamically
    Write Selenium tests
    Write a crawler

  56. 06 Use Browser Security
    Content Security Policy
    Strict Transport Security
    Public Key Pinning
    Subresource Integrity
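The slides on "Automated Reviews" (pattern match, comment on review), "Solve In Code" (a safe-by-default library whose use is enforced in CI) and "Detect Statically" (fingerprint the issue, identify suspect code, alert during review) describe one loop. The following Ruby is an added example of that loop, not code from the talk or from Twitter's SADB: it walks the added lines of a unified diff, matches each line against the fingerprint of a recurring issue, exempts the one sanctioned wrapper (`lib/secure/`, an assumed path), and emits the review comments a bot would post. The checks, file paths, `Secure.bold` helper and the diff itself are constructed for illustration.

```ruby
# Added example (not from the talk or from SADB): a minimal automated-review
# bot. Checks, paths and the sample diff below are constructed.

Check   = Struct.new(:name, :pattern, :message, :allow, keyword_init: true)
Finding = Struct.new(:check, :path, :line, :code, :message)

# Fingerprints of issues that keep recurring. `allow` names the one place the
# raw call is sanctioned (the safe-by-default wrapper); everywhere else the
# bot asks for the wrapper instead, which is how library use gets enforced.
CHECKS = [
  Check.new(name: 'html_safe',
            pattern: /\.html_safe\b|\braw\(/,
            message: 'Marks a string as HTML-safe; use Secure.bold, which escapes first.',
            allow: %r{\Alib/secure/}),   # assumed location of the safe wrapper
  Check.new(name: 'sql_interpolation',
            pattern: /\bfind_by_sql\(\s*"[^"]*\#\{/,
            message: 'Interpolates into SQL; use bind parameters.',
            allow: nil)
].freeze

# Yield (path, line number in the new file, source) for every line a diff adds.
def each_added_line(diff)
  path, lineno = nil, 0
  diff.each_line do |raw|
    line = raw.chomp
    if line.start_with?('+++ ')
      path = line.sub(%r{\A\+\+\+ (?:b/)?}, '')
    elsif (m = line.match(/\A@@ -\d+(?:,\d+)? \+(\d+)/))
      lineno = m[1].to_i            # counter restarts at every hunk header
    elsif line.start_with?('+')
      yield path, lineno, line[1..-1]
      lineno += 1
    elsif !line.start_with?('-')
      lineno += 1                   # context line: present in the new file
    end
  end
end

# Run every check over every added line; skip hits inside an allowed path.
def review(diff, checks = CHECKS)
  findings = []
  each_added_line(diff) do |path, lineno, code|
    checks.each do |c|
      next unless code.match?(c.pattern)
      next if c.allow && path.match?(c.allow)
      findings << Finding.new(c.name, path, lineno, code.strip, c.message)
    end
  end
  findings
end

# The comments a bot would post on the review, one per finding.
def review_comments(findings)
  findings.map { |f| "#{f.path}:#{f.line} [#{f.check}] #{f.message}\n    #{f.code}" }
end

# Constructed diff: a helper that bypasses escaping, a model that builds SQL by
# interpolation, and the sanctioned wrapper that is allowed to call html_safe.
SAMPLE_DIFF = <<~'DIFF'
  diff --git a/app/helpers/posts_helper.rb b/app/helpers/posts_helper.rb
  --- a/app/helpers/posts_helper.rb
  +++ b/app/helpers/posts_helper.rb
  @@ -1,5 +1,5 @@
   module PostsHelper
     def render_title(post)
  -    h(post.title)
  +    "<b>#{post.title}</b>".html_safe
     end
   end
  diff --git a/app/models/post.rb b/app/models/post.rb
  --- a/app/models/post.rb
  +++ b/app/models/post.rb
  @@ -10,4 +10,7 @@ class Post < ApplicationRecord
     def self.safe_search(term)
       where(title: term)
     end
  +  def self.search(term)
  +    find_by_sql("SELECT * FROM posts WHERE title = '#{term}'")
  +  end
   end
  diff --git a/lib/secure/html.rb b/lib/secure/html.rb
  --- /dev/null
  +++ b/lib/secure/html.rb
  @@ -0,0 +1,5 @@
  +module Secure
  +  def self.bold(text)
  +    "<b>#{ERB::Util.html_escape(text)}</b>".html_safe
  +  end
  +end
DIFF

puts review_comments(review(SAMPLE_DIFF)) if __FILE__ == $PROGRAM_NAME
```

Run against the constructed diff, the bot reports two findings (the `html_safe` in the helper and the interpolated `find_by_sql` in the model) and stays silent on `lib/secure/html.rb`, because that file is the wrapper the first check points people to. Keeping each check as a regex plus a canned message is deliberate: the fingerprint is cheap to add when an incident repeats, and the comment lands on the review before the code is merged rather than in a report someone has to go and read.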

57. Secure by Default
    Detect via Tests

  58. Don’t Fix Vulnerabilities
    Prevent Them

  59. (image-only slide)

  60. (image-only slide)