Putting Your Robots to Work V1.1

Posted on 15-Jan-2015


Description: Updated version of the presentation given at AppSec USA 2012.

Transcript of Putting Your Robots to Work V1.1

@salesforce, April 23, 2013

Putting Your Robots to Work: Security Automation at Twitter

@salesforce April 2013 | @alsmola | @ndm | @presidentbeef

The future


Philosophical Guidelines

Get the right information to the right people

Find bugs as quickly as possible

Don't repeat your mistakes

Analyze from many angles

Let people prove you wrong

Help people help themselves

Automate dumb work

Keep it tailored

Automating Security

Manual security tasks: Code review, External reports, Pen testing

Automated security tasks: Code review, External reports, Pen testing, Static analysis tools, Dynamic analysis tools, CSP

Manual security workflow: Run tool → Wait for it... → Interpret reports → Fix stuff → Repeat

Put your robots to work! Code committed → Run dynamic tools → Run static analysis tools → Gather reports → Issue notifications

Automate dumb work

After automation

Jenkins CI

Security Automation Dashboard (SADB)

Tools feeding SADB: CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo

SADB notifications: Email developers, Email security

Brakeman: Open source static analysis for Ruby on Rails (brakemanscanner.org)

Developer workflow: Write Code → Save Code → Run Tests → Commit Code → Push to CI → Code Review → QA → Deploy Code

Brakeman can run anytime

Find bugs as quickly as possible

Brakeman at Twitter: Developer pushes code → Code Repository → Mesos + Brakeman pulls the code and scans it → sends report to SADB → SADB sends email to the developer

Get the right information to the right people

Historical trends (chart spanning 2007 to 2013, with the point where Twitter starts using Brakeman marked)

Reports


Anatomy of a warning

Warning message

When warning first reported

Code location, link to repo

Code snippet

Rails-specific information (Help people help themselves)

False positive report button (Let people prove you wrong)
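Added example, not Twitter's SADB code: a Ruby script that takes two consecutive Brakeman JSON reports (constructed here and trimmed to the fields used), diffs them by the per-warning fingerprint Brakeman emits, keeps a first-seen date per fingerprint, renders each warning with the fields listed above, and routes new warnings to the owners of the affected file while the security team gets the new/fixed delta. The owner map, the repo and dashboard URLs and the false-positive link format are hypothetical.

```ruby
require 'json'

# Constructed sample of two consecutive Brakeman JSON reports (`brakeman -f json`),
# cut down to the fields used here. Brakeman attaches a stable "fingerprint" to each
# warning, which is what lets a dashboard recognise the same finding across scans
# even when the line number moves (f2 below).
PREVIOUS_REPORT = <<~'JSON'
  {"warnings": [
    {"fingerprint": "f1", "warning_type": "SQL Injection", "confidence": "High",
     "message": "Possible SQL injection", "file": "app/models/user.rb", "line": 12,
     "code": "User.where(\"name = '#{params[:name]}'\")"},
    {"fingerprint": "f2", "warning_type": "Mass Assignment", "confidence": "Medium",
     "message": "Unprotected mass assignment", "file": "app/controllers/users_controller.rb",
     "line": 30, "code": "User.new(params[:user])"}
  ]}
JSON

CURRENT_REPORT = <<~'JSON'
  {"warnings": [
    {"fingerprint": "f2", "warning_type": "Mass Assignment", "confidence": "Medium",
     "message": "Unprotected mass assignment", "file": "app/controllers/users_controller.rb",
     "line": 31, "code": "User.new(params[:user])"},
    {"fingerprint": "f3", "warning_type": "Cross-Site Scripting", "confidence": "High",
     "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb",
     "line": 4, "code": "raw(@user.bio)"}
  ]}
JSON

# Hypothetical ownership map: path prefix => developers who get notified.
OWNERS = {
  'app/models/'      => ['models-team@example.com'],
  'app/controllers/' => ['web-team@example.com'],
  'app/views/'       => ['web-team@example.com'],
}.freeze
SECURITY_TEAM = 'security@example.com'

# Persistent fingerprint => date map so each warning can carry "when first reported";
# a fingerprint already in the map keeps its original date.
def update_first_seen(first_seen, report, scanned_at)
  report['warnings'].each_with_object(first_seen.dup) do |w, seen|
    seen[w['fingerprint']] ||= scanned_at
  end
end

# Compare two scans by fingerprint: what is new, what disappeared (fixed or removed).
def diff_reports(previous, current)
  prev_fps = previous['warnings'].map { |w| w['fingerprint'] }
  cur_fps  = current['warnings'].map { |w| w['fingerprint'] }
  {
    new:   current['warnings'].reject  { |w| prev_fps.include?(w['fingerprint']) },
    fixed: previous['warnings'].reject { |w| cur_fps.include?(w['fingerprint']) },
  }
end

# Owners for a file; anything unowned falls back to the security team.
def owners_for(file)
  devs = OWNERS.select { |prefix, _| file.start_with?(prefix) }.values.flatten.uniq
  devs.empty? ? [SECURITY_TEAM] : devs
end

# One warning rendered the way a dashboard entry or e-mail would show it:
# message, first-reported date, repo link, snippet, and a false-positive link.
def render_warning(w, first_seen, repo_url:, dashboard_url:)
  <<~TEXT
    [#{w['confidence']}] #{w['warning_type']}: #{w['message']}
    First reported: #{first_seen.fetch(w['fingerprint'])}
    Location: #{repo_url}/#{w['file']}#L#{w['line']}
    Code: #{w['code']}
    Not a bug? #{dashboard_url}/false_positive/#{w['fingerprint']}
  TEXT
end

# Build the e-mails for one scan: developers only hear about *new* warnings in files
# they own; the security team gets the whole new/fixed delta.
def notifications(previous_json, current_json, first_seen, scanned_at,
                  repo_url: 'https://git.example.com/app/blob/master',
                  dashboard_url: 'https://sadb.example.com')
  previous = JSON.parse(previous_json)
  current  = JSON.parse(current_json)
  seen  = update_first_seen(first_seen, current, scanned_at)
  delta = diff_reports(previous, current)

  mails = delta[:new].group_by { |w| owners_for(w['file']) }.map do |devs, warnings|
    { to: devs, subject: "#{warnings.size} new Brakeman warning(s)",
      body: warnings.map { |w| render_warning(w, seen, repo_url: repo_url, dashboard_url: dashboard_url) }.join("\n") }
  end
  mails << { to: [SECURITY_TEAM],
             subject: "Brakeman delta: #{delta[:new].size} new, #{delta[:fixed].size} fixed",
             body: (delta[:new] + delta[:fixed]).map { |w| "#{w['warning_type']} #{w['file']}:#{w['line']}" }.join("\n") }
  { first_seen: seen, delta: delta, mails: mails }
end

if __FILE__ == $PROGRAM_NAME
  result = notifications(PREVIOUS_REPORT, CURRENT_REPORT, { 'f1' => '2013-03-01', 'f2' => '2013-03-01' }, '2013-04-23')
  result[:mails].each { |m| puts "To: #{m[:to].join(', ')}\nSubject: #{m[:subject]}\n#{m[:body]}\n" }
end
```

Diffing on fingerprints rather than file and line is what keeps the "first reported" date honest: f2 moved from line 30 to 31 between scans and is still recognised as the same finding, so nobody gets re-notified about it.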

[Embedded video demo]

Phantom Gang

What does it look for?

Mixed content

Sensitive forms posting over HTTP

Old, vulnerable versions of jQuery

Forms without authenticity tokens
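As an added example (not Phantom Gang's own code, which drove a headless browser against live pages), here is a static Ruby scan that implements the four checks listed above against a constructed HTML fixture. The fixture, the page URL and the jQuery version threshold are assumptions for the example.

```ruby
require 'uri'

# Constructed HTML fixture, assumed to be served from an HTTPS page.
# Each problem in it is deliberate so that every check below fires.
SAMPLE_HTML = <<~'HTML'
  <html><head>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
    <link rel="stylesheet" href="https://cdn.example.com/app.css">
  </head><body>
    <form action="http://example.com/login" method="post">
      <input type="text" name="username">
      <input type="password" name="password">
      <input type="hidden" name="authenticity_token" value="abc">
    </form>
    <form action="/search" method="get"><input name="q"></form>
    <form action="/comments" method="post"><textarea name="body"></textarea></form>
    <img src="http://static.example.com/logo.png">
  </body></html>
HTML

# Example threshold, not the tool's: 1.6.3 fixed the location.hash selector XSS (CVE-2011-4969).
MIN_JQUERY = [1, 6, 3].freeze

def plain_http?(url, page_scheme)
  page_scheme == 'https' && url.to_s.downcase.start_with?('http://')
end

# Crude <form> extraction with regexes; fine for a fixture, use a real HTML parser in production.
def forms(html)
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).map do |attrs, body|
    { action: attrs[/action\s*=\s*["']([^"']+)/i, 1].to_s,
      method: (attrs[/method\s*=\s*["']([^"']+)/i, 1] || 'get').downcase,
      body: body }
  end
end

# Mixed content: active or passive resources loaded over plain HTTP into an HTTPS page.
def check_mixed_content(html, page_scheme)
  html.scan(/<(?:script|img|iframe|link)\b[^>]*\b(?:src|href)\s*=\s*["']([^"']+)/i)
      .flatten
      .select { |url| plain_http?(url, page_scheme) }
      .map { |url| "mixed content: #{url}" }
end

# Sensitive forms: anything with a password field whose action posts over plain HTTP.
def check_sensitive_forms(html, page_scheme)
  forms(html)
    .select { |f| f[:body] =~ /type\s*=\s*["']password["']/i && plain_http?(f[:action], page_scheme) }
    .map { |f| "sensitive form posts over HTTP: #{f[:action]}" }
end

# Old jQuery: version numbers in jquery-x.y.z / jquery/x.y.z paths below the threshold.
def check_jquery(html)
  html.scan(%r{jquery[/-](\d+)\.(\d+)\.(\d+)}i)
      .map { |parts| parts.map(&:to_i) }
      .select { |version| (version <=> MIN_JQUERY) < 0 }
      .map { |version| "old jQuery #{version.join('.')} (< #{MIN_JQUERY.join('.')})" }
end

# Rails CSRF protection: every POST form should carry the authenticity_token hidden field.
def check_authenticity_tokens(html)
  forms(html)
    .select { |f| f[:method] == 'post' && f[:body] !~ /name\s*=\s*["']authenticity_token["']/i }
    .map { |f| "POST form without authenticity_token: #{f[:action]}" }
end

# Run every check against one page and return the findings as strings.
def scan_page(html, page_url)
  scheme = URI(page_url).scheme
  check_mixed_content(html, scheme) +
    check_sensitive_forms(html, scheme) +
    check_jquery(html) +
    check_authenticity_tokens(html)
end

if __FILE__ == $PROGRAM_NAME
  scan_page(SAMPLE_HTML, 'https://example.com/').each { |finding| puts finding }
end
```

The mixed-content and HTTP-form checks depend on the scheme the page was fetched over, which is why `scan_page` takes the page URL: the same markup served over plain HTTP has no mixed content, only the jQuery and CSRF findings. A rendered-DOM scan also sees script-injected forms and resources that a source scan like this one misses.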

Don't repeat your mistakes


Phantom-gang 2.0


CSP

Detecting XSS

Analyze from many angles


[Embedded video demo]

Implementing CSP is not trivial
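Added example, not Twitter's code: the report-only rollout that makes CSP usable as an XSS detector, and the triage that shows why implementing it is not trivial. The policy value is sent in the Content-Security-Policy-Report-Only header (in 2013 also the prefixed X-Content-Security-Policy and X-WebKit-CSP variants), browsers POST a JSON violation report to the report-uri, and the handler has to separate inline-script violations (the XSS signal) from browser-extension noise and plain policy gaps. The hosts, the report endpoint, the constructed reports and the noise list are assumptions.

```ruby
require 'json'

# Report-only policy for a rollout: nothing is blocked yet, every violation is reported.
# Hosts and the report endpoint are placeholders.
def csp_report_only_header(report_uri)
  "default-src 'self'; script-src 'self' https://cdn.example.com; " \
    "img-src 'self' https://*.example.com; report-uri #{report_uri}"
end

# Constructed violation reports in the shape browsers POST to report-uri
# (a JSON object wrapped in "csp-report"; field names as in CSP 1.0).
REPORT_BODIES = [
  # inline script on a page that is supposed to have none: the signal we want
  { 'csp-report' => { 'document-uri' => 'https://example.com/tweets/1',
                      'violated-directive' => "script-src 'self' https://cdn.example.com",
                      'blocked-uri' => '', 'script-sample' => 'alert(document.cookie)' } },
  # browser extension injecting its own script: noise
  { 'csp-report' => { 'document-uri' => 'https://example.com/',
                      'violated-directive' => "script-src 'self' https://cdn.example.com",
                      'blocked-uri' => 'chrome-extension://abcdefgh/inject.js' } },
  # script from a host the policy never listed: injected, or a forgotten dependency
  { 'csp-report' => { 'document-uri' => 'https://example.com/',
                      'violated-directive' => "script-src 'self' https://cdn.example.com",
                      'blocked-uri' => 'http://evil.example.net/x.js' } },
  # image from a host the policy never listed: a policy gap, not an attack
  { 'csp-report' => { 'document-uri' => 'https://example.com/',
                      'violated-directive' => "img-src 'self' https://*.example.com",
                      'blocked-uri' => 'https://pbs.example.org/a.png' } },
].map(&:to_json)

# URI schemes that almost always mean an extension or browser internals, not the page.
NOISE_SCHEMES = %w[chrome-extension safari-extension moz-extension chromenull about].freeze

# Sort one parsed report into a bucket. :possible_xss = a script-src violation with no
# external URI, i.e. an inline script or handler the page did not ship itself.
def classify(report)
  r = report.fetch('csp-report', {})
  directive = r['violated-directive'].to_s.split.first
  blocked = r['blocked-uri'].to_s
  scheme = blocked[/\A([a-z-]+):/i, 1]
  return :noise if scheme && NOISE_SCHEMES.include?(scheme.downcase)
  if directive == 'script-src'
    return :possible_xss if blocked.empty? || %w[self inline].include?(blocked)
    return :unlisted_script
  end
  :policy_gap
end

# Parse raw POST bodies, drop anything that is not a JSON object, and group by bucket.
def triage(bodies)
  parsed = bodies.map do |body|
    begin
      JSON.parse(body)
    rescue JSON::ParserError
      nil
    end
  end
  parsed.select { |r| r.is_a?(Hash) }.group_by { |r| classify(r) }
end

# Counts per bucket, the numbers a dashboard would chart per day.
def summary(bodies)
  triage(bodies).transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  puts "Content-Security-Policy-Report-Only: #{csp_report_only_header('/csp_report')}"
  summary(REPORT_BODIES).each { |bucket, count| puts "#{bucket}: #{count}" }
end
```

The noise bucket is the non-trivial part in practice: extensions, ad blockers and proxies generate violations the application never caused, and an inline `onclick=` left in a template looks identical to an injected script until someone refactors it out. Report-only mode lets the team work through both before switching to an enforcing header.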


HTTP Strict Transport Security

X-Frame-Options

X-XSS-Protection

X-Content-Type-Options

SecureHeaders (Twitter's open-source Ruby gem for setting these headers)

Automate dumb work

Header status page
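Added example, not the SecureHeaders gem: the four headers above as one Ruby hash, and the audit a header status page would run against each endpoint's response headers. The HSTS lifetime, the frame policy and the constructed weak response are the example's own choices.

```ruby
# Header set a hardened Rails app would send, as an example of what a gem like
# SecureHeaders applies on every response. The HSTS lifetime and frame policy are
# choices for this example, not values from the talk.
def secure_headers(hsts_max_age: 31_536_000, frame: 'SAMEORIGIN')
  {
    'Strict-Transport-Security' => "max-age=#{hsts_max_age}; includeSubDomains",
    'X-Frame-Options'           => frame,
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff',
  }
end

# Audit one response's headers the way a header status page would: return the list
# of problems, empty when every header is present with a sane value.
def audit_headers(headers, min_hsts_age: 31_536_000)
  h = headers.each_with_object({}) { |(name, value), acc| acc[name.downcase] = value }
  findings = []

  if (hsts = h['strict-transport-security']).nil?
    findings << 'HSTS missing'
  else
    age = hsts[/max-age=(\d+)/i, 1].to_i
    findings << "HSTS max-age too short (#{age})" if age < min_hsts_age
    findings << 'HSTS without includeSubDomains' unless hsts =~ /includeSubDomains/i
  end

  if (xfo = h['x-frame-options']).nil?
    findings << 'X-Frame-Options missing'
  elsif !%w[DENY SAMEORIGIN ALLOW-FROM].include?(xfo.upcase.split.first)
    findings << "X-Frame-Options unexpected value: #{xfo}"
  end

  unless h['x-content-type-options'].to_s.casecmp('nosniff').zero?
    findings << 'X-Content-Type-Options missing or not nosniff'
  end
  unless h['x-xss-protection'].to_s.delete(' ') == '1;mode=block'
    findings << 'X-XSS-Protection missing or not "1; mode=block"'
  end
  findings
end

# Constructed response headers from an app that only half-finished the job.
WEAK_RESPONSE = {
  'Content-Type'              => 'text/html; charset=utf-8',
  'Strict-Transport-Security' => 'max-age=300',
  'X-Content-Type-Options'    => 'nosniff',
  'X-XSS-Protection'          => '0',
}.freeze

# Status page data: one row per endpoint with its findings.
def header_status(responses)
  responses.transform_values { |headers| audit_headers(headers) }
end

if __FILE__ == $PROGRAM_NAME
  header_status('/' => secure_headers, '/legacy' => WEAK_RESPONSE).each do |path, findings|
    puts "#{path}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

The audit deliberately treats a short HSTS max-age as a finding: a five-minute lifetime expires before the next visit and leaves the first request of each session unprotected. The X-XSS-Protection check reflects the 2013 browser auditors the talk targets; current Chromium- and WebKit-based browsers have removed the auditor, so the header does nothing there and CSP carries that job.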


ThreatDeck

Roshambo

Review all the things

Ro-Sham-Bo

Needs to be reviewed

Automate dumb work

Our journey thus far

Manual tasks: Low visibility, Late problem discovery

Automated tasks: Trends and reports, Automatic notifications

Tools in this presentation