Neil Matatall, "Automating Application Security + Continuous Delivery == <3"

Automating application security at any level can prove to be very helpful in continuous delivery environments. We will discuss the techniques used at Twitter to keep up with this pace including but not limited to: automated workflows integrated w/ static/dynamic analysis, dynamic scanning (custom/vendor), manual code reviews, framework improvements, libraries, etc. This will include our lessons learned in the last year and how it fits in with our transition to a scala backend. Our documented wins and fails in each iteration along the way will paint a picture of our progress. This is a slightly technical discussion that is meant to paint the "big picture" and how all the pieces fit together, including what is/will be open sourced. It will have some language specific tools, but the content is meant to be generic to any technology stacks/shops.

    Presentation Transcript

    • Slide 1: #5hakacon, June 27, 2013. Continuous Delivery and Security "Automation" (Security Automation at Twitter)
    • Slide 2: The History of XSS @twitter
    • Slides 3-5: image slides, no text
    • Slide 6: Philosophical Guidelines
    • Slide 7: Get the right information to the right people
    • Slide 8: Find bugs as quickly as possible
    • Slide 9: Don't repeat your mistakes
    • Slide 10: Analyze from many angles
    • Slide 11: Help people help themselves
    • Slide 12: Automate dumb work
    • Slide 13: Keep it tailored
    • Slide 14: Continuous Delivery
    • Slide 15: WATERFALL LOL
    • Slide 16: Security keeping up with development lol (chart of "Infosec" headcount vs. Total Employees, 2009-2012)
    • Slide 17: Java / Scala, Rails, Javascript, Python/twisted web, nodejs, this, that, the other; Support, Translation center, Mobile, Mobile-jp, Admin, ads.twitter.com, internal apps, Monrail, our whole backend :), PHP/Drupal (Gazebo)
    • Slide 18: Only build/buy/integrate tools that make... Is it useful? Does it scale? Are the results easily digestible? Can we 100% automate the use of a tool? Keep it tailored
    • Slide 19: Manual security workflow: Run tool -> Wait for it... -> Interpret reports -> Fix stuff -> Repeat
    • Slide 20: Put your robots to work! Code committed -> Run dynamic tools -> Run static analysis tools -> Gather reports -> Issue notifications. Automate dumb work
    • Slide 21: Open Source Static Analysis Security Tool for Ruby on Rails: @brakeman, brakemanscanner.org
    • Slides 22-23: It works (timeline 2007-2013; Twitter starts using Brakeman)
    • Slide 24: Usually pretty fast
        Project     Controllers  Models  Templates  Scan Time
        Radiant              14      14         30  ~3 seconds
        Discourse            39      67         26  ~7 seconds
        GitLab HQ            62      38        318  ~22 seconds
        Redmine              46      83        290  ~47 seconds
        nVentory             63      55        664  ~55 seconds
        Webiva               53     154        380  ~1 minute
    • Slide 25: Write Code -> Run Tests -> Commit Code -> Push to CI -> Code Review -> QA -> Deploy Code (and Save Code): Brakeman can run anytime. Find bugs as quickly as possible
    • Slide 26: image slide, no text
    • Slide 27: Watching the master branch
    • Slide 28: Deploy scripts
    • Slide 29: During Code Review
    • Slide 30: Security Automation Dashboard (SADB)
    • Slide 31: Developer, Code Repository, Mesos + Brakeman, @SADB: Push Code -> Pull Code -> Send Report -> Send Email. Get the right information to the right people
    • Slide 32: Reports
    • Slides 33-38: Anatomy of a warning: Warning message; When warning first reported; Code location, link to repo; Code snippet; Rails-specific information (Help people help themselves); False positive report button (Let people prove you wrong)
    • Slides 39-40: image slides, no text
    • Slide 41: phantom-gang
    • Slide 42: Static analysis worked so well for ruby... Why not Javascript?
    • Slide 43: jQuery is a sink: $(user_input) == xss
    • Slide 44: Chain the tools! Scan Source Code (coffee-break) -> Analyze Abstract Syntax Trees -> Report Potential Issues (@sadb) -> Crawl Pages (phantom-gang). [The slide shows a captured page's HTML/JavaScript source and a Ruby s-expression AST of a Rails controller as illustrations.]
    • Slide 45: Embrace the rebirth: Rails -> Pre-phoenix -> Phoenix -> T1/Swift
    • Slide 46: Owners: People/teams can be designated to be alerted on file changes. Get the right information to the right people
    • Slide 47: Decider: The kill switch; The "let's dogfood this in production" switch; The "let's roll this out slowly" switch
    • Slide 48: Making security opt-out
    • Slide 49: Embrace the rebirth: Rails -> Pre-phoenix -> Phoenix -> T1/Swift -> Scala Macaw-swift
    • Slide 50: Ubiquitous security: Push security as far up (and down) the chain as possible; Set security headers in your main reverse proxy; Put capabilities in all of your core frameworks; Provide libraries. Help people help themselves
    • Slide 51: Double stache good, triple stache bad
    • Slide 52: Programmatic enforcement of controls. Want unescaped output (XSS protection evasion)? You need to add the file/line number to a whitelist. This whitelist file is watched by security via the Owners mechanism. Don't want CSRF protection on your POST? Really? Reallllllly? Same deal. We have to approve it. Want to redirect somewhere other than a Twitter property? Sure, but document the use case in a ticket and put it behind a kill switch. Don't repeat your mistakes
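    One way to implement the "unescaped output only from whitelisted file/line" control that slide 52 describes, as an added example (this is not the talk's or Twitter's code). The helper names, the "path:line" whitelist format and the sample sources are assumptions; the stale-entry check is what the Owners of the whitelist file would want when reviewing it.

```ruby
# Added example, not code from the talk or from Twitter: a template helper
# that only emits unescaped output from call sites listed in a whitelist
# ("path:line" per entry). Helper names, whitelist format and the sample
# sources below are assumptions.
require "erb"
require "set"

module ApprovedRaw
  class NotApproved < StandardError; end

  RAW_CALL = /\bapproved_raw\b/

  # Parse the whitelist text: one "path:line" per line, '#' starts a comment.
  def self.load_whitelist(text)
    text.each_line.each_with_object(Set.new) do |line, set|
      entry = line.sub(/#.*/, "").strip
      set << entry unless entry.empty?
    end
  end

  # Core check. Returns [html_string, approved?]. An unapproved call site
  # fails closed: the value is HTML-escaped (strict: false, production) or
  # the call raises (strict: true, what you would run under in CI).
  def self.emit(value, whitelist, path:, lineno:, strict: false)
    key = "#{path}:#{lineno}"
    return [value.to_s, true] if whitelist.include?(key)
    raise NotApproved, "unescaped output at #{key} is not whitelisted" if strict
    [ERB::Util.html_escape(value.to_s), false]
  end

  # Convenience wrapper for templates: picks up the caller's file and line.
  def self.approved_raw(value, whitelist, strict: false)
    loc = caller_locations(1, 1).first
    emit(value, whitelist, path: loc.path, lineno: loc.lineno, strict: strict).first
  end

  # Review aid for the whitelist's Owners: entries whose line no longer holds
  # an approved_raw call are stale and should be dropped. `sources` maps
  # path => file contents.
  def self.stale_entries(whitelist, sources)
    whitelist.select do |entry|
      path, line = entry.rpartition(":").values_at(0, 2)
      src_line = sources.fetch(path, "").lines[line.to_i - 1]
      line.to_i < 1 || src_line.nil? || src_line !~ RAW_CALL
    end.sort
  end
end

# Constructed sample data (not real Twitter files or tickets).
WHITELIST_TEXT = <<~TXT
  # reviewed by security, ticket SEC-0000 (placeholder id)
  app/views/help/article.html.erb:12
  app/views/old/widget.html.erb:3   # stale: the file was rewritten
TXT

SOURCES = {
  "app/views/help/article.html.erb" =>
    "<h1>Help</h1>\n" * 11 + "<%= ApprovedRaw.approved_raw(@article_html, WL) %>\n",
  "app/views/old/widget.html.erb" => "<div>\n<%= @title %>\n</div>\n",
}

WL = ApprovedRaw.load_whitelist(WHITELIST_TEXT)
```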
    • Slide 53: Contextual Escaping is an Anti-Pattern
    • Slide 54: What about static analysis for scala????
    • Slide 55: Do you use these? Content security policy, X-Frame-Options, HTTP Strict Transport Security, X-Xss-Protection, X-Content-Type-Options
    • Slide 56: Headers. Cool.
    • Slide 57: Sweeeeet. I don't have to write secure code!
    • Slide 58: Time of convergence
    • Slide 59: Content secur-a-wat? Content security policy is reshaping the security model. It is a complicated spec with great differences across browsers. It is not widely adopted. However! It completely eliminates reflected, stored, and DOM XSS (if supported). It ensures that you never load mixed content. It allows you to accept arbitrary html code from users. It finds bugs in your code! IS THERE ANYTHING CSP CAN'T DO???
    • Slide 60: image slide, no text
    • Slide 61: How does the browser know? Was that inline script placed there by the application? Was it injected by some malicious activity?
    • Slide 62: What is inline script? <script>alert("hi mom")</script> <a href="#" onclick="alert('hi mom')"> <a href="javascript:alert('hi mom')">
    • Slide 63: What is eval? eval("alert('hi mom')") setTimeout("alert('hi mom')", 0) new Function("alert('hi mom')")
    • Slide 64: And inline styles? <style> secret { display: none; }</style> <a href="#" style="display: none">
    • Slide 65: We've all seen it... <script>var x = <%= user_input %></script> <a href="#" onclick="alert(<%= user_input %>)"> <script>eval($('#userInput').value)</script> <a href="#" style="display:none <%= "red" if red? %>">
    • Slides 66-67: image slides, no text
    • Slide 68: Part of NHO, company-wide standard
    • Slide 69: no text
    • Slide 70: cspisawesome.com
    • Slide 71: userCSP FF Extension
    • Slide 72: Helper Libraries: Ruby - secure_headers (poor name, I know) https://github.com/twitter/secureheaders; Javascript - Helmet https://npmjs.org/package/helmet; JVM - Headlines https://github.com/sourceclear/headlines; com.twitter.macaw.ContentSecurityPolicy.scala
    • Slide 73: CSPLint: Node server to accept reports, also works as a front end lib. Is this header valid? What does this header mean? Open source this thing already.
    • Slide 74: Applying the right header is worth it. FF 23+, Chrome 25+: send the standard header. FF < 23: send X-Content-Security-Policy with the original FF-style header. Chrome < 25, Safari 6: send X-Webkit-CSP with the standard header value. IE, Safari < 6*, Firefox < 4, Chrome < ???: nil
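    The header selection from slide 74 worked through as an added example (not the talk's code and not secure_headers). The user-agent sniffing is deliberately minimal, the slide leaves the Chrome lower bound open so older Chromes all get X-Webkit-CSP here, and the FF-style rewrite covers only three of the differences the next slide counts (default-src to allow, connect-src to xhr-src, 'unsafe-inline'/'unsafe-eval' to an options directive), which are assumptions about the pre-standard Mozilla syntax rather than the full list.

```ruby
# Added example (not code from the talk or from secure_headers): pick the CSP
# header name and value for a browser per slide 74. The FF-style rewrite is
# partial and the UA sniffing is simplified; both are assumptions.

STANDARD_HEADER = "Content-Security-Policy"
OLD_FF_HEADER   = "X-Content-Security-Policy"
WEBKIT_HEADER   = "X-Webkit-CSP"

# Standard directive names / keywords that the old Firefox syntax spelled
# differently (subset of the differences; assumption).
FF_RENAMES = { "default-src" => "allow", "connect-src" => "xhr-src" }.freeze
FF_OPTIONS = { "'unsafe-inline'" => "inline-script",
               "'unsafe-eval'"   => "eval-script" }.freeze

# Returns [family, major_version]; [:other, 0] when the UA is not recognised.
# Chrome is checked before Safari because Chrome UAs also contain "Safari/".
def browser_of(user_agent)
  case user_agent
  when /Firefox\/(\d+)/                 then [:firefox, $1.to_i]
  when /Chrome\/(\d+)/                  then [:chrome, $1.to_i]
  when /Version\/(\d+)\S* .*Safari\//   then [:safari, $1.to_i]
  when /MSIE |Trident\//                then [:ie, 0]
  else [:other, 0]
  end
end

# Rewrite a standard policy string into the original Firefox syntax (partial):
# renames directives and moves 'unsafe-inline'/'unsafe-eval' into one
# "options" directive at the end.
def ff_style(policy)
  options = []
  directives = policy.split(";").map(&:strip).reject(&:empty?).map do |d|
    name, *values = d.split
    keep, opts = values.partition { |v| !FF_OPTIONS.key?(v) }
    options.concat(opts.map { |v| FF_OPTIONS[v] })
    [FF_RENAMES.fetch(name, name), *keep].join(" ")
  end
  directives << "options #{options.uniq.join(' ')}" unless options.empty?
  directives.join("; ")
end

# Returns [header_name, header_value], or nil when the browser gets no header.
def csp_header_for(user_agent, policy)
  family, major = browser_of(user_agent)
  case family
  when :firefox
    return [STANDARD_HEADER, policy] if major >= 23
    return [OLD_FF_HEADER, ff_style(policy)] if major >= 4
    nil                                   # Firefox < 4: nil
  when :chrome
    major >= 25 ? [STANDARD_HEADER, policy] : [WEBKIT_HEADER, policy]
  when :safari
    major >= 6 ? [WEBKIT_HEADER, policy] : nil
  else
    nil                                   # IE and unknown browsers: nil
  end
end

# Constructed policy and UA strings for the usage below.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test 'unsafe-inline'; connect-src 'self'"
FF23   = "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
FF20   = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
CHR27  = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
CHR22  = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
SAF6   = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 (KHTML, like Gecko) Version/6.0.3 Safari/536.28.10"
IE10   = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
```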
    • Slide 75: Inconsistencies: there are > 6 differences between these two header values
    • Slide 76: script-(nonce|hash): Tell the browser where the script came from!
    • Slide 77: You mean there's more on CSP? The browser sends reports! It has a "Report Only" mode. { "csp-report": { "document-uri": "http://localhost:3000/home", "referrer": "", "blocked-uri": "ws://localhost:35729/livereload", "violated-directive": "default-src 'self'", "effective-directive": "connect-src" } }
    • Slide 78: What do the reports tell you (anonymously)? Lots of noise :( Mixed content - easy. Unauthorized resource load - easy. How many users have lastpass installed? Which hosts are serving your content, including .ru?
    • Slide 79: How to analyze? Focus on one site/domain at a time. Focus on one violation-type at a time. Look for patterns in results. Classify reports into broad categories. Filter out the noise. OR: Just dork around until something comes out
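    The analysis recipe from slides 77-79 in code, as an added example (not the talk's code and not CSPLint): parse report JSON of the shape shown on slide 77, narrow to one site and one directive, classify each report into the broad categories slide 78 names, drop extension noise, and count the hosts behind unauthorized loads. The report lines and hostnames are constructed; the category rules (an http: resource on an https: page is mixed content, an extension scheme is noise, an empty or "self" blocked-uri is an inline violation) are my assumptions.

```ruby
# Added example (not code from the talk or from CSPLint): classify and count
# CSP violation reports the way slide 79 suggests. Sample reports and the
# category rules are constructed assumptions.
require "json"
require "uri"

# Blocked-uri schemes that almost always come from browser extensions
# (the "lots of noise" of slide 78); assumption.
NOISE_SCHEMES = %w[chrome-extension moz-extension safari-extension about chrome resource].freeze

# One JSON line -> the inner "csp-report" hash, or nil for unparseable input.
def parse_report(line)
  JSON.parse(line).fetch("csp-report")
rescue JSON::ParserError, KeyError, TypeError
  nil
end

def host_of(uri_string)
  URI.parse(uri_string.to_s).host
rescue URI::InvalidURIError
  nil
end

# Older reports lack effective-directive; fall back to the violated one.
def directive_of(r)
  r["effective-directive"] || r["violated-directive"].to_s.split.first
end

# Broad category for one report (see the lead-in for the rules).
def classify(r)
  doc = URI.parse(r["document-uri"].to_s)
  blocked = r["blocked-uri"].to_s
  return :inline if blocked.empty? || blocked == "self"
  scheme = blocked.split(":").first.to_s.downcase
  return :noise if NOISE_SCHEMES.include?(scheme)
  return :mixed_content if doc.scheme == "https" && scheme == "http"
  blocked_host = host_of(blocked)
  return :unauthorized_load if blocked_host && blocked_host != doc.host
  :other
end

# One site, one directive: category counts plus the hosts behind
# unauthorized loads, most frequent first, with noise filtered out.
def summarize(lines, site:, directive:)
  reports = lines.map { |l| parse_report(l) }.compact
  reports = reports.select { |r| host_of(r["document-uri"]) == site && directive_of(r) == directive }
  categories = Hash.new(0)
  hosts = Hash.new(0)
  reports.each do |r|
    cat = classify(r)
    next if cat == :noise
    categories[cat] += 1
    hosts[host_of(r["blocked-uri"])] += 1 if cat == :unauthorized_load
  end
  { categories: categories, hosts: hosts.sort_by { |_, n| -n }.to_h }
end

# Constructed report lines (hostnames under .test are placeholders).
SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://example.test/home","referrer":"","blocked-uri":"http://cdn.example.test/a.js","violated-directive":"script-src https:","effective-directive":"script-src"}}',
  '{"csp-report":{"document-uri":"https://example.test/home","referrer":"","blocked-uri":"chrome-extension://abcdef/inject.js","violated-directive":"script-src https:","effective-directive":"script-src"}}',
  '{"csp-report":{"document-uri":"https://example.test/tweet","referrer":"","blocked-uri":"https://proxy-mirror.test/x.js","violated-directive":"script-src https://example.test"}}',
  '{"csp-report":{"document-uri":"https://example.test/home","referrer":"","blocked-uri":"","violated-directive":"script-src https:","effective-directive":"script-src"}}',
  '{"csp-report":{"document-uri":"https://example.test/home","referrer":"","blocked-uri":"ws://localhost:35729/livereload","violated-directive":"default-src \'self\'","effective-directive":"connect-src"}}',
  '{"csp-report":{"document-uri":"https://other.test/","referrer":"","blocked-uri":"https://proxy-mirror.test/x.js","violated-directive":"script-src","effective-directive":"script-src"}}',
  '{"csp-report":{"document-uri":"https://example.test/profile","referrer":"","blocked-uri":"https://proxy-mirror.test/y.js","violated-directive":"script-src","effective-directive":"script-src"}}',
  'not json at all',
]
```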
    • Slide 80: Monitor and Tune ALL the things
    • Slide 81: BIG DATA
    • Slide 82: Trending and anomalies
    • Slide 83: Header status page
    • Slide 84: image slide, no text
    • Slide 85: Review all the things
    • Slide 86: Needs to be reviewed: areweslacking.com. Automate dumb work
    • Slide 87: Not-so-wonderful automation: Theatdeck web 3.0 cyber intelligence cloud; ShadySpots - finds use of dangerous JS functions; Header alerter dude - notifies us of new, or missing headers; GSC - search git history for credentials
    • Slide 88: Follow these super awesome accounts: @TwitterSecurity @Brakeman @SeeEssPee @SADB @adambarth @hillbrad @imelven. Mahalo!