
2012: Putting your robots to work: security automation at Twitter

How the Twitter product security team does automation and where we're going. All tools in the presentation were built on open source technology and will be open sourced over time.

Published in: Technology


1. Putting Your Robots to Work: Security Automation at Twitter. #appsecusa #sadb, October 25, 2012
2. The future. (Footer on every following slide: #appsecusa #sadb, @nilematotle | @alsmola | @presidentbeef)
3-13. (image slides, no text)
14. Philosophical Guidelines
15. Get the right information to the right people
16. Find bugs as quickly as possible
17. Don't repeat your mistakes
18. Analyze from many angles
19. Let people prove you wrong
20. Help people help themselves
21. Automate dumb work
22. Keep it tailored
23. Automating Security
24. Manual security tasks: code review, pen testing, external reports
25. Automated security tasks: code review → static analysis tools; pen testing → dynamic analysis tools; external reports → CSP
26-27. Manual security workflow: run tool → wait for it... → interpret reports → fix stuff → repeat
28-29. Put your robots to work! Code committed → run static analysis tools and run dynamic tools → gather reports → issue notifications (automate dumb work)
30. After automation
31. Jenkins CI
32. Security Automation Dashboard (SADB)
33-34. Tool overview: CSP, Phantom Gang, ThreatDeck, Brakeman, Roshambo; email developers, email security (this slide is repeated as a section divider)
35. Static analysis for Ruby on Rails
36. Since AppSecUSA 2011: 0.8.0 → 1.8.2, 25 releases, 10 contributors, 752 files changed, 60,102 insertions, 34,869 deletions
37-45. Brakeman can run anytime: write code, run tests, commit code, push to CI, code review, QA, deploy code (save code added on slide 44; find bugs as quickly as possible)
46-51. Mesos + Brakeman: developer pushes code to the code repository; SADB pulls the code; the report is sent to SADB; SADB sends email to the developer (get the right information to the right people)
52-55. Historical trends: Twitter starts using Brakeman; Brakeman 1.6.1; Brakeman 1.7.0
56. Reports
57-64. Anatomy of a warning: warning message; when the warning was first reported; code location with link to repo; code snippet; Rails-specific information (help people help themselves); false positive report button (let people prove you wrong)
65. (image slide, no text)
66. Tool overview (repeated)
67-71. What does it look for? Mixed content; sensitive forms posting over HTTP; old, vulnerable versions of jQuery; forms without authenticity tokens
72. (image slide, no text)
73. Don't repeat your mistakes
74-78. (image slides, no text)
79. Phantom-gang 2.0
80. Tool overview (repeated)
81-82. Detecting XSS (analyze from many angles)
83-84. (image slides, no text)
85. HTTP Strict Transport Security
86. X-Frame-Options
87. X-Content-Type-Options, X-XSS-Protection
88. (image slide, no text)
89. Automate dumb work
90. Tool overview (repeated)
91. ThreatDeck
92. Tool overview (repeated)
93. Review all the things
94. Ro-Sham-Bo
95. Our journey thus far: manual tasks → automated tasks; low visibility → trends and reports; late problem discovery → automatic notifications
96. Tools in this presentation
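As an added example (not code from the deck or from any of the tools it names): a stdlib-only Python checker for the four page-level issues slides 67 to 71 say Phantom Gang looks for, plus the response headers slides 85 to 87 list. The sample page, the header set, the sensitive field names and the jQuery version cutoff are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = {"password", "credit_card", "ssn"}  # assumption: field names treated as sensitive
MIN_JQUERY = (1, 6, 3)  # assumption: anything older is flagged; the deck names no cutoff
EXPECTED_HEADERS = {"strict-transport-security", "x-frame-options", "x-content-type-options", "x-xss-protection"}

class PageChecker(HTMLParser):  # collects Phantom Gang style findings for one document
    def __init__(self, page_url, html):
        super().__init__()
        self.page_url, self.findings, self._form = page_url, [], None
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "link", "iframe") and (a.get("src") or a.get("href")):
            src = a.get("src") or a.get("href")
            # mixed content: an https page loading a sub-resource over plain http
            if self.page_url.startswith("https://") and urlparse(urljoin(self.page_url, src)).scheme == "http":
                self.findings.append(f"mixed-content: {src}")
            m = re.search(r"jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js", src)  # version from file name
            if m and tuple(int(x or 0) for x in m.groups()) < MIN_JQUERY:
                self.findings.append(f"old-jquery: {src}")
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "token": False,
                          "method": a.get("method", "get").lower(), "sensitive": False}
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            self._form["token"] |= name == "authenticity_token"  # Rails CSRF field
            self._form["sensitive"] |= name in SENSITIVE or a.get("type") == "password"

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f, self._form = self._form, None
            if f["sensitive"] and f["action"].startswith("http://"):
                self.findings.append(f"sensitive-form-over-http: {f['action']}")
            if f["method"] == "post" and not f["token"]:
                self.findings.append(f"form-without-authenticity-token: {f['action']}")

def check_page(page_url, html, headers):  # body findings plus the response headers the deck lists
    missing = EXPECTED_HEADERS - {h.lower() for h in headers}
    return PageChecker(page_url, html).findings + [f"missing-header: {h}" for h in sorted(missing)]

# Constructed sample page and response headers (not real Twitter data)
SAMPLE_URL = "https://app.example.test/login"
SAMPLE_HTML = ('<html><head><script src="http://cdn.example.test/jquery-1.4.2.min.js"></script></head><body>'
               '<form action="http://app.example.test/login" method="post"><input name="username"><input name="password" type="password"></form>'
               '<form action="/settings" method="post"><input name="authenticity_token" value="tok"></form><img src="https://app.example.test/logo.png"></body></html>')
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}
```

Run `check_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS)` to get one finding per issue; a production crawler would feed it the fetched body and headers of each page.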
