
Putting Your Robots to Work V1.1

Updated version of the presentation given at AppSec USA 2012.

  1. @salesforce, April 23, 2013. Putting Your Robots to Work: Security Automation at Twitter
  2. @salesforce, April 2013. @alsmola | @ndm | @presidentbeef. The future
  3.–10. (image-only slides, no slide text)
  11. Philosophical Guidelines
  12. Get the right information to the right people
  13. Find bugs as quickly as possible
  14. Don't repeat your mistakes
  15. Analyze from many angles
  16. Let people prove you wrong
  17. Help people help themselves
  18. Automate dumb work
  19. Keep it tailored
  20. Automating Security
  21. Manual security tasks: Code review, External reports, Pen testing
  22. Automated security tasks: Code review, External reports, Pen testing, Static analysis tools, Dynamic analysis tools, CSP
  23. Manual security workflow: Run tool → Wait for it... → Interpret reports → Fix stuff
  24. Manual security workflow: Run tool → Wait for it... → Interpret reports → Fix stuff → Repeat
  25. Put your robots to work! Code committed → Run dynamic tools → Run static analysis tools → Gather reports → Issue notifications. (Automate dumb work)
  26. After automation
  27. Jenkins CI
  28. Security Automation Dashboard (SADB)
  29. SADB overview: CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  30. SADB overview (repeated)
  31. Open Source: Static analysis for Ruby on Rails, brakemanscanner.org
  32. Developer workflow (Write Code, Run Tests, Commit Code, Push to CI, Code Review, QA, Deploy Code, Save Code): Brakeman can run anytime. (Find bugs as quickly as possible)
  33. Developer → Push Code → Code Repository → Pull Code → Mesos + Brakeman → Send Report → SADB → Send Email. (Get the right information to the right people)
  34. Historical trends, 2007–2013
  35. Historical trends, 2007–2013: Twitter starts using Brakeman
  36. Reports
  37. Anatomy of a warning: Warning message
  38. Anatomy of a warning: When warning first reported
  39. Anatomy of a warning: Code location, link to repo
  40. Anatomy of a warning: Code snippet
  41. Anatomy of a warning: Rails-specific information. (Help people help themselves)
  42. Anatomy of a warning: False positive report button. (Let people prove you wrong)
  43. (embedded video)
  44. (image-only slide, no slide text)
  45. SADB overview (repeated)
  46. What does it look for? Mixed content; Sensitive forms posting over HTTP; Old, vulnerable versions of jQuery; Forms without authenticity tokens
  47. Don't repeat your mistakes
  48. (image-only slide, no slide text)
  49. Phantom-gang 2.0
  50. SADB overview (repeated)
  51. (image-only slide, no slide text)
  52. Detecting XSS. (Analyze from many angles)
  53. (image-only slide, no slide text)
  54. (embedded video)
  55. (image-only slide, no slide text)
  56. Implementing CSP is not trivial
  57. HTTP Strict Transport Security
  58. X-Frame-Options
  59. X-XSS-Protection, X-Content-Type-Options
  60. (image-only slide, no slide text)
  61. SecureHeaders. (Automate dumb work)
  62. Header status page
  63. SADB overview (repeated)
  64. ThreatDeck
  65. SADB overview (repeated)
  66. Review all the things
  67. Ro-Sham-Bo
  68. Ro-Sham-Bo
  69. Ro-Sham-Bo: Needs to be reviewed. (Automate dumb work)
  70. Our journey thus far. Manual tasks: Low visibility, Late problem discovery. Automated tasks: Trends and reports, Automatic notifications
  71. Tools in this presentation
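The SecureHeaders and "Header status page" slides describe setting one fixed set of response headers for every app and then auditing which apps actually send them. As an added example (not Twitter's secureheaders gem or any code from the deck), here is a minimal Rack-style middleware that sets the headers the slides name, plus a status check suitable for a dashboard; the header values and the /csp_report path are assumptions.

```ruby
# Added example, not code from the presentation. Header values and the
# /csp_report path are assumptions chosen to illustrate the slides' headers.
SECURE_HEADERS = {
  # HTTP Strict Transport Security: one year, including subdomains
  "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
  # Refuse framing by other origins (clickjacking defence)
  "X-Frame-Options" => "SAMEORIGIN",
  # Stop browsers from MIME-sniffing the response body
  "X-Content-Type-Options" => "nosniff",
  # Legacy browser XSS filter, blocking mode
  "X-XSS-Protection" => "1; mode=block",
  # CSP starts in report-only mode because implementing CSP is not trivial
  "Content-Security-Policy-Report-Only" => "default-src 'self'; report-uri /csp_report",
}.freeze

# Rack-style middleware: wraps any app and adds every policy header the app
# did not already set itself (an app may legitimately choose a stricter value).
class SecureHeadersMiddleware
  def initialize(app, policy = SECURE_HEADERS)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    @policy.each do |name, value|
      headers[name] = value unless header_lookup(headers, name)
    end
    [status, headers, body]
  end
end

# Case-insensitive header lookup, since HTTP header names are case-insensitive.
def header_lookup(headers, name)
  pair = headers.find { |key, _| key.casecmp?(name) }
  pair && pair.last
end

# "Header status page": compare a response's headers with the policy and
# report :ok, :missing or :mismatch per header, one dashboard row per app.
def header_status(response_headers, policy = SECURE_HEADERS)
  policy.each_with_object({}) do |(name, expected), report|
    actual = header_lookup(response_headers, name)
    report[name] = if actual.nil? then :missing
                   elsif actual == expected then :ok
                   else :mismatch
                   end
  end
end

# Usage: wrap a trivial app, then audit what it now sends.
app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>ok</h1>"]] }
_status, headers, _body = SecureHeadersMiddleware.new(app).call({})
header_status(headers).each { |name, state| puts "#{name}: #{state}" }
```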
