DOES15 - Justin Collins - Rise of the Machines Security Automation at Twitter

Preview:

Click to see full reader

Citation preview

Alex SmolenNeil Matatall

Me

Nick Green

Secure by DefaultDetect via Tests

Don’t Fix VulnerabilitiesPrevent Them

Is Twitter a Unicorn?

2009-2010

No company-provided email accounts

No admin password complexity requirements

No separate administrative login page

No limit on failed admin login attempts

No admin password rotation enforcement

No access controls on admin actions

No IP restrictions on admin logins

Also...

Every employee is an admin!

Incident 01

Employee password brute-forced

Incident 01

Employee password brute-forced

Password:

Incident 01

Employee password brute-forced

Password: happiness

Incident 02

Attacker gains access to employee’s email account

Incident 02

Attacker gains access to employee’s email account

Finds two passwords, over six months old

Incident 02

Attacker gains access to employee’s email account

Finds two passwords, over six months old

Infers current password

FTC Order

FTC Order

Tweets per Day

About Me

About Machines

Tool Cycle

Run Tool Wait Interpret Results Fix Issues

Tool Cycle

Run Tool Wait Interpret Results Fix Issues

Repeat

Philosophy of Automation

Right Informationto the

Right People

Find Bugs asQuickly as Possible

Don’t RepeatYour Mistakes

Analyze fromMany Angles

Let PeopleProve You Wrong

Help PeopleHelp Themselves

Automate Dumb Work

Keep It Tailored

Legend of SADB

Brakeman

Using Brakeman

Run Tool Wait Interpret Results Fix Issues

Repeat

Automated Brakeman

Automated Brakeman

Push Code

Automated Brakeman

Push Code

Pull Code

Automated Brakeman

Push Code

Pull Code Send Results

Automated Brakeman

Push Code

Pull Code Send Results

Send Emails

Warnings Over Time

Warnings Over Time

Started using Brakeman

Legacy of SADB

Automated Reviews

Pattern Match

Comment on Review

01 Identify Problem

Repeated incident?

Opt-in code security?

Repetitive work?

02 Solve In Code

Write a library

Make it safe by default

Enforce library use in CI

04 Detect Statically

Determine fingerprint of issue

Identify suspect code

Alert during code review

05 Detect Dynamically

Write Selenium tests

Write a crawler

06 Use Browser Security

Content Security Policy

Strict Transport Security

Public Key Pinning

Subresource Integrity

Secure by DefaultDetect via Tests

Don’t Fix VulnerabilitiesPrevent Them

Recommended

DOES15 - Adrian Cockcroft - Systems for Innovation
Technology
DOES15 - Heather Mickman & Ross Clanton - (Re)building an Engineering Culture: DevOps at Target
Technology
10536-10538 JUSTIN DRIVE - LoopNet · − 10536 Justin - 2,260 SF* − 10538 Justin - 5,790 SF* *Can be combined + Lease Rate − 10536 Justin - $8.75/SF NNN − 10538 Justin - $9.25-9.50/SF
Documents
DOES15 - Joshua Corman & John Willis - Immutable Awesomeness?
Technology
DOES15 - Jody Mulkey - DevOps in the Enterprise: A Transformation Journey
Business
MOW - Justin Knipper ,Socastee 120 4A.pdf · Alec Cook Fall 3:53 Marcus Montgomery 10-2 4104 Anthony Collins 14-6 Dalton Simpson 10-7 4164 Anthony Collins 7-0 Anthony Collins 12-3
Documents
DOES15 - Aaron Volkmann - Busting Silos & Red Tape: DevOps in Federal Government
Technology
Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code Justin Collins Tin Zaw AppSec USA September 23, 2011
Documents
DOES15 - Troy Magennis and Julia Wester - Metrics and Modeling – Helping Teams See How to Improve
Technology
DOES15 - Sherry Chang - Intel’s Journey to Large Scale DevOps Transformation
Technology
WEDNESDAY BENEDICTION: SATURDAY VIGIL MASS: SUNDAY … · 2019-09-24 · Sgt. Sean Collins (US Army) Michael Martins (USMC) Dr. Nick Patellis (NG/Kuwait) Justin Smallwood (USMC) If
Documents
DOES15 - Damon Edwards - DevOps Kaizen Practical Steps to Start & Sustain a Transformation
Technology
DOES15 - Mark Michaelis - Metrics that Matter
Technology
Justin collins - Practical Static Analysis for continuous application delivery
Presentations & Public Speaking
DOES15 DevOps@TGT (re)building an engineering culture
Technology
DOES15 - Eric Passmore - Launching MSN on Azure: A Story of the 76 Point Checklist
Technology
MCC Students Succeed Academically - monroecc.edu Students Succeed Academically ... Collins-Blaize, Charlotte Romford, United Colon, Justin Rochester Page 7. Colon, Paul Rochester Colon,
Documents
DOES15 - Carmen DeArdo - How DevOps is Enabling Lean Application Development
Technology
Justin Bieber The Key Eau du Parfum 100mL Justin Bieber ...files.shoppersdrugmart.ca/offers/justin-bieber/july2013/JB3_presell... · [ ] Justin Bieber The Key 100mL $70.00* [ ] Justin
Documents
DOES15 - Jeffrey Snover - The Cultural Battle To Remove Windows from Windows Server
Technology