does15 - justin collins - rise of the machines security automation at twitter


Upload: gene-kim

Post on 10-Jan-2017


TRANSCRIPT

Page 1: DOES15 - Justin Collins - Rise of the Machines Security Automation at Twitter
Page 2:

Alex Smolen

Neil Matatall

Me

Nick Green

Page 3:

Secure by Default

Detect via Tests

Page 4:

Don’t Fix Vulnerabilities, Prevent Them

Page 5:

Is Twitter a Unicorn?

Page 6:

2009-2010

Page 7:
Page 8:

No company-provided email accounts

No admin password complexity requirements

No separate administrative login page

No limit on failed admin login attempts

No admin password rotation enforcement

No access controls on admin actions

No IP restrictions on admin logins

Page 9:

Also...

Every employee is an admin!

Page 10:
Page 11:

Incident 01

Employee password brute-forced

Page 12:

Incident 01

Employee password brute-forced

Password:

Page 13:

Incident 01

Employee password brute-forced

Password: happiness

Page 14:
Page 15:
Page 16:
Page 17:

Incident 02

Attacker gains access to employee’s email account

Page 18:

Incident 02

Attacker gains access to employee’s email account

Finds two passwords, over six months old

Page 19:

Incident 02

Attacker gains access to employee’s email account

Finds two passwords, over six months old

Infers current password

Page 20:

FTC Order

Page 21:

FTC Order

Page 22:

Tweets per Day

Page 23:

About Me

Page 24:

About Machines

Page 25:

Tool Cycle

Run Tool, Wait, Interpret Results, Fix Issues

Page 26:

Tool Cycle

Run Tool, Wait, Interpret Results, Fix Issues

Repeat

Page 27:
Page 28:

Philosophy of Automation

Page 29:

Right Information to the Right People

Page 30:

Find Bugs as Quickly as Possible

Page 31:

Don’t Repeat Your Mistakes

Page 32:

Analyze from Many Angles

Page 33:

Let People Prove You Wrong

Page 34:

Help People Help Themselves

Page 35:

Automate Dumb Work

Page 36:

Keep It Tailored

Page 37:

Legend of SADB

Page 38:

Brakeman

Page 39:

Using Brakeman

Run Tool, Wait, Interpret Results, Fix Issues

Repeat

Page 40:

Automated Brakeman

Page 41:

Automated Brakeman

Push Code

Page 42:

Automated Brakeman

Push Code

Pull Code

Page 43:

Automated Brakeman

Push Code

Pull Code

Send Results

Page 44:

Automated Brakeman

Push Code

Pull Code

Send Results

Send Emails

Page 45:
Page 46:

Warnings Over Time

Page 47:

Warnings Over Time

Started using Brakeman

Page 48:
Page 49:
Page 50:

Legacy of SADB

Page 51:

Automated Reviews

Pattern Match

Comment on Review

Page 52:

01 Identify Problem

Repeated incident?

Opt-in code security?

Repetitive work?

Page 53:

02 Solve In Code

Write a library

Make it safe by default

Enforce library use in CI

Page 54:

04 Detect Statically

Determine fingerprint of issue

Identify suspect code

Alert during code review

Page 55:

05 Detect Dynamically

Write Selenium tests

Write a crawler

Page 56:

06 Use Browser Security

Content Security Policy

Strict Transport Security

Public Key Pinning

Subresource Integrity
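As an added example (not code from the talk, from Twitter's SADB, or from Brakeman itself) that ties the "Automated Brakeman" pipeline and "Warnings Over Time" slides to step 04's fingerprint idea: a Ruby script that diffs the baseline Brakeman JSON report against the report for a pushed commit, keyed on warning fingerprints, and turns only the newly introduced findings into review comments. The two reports are constructed samples, and the field names assume the shape of Brakeman's JSON output (`brakeman -f json`).

```ruby
require 'json'

# Constructed sample reports. Assumption: they follow the shape of Brakeman's
# JSON output; only the "warnings" array and the fields used below matter here.
BASELINE_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "a1", "warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"},
    {"fingerprint": "b2", "warning_type": "Cross-Site Scripting", "confidence": "Medium",
     "file": "app/views/users/show.html.erb", "line": 4, "message": "Unescaped model attribute"}
  ]}
JSON

PUSH_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "b2", "warning_type": "Cross-Site Scripting", "confidence": "Medium",
     "file": "app/views/users/show.html.erb", "line": 4, "message": "Unescaped model attribute"},
    {"fingerprint": "c3", "warning_type": "Command Injection", "confidence": "High",
     "file": "app/lib/exporter.rb", "line": 30, "message": "Possible command injection"}
  ]}
JSON

# Index a report's warnings by fingerprint so the same finding is recognised
# even when the file or line number moved between commits.
def warnings_by_fingerprint(json_text)
  JSON.parse(json_text).fetch('warnings').each_with_object({}) do |w, h|
    h[w.fetch('fingerprint')] = w
  end
end

# Warnings present only in the new report were introduced by the push;
# those present only in the baseline were fixed. Unchanged ones are not repeated.
def diff_reports(baseline_json, new_json)
  before = warnings_by_fingerprint(baseline_json)
  after  = warnings_by_fingerprint(new_json)
  { new:   (after.keys - before.keys).map { |fp| after[fp] },
    fixed: (before.keys - after.keys).map { |fp| before[fp] } }
end

# One review comment per new finding, pointing at the line under review.
def review_comments(diff)
  diff[:new].map do |w|
    "#{w['file']}:#{w['line']} [#{w['confidence']}] #{w['warning_type']}: #{w['message']}"
  end
end

# Block the review only on new high-confidence findings; lower confidence is advisory.
def block_review?(diff)
  diff[:new].any? { |w| w['confidence'] == 'High' }
end

diff = diff_reports(BASELINE_REPORT, PUSH_REPORT)
puts review_comments(diff)
puts "fixed: #{diff[:fixed].size}, block review: #{block_review?(diff)}"
```

In the pipeline from the slides, each report would come from running Brakeman on the pulled code, and the counts of new and fixed warnings per run are what a "Warnings Over Time" chart plots.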

Page 57:

Secure by Default

Detect via Tests

Page 58:

Don’t Fix Vulnerabilities, Prevent Them

Page 59:
Page 60: