Security at scale: Web application security in a continuous deployment environment
zane@etsy.com
@zanelackey
About this talk
Different approaches to common web application security challenges
About this talk
Specifically, techniques that are simple and effective
Continuous deployment?
Continuous deployment
<- What it (hopefully) isn’t
Continuous deployment
Pushing to production 30 times a day on average
Continuous deployment
(dogs push too)
What it boils down to (spoiler alert)
• Make things safe by default
• Detect risky functionality / Focus your efforts
• Automate the easy stuff
• Know when the house is burning down
Safe by default
• Traditional defenses for XSS
– Input validation
– Output encoding
• How have they worked out?
Safe by default
• Problems?
– Often done on a per-input basis
• Easy to miss an input or output
– May use defenses in the wrong context
• Input validation pattern may block full HTML injection, but not injection inside JS
– May put defenses on the client side in JS
– Etc …
These problems miss the point
Safe by default
• The real problem is that it’s hard to find places where protections have been missed
• How can we make it simpler?
Safe by default
Input validation
Output encoding
Safe by default
• Input encoding? Input encoding.
• Encode dangerous HTML characters to HTML entities at the very start of your framework
• Before input reaches main application code
Safe by default
On the surface this doesn’t seem like much of a change
Safe by default
Except, we’ve just made lots of XSS problems grep-able
Safe by default
• Now we look for a small number of patterns:
– Code that opts out of platform protections
– HTML entity decoding functions or explicit string replacements
– Data in formats that won’t be sanitized
• Ex: Base64 encoding
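Input encoding at the framework boundary, as an added example (not code from the talk): every request parameter is HTML-entity-encoded before application code sees it, and the only way back to the raw value is an explicit call, so the opt-outs are what you grep for. The hook shape and the `rawInput` name are assumptions.

```javascript
// Characters that change meaning in an HTML text or attribute context.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Recursively encode every string in a decoded query/body structure.
// Keys are encoded too, since templates sometimes echo them back.
function encodeInputs(input) {
  if (typeof input === 'string') return encodeHtml(input);
  if (Array.isArray(input)) return input.map(encodeInputs);
  if (input !== null && typeof input === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(input)) out[encodeHtml(key)] = encodeInputs(value);
    return out;
  }
  return input; // numbers, booleans, null pass through untouched
}

// Hypothetical framework hook: runs once per request, before routing.
// Raw values survive only behind rawInput(), so `grep -rn "rawInput("`
// lists every place that opted out of the protection.
function safeByDefault(rawRequest) {
  const raw = { query: rawRequest.query || {}, body: rawRequest.body || {} };
  return {
    query: encodeInputs(raw.query),
    body: encodeInputs(raw.body),
    rawInput(section, name) { return raw[section][name]; },
  };
}

// Constructed sample request: a search term carrying markup and a free-text bio.
const SAMPLE_REQUEST = {
  query: { q: '<script>alert(1)</script>', page: '2' },
  body: { bio: 'Tom & "Jerry"', tags: ['<b>bold</b>', 'plain'] },
};

function demo() {
  const req = safeByDefault(SAMPLE_REQUEST);
  return {
    q: req.query.q,             // '&lt;script&gt;alert(1)&lt;/script&gt;'
    bio: req.body.bio,          // 'Tom &amp; &quot;Jerry&quot;'
    firstTag: req.body.tags[0], // '&lt;b&gt;bold&lt;/b&gt;'
    page: req.query.page,       // '2', unchanged
    raw: req.rawInput('query', 'q'),
  };
}

// Caveat from the talk: this covers HTML contexts only. Values echoed into
// JavaScript strings, javascript: URLs or DOM sinks still need their own handling.
```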
Safe by default
• Obviously not a panacea
– DOM based XSS
– javascript: URLs
– Is a pain during internationalization efforts
Focus your efforts
• Continuous deployment means code ships fast
• Things will go out the door before the security team knows about them
• How can we detect high risk functionality?
Detect risky functionality
• Know when sensitive portions of the codebase have been modified
• Build automatic change alerting on the codebase
– Identify sensitive portions of the codebase
– Create automatic alerting on modifications
Detect risky functionality
• Doesn’t have to be complex to be effective
• Approach:
– sha1sum sensitive platform level files
– Unit tests alert if hash of the file changes
– Notifies security team on changes, drives code review
Detect risky functionality
• At the platform level, watching for changes to site-wide protections
– CSRF defenses
– XSS defenses
– Encryption
– Login/Authentication
– Etc
Detect risky functionality
• At the feature level, watching for changes to specific sensitive methods
• Identifying these methods is part of initial code review/pen test of new features
Detect risky functionality
• Watch for dangerous functions
• Usual candidates:
– File system operations
– Process execution/control
– HTML decoding (if you’re input encoding)
Detect risky functionality
• Unit tests watch codebase for dangerous functions
– Split into separate high risk/low risk lists
• Alerts are emailed to the appsec team, drive code reviews
Detect risky functionality
• Monitor application traffic
• Purpose is twofold:
– Detecting risky functionality that was missed by earlier processes
– Groundwork for attack detection and verification
Detect risky functionality
• Regex incoming requests at the framework
– Sounds like a performance nightmare; shockingly, it isn’t
• Look for HTML/JS in request
– This creates a huge number of false positives
• That’s by design, we refine the search later
Detect risky functionality
• We deliberately want to cast a wide net to see where HTML is entering the application
• From there, build a baseline of
– The amount of traffic containing HTML
– The features in the application that receive HTML
Detect risky functionality
• What to watch for:
– Did a new endpoint suddenly show up?
• A new risky feature might’ve just shipped
– Did the amount of traffic containing HTML just significantly go up?
• Worth investigating
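The framework-level request regex and the per-endpoint baseline it feeds, as an added example rather than the talk's own monitoring code. The regex, the `ratio`/`minCount` thresholds and the sample traffic are constructed assumptions; the point is the two questions from the slide, a new endpoint receiving HTML and an endpoint whose HTML share jumped.

```javascript
// Deliberately broad: tags, inline event handlers, javascript: URLs. False positives
// are expected; the baseline below is what turns that noise into a signal.
const HTML_IN_INPUT = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

function requestContainsHtml(params) {
  return Object.values(params).some((v) => HTML_IN_INPUT.test(String(v)));
}

// Per-endpoint counts for one time window (e.g. one day of traffic).
function summarizeWindow(requests) {
  const stats = {};
  for (const r of requests) {
    const s = stats[r.endpoint] || (stats[r.endpoint] = { total: 0, html: 0 });
    s.total += 1;
    if (requestContainsHtml(r.params)) s.html += 1;
  }
  return stats;
}

// Compare a new window against the baseline window. Two things worth a look:
//  - an endpoint now receiving HTML that the baseline never saw (new feature shipped?)
//  - an endpoint whose share of HTML-bearing requests grew by more than `ratio`x
function compareToBaseline(baseline, current, { ratio = 3, minCount = 5 } = {}) {
  const alerts = [];
  for (const [endpoint, cur] of Object.entries(current)) {
    if (cur.html === 0) continue;
    const base = baseline[endpoint];
    if (!base || base.html === 0) {
      alerts.push({ endpoint, reason: 'new endpoint receiving HTML', html: cur.html });
      continue;
    }
    const baseShare = base.html / base.total;
    const curShare = cur.html / cur.total;
    if (cur.html >= minCount && curShare > ratio * baseShare) {
      alerts.push({ endpoint, reason: 'HTML traffic up', baseShare, curShare });
    }
  }
  return alerts;
}

// Constructed traffic: `withHtml` of `total` requests carry a harmless tag.
function makeRequests(endpoint, total, withHtml) {
  const out = [];
  for (let i = 0; i < total; i++) {
    out.push({ endpoint, params: { q: i < withHtml ? '<b>hi</b>' : 'plain text ' + i } });
  }
  return out;
}

function demo() {
  const baseline = summarizeWindow([
    ...makeRequests('/search', 100, 2),          // occasional stray markup
    ...makeRequests('/listing/update', 50, 10),  // rich-text field, HTML is normal here
  ]);
  const current = summarizeWindow([
    ...makeRequests('/search', 100, 30),         // someone is poking at search
    ...makeRequests('/listing/update', 50, 10),  // unchanged
    ...makeRequests('/admin/preview', 5, 5),     // endpoint that just shipped
  ]);
  return compareToBaseline(baseline, current);
}
```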
Detect risky functionality
Time to investigate
Automate the easy stuff
• Automate finding simple issues to free up resources for more complex tasks
• Use attacker traffic to automatically drive testing
• We call it Attack Driven Testing
Automate the easy stuff
• Some cases where this is useful:
– Application faults
– Reflected XSS
– SQLi
Automate the easy stuff
• Application faults (HTTP 5xx errors)
• As a pentester, these are one of the first signs of weakness in an app
– As a defender, pay attention to them!
Automate the easy stuff
• Just watching for 5xx errors results in a lot of ephemeral issues that don’t reproduce
• Instead:
– Grab last X hours worth of 5xx errors from access logs
– Replay the original request
– Alert on any requests which still return a 5xx
Automate the easy stuff
• Cron this script to run every few hours
• If a request still triggers an application fault hours later, it’s worth investigating
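The replay loop from the last two slides as an added example, not the talk's script: parse combined-format access log lines, keep the 5xx entries from the last X hours, replay each one and alert only on those that still fail. The log lines are constructed, and the replay function is injected so the example runs offline; in the cron job it would issue a real HTTP request.

```javascript
// Combined log format: client ident user [time] "METHOD path proto" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Oct/2023:13:55:36 +0000" -> epoch milliseconds (UTC), honouring the zone offset
function parseClfTime(s) {
  const m = /^(\d+)\/(\w{3})\/(\d{4}):(\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)$/.exec(s);
  if (!m) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '+' ? 1 : -1) * (+m[8] * 60 + +m[9]) * 60000;
  return local - offsetMs;
}

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const time = parseClfTime(m[2]);
  if (time === null) return null;
  return { ip: m[1], time, method: m[3], path: m[4], status: Number(m[5]) };
}

// 5xx entries from the last `hours`, de-duplicated on method + path so a
// noisy request is replayed once, not a thousand times.
function recentServerErrors(lines, now, hours) {
  const cutoff = now - hours * 3600 * 1000;
  const unique = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.status < 500 || e.status > 599 || e.time < cutoff) continue;
    unique.set(e.method + ' ' + e.path, e);
  }
  return [...unique.values()];
}

// fetchStatus(method, path) -> HTTP status of the replayed request.
// Anything that still answers 5xx hours later is a reproducible fault.
function replayAndAlert(lines, now, hours, fetchStatus) {
  const alerts = [];
  for (const e of recentServerErrors(lines, now, hours)) {
    const replayStatus = fetchStatus(e.method, e.path);
    if (replayStatus >= 500) alerts.push({ ...e, replayStatus });
  }
  return alerts;
}

// Constructed access log: one fault seen twice, one transient blip, one stale entry,
// one healthy request and one junk line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listing/123?page=-1 HTTP/1.1" 500 512 "-" "curl/8.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /listing/123?page=-1 HTTP/1.1" 500 512 "-" "curl/8.0"',
  '198.51.100.7 - - [10/Oct/2023:09:58:02 -0400] "POST /cart/add HTTP/1.1" 503 0 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Oct/2023:03:10:00 +0000] "GET /old HTTP/1.1" 500 12 "-" "-"',
  '192.0.2.9 - - [10/Oct/2023:13:59:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "-"',
  'this line is not a log entry',
];
const NOW = Date.UTC(2023, 9, 10, 14, 0, 0);

// Stand-in for the live site: the listing bug is still there, the cart blip was transient.
function fakeFetchStatus(method, path) {
  return method === 'GET' && path.startsWith('/listing/123?page=-1') ? 500 : 200;
}

function demo() {
  return replayAndAlert(SAMPLE_LOG, NOW, 4, fakeFetchStatus); // last 4 hours
}
```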
Automate the easy stuff
• Similar methodology for reflected XSS
• For reflected XSS we:
– Identify requests containing basic XSS payloads
– Replay the request
– Alert if the XSS payload executed
Automate the easy stuff
• Basic payloads commonly used in testing for XSS:
– alert()
– document.write()
– unescape()
– String.fromCharCode()
– etc
Automate the easy stuff
• We created a tool to use NodeJS as a headless browser with full JavaScript
• Methodology:
– Replay the request (but don’t interpret it yet)
– Prepend instrumented JS that flags if a method has been executed
– Interpret response with our instrumented JS
– Check if execution flags have been set
– Alert
Automate the easy stuff
[Diagram: test harness exchanging requests and responses with the test webserver]
1. Fetch URL containing potential XSS
2. Page contents returned to a temp buffer, not interpreted yet
3. Inject our instrumented JS into page contents (our JS + page contents)
4. Combination of instrumented JS + page contents interpreted
5. If instrumented JS is executed, alert appsec team for review
Automate the easy stuff
• Sample instrumented JS:
(function() {
  // Keep a reference to the real alert in case the harness wants to call through
  var proxiedAlert = window.alert;
  // Replace alert: if any script in the page calls it, navigate to a marker
  // the harness recognises as "payload executed"
  window.alert = function() {
    location = "XSSDETECTED";
  };
})();
Automate the easy stuff
• Open sourced
– https://github.com/zanelackey/projects
• For better coverage combine this approach with driving a browser via Watir/Selenium
– Make sure to use all major browsers
Know when the house is burning down
Graph early, graph often
Know when the house is burning down
Which of these is a quicker way to spot a problem?
Know when the house is burning down
• Methodology:
– Instrument application to collect data points
– Fire them off to an aggregation backend
– Build individual graphs
– Combine groups of graphs into dashboards
• We’ve open sourced our instrumentation library
– https://github.com/etsy/statsd
Know when the house is burning down
Now we can visually spot attacks
Know when the house is burning down
But who’s watching at 4AM?
Know when the house is burning down
• In addition to data visualizations, we need automatic alerting
• Look at the raw data to see if it exceeds certain thresholds
• Works well for graphs like this…
Know when the house is burning down
But not like this…
Know when the house is burning down
• We need to smooth out graphs that follow usage patterns
• Use exponential smoothing formulas like Holt-Winters
• Math is hard, let’s look at screenshots!
Know when the house is burning down
• Now that we’ve smoothed out the graphs…
• Use the same approach as before:
– Grab the raw data
– Look for values above/below a set threshold
– Alert
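Holt-Winters (additive triple exponential smoothing) followed by the threshold step from this slide, as an added example rather than the talk's Graphite setup. The metric is a constructed hourly count of requests carrying HTML with a daily cycle, and a fixed threshold set above the normal daily peak is included to show what the smoothing buys; the smoothing parameters and the `k`/`minBand` values are assumptions.

```javascript
// Additive Holt-Winters over a series with period `season` (e.g. 24 hourly points).
// Returns, for each point after the first season, the one-step forecast and the
// deviation learned for that slot from earlier seasons (the width of the band).
function holtWinters(series, season, { alpha = 0.3, beta = 0.1, gamma = 0.2 } = {}) {
  if (series.length < 2 * season) throw new Error('need at least two full seasons');
  const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
  let level = mean(series.slice(0, season));
  let trend = (mean(series.slice(season, 2 * season)) - level) / season;
  const seasonal = series.slice(0, season).map((v) => v - level); // one slot per position
  const deviation = new Array(season).fill(0);
  const forecast = new Array(series.length).fill(null);
  const band = new Array(series.length).fill(null);
  for (let t = season; t < series.length; t++) {
    const i = t % season;
    forecast[t] = level + trend + seasonal[i]; // prediction made before seeing y_t
    band[t] = deviation[i];                    // deviation seen at this slot so far
    const err = Math.abs(series[t] - forecast[t]);
    const prevLevel = level;
    level = alpha * (series[t] - seasonal[i]) + (1 - alpha) * (level + trend);
    trend = beta * (level - prevLevel) + (1 - beta) * trend;
    seasonal[i] = gamma * (series[t] - level) + (1 - gamma) * seasonal[i];
    deviation[i] = gamma * err + (1 - gamma) * deviation[i];
  }
  return { forecast, band };
}

// Same "grab the raw data, compare against a threshold" step as before, except the
// threshold is now forecast +/- k * band instead of one fixed number for the whole day.
function holtWintersAlerts(series, season, { k = 3, minBand = 5, ...params } = {}) {
  const { forecast, band } = holtWinters(series, season, params);
  const alerts = [];
  for (let t = season; t < series.length; t++) {
    const width = k * Math.max(band[t], minBand); // minBand keeps a flat history from giving a zero-width band
    if (Math.abs(series[t] - forecast[t]) > width) {
      alerts.push({ index: t, value: series[t], forecast: forecast[t], width });
    }
  }
  return alerts;
}

// Fixed threshold on the raw data, for comparison.
function fixedThresholdAlerts(series, threshold) {
  return series.map((v, i) => (v > threshold ? i : -1)).filter((i) => i >= 0);
}

// Constructed metric: requests per hour carrying HTML, four days, daily cycle between
// 50 and 150, plus an extra 80/hour from hour 92 onward: probing that starts at night
// and never climbs above the normal daytime peak.
const SEASON = 24;
const SERIES = Array.from({ length: 4 * SEASON }, (_, t) => {
  const daily = 100 + 50 * Math.sin((2 * Math.PI * (t % SEASON)) / SEASON);
  return daily + (t >= 92 ? 80 : 0);
});

function demo() {
  return {
    fixed: fixedThresholdAlerts(SERIES, 170),   // threshold above the normal peak: sees nothing
    smoothed: holtWintersAlerts(SERIES, SEASON), // first alert at index 92
  };
}
```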
Know when the house is burning down
What about exposure of internal info?
Know when the house is burning down
• Paste sites are extremely useful
– gist, pastebin, etc
• If you don’t have one internally, external ones will be used
– Or if you have a bad one internally
Know when the house is burning down
• Use Google Alerts to monitor paste sites for internal info exposure
– Ex: Hostnames, class names
Conclusions
• Make things safe by default
• Focus your efforts / Detect risky functionality
• Automate the easy stuff
• Know when the house is burning down