The Prophet never cries wolf, sometimes

Presented at ToorCon San Diego 18 (2016), Oct. 16, 2016, 3:30 p.m. (20 minutes).

Addepar’s primary code repository can easily see dozens of pull requests per day. While our two-man security team would like to review all of them, we have other things to work on as well. We needed a way to filter out pull requests that obviously would not concern us. Placing the onus on the developer to notify us when they change some code related to security would be unreliable and an undue burden on the rest of our engineering team.

Prophet is a web application that regularly polls GitHub repositories for new pull requests. When a pull request is created, Prophet checks it against user-created rules. Each rule consists of conditions and actions. Conditions are things like “file name modified matches regex.” Actions are things like “comment on the pull request, tagging the security team.” If a pull request matches a rule’s condition, Prophet will take the action. This granular approach makes it easier to avoid false positives as well.

We tried using Repoguard, an open source tool, combined with some custom scripting and Jenkins to flag pull requests that match certain regular expressions. This was a good start, but proved to be difficult to work with and inflexible in terms of the workflow for reviewing these pull requests. It also flooded us with emails that were clearly false positives. We wrote our own tool to solve this problem and make this part of our job as easy as we could.

We focused on making Prophet as generic and modular as possible. Conditions are broken up into properties of a pull request, e.g. “file name modified” or “line added,” and operators such as “regex matches.” It’s easy to write a new property or operator to expand the use of Prophet. The generic nature of the tool has made it attractive for other teams at Addepar. The design team wants to see changes made to all CSS files, and our data team wants to be notified of any changes to SQL files. The actions are similarly modular and make it easy to add new actions, like emailing a list of people or filing a JIRA ticket.
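The rule model described above (properties, operators and actions as separate pluggable pieces), as an added Python sketch that is not Prophet's own code. The pull request dict shape, the rule and team names, the AND semantics across conditions, and actions that return text instead of posting to GitHub are all assumptions made for illustration.

```python
import re
from collections import namedtuple

# Properties pull a list of strings out of a pull request (dict shape is assumed).
PROPERTIES = {
    "file_name_modified": lambda pr: [f["path"] for f in pr["files"]],
    "line_added": lambda pr: [ln for f in pr["files"] for ln in f["added"]],
}
# Operators compare one extracted string against the rule's argument.
OPERATORS = {
    "regex_matches": lambda value, arg: re.search(arg, value) is not None,
    "contains": lambda value, arg: arg in value,
}
Condition = namedtuple("Condition", "prop op arg")
Rule = namedtuple("Rule", "name conditions actions")

def condition_matches(cond, pr):
    test = OPERATORS[cond.op]
    return any(test(v, cond.arg) for v in PROPERTIES[cond.prop](pr))

def evaluate(rule, pr):
    # Assumption: every condition must hold (AND) before any action fires.
    if all(condition_matches(c, pr) for c in rule.conditions):
        return [act(rule, pr) for act in rule.actions]
    return []

def comment_tagging(team):
    # Stand-in for a GitHub comment: returns the text instead of posting it.
    return lambda rule, pr: f"PR #{pr['number']}: @{team} please review ({rule.name})"

RULES = [
    Rule("tls-verify-off-in-auth",
         [Condition("file_name_modified", "regex_matches", r"(^|/)auth/.*\.py$"),
          Condition("line_added", "regex_matches", r"verify\s*=\s*False")],
         [comment_tagging("security-team")]),
    Rule("css-changed", [Condition("file_name_modified", "regex_matches", r"\.css$")],
         [comment_tagging("design-team")]),
]
# Constructed sample pull requests (not real data).
SAMPLE_PRS = [
    {"number": 101, "files": [
        {"path": "app/auth/session.py", "added": ["r = requests.get(u, verify=False)"]},
        {"path": "static/site.css", "added": ["body { margin: 0 }"]}]},
    {"number": 102, "files": [
        {"path": "docs/README.md", "added": ["never set verify=False"]}]},
]

def run(rules, prs):
    return [out for pr in prs for rule in rules for out in evaluate(rule, pr)]
```

Pull request 102 adds the same `verify=False` text but only in a README, so the two-condition security rule stays silent; a single regex over added lines would have flagged it.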

This talk will discuss the functions of Prophet and how it fits into the security team’s workflow. It will also demonstrate how other security teams could use Prophet or some of the ideas behind it to improve their own code review process.


Presenters:

  • Robert Picard
    I’m an Application Security Engineer at financial software startup Addepar. I came from a consulting position. I’ve been in the industry for about 2 years now. Prior to starting in the security industry, I wrote a book on web development with Python’s Flask microframework called Explore Flask.
