
Securitybot: Open Sourcing Automated Security at Scale - hepha1979
https://blogs.dropbox.com/tech/2017/02/meet-securitybot-open-sourcing-automated-security-at-scale/
======
perlgeek
The next logical evolution is writing a bot that responds with "yes" and some
BOFH-style explanation in your stead when securitybot comes asking.

Which is my way of saying that those automatic queries will likely start to
annoy folks very soon, and they'll find a way not to deal with them.

~~~
packetized
I could get on board with BOFH mad libs.

------
benmarks
Interesting timing given that Netflix announced an open source security
offering of their own: [http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html](http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html)

~~~
Cyphase
Here's the HN story:
[https://news.ycombinator.com/item?id=13697480](https://news.ycombinator.com/item?id=13697480)

------
misiti3780
If I am reading this correctly, I'm a little surprised that Dropbox is sending
their security problems through another company's (Slack's) chat system.

~~~
pacaro
I think that once you make the decision to use another company's chat system,
you have to recognize that just about any information might end up on it.

I can't imagine trying to educate users (outside of an environment in which
this thinking is normal) about what can and cannot go over which medium.

The realtime(ish) notifications and questions that they describe in the blog
post seem relatively benign compared to say, product planning discussions.

Disclaimer: I used to work at Dropbox and know the individuals involved

------
pmontra
The SQL executes they are using build queries with "%s" instead of using ?
parameters. I guess they foresee that those scripts only see friendly data but
it's better to be safe than sorry and protect against SQL injection from day
1.

Example
[https://github.com/dropbox/securitybot/blob/master/plugins/s...](https://github.com/dropbox/securitybot/blob/master/plugins/splunk/apps/securitybot_alerts/bin/bot_lookup.py)

~~~
lwf
I work on the security engineering team at Dropbox, and help manage our open
source programmes.

Note that we aren't doing ``.format()`` or ``%``, but passing the fill text as
the second parameter to ``.execute()`` — this is the correct way to protect
against SQLi using MySQLdb.

I actually mistakenly thought this was SQLi when I was reviewing this code for
release. Unfortunately, the MySQLdb documentation doesn't make that obvious.

See [http://stackoverflow.com/a/7929438](http://stackoverflow.com/a/7929438)
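The distinction lwf draws, shown as an added example that is not part of the thread or of the securitybot code: it uses the stdlib sqlite3 module so it runs offline (sqlite3's placeholder is `?`, MySQLdb's is `%s`), with constructed sample rows.

```python
"""Interpolated vs. parameterised queries.

MySQLdb uses the DB-API 'format' paramstyle, so its placeholder is %s, which
looks like string formatting but is not: the driver quotes and escapes the
value passed as the second argument to execute(). sqlite3 uses the 'qmark'
paramstyle (?). The %s -> ? replacement below exists only so the same SQL
text can be shown in both styles; what matters is *where* the user value
meets the SQL: in Python (unsafe) or in the driver/database (safe).
"""
import sqlite3

# Constructed sample data (not from the page).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn, name):
    """Vulnerable: Python's % operator splices the value into the SQL text
    before execute() ever sees it, so quote characters in `name` become SQL."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Safe: the placeholder stays in the SQL text and the value travels
    separately as the second argument to execute(). With MySQLdb the SQL
    would read `WHERE name = %s` (no quotes around the placeholder)."""
    sql = "SELECT email FROM users WHERE name = %s".replace("%s", "?")
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"
    print(lookup_interpolated(conn, "alice"))    # ['alice@example.com']
    print(lookup_interpolated(conn, crafted))    # both rows: the quote broke out
    print(lookup_parameterised(conn, crafted))   # []: treated as a literal name
```

In code review, the thing to check is therefore whether `execute()` receives the values as its second argument, not whether the SQL text contains `%s`.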

------
kolanos
This is very interesting. I worked on a similar project, but somewhat
different. It's a Slack bot that monitors your Slack channels for indicators
(IPs, URLs, files, etc.) and alerts you to possible threats, such as phishing
attacks. Your Slack channel is as good an attack vector as anything else.

[https://github.com/swimlane/makobot](https://github.com/swimlane/makobot)

------
siliconc0w
Ideally you can practice immutable infrastructure and avoid running any ad-hoc
commands on non-dev systems. Especially administrative ones using sudo. Takes
a bit of a culture shift though if people aren't used to working that way.

~~~
toomuchtodo
Because I love replacing an Elasticsearch cluster when changing a single
parameter.

Immutable infrastructure is great for stateless microservices, everything
else not so much.

~~~
morgante
Ideally you implement a middle ground of declarative (but not necessarily
immutable) infrastructure where changes are diffed. Terraform does this pretty
nicely.

~~~
toomuchtodo
I hear what you're saying, but we've got Elasticsearch in Terraform as a
module, and you dare not make mods to an existing cluster; Terraform will
dutifully tear that cluster down depending on the changes you make (I mean,
sure, use a "plan" first, but still).

~~~
morgante
Yea, unfortunately Terraform often insists on a full teardown when it would be
possible to make an incremental update.

~~~
nodesocket
Agree, Terraform is awesome and we love it
([https://blog.elasticbyte.net/getting-started-with-terraform-and-google-compute-engine](https://blog.elasticbyte.net/getting-started-with-terraform-and-google-compute-engine)). However, sometimes changes that should patch
instead result in destroying and re-creating instances, which can be scary.

~~~
geggam
Quit using terraform as a complete monolith and modularize it.

~~~
nodesocket
See the title "getting started..."

------
SEJeff
To get around HN's hug of death taking out the dropbox blog:

[http://archive.is/NqfmG](http://archive.is/NqfmG)

------
staunch
Email is pretty good for this and it's easier to backup and it's easier to BCC
multiple addresses hosted on separate servers.

------
dfc
Why is accidentally invoking nmap and/or any port scan generating logs that
humans were looking through?

