"Defending the Bird". Justin Collins, Alex Smolen, Twitter

The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.

Presentation Transcript

  • 1. Defending the Bird: Product Security Engineering at Twitter. Alex Smolen (@alsmola), Justin Collins (@presidentbeef). YAC, Moscow, 2013
  • 2. What does it mean to “Defend the Bird”?
  • 3. Hyper-growth: 500+ million Tweets a day; 200+ million daily active users; 2000+ employees around the world
  • 4. Twitter as the global town square.
  • 5. Office growth: 1 floor, ~100 employees; 3 floors, ~700 employees; 5+ floors, ~2000+ employees
  • 6-21. The properties we are responsible for, one domain added per slide: https://twitter.com, https://mobile.twitter.com, https://ads.twitter.com, https://dev.twitter.com, https://support.twitter.com, https://analytics.twitter.com, https://translate.twitter.com, https://bluefin.com, https://admob.com, https://posterous.com, https://crashalytics.com, https://vine.co, https://tweetdeck.com, https://trendrr.com
  • 22. We (product security) are 1 out of every 100 engineers.
  • 23. We can’t do everything.
  • 24. Three pillars: automation, code review, security features
  • 25. Automating security: avoid tedious tasks; catch issues early; notify the right people
  • 26. We need a central location where information is collected and transferred.
  • 27. Inputs: static analysis, dynamic analysis, internal metrics
  • 28. How do we let developers know when they check in bad code?
  • 29. Brakeman: static analysis for Rails; a standalone tool, so it needs surrounding infrastructure to integrate into the workflow; reports to SADB
  • 30. Coffee Break: JavaScript static analysis; catches DOM-based XSS; reports to SADB
  • 31. Phantom Gang: dynamic HTTP scanning; targeted checks rather than a full scan; reports to SADB
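Slides 29 to 31 describe three scanners feeding one central store. What makes a commit-time check usable is diffing each scan against a baseline, so developers hear only about what they just introduced, and routing each finding to someone who owns the file. The following Ruby is an added example written for this page, not Twitter's SADB code and not Brakeman itself: it consumes two constructed reports in the shape of Brakeman's JSON output, treats the fingerprint as the identity of a finding, and builds the record a central dashboard would store and notify from. The ownership map and the "block on new High-confidence findings" gate are assumptions.

```ruby
require "json"

# Constructed sample reports in the shape of Brakeman's JSON output (`brakeman -f json`);
# not real scan results. Fingerprints are stable per finding, so they are the diff key.
BASELINE_JSON = <<~'JSON'
  { "warnings": [
    { "warning_type": "SQL Injection", "fingerprint": "a1b2", "confidence": "High",
      "file": "app/models/user.rb", "line": 42, "message": "Possible SQL injection" },
    { "warning_type": "Redirect", "fingerprint": "c3d4", "confidence": "Weak",
      "file": "lib/legacy.rb", "line": 7, "message": "Possible unprotected redirect" }
  ] }
JSON

CURRENT_JSON = <<~'JSON'
  { "warnings": [
    { "warning_type": "SQL Injection", "fingerprint": "a1b2", "confidence": "High",
      "file": "app/models/user.rb", "line": 42, "message": "Possible SQL injection" },
    { "warning_type": "Cross-Site Scripting", "fingerprint": "e5f6", "confidence": "High",
      "file": "app/views/payments/show.html.erb", "line": 3, "message": "Unescaped model attribute" },
    { "warning_type": "Mass Assignment", "fingerprint": "g7h8", "confidence": "Medium",
      "file": "app/controllers/users_controller.rb", "line": 19, "message": "Unprotected mass assignment" }
  ] }
JSON

# Hypothetical path-prefix ownership map; in practice this comes from your code-owner data.
OWNERS = { "app/views/payments/" => "payments-team", "app/" => "web-team" }.freeze

class ScanDiff
  SEVERITY = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

  def initialize(baseline_json, current_json, owners: OWNERS)
    @baseline = index(JSON.parse(baseline_json))
    @current  = index(JSON.parse(current_json))
    @owners   = owners
  end

  # Findings introduced since the baseline scan: the ones a commit should be judged on.
  def new_warnings
    (@current.keys - @baseline.keys).map { |fp| @current[fp] }
  end

  # Findings present in the baseline but gone now.
  def fixed_warnings
    (@baseline.keys - @current.keys).map { |fp| @baseline[fp] }
  end

  # Gate on newly introduced findings at or above a confidence level, never on the
  # whole backlog; otherwise the first integration blocks every commit.
  def blocking?(min_confidence: "High")
    floor = SEVERITY.fetch(min_confidence)
    new_warnings.any? { |w| SEVERITY.fetch(w["confidence"], 0) >= floor }
  end

  # Longest matching path prefix wins; anything unowned goes to the security team.
  def owner_for(path)
    prefix = @owners.keys.select { |p| path.start_with?(p) }.max_by(&:length)
    prefix ? @owners[prefix] : "security-team"
  end

  # The record a central dashboard would store and fan out to the right people.
  def summary(commit:)
    by_team = new_warnings.group_by { |w| owner_for(w["file"]) }
    {
      "commit"   => commit,
      "new"      => new_warnings.map { |w| w["fingerprint"] },
      "fixed"    => fixed_warnings.map { |w| w["fingerprint"] },
      "blocking" => blocking?,
      "notify"   => by_team.transform_values { |ws| ws.map { |w| "#{w["warning_type"]} in #{w["file"]}:#{w["line"]}" } }
    }
  end

  private

  def index(report)
    report.fetch("warnings").each_with_object({}) { |w, h| h[w.fetch("fingerprint")] = w }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(ScanDiff.new(BASELINE_JSON, CURRENT_JSON).summary(commit: "abc123"))
end
```

Keying on the fingerprint rather than file and line is what keeps the diff quiet when unrelated code moves; a finding that merely shifts ten lines is not "new".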
  • 32. We manually review what slips through the cracks.
  • 33. Code reviews: all code goes through a review system; security is automatically added to sensitive reviews; security can be manually added to any review
  • 34. Accountability: email when there are new reviews; dashboard of pending reviews; once a month, a clean sweep of the queue
  • 35. Teams request security reviews through a self-service form.
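Slides 33 to 35 give the two routes into a security review, automatic for sensitive changes and manual on request, but the talk does not say how a change is judged sensitive. The following Ruby is an added example, not Twitter's review tooling, with hypothetical rules for a Rails code base: a change is routed to security when it touches authentication, crypto, dependency or header-policy paths, or when its added lines disable output escaping or CSRF protection, or introduce dynamic code execution or deserialization. The diff it parses is constructed.

```ruby
# Rules are hypothetical examples of what "sensitive" might mean for a Rails code base;
# the talk does not list Twitter's actual criteria.
SENSITIVE_PATHS = [
  %r{\Aapp/controllers/(sessions|passwords|oauth)}, # login, password reset, OAuth
  %r{\A(config|lib)/.*(auth|crypt|token|secret)},    # auth and crypto plumbing
  %r{\AGemfile(\.lock)?\z},                          # dependency changes
  %r{\Aconfig/initializers/secure_headers\.rb\z}     # CSP / HSTS policy
].freeze

SENSITIVE_ADDITIONS = [
  /\bhtml_safe\b/, /\braw\(/,                                  # output escaping turned off
  /\beval\b/, /\bconstantize\b/, /\bsend\(/,                   # dynamic code or method dispatch
  /skip_before_(action|filter)\s*:verify_authenticity_token/,  # CSRF protection removed
  /\bMarshal\.load\b/                                          # deserialization of untrusted data
].freeze

# Constructed unified diff: a harmless helper, a view that turns escaping off, and a
# touch to the login controller.
SAMPLE_DIFF = <<~'DIFF'
  diff --git a/app/helpers/time_helper.rb b/app/helpers/time_helper.rb
  --- a/app/helpers/time_helper.rb
  +++ b/app/helpers/time_helper.rb
  @@ -1,3 +1,6 @@
   module TimeHelper
  +  def relative_time(t)
  +    "#{((Time.now - t) / 60).round} minutes ago"
  +  end
   end
  diff --git a/app/views/tweets/show.html.erb b/app/views/tweets/show.html.erb
  --- a/app/views/tweets/show.html.erb
  +++ b/app/views/tweets/show.html.erb
  @@ -1,2 +1,2 @@
  -<p><%= @tweet.text %></p>
  +<p><%= raw(@tweet.text) %></p>
  diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
  --- a/app/controllers/sessions_controller.rb
  +++ b/app/controllers/sessions_controller.rb
  @@ -4,3 +4,4 @@ class SessionsController < ApplicationController
     def create
  +    Rails.logger.debug("login attempt")
       user = User.authenticate(params[:username], params[:password])
DIFF

# Walk a unified diff; return the reasons (if any) the change needs a security reviewer.
# Only added lines are inspected: removing a `raw(` call is not a reason to escalate.
def sensitivity_reasons(diff_text)
  reasons = []
  file = nil
  diff_text.each_line do |line|
    if line.start_with?("+++ ")
      file = line[4..-1].strip.sub(%r{\Ab/}, "")
      reasons << "sensitive path: #{file}" if SENSITIVE_PATHS.any? { |re| file.match?(re) }
    elsif line.start_with?("+") && file
      SENSITIVE_ADDITIONS.each do |re|
        m = line.match(re)
        reasons << "#{file}: adds #{m[0].strip}" if m
      end
    end
  end
  reasons.uniq
end

# The two routes on the slide: automatic for sensitive diffs, manual when the author asks.
def reviewers_for(diff_text, base_reviewers, request_security: false)
  reasons = sensitivity_reasons(diff_text)
  reviewers = base_reviewers.dup
  reviewers << "security" if request_security || !reasons.empty?
  { reviewers: reviewers.uniq, reasons: reasons }
end
```

The reasons list is worth surfacing in the review itself: a reviewer who is told "this diff adds raw(" starts at the right line instead of re-reading the whole change.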
  • 36. Security features
  • 37. Two-factor authentication: something we've wanted to build for a long time; designed and implemented by the product security team. How do you build a robust yet simple solution?
  • 38. SMS-based two-factor: send a six-digit code to the user; other apps and devices then require a temporary password to sign in
  • 39. Native two-factor: the client holds a private/public keypair and the server holds the public key; the server sends a request over push and the client signs it; one-tap sign-in
  • 40. Two-factor challenges: the happy case is easy, the sad case is hard; doesn't deal with many-to-many account access; people can't manage their own keys
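Slides 39 and 40 describe the native second factor as a push-delivered request signed by a device-held key, and note that the sad case is the hard part. The following Ruby is an added example of that exchange, not Twitter's implementation: it assumes RSA-2048 device keys, a 120-second challenge lifetime and an in-memory store, and shows both sides, including the replay, expiry, tampering and wrong-device cases the server has to reject.

```ruby
require "openssl"
require "securerandom"

# Device side. The private key is generated on the device at enrollment and never leaves it
# (it lives in this process only for illustration). RSA-2048 is an assumption; the slide says
# only "private/public keypair".
class EnrolledDevice
  attr_reader :device_id

  def initialize(device_id)
    @device_id = device_id
    @key = OpenSSL::PKey::RSA.new(2048)
  end

  def public_key_pem
    @key.public_key.to_pem
  end

  # Approving the push is signing the challenge. The canonical string includes the user,
  # the device id and a fresh nonce, so one approval cannot be replayed for another login.
  def approve(push)
    @key.sign(OpenSSL::Digest.new("SHA256"), LoginServer.canonical(push))
  end
end

class LoginServer
  CHALLENGE_TTL = 120 # seconds a push stays answerable (assumed value)
  FIELDS = %w[user device_id challenge_id nonce issued_at].freeze

  # Both sides must agree byte-for-byte on what is signed.
  def self.canonical(push)
    FIELDS.map { |k| push.fetch(k).to_s }.join("\n")
  end

  def initialize
    @devices = {} # user => { device_id => public key }
    @pending = {} # challenge_id => push payload
  end

  def enroll(user, device_id, public_key_pem)
    (@devices[user] ||= {})[device_id] = OpenSSL::PKey::RSA.new(public_key_pem)
  end

  # Password already checked; now send the second factor as a push notification.
  def start_login(user, device_id, now: Time.now)
    raise ArgumentError, "no enrolled device" unless @devices.dig(user, device_id)
    push = {
      "user" => user, "device_id" => device_id,
      "challenge_id" => SecureRandom.hex(16), "nonce" => SecureRandom.hex(32),
      "issued_at" => now.to_i
    }
    @pending[push["challenge_id"]] = push
    push
  end

  # The sad cases: a challenge is single-use (deleted on the first answer, valid or not),
  # expires, and must verify against the key enrolled for that exact user and device.
  def complete_login(challenge_id, signature, now: Time.now)
    push = @pending.delete(challenge_id)
    return false unless push
    return false if now.to_i - push["issued_at"] > CHALLENGE_TTL
    key = @devices.dig(push["user"], push["device_id"])
    key.verify(OpenSSL::Digest.new("SHA256"), signature, self.class.canonical(push))
  rescue OpenSSL::PKey::PKeyError
    false
  end
end
```

Deleting the pending challenge before verifying, rather than after, is deliberate: a failed answer should not leave a challenge around for a second try with a different signature.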
  • 41. Twitter was one of the first major services to require 100% SSL.
  • 42. HTTP Strict Transport Security: tells the browser never to use plain HTTP; how do you bootstrap it?; sub-domains, CDNs and mobile clients complicate it
  • 43. Certificate pinning: implemented in the mobile apps and in Chrome; only the pinned certificate is accepted; also working on TACK
  • 44. ECDHE: SSL mode with perfect forward secrecy; ephemeral keys are used for each conversation, so a compromised long-term key does not expose past traffic
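Slides 43 and 44, as an added Ruby example that is not Twitter's mobile or Chrome pinning code: pins are computed over the SubjectPublicKeyInfo and checked in the client's verify callback only after ordinary chain validation has passed, and the context is restricted to ECDHE cipher suites. The host name, certificates and keys are constructed fixtures.

```ruby
require "openssl"
require "digest"

# Pin the SubjectPublicKeyInfo (the key), not the certificate: base64(SHA-256(SPKI DER)) is the
# form HPKP and Chrome's built-in pin list use. Renewing a certificate on the same key keeps
# the pin valid; rotating the key requires a new pin to be shipped first.
def spki_pin(cert)
  Digest::SHA256.base64digest(cert.public_key.to_der)
end

# A chain is acceptable when any certificate in it matches one of the configured pins
# (pinning an intermediate or your own CA is a common choice for rotation headroom).
def chain_pinned?(chain, pins)
  chain.any? { |cert| pins.include?(spki_pin(cert)) }
end

# Client-side context: normal chain validation first, then the pin check at the leaf, and
# only ECDHE cipher suites so every session has its own ephemeral key (slide 44).
def pinned_client_context(pins)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.ciphers = "ECDHE+AESGCM:!aNULL:!MD5"
  ctx.verify_callback = lambda do |preverify_ok, store_ctx|
    next false unless preverify_ok               # a pin match must never rescue an invalid chain
    next true unless store_ctx.error_depth.zero? # callback runs per cert; check pins once, at the leaf
    chain_pinned?(store_ctx.chain, pins)
  end
  ctx
end

# Constructed test fixture: a self-signed certificate for a hypothetical host.
def self_signed_cert(common_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```

"Only one certificate is valid" on the slide is the user-visible effect; the practitioner's check is that a second certificate for the same name, issued on a different key (the mis-issuance case pinning exists for), fails the pin even though it would pass ordinary validation. Ship at least one backup pin for a key held offline, or a key rotation locks out every pinned client.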
  • 45. We need to build security in to our custom frameworks.
  • 46. Security headers: adds several default security headers; implements interoperable CSP; https://github.com/twitter/secureheaders
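Slides 42 and 46: the secure_headers gem is Twitter's own project; the following Ruby is an added example, not the gem's code, of what "default headers plus interoperable CSP" meant in a Rack middleware in 2013. HSTS is emitted only on TLS responses, every header can be overridden by the application, and the CSP header name is chosen per browser, since the standard name was not yet universally understood. Policy values and the user-agent strings are illustrative.

```ruby
# Not the secure_headers gem: a minimal Rack-style middleware written for this page.
class DefaultSecurityHeaders
  HSTS = "max-age=31536000; includeSubDomains".freeze
  CSP  = "default-src 'self'; img-src 'self' https:; object-src 'none'".freeze

  def initialize(app, csp: CSP, hsts: HSTS)
    @app, @csp, @hsts = app, csp, hsts
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # ||= keeps any value the application chose deliberately.
    headers["X-Frame-Options"]        ||= "SAMEORIGIN"
    headers["X-Content-Type-Options"] ||= "nosniff"
    headers["X-XSS-Protection"]       ||= "1; mode=block"
    # Browsers ignore HSTS on a plain-HTTP response, so emit it only over TLS. Bootstrapping is the
    # HTTP -> HTTPS redirect plus the first HTTPS visit; includeSubDomains is only safe once every
    # subdomain (CDN hosts, mobile endpoints) actually serves HTTPS.
    headers["Strict-Transport-Security"] ||= @hsts if https?(env)
    headers[csp_header_name(env["HTTP_USER_AGENT"].to_s)] ||= @csp
    [status, headers, body]
  end

  # "Interoperable CSP" in 2013 meant the header name varied by browser: Firefox before 23 and
  # IE 10 (sandbox directive only) read X-Content-Security-Policy, Chrome before 25 and Safari 6
  # read X-WebKit-CSP. Every current browser uses the standard name; the prefixed branches are
  # kept to show what the compatibility layer had to do.
  def csp_header_name(user_agent)
    if (m = user_agent.match(/Firefox\/(\d+)/)) && m[1].to_i < 23
      "X-Content-Security-Policy"
    elsif user_agent.include?("MSIE 10")
      "X-Content-Security-Policy"
    elsif (m = user_agent.match(/Chrome\/(\d+)/)) && m[1].to_i < 25
      "X-WebKit-CSP"
    elsif user_agent.include?("Safari") && !user_agent.include?("Chrome") && user_agent.match?(/Version\/6\./)
      "X-WebKit-CSP"
    else
      "Content-Security-Policy"
    end
  end

  # X-Forwarded-Proto is only trustworthy when set by your own TLS-terminating proxy.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end
```

The useful property to test is the negative one: the middleware must not leak a CSP under a name the browser will not enforce, and must not send HSTS where it would be ignored, since both failures are silent.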
  • 47. Keybird: keys delivered securely to the production environment; uses Puppet
  • 48. The bird is big, and we’re small.
  • 49. We use tools to accomplish more.