
"Defending the Bird". Justin Collins, Alex Smolen, Twitter

The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.

  1. Defending the Bird
     Product Security Engineering at Twitter
     Alex Smolen (@alsmola), Justin Collins (@presidentbeef)
     YAC, Moscow, 2013
  2. What does it mean to “Defend the Bird”?
  3. 500+ million Tweets a day. Hyper-growth. 2000+ employees around the world. 200+ million daily active users.
  4. Twitter as the global town square.
  5. 3 floors, ~700 employees; 1 floor, ~100 employees; 5+ floors, ~2000+ employees.
  6-21. Slides 6 to 21 build up a list of domains, one per slide: https://twitter.com, https://mobile.twitter.com, https://ads.twitter.com, https://dev.twitter.com, https://support.twitter.com, https://analytics.twitter.com, https://translate.twitter.com, https://bluefin.com, https://admob.com, https://posterous.com, https://crashalytics.com, https://vine.co, https://tweetdeck.com, https://trendrr.com
  22. We are 1 out of 100 engineers.
  23. We can’t do everything.
  24. Automation. Code review. Security features.
  25. Automating Security: avoid tedious tasks; catch issues early; notify the right people.
  26. We need a central location where information is collected and transferred.
  27. Static analysis. Dynamic analysis. Internal metrics.
  28. How do we let developers know when they check in bad code?
  29. Brakeman: static analysis for Rails; needs infrastructure for integration; reports to SADB.
  30. Coffee Break: JavaScript static analysis; catches DOM-based XSS; reports to SADB.
  31. Phantom Gang: dynamic HTTP scanning; specific, not a full scan; reports to SADB.
  32. We manually review what slips through the cracks.
  33. Code Reviews: code goes through a review system; security is automatically added to sensitive reviews; security can be manually added to any review.
  34. Accountability: email when there are new reviews; dashboard of pending reviews; once-a-month clean sweep.
  35. Teams request security reviews through a self-service form.
  36. Security features
  37. Two-factor authentication: something we’ve wanted to build for a long time; designed and implemented by the product security team. How do you build a robust yet simple solution?
  38. SMS-based two-factor: send a six-digit code to the user; requires a temporary password to sign in to other apps and devices.
  39. Native two-factor: the client has a private/public keypair; it signs the request the server sends over push, and the server holds the public key; one-tap sign in.
  40. Two-factor challenges: the happy case is easy, the sad case is hard; doesn’t deal with many-to-many account access; people can’t manage their own keys.
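The native two-factor flow of slides 39 and 40 (device keypair, server-pushed challenge, one-tap signature, and the sad cases) as an added Ruby illustration; this is not Twitter's implementation, and the class names, the 60-second challenge lifetime and the use of RSA-2048 are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Enrolled phone: it alone holds the private key; the server only ever sees the public half.
class Device
  attr_reader :public_key
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)   # generated at enrollment, never leaves the device
    @public_key = @key.public_key
  end

  # "One tap": the app signs exactly the challenge the server pushed to it.
  def approve(challenge)
    Base64.strict_encode64(@key.sign(OpenSSL::Digest.new('SHA256'), challenge))
  end
end

# Server side of login verification (hypothetical class, not Twitter's code).
class LoginVerifier
  CHALLENGE_TTL = 60   # assumed lifetime of a pushed challenge, in seconds
  def initialize
    @devices = {}   # username => enrolled public key
    @pending = {}   # challenge id => [username, challenge text, issued_at]
  end

  def enroll(user, public_key)
    @devices[user] = public_key
  end

  # Called after the password check passed: mint a fresh, unguessable challenge to push.
  def begin_login(user, now: Time.now)
    raise ArgumentError, "no enrolled device for #{user}" unless @devices.key?(user)
    id = SecureRandom.hex(8)
    challenge = "login:#{user}:#{SecureRandom.hex(16)}"   # binds the challenge to this user
    @pending[id] = [user, challenge, now]
    [id, challenge]
  end

  # Every sad case (unknown id, replay, expiry, wrong key, garbage input) ends in a plain false.
  def complete_login(id, signature_b64, now: Time.now)
    user, challenge, issued = @pending.delete(id)   # delete first: a challenge is single-use
    return false if user.nil? || now - issued > CHALLENGE_TTL
    sig = Base64.strict_decode64(signature_b64)
    @devices[user].verify(OpenSSL::Digest.new('SHA256'), sig, challenge)
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    false
  end
end
```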
  41. Twitter was one of the first major services to require 100% SSL.
  42. HTTP Strict Transport Security: how do you bootstrap? Tells the browser not to use HTTP. Sub-domains, CDNs, mobile.
  43. Certificate pinning: implemented in mobile apps and Chrome; only one certificate is valid; also working on TACK.
  44. ECDHE: SSL mode with perfect forward secrecy; ephemeral keys used for conversations.
  45. We need to build security into our custom frameworks.
  46. Security headers: adds several default security headers; implements interoperable CSP. https://github.com/twitter/secureheaders
  47. Keybird: keys delivered securely to the production environment; uses Puppet.
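An added Rack-style middleware in Ruby showing what slides 42 and 46 describe: HSTS with includeSubDomains emitted only on TLS responses, plus a CSP sent under both the standard and the vendor-prefixed header names of the era. It is an illustration written for this page, not the twitter/secureheaders gem; the class name, the policy string and the user-agent mapping are assumptions.

```ruby
# Rack-style middleware that puts default security headers on every response.
# Hypothetical illustration, not the twitter/secureheaders gem.
class DefaultSecurityHeaders
  ONE_YEAR = 365 * 24 * 60 * 60
  # Assumed policy for the example; a real one lists the app's own script and CDN origins.
  CSP = "default-src 'self'; img-src 'self' https:; script-src 'self' https://cdn.example.invalid"

  def initialize(app, hsts_max_age: ONE_YEAR, include_subdomains: true)
    @app = app
    # includeSubDomains is what extends the no-HTTP rule to sub-domains and CDN hosts
    @hsts = "max-age=#{hsts_max_age}" + (include_subdomains ? '; includeSubDomains' : '')
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Browsers ignore HSTS received over plain HTTP, so it is only sent on TLS responses;
    # the user's first HTTPS visit is what bootstraps the policy.
    headers['Strict-Transport-Security'] = @hsts if https?(env)
    headers['X-Frame-Options'] ||= 'SAMEORIGIN'
    headers['X-Content-Type-Options'] ||= 'nosniff'
    headers['X-XSS-Protection'] ||= '1; mode=block'
    # CSP governs a document, so only HTML responses get it
    csp_header_names(env['HTTP_USER_AGENT'].to_s).each { |h| headers[h] ||= CSP } if html?(headers)
    [status, headers, body]
  end

  private

  def https?(env)
    env['rack.url_scheme'] == 'https'
  end

  def html?(headers)
    headers['Content-Type'].to_s.start_with?('text/html')
  end

  # "Interoperable" CSP, 2013 style: besides the standard name, emit the vendor-prefixed
  # header that older Firefox (X-Content-Security-Policy) or WebKit (X-WebKit-CSP) honoured.
  def csp_header_names(user_agent)
    names = ['Content-Security-Policy']
    names << 'X-Content-Security-Policy' if user_agent.include?('Firefox')
    names << 'X-WebKit-CSP' if user_agent.include?('WebKit')
    names
  end
end

# Constructed helper: wrap a one-line origin app and return just the response headers.
def respond(scheme:, ua: '', content_type: 'text/html')
  app = DefaultSecurityHeaders.new(->(_env) { [200, { 'Content-Type' => content_type }, ['ok']] })
  app.call('rack.url_scheme' => scheme, 'HTTP_USER_AGENT' => ua)[1]
end
```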
  48. The bird is big, and we’re small.
  49. We use tools to accomplish more.