"Defending the Bird". Justin Collins, Alex Smolen, Twitter
The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.
  • 1. Defending the Bird: Product Security Engineering at Twitter. Alex Smolen (@alsmola), Justin Collins (@presidentbeef). YAC, Moscow, 2013
  • 2. What does it mean to “Defend the Bird”?
  • 3. 500+ million Tweets a day; hyper-growth; 2000+ employees around the world; 200+ million daily active users.
  • 4. Twitter as the global town square.
  • 5. 3 floors, ~700 employees; 1 floor, ~100 employees; 5+ floors, ~2000+ employees.
  • 22. We are 1 out of 100 engineers.
  • 23. We can’t do everything.
  • 24. Automation; code review; security features.
  • 25. Automating Security: avoid tedious tasks; catch issues early; notify the right people.
  • 26. We need a central location where information is collected and transferred.
  • 27. Static analysis; dynamic analysis; internal metrics.
  • 28. How do we let developers know when they check in bad code?
  • 29. Brakeman: static analysis for Rails; needs infrastructure for integration; reports to SADB.
  • 30. Coffee Break: JavaScript static analysis; catches DOM-based XSS; reports to SADB.
  • 31. Phantom Gang: dynamic HTTP scanning; specific checks, not a full scan; reports to SADB.
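Slides 25 through 31 describe three scanners that all report into one central store (SADB) so that the right people are notified when new issues appear. The following Ruby is an added example of that aggregation pattern, not Twitter's SADB code: it parses a constructed report in the shape of Brakeman's JSON output, a constructed report from a hypothetical JavaScript scanner, fingerprints each finding so repeat runs do not re-notify, and routes new findings to owning teams looked up by path prefix (the owner map, the `js-scanner` tool name and the team names are all assumptions).

```ruby
require 'digest'
require 'json'

# Constructed sample in the shape of Brakeman's JSON report (field names as
# Brakeman emits them; the values are made up for this example).
BRAKEMAN_REPORT = JSON.parse(<<~JSON)
  {"warnings": [
    {"warning_type": "SQL Injection", "file": "app/models/tweet.rb", "line": 42, "confidence": "High"},
    {"warning_type": "Cross Site Scripting", "file": "app/views/tweets/show.html.erb", "line": 7, "confidence": "Medium"}
  ]}
JSON

# Constructed sample from a hypothetical JavaScript DOM-XSS scanner (report shape is assumed).
JS_FINDINGS = [
  { 'rule' => 'dom-xss-innerhtml', 'file' => 'app/assets/javascripts/timeline.js', 'line' => 118, 'severity' => 'High' }
]

Finding = Struct.new(:tool, :kind, :file, :line, :severity) do
  # Stable identity across runs, so a finding re-reported on every build is not re-notified.
  def fingerprint
    Digest::SHA256.hexdigest([tool, kind, file, line].join('|'))[0, 16]
  end
end

def from_brakeman(report)
  report['warnings'].map { |w| Finding.new('brakeman', w['warning_type'], w['file'], w['line'], w['confidence']) }
end

def from_js_scanner(rows)
  rows.map { |r| Finding.new('js-scanner', r['rule'], r['file'], r['line'], r['severity']) }
end

# Hypothetical central store: tools push findings in, owners are looked up from
# the file path, and only findings not seen before produce a notification.
class Sadb
  DEFAULT_OWNER = 'product-security' # unowned code lands on the security team

  def initialize(owners)
    @owners = owners # path prefix => owning team
    @known = {}      # fingerprint => Finding
  end

  # Returns { team => [new findings] }; an empty hash means nothing new to report.
  def ingest(findings)
    fresh = findings.reject { |f| @known.key?(f.fingerprint) }
    fresh.each { |f| @known[f.fingerprint] = f }
    notifications = Hash.new { |h, k| h[k] = [] }
    fresh.each { |f| notifications[owner_for(f.file)] << f }
    notifications
  end

  def owner_for(path)
    _prefix, team = @owners.find { |prefix, _| path.start_with?(prefix) }
    team || DEFAULT_OWNER
  end

  def open_count
    @known.size
  end
end

if __FILE__ == $PROGRAM_NAME
  sadb = Sadb.new('app/models/' => 'backend', 'app/views/' => 'frontend')
  sadb.ingest(from_brakeman(BRAKEMAN_REPORT) + from_js_scanner(JS_FINDINGS)).each do |team, findings|
    puts "#{team}: #{findings.map { |f| "#{f.tool} #{f.kind} #{f.file}:#{f.line}" }.join(', ')}"
  end
end
```

Running the same Brakeman report through `ingest` a second time yields no notifications, which is the property that makes per-commit scanning tolerable: developers hear about a finding once, when they check it in, rather than on every build.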
  • 32. We manually review what slips through the cracks.
  • 33. Code Reviews: code goes through a review system; security is automatically added to sensitive reviews; security can be manually added to any review.
  • 34. Accountability: email when there are new reviews; dashboard of pending reviews; once a month, a clean sweep.
  • 35. Teams request security reviews through a self-service form.
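Slides 33 through 35 describe adding the security team to sensitive reviews automatically, on request, and tracking what is still pending. The Ruby below is an added illustration of that routing, not Twitter's review-system code: the path and line heuristics, the `product-security` group name and the review hash layout are assumptions chosen for the example, and the line patterns are ordinary Rails idioms that deserve a second look in review rather than anything specific to the talk.

```ruby
# Paths whose changes always get a security reviewer (constructed heuristics, not Twitter's list).
SENSITIVE_PATHS = [
  %r{(auth|session|password|login|oauth|token|crypto)}i,
  %r{config/initializers/},
  %r{\.(pem|key)\z}i
].freeze

# Added lines that warrant a security look, with the reason shown to reviewers.
SENSITIVE_LINES = {
  'html_safe/raw marks a string as trusted HTML (XSS review)' => /\b(html_safe|raw)\b/,
  'skips an authentication or authorization filter'           => /skip_before_(filter|action)/,
  'permit! disables strong-parameter filtering'               => /\.permit!/,
  'dynamic dispatch that may take untrusted input'            => /\b(constantize|send|eval)\s*\(/
}.freeze

Change = Struct.new(:path, :added_lines)

# Collect human-readable reasons a changeset is security sensitive (empty if none).
def security_reasons(changes)
  changes.flat_map do |c|
    reasons = []
    reasons << "#{c.path}: security-sensitive path" if SENSITIVE_PATHS.any? { |re| c.path =~ re }
    c.added_lines.each do |line|
      SENSITIVE_LINES.each { |why, re| reasons << "#{c.path}: #{why}" if line =~ re }
    end
    reasons
  end.uniq
end

# Reviewer list for one review: the team's own reviewers always, the security
# group when a heuristic fires or the author asked for it (the "manual" path).
def reviewers_for(review, security_group: 'product-security')
  reasons = security_reasons(review[:changes])
  reviewers = review[:reviewers].dup
  reviewers << security_group if reasons.any? || review[:request_security]
  { reviewers: reviewers.uniq, reasons: reasons }
end

# Dashboard query: reviews still waiting on security, oldest first, with age in days.
def pending_security_reviews(reviews, now:, security_group: 'product-security')
  reviews
    .select { |r| r[:reviewers].include?(security_group) && !r[:security_approved] }
    .map { |r| { id: r[:id], age_days: ((now - r[:opened_at]) / 86_400).floor } }
    .sort_by { |r| -r[:age_days] }
end

if __FILE__ == $PROGRAM_NAME
  review = {
    reviewers: ['alice'],
    changes: [Change.new('app/controllers/sessions_controller.rb', ['skip_before_filter :require_login'])]
  }
  puts reviewers_for(review).inspect
end
```

The reasons list is returned alongside the reviewer list so the review tool can show the developer why security was added; a silent addition tends to read as a bottleneck, a stated reason reads as help.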
  • 36. Security features
  • 37. Two-factor authentication: something we’ve wanted to build for a long time; designed and implemented by the product security team. How do you build a robust yet simple solution?
  • 38. SMS-based two-factor: send a six-digit code to the user; requires a temporary password to sign in to other apps and devices.
  • 39. Native two-factor: the client has a private/public keypair and signs a request the server sends over push; the server holds the public key; one-tap sign in.
  • 40. Two-factor challenges: the happy case is easy, the sad case is hard; doesn’t deal with many-to-many account access; people can’t manage their own keys.
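Slides 38 and 39 describe two second factors: a six-digit code sent over SMS, and a native flow in which the server pushes a request that the device signs with a private key the server can verify. The Ruby below is an added example of both server-side checks, not Twitter's implementation: RSA-2048 with SHA-256, the 300-second validity window, the five-attempt limit and the in-memory store are all this example's assumptions (the slides do not say what Twitter used), and the "sad case" handling from slide 40 is what the code is mostly about: expiry, single use, lock-out after repeated wrong codes, and replay rejection for signed challenges.

```ruby
require 'openssl'
require 'securerandom'

# Device side: a keypair generated once at enrollment; the private key never leaves the device.
# RSA-2048 with SHA-256 is this example's choice; the slide does not name an algorithm.
class Device
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
  end

  def public_key_pem
    @key.public_key.to_pem
  end

  # "One-tap sign in": the device signs the challenge the server pushed to it.
  def sign(challenge)
    @key.sign(OpenSSL::Digest::SHA256.new, challenge)
  end
end

# Server side for both factors. State is an in-memory hash here (a real deployment
# would use a shared store); the clock is injectable so expiry can be tested.
class TwoFactorServer
  CHALLENGE_TTL = 300 # seconds a code or push challenge stays valid (assumed value)
  MAX_ATTEMPTS  = 5   # wrong SMS guesses before the code is discarded (assumed value)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @sms_codes = {}   # user_id => { code:, expires_at:, attempts: }
    @device_keys = {} # user_id => public key PEM registered at enrollment
    @challenges = {}  # user_id => { nonce:, expires_at: }
  end

  # ---- SMS-based two-factor (slide 38) ----

  # Returns the six-digit code that would go out over SMS.
  def issue_sms_code(user_id)
    code = format('%06d', SecureRandom.random_number(1_000_000))
    @sms_codes[user_id] = { code: code, expires_at: @clock.call + CHALLENGE_TTL, attempts: 0 }
    code
  end

  def verify_sms_code(user_id, submitted)
    entry = @sms_codes[user_id]
    return false unless entry
    if @clock.call > entry[:expires_at]
      @sms_codes.delete(user_id)
      return false
    end
    entry[:attempts] += 1
    ok = secure_compare(entry[:code], submitted.to_s)
    # A code is single use; it is also discarded after too many wrong guesses.
    @sms_codes.delete(user_id) if ok || entry[:attempts] >= MAX_ATTEMPTS
    ok
  end

  # ---- Native, key-based two-factor (slide 39) ----

  def enroll_device(user_id, public_key_pem)
    @device_keys[user_id] = public_key_pem
  end

  # The "request sent by server over push": a random nonce the device must sign.
  def issue_challenge(user_id)
    nonce = SecureRandom.hex(32)
    @challenges[user_id] = { nonce: nonce, expires_at: @clock.call + CHALLENGE_TTL }
    nonce
  end

  def verify_signature(user_id, nonce, signature)
    challenge = @challenges.delete(user_id) # single use whatever the outcome, so no replay
    pem = @device_keys[user_id]
    return false unless challenge && pem
    return false unless challenge[:nonce] == nonce && @clock.call <= challenge[:expires_at]
    OpenSSL::PKey::RSA.new(pem).verify(OpenSSL::Digest::SHA256.new, signature, nonce)
  rescue OpenSSL::PKey::PKeyError
    false
  end

  private

  # Constant-time comparison so response timing does not leak how many digits matched.
  def secure_compare(expected, actual)
    return false unless expected.bytesize == actual.bytesize
    diff = 0
    expected.bytes.zip(actual.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end
```

Note that the server only ever stores the public key; the keypair limitation from slide 40 ("people can't manage their own keys") is visible here as well, since a lost device means a lost private key and there is no user-facing recovery in this flow.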
  • 41. Twitter was one of the first major services to require 100% SSL.
  • 42. HTTP Strict Transport Security: how do you bootstrap? Tells the browser not to use HTTP; sub-domains, CDNs, mobile.
  • 43. Certificate pinning: implemented in mobile apps and Chrome; only one certificate is valid; also working on TACK.
  • 44. ECDHE: SSL mode with perfect forward secrecy; ephemeral keys used for conversations.
  • 45. We need to build security into our custom frameworks.
  • 46. Security headers (secureheaders): adds several default security headers; implements interoperable CSP.
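Slide 42 raises the HSTS bootstrapping problem for sub-domains and CDNs, and slide 46 describes a framework that adds default security headers and an interoperable CSP. The Ruby below is an added example serving both slides; it is not the secureheaders gem's API or Twitter's configuration. It is a Rack-style middleware that sets a one-year HSTS policy with `includeSubDomains` plus a baseline CSP, and an `audit` check that flags the weak settings a scanner would report (short `max-age`, missing `includeSubDomains`, `'unsafe-inline'` scripts, no `object-src`); the header values and thresholds are this example's choices.

```ruby
# Rack-style middleware: wraps any app that responds to call(env) and returns
# [status, headers, body]. No gem is required to run this example.
class SecurityHeaders
  ONE_YEAR = 31_536_000

  DEFAULTS = {
    # includeSubDomains is what keeps sub-domains (and CDN hosts under them) from
    # ever being loaded over plain HTTP once the browser has cached the policy.
    'Strict-Transport-Security' => "max-age=#{ONE_YEAR}; includeSubDomains",
    # Interoperable baseline: no browser-specific directives, scripts only from our origin.
    'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'X-Frame-Options'           => 'DENY',
    'X-Content-Type-Options'    => 'nosniff'
  }.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULTS.merge(overrides)
  end

  # Add every default the app did not set itself, so an explicit per-response
  # policy from the application still wins.
  def call(env)
    status, headers, body = @app.call(env)
    merged = headers.dup
    @headers.each { |name, value| merged[name] = value unless merged.key?(name) }
    [status, merged, body]
  end

  # Check a response's headers against the policy; returns a list of findings
  # (empty when the headers are acceptable). Usable as a CI or dynamic-scan check.
  def self.audit(headers)
    findings = []
    hsts = headers['Strict-Transport-Security']
    if hsts.nil?
      findings << 'HSTS missing'
    else
      directives = hsts.split(';').map { |d| d.strip.downcase }
      max_age = directives.map { |d| d[/\Amax-age=(\d+)\z/, 1] }.compact.first.to_i
      findings << 'HSTS max-age below one year' if max_age < ONE_YEAR
      findings << 'HSTS lacks includeSubDomains' unless directives.include?('includesubdomains')
    end
    csp = headers['Content-Security-Policy']
    if csp.nil?
      findings << 'CSP missing'
    else
      dirs = csp.split(';').map(&:strip).reject(&:empty?)
                .map { |d| d.split(/\s+/) }.map { |name, *srcs| [name, srcs] }.to_h
      script = dirs['script-src'] || dirs['default-src'] || []
      findings << "CSP allows 'unsafe-inline' scripts" if script.include?("'unsafe-inline'")
      findings << 'CSP has no object-src restriction' unless dirs.key?('object-src')
    end
    findings
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>ok</h1>']] }
  _status, headers, _body = SecurityHeaders.new(app).call({})
  headers.each { |k, v| puts "#{k}: #{v}" }
  puts "findings: #{SecurityHeaders.audit(headers).inspect}"
end
```

Putting the defaults in middleware rather than in each controller is the "build security into our custom frameworks" point from slide 45: a new endpoint gets the policy without anyone remembering to add it, and `audit` gives the dynamic scanner something concrete to assert on.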
  • 47. Keybird: keys delivered securely to the production environment; uses Puppet.
  • 48. The bird is big, and we’re small.
  • 49. We use tools to accomplish more.