20131210прохоренков
Your SlideShare is downloading.
×
Check these out next
More Related Content
Viewers also liked (20)
More from Yandex (20)
Recently uploaded (20)
"Defending the Bird". Justin Collins, Alex Smolen, Twitter
- 1. Defending the Bird Product Security Engineering at Twitter Alex Smolen (@alsmola) Justin Collins (@presidentbeef) YAC, Moscow, 2013
- 2. What does it mean to “Defend the Bird”?
- 3. 500+ million Tweets a day Hyper-growth 2000+ employees around the world 200+ million daily active users
- 4. Twitter as the global town square.
- 5. 3 floors ~700 employees 1 floor ~100 employees 5+ floors ~2000+ employees
- 6. https://twitter.com
- 7. https://twitter.com https://mobile.twitter.com
- 8. https://twitter.com https://ads.twitter.com https://mobile.twitter.com
- 9. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://mobile.twitter.com
- 10. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://mobile.twitter.com
- 11. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com
- 12. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com
- 13. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com
- 14. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com
- 15. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com
- 16. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com
- 17. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com https://vine.co
- 18. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com https://vine.co
- 19. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com https://vine.co https://tweetdeck.com
- 20. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com https://vine.co https://tweetdeck.com https://trendrr.com
- 21. https://twitter.com https://ads.twitter.com https://dev.twitter.com https://support.twitter.com https://analytics.twitter.com https://mobile.twitter.com https://translate.twitter.com https://bluefin.com https://admob.com https://posterous.com https://crashalytics.com https://vine.co https://tweetdeck.com https://trendrr.com
- 22. We are 1 out of 100 engineers.
- 23. We can’t do everything.
- 24. Automation Code review Security features
- 25. Automating Security Avoid tedious tasks Catch issues early Notify right people
- 26. We need a central location where information is collected and transferred.
- 27. Static analysis Dynamic analysis Internal metrics
- 28. How do we let developers know when they check in bad code?
- 29. Brakeman Static analysis for Rails Needs infrastructure for integration Reports to SADB
- 30. Coffee Break Javascript static analysis Catch DOM-based XSS Reports to SADB
- 31. Phantom Gang Dynamic HTTP scanning Specific, not full scan Reports to SADB
- 32. We manually review what slips through the cracks.
- 33. Code Reviews Code goes through a review system Security is automatically added to sensitive reviews Security can be manually added to any review
- 34. Accountability Email when there are new reviews Dashboard of pending reviews Once a month clean sweep
- 35. Teams request security reviews through a self- service form.
- 36. Security features
- 37. Two-factor authentication Something we’ve wanted to build for a long time Designed and implemented by the product security team How do you build a robust yet simple solution?
- 38. SMS-based two-factor Send a six digit code the user Requires a temporary password to sign in to other apps and devices
- 39. Native two-factor Client has a private/public keypair Signs request sent by server over push, which has public key One-tap sign in
- 40. Two-factor challenges Happy case is easy, sad case is hard Doesn’t deal with many-to- many account access People can’t manage their own keys
- 41. Twitter was one of the first major services to require 100% SSL.
- 42. HTTP Strict Transport Security How do you bootstrap? Tells browser not to use HTTP Sub-domains, CDNs, mobile
- 43. Certificate pinning Implemented in mobile apps, Chrome Only one certificate is valid Also working on TACK
- 44. ECDHE SSL mode with perfect forward secrecy Ephemeral keys used for conversations
- 45. We need to build security in to our custom frameworks.
- 46. Security headers Adds several default security headers Implements interoperable CSP https://github.com/twitter/ secureheaders
- 47. Keybird Keys delivered securely to production environment Uses puppet
- 48. The bird is big, and we’re small.
- 49. We use tools to accomplish more.
