"Defending the Bird". Justin Collins, Alex Smolen, Twitter

The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.


  1. Defending the Bird. Product Security Engineering at Twitter. Alex Smolen (@alsmola), Justin Collins (@presidentbeef). YAC, Moscow, 2013
  2. What does it mean to “Defend the Bird”?
  3. 500+ million Tweets a day. Hyper-growth. 2000+ employees around the world. 200+ million daily active users.
  4. Twitter as the global town square.
  5. 3 floors, ~700 employees. 1 floor, ~100 employees. 5+ floors, ~2000+ employees.
  6-21. (Built up one property per slide: the web properties the team is responsible for.) https://twitter.com, https://ads.twitter.com, https://dev.twitter.com, https://support.twitter.com, https://analytics.twitter.com, https://mobile.twitter.com, https://translate.twitter.com, https://bluefin.com, https://admob.com, https://posterous.com, https://crashalytics.com, https://vine.co, https://tweetdeck.com, https://trendrr.com
  22. We are 1 out of 100 engineers.
  23. We can’t do everything.
  24. Automation. Code review. Security features.
  25. Automating Security: avoid tedious tasks; catch issues early; notify the right people.
  26. We need a central location where information is collected and transferred.
  27. Static analysis. Dynamic analysis. Internal metrics.
  28. How do we let developers know when they check in bad code?
  29. Brakeman: static analysis for Rails; needs infrastructure for integration; reports to SADB.
  30. Coffee Break: JavaScript static analysis; catches DOM-based XSS; reports to SADB.
  31. Phantom Gang: dynamic HTTP scanning; specific, not a full scan; reports to SADB.
  32. We manually review what slips through the cracks.
  33. Code Reviews: code goes through a review system; security is automatically added to sensitive reviews; security can be manually added to any review.
  34. Accountability: email when there are new reviews; dashboard of pending reviews; once-a-month clean sweep.
  35. Teams request security reviews through a self-service form.
  36. Security features
  37. Two-factor authentication: something we’ve wanted to build for a long time; designed and implemented by the product security team. How do you build a robust yet simple solution?
  38. SMS-based two-factor: send a six-digit code to the user; requires a temporary password to sign in to other apps and devices.
  39. Native two-factor: the client has a private/public keypair; it signs a request sent by the server over push, and the server holds the public key; one-tap sign in.
  40. Two-factor challenges: the happy case is easy, the sad case is hard; doesn’t deal with many-to-many account access; people can’t manage their own keys.
  41. Twitter was one of the first major services to require 100% SSL.
  42. HTTP Strict Transport Security: how do you bootstrap? Tells the browser not to use HTTP. Sub-domains, CDNs, mobile.
  43. Certificate pinning: implemented in mobile apps and Chrome; only one certificate is valid; also working on TACK.
  44. ECDHE: SSL mode with perfect forward secrecy; ephemeral keys used for conversations.
  45. We need to build security into our custom frameworks.
  46. Security headers: adds several default security headers; implements interoperable CSP. https://github.com/twitter/secureheaders
  47. Keybird: keys delivered securely to the production environment; uses Puppet.
  48. The bird is big, and we’re small.
  49. We use tools to accomplish more.
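Slide 33 says security is "automatically added to sensitive reviews". The following is an added example of how such routing can be decided from a changeset; it is not Twitter's review-system code, and every path pattern, risky-construct pattern and the sample changeset are constructed assumptions for illustration:

```ruby
# Added example (not Twitter's code): decide whether the security team should be
# auto-added as a reviewer, based on which files a change touches and which
# lines it adds. All patterns below are illustrative assumptions, not a real ruleset.

# Paths where almost any change deserves a security reviewer.
SENSITIVE_PATHS = [
  %r{\bauth(entication|orization)?/}i,                 # login, permissions
  %r{/(sessions?|passwords?|oauth|tokens?)[_./]}i,     # session/credential handling
  %r{\bcrypt(o|ography)?/}i,                           # crypto wrappers
  %r{config/initializers/secure_headers}i,             # assumed header-config path
].freeze

# Added lines that weaken a safe default and so deserve a second pair of eyes.
RISKY_ADDITIONS = [
  [/\.html_safe\b/, "marks a string as safe HTML (XSS review)"],
  [/\braw\(/, "renders unescaped HTML (XSS review)"],
  [/skip_before_action\s*:(authenticate|verify_authenticity_token)/,
   "disables an auth/CSRF filter"],
  [/protect_from_forgery.*except/, "narrows CSRF protection"],
  [/\bsystem\(|`[^`]*\#\{/, "shell command with interpolation (injection review)"],
].freeze

ReviewDecision = Struct.new(:add_security, :reasons)

# changed_files: Hash of path => array of added ("+") lines from the diff.
# Returns whether to add the security group and the human-readable reasons,
# which is what the notification to the author and the dashboard would show.
def route_review(changed_files)
  reasons = []
  changed_files.each do |path, added_lines|
    reasons << "#{path}: sensitive path" if SENSITIVE_PATHS.any? { |pat| path.match?(pat) }
    added_lines.each_with_index do |line, i|
      RISKY_ADDITIONS.each do |pat, why|
        reasons << "#{path}:+#{i + 1} #{why}" if line.match?(pat)
      end
    end
  end
  ReviewDecision.new(!reasons.empty?, reasons.uniq)
end

# Constructed sample changeset, standing in for what the review system would pass in.
SAMPLE_CHANGE = {
  "app/controllers/sessions_controller.rb" => [
    "skip_before_action :verify_authenticity_token, only: [:create]",
  ],
  "app/views/tweets/_body.html.erb" => ["<%= tweet.text.html_safe %>"],
  "app/models/hashtag.rb" => ["  validates :name, presence: true"],
}.freeze

if __FILE__ == $PROGRAM_NAME
  decision = route_review(SAMPLE_CHANGE)
  puts "add security reviewer: #{decision.add_security}"
  decision.reasons.each { |r| puts "  - #{r}" }
end
```

The reasons list matters as much as the yes/no: a reviewer who is told "this diff disables the CSRF filter on sessions#create" can start the review where it counts instead of reading the whole change.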
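Slides 39 and 40 describe the native second factor as a keypair on the device, a request signed by the client, a public key held by the server, and a "sad case" that is harder than the happy case. The following is an added example of that challenge/response core, not Twitter's implementation: enrollment, the push transport and on-device key storage are out of scope, RSA is used for portability, and the class names, the 60-second challenge lifetime and the challenge format are assumptions:

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Twitter's code) of the challenge/response behind a
# keypair-based second factor. The server keeps the device's public key from
# enrollment, issues a fresh single-use challenge per login attempt, and the
# device returns a signature over exactly those bytes.

CHALLENGE_TTL = 60 # seconds a challenge stays valid (assumed policy)

class Device
  attr_reader :public_key_pem

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)        # private half never leaves the device
    @public_key_pem = @key.public_key.to_pem   # shared with the server at enrollment
  end

  # The user taps "approve" on the push: sign the bytes the server sent, unchanged.
  def approve(challenge)
    [@key.sign(OpenSSL::Digest.new('SHA256'), challenge)].pack('m0')
  end
end

class LoginServer
  def initialize(public_key_pem, clock: -> { Time.now })
    @public_key = OpenSSL::PKey::RSA.new(public_key_pem)
    @clock = clock
    @pending = {}                              # challenge => time issued
  end

  # Bind the challenge to the login attempt and make it unguessable.
  def issue_challenge(username)
    challenge = "login:#{username}:#{SecureRandom.hex(16)}"
    @pending[challenge] = @clock.call
    challenge
  end

  # Sad cases: unknown or replayed challenge, expired challenge, malformed or
  # wrong signature. A challenge is consumed on first use, even on failure.
  def verify(challenge, signature_b64)
    issued_at = @pending.delete(challenge)
    return :unknown_challenge unless issued_at
    return :expired if @clock.call - issued_at > CHALLENGE_TTL

    sig = signature_b64.unpack1('m0')          # strict base64; raises on junk
    ok = @public_key.verify(OpenSSL::Digest.new('SHA256'), sig, challenge)
    ok ? :ok : :bad_signature
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    :bad_signature
  end
end

if __FILE__ == $PROGRAM_NAME
  device = Device.new
  server = LoginServer.new(device.public_key_pem)
  challenge = server.issue_challenge("alice")
  puts "first use:  #{server.verify(challenge, device.approve(challenge))}"
  puts "replay:     #{server.verify(challenge, device.approve(challenge))}"
end
```

The design choice worth noticing is that the server, not the device, chooses the bytes that get signed: a username and a random nonce bound to one pending login, consumed on first use and expiring on a clock. That is what turns "the device can sign things" into "the device approved this login", and it is where the "sad case" logic from slide 40 lives.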
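Slides 42 and 46 cover HSTS bootstrapping and a framework component that adds default security headers with an interoperable CSP. The following is an added example, not the secureheaders gem and not Twitter's configuration: a Rack-style middleware that adds the headers and only sets HSTS on HTTPS responses, with `includeSubDomains` off by default because it is only safe once every sub-domain (CDN, mobile and so on) serves HTTPS. The header values and the inner application are assumptions chosen for illustration:

```ruby
# Added example (not the secureheaders gem's code): a Rack-style middleware that
# adds default security headers and shows the HSTS bootstrap caveat. Values are
# reasonable defaults chosen here, not Twitter's production policy.

class SecurityHeaders
  DEFAULT_HEADERS = {
    "X-Frame-Options"        => "SAMEORIGIN",   # clickjacking
    "X-Content-Type-Options" => "nosniff",      # MIME sniffing
    "X-XSS-Protection"       => "1; mode=block", # legacy browser XSS filter (2013-era)
  }.freeze

  # Interoperable CSP: the standard header plus the vendor-prefixed names that
  # browsers of the period honoured, all carrying the same policy.
  CSP_POLICY  = "default-src 'self'; script-src 'self'; object-src 'none'".freeze
  CSP_HEADERS = %w[Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP].freeze

  # include_subdomains: only turn on once every sub-domain serves HTTPS, because
  # the browser will refuse plain HTTP to all of them for max_age seconds.
  def initialize(app, hsts_max_age: 31_536_000, include_subdomains: false)
    @app = app
    @hsts = "max-age=#{hsts_max_age}"
    @hsts += "; includeSubDomains" if include_subdomains
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = DEFAULT_HEADERS.merge(headers)      # the app may override a default on purpose
    CSP_HEADERS.each { |name| headers[name] ||= CSP_POLICY }
    # Browsers ignore HSTS received over plain HTTP, so the policy can only be
    # bootstrapped from an HTTPS response; do not emit it elsewhere.
    headers["Strict-Transport-Security"] = @hsts if https?(env)
    [status, headers, body]
  end

  private

  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end

# Constructed inner app and request builder so the example runs stand-alone.
HELLO_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }

def response_headers(scheme:, include_subdomains: false)
  app = SecurityHeaders.new(HELLO_APP, include_subdomains: include_subdomains)
  _status, headers, _body = app.call("rack.url_scheme" => scheme, "PATH_INFO" => "/")
  headers
end

if __FILE__ == $PROGRAM_NAME
  response_headers(scheme: "https").each { |k, v| puts "#{k}: #{v}" }
end
```

With a real Rack stack this is `use SecurityHeaders` in `config.ru`; the reason to keep it in a shared framework component, as slide 45 argues, is that every property listed on slides 6 to 21 then gets the same defaults without each team re-deriving them.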
