
"Defending the Bird". Justin Collins, Alex Smolen, Twitter


The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.


Page 1: "Defending the Bird". Justin Collins, Alex Smolen, Twitter

Page 2

Defending the Bird

Product Security Engineering at Twitter

Alex Smolen (@alsmola)

Justin Collins (@presidentbeef)

YAC, Moscow, 2013

Page 3

What does it mean to “Defend the Bird”?

Page 4

500+ million Tweets a day

Hyper-growth

2000+ employees around the world

200+ million daily active users

Page 5

Twitter as the global town square.

Page 6

3 floors, ~700 employees

1 floor, ~100 employees

5+ floors, ~2000+ employees

Page 11

https://twitter.com

Page 30

We are 1 out of 100 engineers.

Page 31

We can’t do everything.

Page 33

Automation

Code review

Security features

Page 34

Automating Security

Avoid tedious tasks

Catch issues early

Notify right people

Page 35

We need a central location where information is collected and transferred.

Page 36

Static analysis

Dynamic analysis

Internal metrics

Page 37

How do we let developers know when they check in bad code?

Page 38

Brakeman

Static analysis for Rails

Needs infrastructure for integration

Reports to SADB

Page 41

Coffee Break

JavaScript static analysis

Catch DOM-based XSS

Reports to SADB

Page 42

Phantom Gang

Dynamic HTTP scanning

Specific, not full scan

Reports to SADB

Page 43

We manually review what slips through the cracks.

Page 44

Code Reviews

Code goes through a review system

Security is automatically added to sensitive reviews

Security can be manually added to any review

Page 45

Accountability

Email when there are new reviews

Dashboard of pending reviews

Once a month clean sweep

Page 46

Teams request security reviews through a self-service form.

Page 48

Security features

Page 49

Two-factor authentication

Something we’ve wanted to build for a long time

Designed and implemented by the product security team

How do you build a robust yet simple solution?

Page 50

SMS-based two-factor

Send a six-digit code to the user

Requires a temporary password to sign in to other apps and devices

Page 51

Native two-factor

Client has a private/public keypair

Signs the request the server sends over push; the server holds the public key

One-tap sign in
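An added example, not the deck's or Twitter's own code, of the native flow described on this slide: the server stores only the device's public key, pushes a random challenge, and accepts the one-tap answer only if it is a valid signature over a challenge the server itself issued, used once, before it expires. Ed25519, the two-minute lifetime and the `login-approve|` label are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Server keeps the device's enrolled public key and its own record of pushed,
// unanswered challenges (nonce -> expiry); answers are checked against this record.
type Server struct {
	devicePub ed25519.PublicKey
	pending   map[string]time.Time
}

// payload is the exact bytes the device signs; the label binds the signature to this use.
func payload(nonce []byte) []byte { return append([]byte("login-approve|"), nonce...) }

// NewChallenge mints a random, single-use challenge valid for two minutes (assumed lifetime).
func (s *Server) NewChallenge(now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = now.Add(2 * time.Minute)
	return nonce, nil
}

// DeviceApprove is the one-tap step: sign with the private key that never leaves the phone.
func DeviceApprove(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, payload(nonce))
}

// Verify consumes the challenge and rejects unknown, replayed, expired or forged answers.
func (s *Server) Verify(now time.Time, nonce, sig []byte) error {
	exp, ok := s.pending[string(nonce)]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(nonce)) // single use, whether or not it verifies
	if now.After(exp) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.devicePub, payload(nonce), sig) {
		return errors.New("signature does not match the enrolled device key")
	}
	return nil
}
```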

Page 53

Two-factor challenges

Happy case is easy, sad case is hard

Doesn’t deal with many-to-many account access

People can’t manage their own keys

Page 54

Twitter was one of the first major services to require 100% SSL.

Page 55

HTTP Strict Transport Security

How do you bootstrap?

Tells browser not to use HTTP

Sub-domains, CDNs, mobile
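An added example, not from the deck, of the check a reviewer can run on the header behind these bullets: it parses a Strict-Transport-Security value the way a browser would and reports the gaps that matter for the bootstrap question and for sub-domains and CDN hosts. The six-month threshold and the sample header values are assumptions; HSTS is a browser mechanism, so the mobile case on the slide is outside its scope.

```go
package main

import (
	"strconv"
	"strings"
)

// HSTSPolicy is what a browser remembers after seeing the header.
type HSTSPolicy struct {
	MaxAge            int64 // seconds
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a Strict-Transport-Security value: ';'-separated directives, case-insensitive
// names, unknown ones ignored, max-age required once; ok is false if a browser would ignore it.
func ParseHSTS(value string) (p HSTSPolicy, ok bool) {
	for _, d := range strings.Split(value, ";") {
		name, arg, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(arg), `"`), 10, 64)
			if err != nil || n < 0 || ok {
				return HSTSPolicy{}, false // malformed or duplicated max-age
			}
			p.MaxAge, ok = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	return p, ok
}

// Findings lists what a reviewer would flag before relying on the policy for a
// property with sub-domains and CDN hosts; an empty result means no gaps found.
func Findings(p HSTSPolicy) []string {
	var out []string
	if p.MaxAge < 180*24*3600 { // assumed threshold: six months
		out = append(out, "max-age under six months: infrequent visitors fall back to plain HTTP")
	}
	if !p.IncludeSubDomains {
		out = append(out, "no includeSubDomains: parent-domain cookies can still be sent over HTTP to a sub-domain")
	}
	if !p.Preload {
		out = append(out, "not preloaded: the very first visit is plain HTTP until the header has been seen")
	}
	return out
}
```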

Page 56

Certificate pinning

Implemented in mobile apps, Chrome

Only one certificate is valid

Also working on TACK

Page 57

ECDHE

SSL mode with perfect forward secrecy

Ephemeral keys used for conversations

Page 58

We need to build security into our custom frameworks.

Page 61

The bird is big, and we’re small.

Page 62

We use tools to accomplish more.
