Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Automation at Twitter - Rise of the Ma...

Security Automation at Twitter - Rise of the Machines

A sequel/remake of the AppSec USA 2012 talk "Put Your Robots to Work: Security Automation at Twitter". Presented at http://devopsenterprise.io/ 2015.

In 2009, multiple security incidents at Twitter resulted in an investigation by the Federal Trade Commission (FTC). As part of its 2010 decision, the FTC instructed Twitter to form and maintain an effective information security program. By 2012, Twitter had exploded with hundreds of millions of Tweets sent every day and a rapidly growing engineering force. The amount of new code being written quickly outpaced the security team, leading them to consider ways of reducing their workload by automating tools and processes.

Security automation at Twitter started with a desire to automate a single static analysis tool. From there we started to see more opportunities to write code to prevent security vulnerabilities, instead of manually to find vulnerabilities. This talk will cover that journey, our philosophy for unobtrusive continuous security, the simple yet effective tools we used, and the general approach I believe works for multiplying impact through automated security.

Justin Collins

October 20, 2015
Tweet

More Decks by Justin Collins

Other Decks in Technology

Transcript

  1. No company-provided email accounts No admin password complexity requirements No

    separate administrative login page No limit on failed admin login attempts No admin password rotation enforcement No access controls on admin actions No IP restrictions on admin logins
  2. Incident 02 Attacker gains access to employee’s email account Finds

    two passwords, over six months old Infers current password
  3. 02 Solve In Code Write a library Make it safe

    by default Enforce library use in CI