The product security team is responsible for ensuring the security of all code Twitter ships. This means proactively finding and fixing vulnerabilities using automation, working closely with engineering teams throughout the company to design and implement secure systems, and building security features into the product. To make all this happen and execute at a fast pace, we practice an agile process and build tools to support rapid information transfer. First, we'll talk about our approach to using automation to ensure that we ship secure code by getting the right information to the right people at the right time. We will also discuss our security review process, which is focused on improving the pace of development and cooperative problem solving. Finally, we'll talk about how we develop security features for Twitter, including our recent improvements to login verification. At Twitter, our goal is to reach every person on the planet. Having a global reach means understanding and responding to many threats. We want to share the details of our team's organization and process that allows us to keep Twitter secure as we continue to rapidly scale.
49. Two-factor authentication
Something we’ve wanted to build for a long time
Designed and implemented by the product security team
How do you build a robust yet simple solution?
50. SMS-based two-factor
Send a six-digit code to the user
Requires a temporary password to sign in to other apps and devices
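The slide above names the two pieces of the SMS flow: a six-digit code sent to the user, and a temporary password for clients that cannot complete that step. The following Go program is an added example (not Twitter's code) of the server side of both: it draws the code uniformly from crypto/rand, stores only a hash with a short expiry, caps guesses, compares in constant time, and burns the code on first success. The type and function names (smsChallenge, issueSMSChallenge, newTemporaryPassword) and the five-attempt limit are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// smsChallenge is one outstanding SMS code. The struct and its field names are
// assumptions made for this example, not Twitter's data model.
type smsChallenge struct {
	codeHash [32]byte // never store the code itself
	expires  time.Time
	attempts int
}

// maxAttempts is the real defence: a six-digit space has only 10^6 values, so an
// unlimited online guess budget would let an attacker walk through it. (An offline
// attacker with the hash can also walk it, which is why the TTL must be short.)
const maxAttempts = 5

// newSixDigitCode draws uniformly from [0, 10^6) with crypto/rand. Reducing a
// random byte modulo 10 per digit would bias some digits; rand.Int does not.
func newSixDigitCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// issueSMSChallenge returns the code to text to the user and the server-side
// record to keep. ttl should be minutes, not hours.
func issueSMSChallenge(now time.Time, ttl time.Duration) (string, *smsChallenge, error) {
	code, err := newSixDigitCode()
	if err != nil {
		return "", nil, err
	}
	return code, &smsChallenge{codeHash: sha256.Sum256([]byte(code)), expires: now.Add(ttl)}, nil
}

// verify checks a submitted code. Every call counts as an attempt, the compare is
// constant-time, and a correct code burns the challenge so it cannot be replayed.
func (c *smsChallenge) verify(now time.Time, submitted string) error {
	if !now.Before(c.expires) {
		return errors.New("code expired")
	}
	if c.attempts >= maxAttempts {
		return errors.New("too many attempts; request a new code")
	}
	c.attempts++
	h := sha256.Sum256([]byte(submitted))
	if subtle.ConstantTimeCompare(h[:], c.codeHash[:]) != 1 {
		return errors.New("wrong code")
	}
	c.expires = now // single use: a later verify sees it as expired
	return nil
}

// newTemporaryPassword is the fallback for apps and devices that cannot complete
// the SMS step: 80 random bits, base32 so it can be typed. Store it hashed and
// bound to a short TTL exactly like the code above.
func newTemporaryPassword() (string, error) {
	b := make([]byte, 10)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b), nil
}

func main() {
	now := time.Now()
	code, ch, err := issueSMSChallenge(now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("texted code:", code, "verify:", ch.verify(now, code))
	tmp, _ := newTemporaryPassword()
	fmt.Println("temporary password for legacy client:", tmp)
}
```

The attempt counter and TTL belong to the challenge record, not to the session, so a client that opens a new session cannot reset its guess budget.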
51. Native two-factor
Client has a private/public keypair
Client signs the request the server sends over push; the server holds the public key
One-tap sign in
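The slide describes a challenge-response over push: the device holds a private key, the server holds the matching public key, and the one tap signs the request the server pushed. The Go program below is an added example of that exchange with both sides in one file; it is not Twitter's implementation, and the message layout (pushChallenge with a random nonce, username, client IP and issue time), the Ed25519 choice, the two-minute expiry and the names authServer, device, enroll, issue, approve and verify are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// pushChallenge is the message the server pushes to the enrolled device. The
// layout is an assumption for this example, not Twitter's wire format.
type pushChallenge struct {
	Nonce    []byte // 32 random bytes; identifies the login attempt and is single use
	Username string
	ClientIP string // shown to the user so a sad-case ("I didn't do this") decision is informed
	IssuedAt time.Time
}

// signingInput is the byte string both sides agree to sign. The nonce is
// hex-encoded so the newline separators cannot collide with it.
func (c pushChallenge) signingInput() []byte {
	return []byte(fmt.Sprintf("login-approval\n%x\n%s\n%s\n%d",
		c.Nonce, c.Username, c.ClientIP, c.IssuedAt.Unix()))
}

// authServer holds one enrolled public key per user and the pending challenges.
type authServer struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]pushChallenge // keyed by hex nonce
	maxAge  time.Duration
}

func newAuthServer() *authServer {
	return &authServer{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]pushChallenge{}, maxAge: 2 * time.Minute}
}

// device is the phone side: the private key never leaves it.
type device struct{ priv ed25519.PrivateKey }

// enroll generates the keypair on the device and registers only the public half.
func enroll(s *authServer, user string) (*device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &device{priv: priv}, nil
}

// issue is called when a password login succeeds: it records a fresh challenge
// and returns what gets pushed to the device.
func (s *authServer) issue(user, clientIP string, now time.Time) (pushChallenge, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return pushChallenge{}, errors.New("no device enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return pushChallenge{}, err
	}
	ch := pushChallenge{Nonce: nonce, Username: user, ClientIP: clientIP, IssuedAt: now}
	s.pending[hex.EncodeToString(nonce)] = ch
	return ch, nil
}

// approve is the one tap: sign the challenge exactly as received.
func (d *device) approve(ch pushChallenge) []byte {
	return ed25519.Sign(d.priv, ch.signingInput())
}

// verify checks the signature against the stored public key. The challenge is
// removed only on success, so a garbage response from someone else cannot
// cancel the real user's approval; expiry bounds how long it stays usable.
func (s *authServer) verify(nonceHex string, sig []byte, now time.Time) error {
	ch, ok := s.pending[nonceHex]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if now.Sub(ch.IssuedAt) > s.maxAge {
		delete(s.pending, nonceHex)
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.pubKeys[ch.Username], ch.signingInput(), sig) {
		return errors.New("bad signature")
	}
	delete(s.pending, nonceHex)
	return nil
}

func main() {
	s := newAuthServer()
	phone, _ := enroll(s, "alice")
	ch, _ := s.issue("alice", "203.0.113.7", time.Now())
	fmt.Println("approval:", s.verify(hex.EncodeToString(ch.Nonce), phone.approve(ch), time.Now()))
}
```

Because the signature covers the nonce, the username, the client IP and the issue time, an approval cannot be replayed for a later login or transplanted onto a different attempt; the server stores one public key per user, which is exactly the limitation the next slide raises for accounts shared by several people.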
53. Two-factor challenges
Happy case is easy, sad case is hard
Doesn’t deal with many-to-many account access
People can’t manage their own keys
54. Twitter was one of the first major services to require 100% SSL.
55. HTTP Strict Transport Security
How do you bootstrap?
Tells browser not to use HTTP
Sub-domains, CDNs, mobile