Twitter Uses Automation to Improve Security

“All of the work we do should require creativity and judgment”, said Alex Smolen, software engineer at Twitter. “If the work doesn’t require either of these things, we should write a tool to do it - automate the dumb stuff”, he said of the Twitter philosophy.

At the Security Development Conference in San Francisco, in a presentation titled ‘Putting your robots to work’, Smolen and his colleague Nick Green, also a software engineer at Twitter, explained to the audience that their team is responsible for “the security of the code we ship, building libraries and features, and code reviews.”

“The best predictor of the next bug is the last bug”, advised Smolen, who explained that understanding why an exploit happened and preventing it from happening again is a top priority. “That’s where automation can be really useful”, he said.

“Of course, we can’t automate all of it, because we wouldn’t have jobs”, Green added. Traditionally manual tasks, however, like code review, pen testing and external reporting can all be subject to full or part automation. “We’ve gone from being a manual-centric team to introducing more automation and automated notifications.”

“Twitter”, Smolen declared, “has grown very quickly and has encountered infrastructure challenges along the way”. He gave examples of Justin Bieber “single-handedly bringing the service down” and “one of our worst security problems to date: the hacked account of President Obama”, which was a result of an exploited bug found in the technology of a company acquired by Twitter. “It turns out that was as good as finding a bug in”, he said.

As a consequence of the latter, Twitter were ordered by the Federal Trade Commission to “have an effective infosec policy for 20 years. It gives us an incentive to do the right thing.”

This incentive, according to Smolen, isn’t entirely necessary. “Developers at Twitter want to build secure code, do the right thing, and they want to take the time to do it properly.” Empowering developers to write their own secure code by sharing security expertise is important to the company, he said.

“We believe that writing secure code is a technical and a social challenge”, he said. “The capability to communicate vulnerabilities is as – or more – important as finding and fixing them.”

The social media company received a lot of help from those external to Twitter to find and fix vulnerabilities. “We get an in-depth, unofficial, penetration test every time we ship a new product”, Smolen said of those that hack new releases. “It’s not an ideal way for us to find them.”
