Twitter uses open source to automate security

Twitter is increasingly using open source automation tools to ensure security processes are taken care of in all the code it produces

Twitter is increasingly using open source automation tools to ensure security processes are taken care of in all the code it produces.

“Automation is where we see application security teams going in future,” Alex Smolen, Twitter product security team software engineer, told the Security Development Conference 2013 in San Francisco.

Apart from a desire by the team to write code that is as secure as possible, Twitter has a strong incentive for getting security right since the US Federal Trade Commission ordered the micro-blogging service to put in place an effective information security policy for 20 years.

The order followed one of Twitter’s worst security problems when hackers were able to take over US president Barack Obama’s account briefly in 2009.

Twitter set off down the road to automation when application security teams began looking for a way to get the right vulnerability information to the right people quickly to improve its bug fixing capabilities.

“We believe that writing secure code is a technical and a social challenge”, said Alex Smolen. “Communicating about vulnerabilities is just as important as finding and fixing them.

“The last bug is the best predicator of the next bug, so we wanted to understand why something happened to ensure it would not happen again, which is where automation is useful,” he said.

A desire to automating the “dumb work” that did not involve judgement or creativity added impetus to the project.

“Manual tasks, however, like code review, pen testing and external reporting can all be subject to full or part automation,” said fellow software engineer, Nick Green.

Through trial and error, the application security team found a way of integrating several open source code analysis and homegrown tools to report into a custom security automation dashboard (SADB).

SADB, pronounced sad-bee, is designed to analyse the reports from the automation tools and then notify the member of the security team best placed to fix the problem.

The tools reporting into SADB include: Brakeman - a static analysis security vulnerability scanner for Ruby on Rails; Phantom Gang - which does dynamic application security testing; ThreatDeck - a real-time threat intelligence tool; and Roshambo - a delegation tool.

Twitter has also built a Content Security Policy (CSP) as an input.

Having benefited from open source security tools, the Twitter application security team also plans to open source SADB soon, said Green.

Read more on Application security and coding requirements