"This is what happened at Twitter - when the government came after them because they were getting hacked too often, Twitter went out and hired 'real' programmers and got things working. That's something that gets missed a lot in the 'startup story'."
That is interesting. Did you work at Twitter or was this in the news?
I learned this at an OWASP conference, where several Twitter programmers revealed this and what they did to resolve it.
The guys who were presenting never said 'they brought us in to fix things', but that's exactly what they were. None of the guys who were building the 'hardened' Twitter were originally with the company - they were seasoned pros brought in from other companies.
And yes, they did some bad-ass things to fix it. But the presentation was more about OWASP level coders wanting to see what issues Twitter had to face. Nothing was Earth-shattering at that level, but it was excellent to see the amount of data they were working with and where their breaches were happening.
I don't want to speak for them, but it was obvious that one of their biggest issues was people writing insecure code and checking it in without any review. They have automated code review tools in place now.
Thanks for sharing this. I'm trying to convince my own company to switch to mandatory code reviews. Do you have a link to the talk or an article describing:
>it was obvious that one of their biggest issues was people writing insecure code and checking it in without any review. They have automated code review tools in place now.