
I learned this at an OWASP conference, where several Twitter programmers revealed this and what they did to resolve it.

The guys who were presenting never said 'they brought us in to fix things', but that's exactly what they were. None of the guys who were building the 'hardened' Twitter were originally with the company - they were seasoned pros brought in from other companies.

And yes, they did some bad-ass things to fix it. But the presentation was more about OWASP-level coders wanting to see what issues Twitter had to face. Nothing was earth-shattering at that level, but it was excellent to see the amount of data they were working with and where their breaches were happening.

I don't want to speak for them, but it was obvious that one of their biggest issues was people writing insecure code and checking it in without any review. They have automated code review tools in place now.

Thanks for sharing this. I'm trying to convince my own company to switch to mandatory code reviews. Do you have a link to the talk or an article describing:

>it was obvious that one of their biggest issues was people writing insecure code and checking it in without any review. They have automated code review tools in place now.
