  • By Laxman Eppalagudem
    Can The Real Codeowners Please Stand Up? Code Provenance at Scale

    Figuring out code ownership at a large company can be challenging. And identifying code owners during code related incidents is hard – with an element of stress to boot. The Product Security team at Twilio set out to solve our code ownership challenges in a way that we think can help you as well.

    Today, we’re proud to release two things that go a long way towards solving the problem:

    • about.yaml - a new code ownership file specification that has all the information you need to trace any code’s current owner across your company
    • Gordon - a GitHub app service that monitors repositories to keep about.yaml files up to date.

    Why do we need this?

    More times than we’d like to admit, we found ourselves in a situation where we find a bug or vulnerability in a piece of code, do a git blame to see who last touched that code, and find …

  • By Laxman Eppalagudem
    Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion

    Early February 2021, the Product Security team at Twilio came across an article that spoke about a novel supply chain attack based on dependency package naming conventions. The attack consisted of uploading malware to open source repositories such as PyPI, NPM, and RubyGems, and naming them such that they would be downloaded and used by the target company’s application. In this post, we’ll talk about how we at Twilio went about protecting our customers' data from this attack and the various detections and controls we put in place.

    [Diagram: Java code used for Twilio private and public registries]

    Common questions about dependency confusion

    Since dependency confusion is a novel attack, you probably have some questions about what it is and what’s currently happening. In this section, we’ve gathered some answers about how dependency confusion works, how we’re defending against it at Twilio, and how you can protect your own codebase.

    What’s a dependency?

    Dependencies are code modules packaged for easy …

  • By Laxman Eppalagudem
    Deadshot: Keep Sensitive Data Out of Code

    Code is no place for credentials, secrets, SQL statements, or any kind of sensitive data. But everyone makes mistakes, and it’s important to be able to catch human errors before they create real problems.

    It is impossible to manually monitor any organization’s entire code base hoping to catch sensitive changes before they escape to live forever on Github. This is a problem every security team faces when dealing with product code.

    The Product Security team at Twilio needed an automated way to ensure that developers weren’t accidentally adding sensitive data to code repositories and to flag sensitive changes for a security review. We knew we couldn’t monitor all code manually. Our solution: an automated way to monitor GitHub repositories in real-time, catching any sensitive data at the pull request stage, flagging issues as well as changes to sensitive functionality for a manual review. Thus was born Deadshot – which we’re …

  • By Laxman Eppalagudem
    Deadshot: Keep Sensitive Data Out of Code

    Code is no safe place for credentials, secret keys, SQL statements, or other kinds of sensitive data. But everyone makes mistakes, and it is important to catch human errors before they lead to real problems.

    It is impossible to manually monitor an organization's entire code base in the hope of catching sensitive changes before they go live forever on Github. This is a problem every security team faces when dealing with product code.

    Twilio's Product Security team needed an automated way to make sure developers were not accidentally adding sensitive data to code repositories, and to flag sensitive changes for a security review. We knew we could not monitor all the code manually. Our solution: an automated tool …
