
Security posts

  • By Kelley Robinson
    Migrating from Programmable Messaging to Verify

    The Verify API is a purpose-built solution for sending one-time passcodes (OTP) for user verification and authentication over SMS, voice, email, push and TOTP. Twilio's Programmable Messaging API gives many companies the foundation on which they build their own OTP solutions. However, maintaining an in-house OTP solution can be complex and resource-intensive, especially as the messaging landscape and compliance requirements keep changing. Many companies are migrating to Verify to get the same global reliability and unmatched delivery at scale as Twilio's Programmable Messaging, with the added benefits of:

    • Regulatory and compliance management, including A2P 10DLC
    • A managed pool of sending phone numbers is included, covering short codes, long codes, toll-free numbers and the IDs of …
  • By Seif Hateb
    Basic API Security Guide

    APIs are existing blocks of code that let separate pieces of software communicate without anyone having to rewrite that code. That is why API usage keeps growing rapidly every year.

    (Learn more about APIs in Twilio’s Glossary.)

    Developers use APIs to integrate information from outside sources into their applications and to gain access to a large repository of resources and data, which simplifies the coding process. End users benefit too, because APIs make it easier to build interactive applications.

    In this post, I will walk you through the whats, hows, and whys of APIs, and discuss basic API security.

    Common API Security Risks

    According to Gartner, API abuses would become the most frequent attack vector by 2022 because of how widely APIs are used. APIs are highly targeted and expose an even larger attack surface than user interfaces (UIs), and perhaps an even larger one than email (see the FBI Internet Threat Report).

    So, what makes APIs a new preferred target? …

  • By Mingchao Ma
    Integrate Twilio Verify Service with RSA SecurID

    Many organisations in the banking sector still use RSA SecurID with hardware tokens for multi-factor authentication (MFA). However, an employee who forgets their hardware token cannot log in, which leads to high support costs, a poor user experience and lost productivity. This is exactly the challenge that one of our customers in banking was trying to address, so we worked together to explore how the Twilio Verify Service could serve as an alternative MFA method, letting employees log in to protected systems with a One-Time Password (OTP) delivered to their mobile phone.

    This blog post will walk you through the steps of how to integrate Twilio Verify service with RSA SecurID.

    RSA Authentication Manager requires you to pin a certificate for the HTTPS endpoint of your SMS provider, so the integration breaks whenever that certificate is rotated in the future. …

  • By Matt Coser
    Validating Webhook Signatures with Python & Flask

    The Internet can be a dark and scary place. As recent headlines remind us, it makes sense to be cautious when opening your web app to the internet.

    You don't even need to belong to a cybercrime syndicate to do damage with HTTP. Any script kiddie can take down a vulnerable server. For example, running something like the following code makes repeated GET requests to a target server, potentially overwhelming and crashing it.

    import requests

    # An unbounded loop of GET requests: the crudest possible flood against the target.
    while True:
        requests.get("https://sorryapp.com/ddos")

    Despite the risk, if you are going to build an awesome communication experience for your customers, you need to expose your app to the public Internet at some point.

    To help secure your app against malicious actors and bad code, Twilio cryptographically signs every HTTP request that leaves our edge. You can use this HMAC signature (provided in the X-Twilio-Signature header) to validate the authenticity of the request and know that it came …
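    The check described above, written out as an added example rather than code from the post or from Twilio's helper library. It recomputes the X-Twilio-Signature value from the webhook URL, the POST parameters and the account auth token, then compares it in constant time. The auth token, URL and request body are constructed for the example; the signing scheme (URL followed by name/value pairs sorted by name, HMAC-SHA1 under the auth token, base64 output) is Twilio's documented one.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Sequence, Union

# Auth token and webhook URL are constructed for this example only; a real
# deployment reads the token from configuration, never from source code.
AUTH_TOKEN = "0123456789abcdef0123456789abcdef"
WEBHOOK_URL = "https://example.com/sms/inbound?source=twilio"

# Constructed stand-in for the form-encoded body of an inbound-SMS webhook.
SAMPLE_PARAMS = {
    "From": "+15005550006",
    "To": "+15005550001",
    "Body": "Hello from the example",
    "MessageSid": "SM00000000000000000000000000000000",
}

Params = Mapping[str, Union[str, Sequence[str]]]


def compute_twilio_signature(auth_token: str, url: str, params: Params) -> str:
    """Recompute the value Twilio sends in X-Twilio-Signature.

    Signed string: the full URL (scheme through query string) followed by each
    POST parameter's name and value, sorted by name, with no delimiters. A
    parameter that appears several times contributes each value in sorted
    order. GET webhooks sign the URL alone. The string is HMAC-SHA1'd under
    the account auth token and the raw digest is base64-encoded.
    """
    signed = url
    for name in sorted(params):
        value = params[name]
        if isinstance(value, str):
            signed += name + value
        else:
            for item in sorted(value):
                signed += name + item
    digest = hmac.new(auth_token.encode("utf-8"),
                      signed.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_twilio_signature(auth_token: str, url: str, params: Params,
                              header_value: str) -> bool:
    """True only if the header equals the locally recomputed signature.

    hmac.compare_digest runs in time independent of where the strings first
    differ, so an attacker cannot learn the signature byte by byte from
    response latency.
    """
    if not header_value:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header_value)


def demo() -> dict:
    """Sign the constructed request, then check a genuine and a tampered copy."""
    sig = compute_twilio_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    tampered = dict(SAMPLE_PARAMS, Body="Transfer $1000 to account 42")
    return {
        "signature": sig,
        "genuine_ok": validate_twilio_signature(AUTH_TOKEN, WEBHOOK_URL,
                                                SAMPLE_PARAMS, sig),
        "tampered_ok": validate_twilio_signature(AUTH_TOKEN, WEBHOOK_URL,
                                                 tampered, sig),
    }


if __name__ == "__main__":
    print(demo())
```

    In a Flask handler the inputs would be `request.url`, `request.form` and `request.headers.get("X-Twilio-Signature")`, and rejecting a failed check with a 403 before any TwiML is generated. The caveat that bites most deployments is the URL: it must be byte-for-byte the URL Twilio was configured to call. Behind a load balancer that terminates TLS, `request.url` often reports `http://` and an internal host, so rebuild the URL from the forwarded headers your proxy sets rather than trusting the local view. The Twilio Python helper library's `RequestValidator` performs the same computation if you would rather not maintain it yourself.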

  • By Niels Swimberghe
    How to prevent email HTML injection in C# and .NET

    Every few years, the Open Web Application Security Project (OWASP) publishes a new list of the 10 most common security issues in web applications, called OWASP Top 10. There is one security flaw that has been around since the first edition in 2003, and grabbed the first spot in the 2010, 2013, and 2017 editions, and that security issue is vulnerability to injection attacks. I previously talked about injection attacks in general and more specifically, how dangerous email HTML injection attacks are and how you can prevent them. However, in this post, you'll learn how you can mitigate HTML injection attacks in .NET specifically.

    How HTML injection into emails works

    HTML injection is a vulnerability where an application accepts user input and then embeds the input into HTML. A malicious user can inject HTML through the user input so that their malicious HTML is embedded into …

  • By Niels Swimberghe
    Don't let your users get pwned via email HTML injection

    Every few years, the Open Web Application Security Project (OWASP) publishes a new list of the 10 most common security issues in web applications, called the OWASP Top 10. There is one security flaw that has been around since the first edition in 2003, and grabbed the first spot in the 2010, 2013, and 2017 editions, and that security issue is vulnerability to injection attacks.

    What are injection attacks

    An injection attack occurs when an application accepts input and a malicious user submits code in that input in an attempt to have the application execute it. An application is vulnerable to this type of attack when user-provided input is embedded into application code that is then interpreted.

    The most well-known type of injection attack is SQL injection, which can occur when user input is embedded into SQL queries. This allows malicious users …
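    The email HTML injection that the two posts above describe (the .NET-specific one and this general one), shown as an added Python example that is not code from either post. It builds the same email body the vulnerable way and the hardened way, using a constructed attacker display name and profile URL. It goes one step beyond the text: escaping is the fix for input placed in text context, but input placed in an href attribute also needs a scheme allow-list, because a `javascript:` URL contains nothing that entity encoding would touch. The template, inputs and the "replace with `#`" policy are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed attacker input: a "display name" that is really a phishing link,
# and a "profile URL" that is really script.
EVIL_NAME = '<a href="https://evil.example/login">Reactivate your account now</a>'
EVIL_URL = "javascript:alert(document.cookie)"

# Assumed email template: {name} lands in text context, {profile} in an href.
TEMPLATE = (
    "<p>Hi {name},</p>"
    '<p>Your order has shipped. <a href="{profile}">View your profile</a></p>'
)


def build_email_vulnerable(name: str, profile_url: str) -> str:
    """Raw interpolation: attacker markup becomes part of the message DOM."""
    return TEMPLATE.format(name=name, profile=profile_url)


def safe_href(url: str) -> str:
    """Allow-list the scheme before a user-supplied URL goes into an href.

    Escaping alone does not help inside an attribute: "javascript:..." has no
    characters that html.escape rewrites, yet it still runs when clicked in a
    client that honours it. Anything that is not http(s) is replaced with an
    inert fragment link (an assumed policy for this example).
    """
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def build_email_safe(name: str, profile_url: str) -> str:
    """Text context: entity-encode; attribute URL context: validate, then encode."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           profile=safe_href(profile_url))


def injected_links(body: str) -> list:
    """href targets that survived into the body, so the two outputs can be compared."""
    return re.findall(r'href="([^"]*)"', body)


if __name__ == "__main__":
    print(build_email_vulnerable(EVIL_NAME, EVIL_URL))
    print(build_email_safe(EVIL_NAME, EVIL_URL))
```

    In the vulnerable output the recipient's mail client sees two live links, one to the attacker's host and one that would execute script; in the safe output the injected name is rendered as literal text and the only link is the inert `#`. The .NET equivalent of `html.escape` is `System.Text.Encodings.Web.HtmlEncoder.Default.Encode`, and PHP's is `htmlspecialchars`; the scheme check has to be written in any language, since no encoder will do it for you.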

  • By Matthew Setter
    How to Manage Application Secrets With PHP Using Vault How to Manage Application Secrets With PHP Using Vault

    For far too many years, PHP developers stored application credentials and secrets, such as usernames, passwords, and API keys, alongside their code.

    While extremely convenient, this practice was a security nightmare just waiting to happen; if someone could access an application’s source code, they had access to all of its sensitive data too.

    Nowadays, this practice is nowhere near as common as it once was. Rather, it's now incredibly common to store credentials separately from code in dotenv files (.env) which makes them available as environment variables.

    However, while this is a significant improvement, this practice still isn't the best way to keep credentials and secrets secure. For example, if the .env file is accidentally committed to version control, then the credentials and secrets are once again stored alongside code.

    Alternatively, if a malicious actor can access the environment in which an application is running, they can access …

  • By David Prothero
    How Twilio Keeps Internal Docs Secure with Okta and Netlify

    Twilio is releasing netlify-okta-auth as an open-source package to help everyone solve the same problem we had: keeping an internal Jamstack docs site private and secure.

    Building an internal docs site at Twilio

    At Twilio, we wanted to create a new site for documenting our internal products. The philosophy was that we should provide just as great of a developer experience for our internal engineers as we do for our developer customers.

    A company the size of Twilio has many internal tools, services, and processes for building, deploying, and maintaining our public APIs. Thousands of engineers need to use these internal products, and we needed a comprehensive, high-quality documentation site for them.

    Finding Docusaurus, a Jamstack documentation framework

    So, we embarked on the search for the right documentation platform. We finally settled on Docusaurus - an open source, Markdown-powered documentation platform. Oh yeah, and it is …

  • By Funke Olasupo
    How to Customize Email Verification and Password Resets in Laravel

    Email verification and password resetting are two integral authentication features of modern applications. In most web apps, users not only need a way to reset a lost password, they must also verify their email address before accessing the app for the first time.

    Laravel provides handy, built-in services for sending and verifying email verification requests, and for securely resetting passwords. In this tutorial, however, you will learn how to build custom email verification and password resets in Laravel.

    Prerequisites

    Email verification and resetting passwords at a glance

    A password reset option is required whenever you add login and signup functionality for user authentication, so that users who forget their password have a means to reset it. As part of this process, there will usually be a token in the reset link, and that token …
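    The reset-token lifecycle that the excerpt above begins to describe, as an added Python example; it is not Laravel's implementation and not code from the post. It shows the properties a practitioner wants from the token in the reset link: generated from the OS CSPRNG, stored only as a hash so a database leak does not yield usable links, compared in constant time, bound to one user, single-use, and expiring. The one-hour TTL, the in-memory store, the link format and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlencode

# Assumed policy for this example: links expire after one hour.
TOKEN_TTL_SECONDS = 60 * 60


@dataclass
class ResetRecord:
    token_hash: str      # SHA-256 of the token; the token itself is never stored
    expires_at: float
    used: bool = False


class PasswordResetStore:
    """In-memory stand-in for a password_resets table, keyed by user id.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token; issuing again replaces any earlier one."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[user_id] = ResetRecord(
            token_hash=self._hash(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def reset_link(self, base_url: str, user_id: str, token: str) -> str:
        """Build the link placed in the email (path and parameter names assumed)."""
        return f"{base_url}/reset-password?" + urlencode({"user": user_id, "token": token})

    def redeem(self, user_id: str, token: str) -> bool:
        """Accept the token at most once, and only before it expires."""
        rec = self._records.get(user_id)
        if rec is None or rec.used:
            return False
        if self._now() > rec.expires_at:
            del self._records[user_id]          # expired: drop it
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.used = True                          # burn it on first success
        return True


if __name__ == "__main__":
    store = PasswordResetStore()
    tok = store.issue("alice")
    print(store.reset_link("https://example.com", "alice", tok))
    print(store.redeem("alice", tok), store.redeem("alice", tok))
```

    Two things the excerpt's truncated sentence is heading towards are worth keeping in mind when you customise Laravel's flow: the token must be checked against a record tied to the user named in the link (a valid token for one user must not reset another's password), and the new-password form should consume the token only when the password actually changes, so an attacker who merely opens the link gains nothing. Rate limiting the redeem endpoint closes off guessing, although at 256 bits of entropy a guess has no realistic chance.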

  • By Luís Leão
    Migrating from Programmable SMS to Verify

    The Verify API is a purpose-built solution for sending one-time passwords (OTP) for user verification and authentication via SMS, voice, email, push and TOTP. Twilio's Programmable Messaging API gives many companies the foundation on which they build their own OTP solutions. However, maintaining an in-house OTP solution can be complex and resource-intensive, especially as the messaging landscape and compliance requirements keep changing. Many companies are migrating to Verify for the same global reliability and unmatched delivery at scale as Twilio's Programmable Messaging, with the added benefits of:

    • Regulatory and compliance management, including A2P 10DLC
    • A managed pool of sending phone numbers is included, covering short codes, long codes, toll-free numbers and global alpha sender IDs*
    • Managed worldwide delivery, such as sender types and compliance at global scale
    • Stateless API …