Security posts

  • By Security
    Incident Report: Employee and Customer Account Compromise

    We've now concluded our investigation into this incident. Please read to the bottom of the post for our findings.

    Our initial post was published August 7, 2022.

    Twilio believes that the security of our customers’ data is of paramount importance, and when an incident occurs that might threaten that security, we communicate what happened in a transparent manner. To that end, we are providing an overview of this incident impacting customer information and our response.

    What happened?

    On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer …

  • By Security
    Incident Report: Compromise of Twilio Employee and Customer Account Information

    This blog post is a Japanese translation of the article (in English) published here. Because the English article is the one that receives updates, please treat the English blog post as the master version and this Japanese article as reference information.

    The first version of this article was posted on August 7, 2022 (US time). As the investigation progressed, we appended updates at the end of the article; we have now concluded our investigation into this matter and completed the final update with our findings at the end of the article.

    Twilio believes that the security of our customers' data is of paramount importance, and when an incident occurs that might threaten that security, we communicate what happened and how events unfolded in a transparent manner. With this in mind, we provide below an overview of this incident, which affected customer information, and our response.

    What happened

    On August 4, 2022, Twilio became aware that information related to a very small number of our customer accounts had been accessed without authorization through a sophisticated social engineering attack designed to steal employee credentials. This broad attack against our employees succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to access some of our internal systems, where they were able to access certain customer data. We have been notifying and working directly with the customers affected by this incident. Our investigation is still in its early stages and is ongoing …

  • By Kelley Robinson
    How to Add Customer Authentication to Twilio Flex

    Call center security is a known weak point for many companies. This is because most call centers only identify, and do not actually authenticate, users when they call.

    Identity information is usually static data, such as a phone number or date of birth, things that many people know about me and about you. Identity information is usually easy to find or buy and probably does not change. With a little searching, hackers can use social engineering to bypass the common knowledge-based “verification” of a user's identity. Authentication is the way to prove identity with a factor that can be something you know, such as a password, something you have, such as a key, or something you are, such as a fingerprint.

    The options for authenticating …

  • By Matthew Setter
    How to Manage Go Application Secrets Using Vault

    Because modern software is so complex, it needs to use secrets and confidential information, such as API keys, tokens, and the more traditional usernames and passwords for connecting to remote servers and databases.

    While once it might have been seen as okay to store these alongside the code itself, these days — especially in light of the 12-factor app movement — that's no longer the case. It's considered bad security practice — with good reason — to keep any kind of secure information within your code.

    Consequently, a range of approaches and tools have been developed to keep credentials out of code bases, keeping them secure and readily available to the code as and when required.

    In this tutorial, you're going to learn how to manage Go application secrets with HashiCorp Vault.

    If you're a PHP developer, check out the PHP version of this tutorial.

    Prerequisites

    To follow along …

  • By Jonathan Williams
    Secure Remote Debugging for IoT Connected Devices

    Interested in an STM32U585 Microvisor Dev Board? Sign up now to apply for receiving a free board to explore Twilio Microvisor!

    One of the challenges confronted by embedded device developers is what happens when something goes wrong with an IoT device – meaning you can no longer connect to it. Bad news if this happens to a single device in the field, but commercially disastrous if the same issue affects even a small proportion of your fleet of IoT devices.

    Imagine that a software bug escapes your otherwise comprehensive device test plan resulting in an interruption to the connectivity of 10% of your deployed devices; even in this case the cost of recovery would be huge.

    Issues like this unfortunately do happen, and while software bugs are expected and can no doubt be fixed, the risk impact of issues like this is significant.

    Separating the connectivity stack from …

  • By Jonathan Williams
    Overcoming IoT security threats from the start

    Here’s the sobering reality: across the Internet of Things (IoT), security has been overlooked. An amazing 1.51 billion IoT devices were breached in the first six months of 2021, an increase from 639 million in the same time period in 2020. With the anticipated number of connected devices worldwide predicted to reach ~29 billion by 2030, there is still a lot that needs to be done to ensure that these devices are protected from attacks.

    IoT security is hard to predict

    Consumers and device builders are increasingly aware of the importance of device security, but it can be challenging to know which devices are secure by design and which just haven’t been targeted yet. And for many device builders, security is an afterthought as they prioritize the features of the product or service itself when working towards a minimum viable product. Equally, security can sometimes be …

  • By Kelley Robinson
    Migrating from Programmable Messaging to Verify

    The Verify API is a purpose-built solution for sending one-time passcodes (OTP) for user verification and authentication over SMS, voice, email, push, and TOTP. Twilio's Programmable Messaging API gives many companies the foundation for building their own OTP solutions. However, maintaining an in-house OTP solution can be complex and resource-intensive, especially as the messaging landscape and compliance requirements keep changing. Many companies are migrating to Verify to get the same global reliability and unmatched deliverability at scale as Twilio Programmable Messaging, with the added benefits of:

    • Regulatory and compliance management, including A2P 10DLC
    • A managed pool of sending phone numbers, including short codes, long codes, toll-free numbers, and identifiers for …
  • By Seif Hateb
    Basic API Security Guide

    APIs are existing blocks of code that let software communicate with other software without the need to rewrite code. That is why API usage increases exponentially every year.

    (Learn more about APIs in Twilio’s Glossary.)

    Developers use APIs to integrate information from outside sources into their applications and gain access to a large repository of resources and data, simplifying the coding process. However, users also benefit as it makes building interactive applications easier.

    In this post, I will walk you through the whats, hows, and whys of APIs, and discuss basic API security.

    Common API Security Risks

    According to Gartner, by 2022, APIs will become the largest attack vector due to their broad usage. APIs are highly targeted and have even larger attack surfaces than user interfaces (UIs) – and perhaps even larger than email (see the FBI Internet Threat Report).

    So, what makes APIs a new preferred target? …

  • By Mingchao Ma
    Integrate Twilio Verify Service with RSA SecurID

    Many organisations in the banking sector are still using RSA SecurID with hardware tokens for multi-factor authentication (MFA). However, employees might forget their hardware token and thus be unable to log in. This leads to high support costs, poor user experience and reduced productivity. This is the exact challenge that one of our customers in banking is trying to address. So we worked together to explore how Twilio Verify Service can be leveraged as an alternative MFA. This will allow their employees to log in to their protected systems using a One-Time Password (OTP) delivered to the employee's mobile phone.

    This blog post will walk you through the steps of how to integrate Twilio Verify service with RSA SecurID.

    The RSA Authentication manager requires that you pin a certificate for the HTTPS endpoint of your SMS provider. This will cause your application to break when the certificates change in the future. …

  • By Matt Coser
    Validating Webhook Signatures with Python &amp; Flask

    The Internet can be a dark and scary place. As recent headlines remind us, it makes sense to be cautious when opening your web app to the internet.

    You don’t even need to belong to a cybercrime hacking syndicate to do damage with HTTP. Any script kiddie can take down a vulnerable server. For example, running something like the following code will make repeated GET requests to a targeted server, potentially overwhelming and crashing it.

    import requests  # the snippet uses the requests library (the original omitted the import)

    while True:
        requests.get("https://sorryapp.com/ddos")  # unbounded loop of GET requests against one host

    Despite the risk, if you are going to build an awesome communication experience for your customers, you need to expose your app to the public Internet at some point.

    To help secure your app against malicious actors and bad code, Twilio cryptographically signs all HTTP requests that leave our edge. You can use this hash (provided in the X-Twilio-Signature header) to validate the authenticity of the request and know that it came …
