Going surfing – Protect your Node.js app from Cross-Site Request Forgery

One classic attack when working with web applications is Cross-Site Request Forgery, aka CSRF/XSRF (read “C-Surf”). Attackers use it to perform requests on behalf of users in your application without them noticing. Let’s look at how they can pull this off and how we can protect our applications from this type of threat. Let’s talk theory. Before we can prevent CSRF attacks we need to… Read More

Putting the helmet on – Securing your Express app

Express is a great way to build a web server using Node.js. It’s easy to get started with and allows you to configure and extend it easily thanks to its concept of middleware. While there are a variety of frameworks to create web applications in Node.js, my first choice is always Express. However, out of the box Express doesn’t adhere to all security best practices. Let’s look at… Read More

Design Thinking & GDPR

The General Data Protection Regulation (GDPR) makes the law (at least, in relation to EU personal data) what privacy professionals have been saying for years—think about privacy concerns (like collecting as little personal data as necessary and safely getting rid of personal data when it is no longer needed) when designing products and services that involve the handling of personal data. GDPR calls this “Data Protection… Read More

What Twilio is Doing to Protect Your Data

Five major product requirements for GDPR compliance. What Twilio is doing about GDPR. New data protection features. You may have already seen Twilio’s blog post series from our Lead Privacy Counsel about the GDPR. These posts cover the legal side of this new regulation, and include such details as “What is the GDPR?” and whether you, Twilio, both, or neither are a “controller or processor.” However, you may… Read More

Scan your projects for crossenv and other malicious npm packages

On August 1st, Oscar Bolmsten tweeted about how he found a malicious npm package called crossenv that scans for environment variables and POSTs them to a server. @kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx — Oscar Bolmsten (@o_cee) August 1, 2017 This is particularly dangerous considering that you might have secret credentials… Read More

Introducing Call Recording Encryption

Added security for sensitive call recordings. Use your own public key to encrypt recordings before they’re stored. Available in developer preview. Today, our default security for call recordings includes encryption at rest for recordings stored with Twilio. However, we’ve learned that some customers, typically those that need to comply with strict industry or regional regulations for data protection, require even stronger security mechanisms. A level of… Read More

Protect Customer Privacy: Announcing Phone Number Redaction

Customer privacy is a big deal to us here at Twilio. In March, we increased SMS privacy with Message Body Redaction, which redacts the content of your texts before they’re stored anywhere in Twilio’s infrastructure. Today, we’re excited to introduce our latest SMS feature to further protect customer data: Phone Number Redaction. Phone Number Redaction takes privacy a step further by redacting the last four digits… Read More

Introducing Single Sign-On for Enterprises

Today we’re excited to announce the launch of Single Sign-On (SSO). Available as part of the Twilio Enterprise Plan, SSO mitigates compliance and security risks for organizations by giving businesses control over user authentication and user revocation via corporate-mandated tools. Today, every developer and user accessing the Twilio console maintains their own login credentials. While this is totally acceptable for small businesses or… Read More

What is the “Goldilocks” number of cloud-computing accounts to limit your blast radius?

When signing up for an IaaS account provider, like Amazon, Google Cloud, or Azure, you’ll be asked to provide or link an email address and password. After a brief wait, possibly a confirmation email, you are logged in—dropped at an empty console, teeming with possibilities. Is this where the next billion-dollar unicorn starts? What will you build today? Fast forward a hopefully small amount of… Read More