

A flowchart is a type of diagram that represents an algorithm or process, showing the steps as boxes of various kinds and their order by connecting them with arrows. Process operations are represented in these boxes, and the arrows connecting them represent the flow of control; data flows are not drawn explicitly but are implied by the sequencing of operations. Flowcharts are used in analyzing, designing, documenting or managing a process or program in various fields.

Flowcharts can be modeled from the perspective of different user groups (such as managers, system analysts and clerks), and there are four general types:

Document flowcharts, showing controls over a document-flow through a system

Data flowcharts, showing controls over a data-flow in a system

System flowcharts, showing controls at a physical or resource level

Program flowcharts, showing the controls in a program within a system

A computer engineer, for example, may need to draw a program flowchart before creating new software. Tools such as Athtek Flowchart to Code can then convert the flowchart they designed directly into code.

More recently, Mark A. Fryman (2001) stated that there are further distinctions: "Decision flowcharts, logic flowcharts, systems flowcharts, product flowcharts, and process flowcharts are just a few of the different types of flowcharts that are used in business and government".

In addition, many diagram techniques exist that are similar to flowcharts but carry a different name, such as UML activity diagrams.



This newly formed department made some huge strides during Twitter Hack Week, which occurs once every quarter and lets them focus on proactive work. They wanted to focus on creating more automation, but anchored in the framing principles.

Justin Collins spoke about the manual security tasks of reviewing code, penetration testing and handling reports from the outside world. They set out to automate all of these activities. He made a fantastic point about the workflow around static code analysis: when the code changes, we have to do it all over again! Even though we're using 'automated tools,' we're still doing a lot of manual work... So we wanted to put our robots to work. (Incidentally, some of that effort could now be saved, since we have flowchart to code.) They built static code analysis into the Jenkins continuous integration process, but there was much more they wanted to do, so they set out to build SADB, the Security Automation Dashboard. SADB takes input from Brakeman, Phantom Gang, CSP, ThreatDeck and Roshambo, and its outputs include emails that go to developers and infosec. So we will have to wait and see whether the team succeeds or hits a snag.





from manual -> automated

Having infosec integrated into the development and continuous integration cycle is awesome. In typical Twitter development, Brakeman runs on each code commit; when it finds an issue, SADB emails the developer, and when the fix is committed, SADB emails them again.

from low visibility -> trending/reports

What have been the results of using Brakeman? Neil Matatall then described Phantom Gang, which does dynamic application security testing. It complements Brakeman by looking for issues such as mixed content, sensitive forms posting over non-HTTPS, old versions of jQuery that often pop up when new micro sites are created, forms without an authenticity token (which are prone to forgery), and so on.

from late discovery of issues -> auto notification

The output of Phantom Gang goes to JIRA rather than directly to developers. Why? These issues are often harder to trace to an individual developer. They eventually want to extend Phantom Gang so that they can see the effects of any SQL injection attacks.
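The issue classes listed above (mixed content, forms posting over plain HTTP, old jQuery, forms without an authenticity token) can be checked by a small page audit. The following is an added Python example written for this page, not Phantom Gang's own code; it assumes the audited page was served over HTTPS, that the jQuery version can be read from the script file name, and that versions before 1.9 count as "old".

```python
import re
from html.parser import HTMLParser
# Constructed sample page (assumed served over HTTPS) with one instance of each issue class.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.com/jquery-1.4.2.min.js"></script>
<script src="https://cdn.example.com/app.js"></script></head><body>
<img src="http://static.example.com/logo.png">
<form action="http://www.example.com/login" method="post"><input type="password" name="password"></form>
<form action="/settings" method="post"><input type="hidden" name="authenticity_token" value="t0k"></form>
<form action="/comments" method="post"><input type="text" name="body"></form>
</body></html>"""

JQUERY_RE = re.compile(r"jquery-(\d+)\.(\d+)(?:\.\d+)?", re.I)
MIN_JQUERY = (1, 9)  # assumption: anything older than 1.9 is reported as "old"
class PageAuditor(HTMLParser):
    # Walks one page and records (issue, detail) findings in document order.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # state for the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("href")
        # Mixed content: an HTTPS page pulling sub-resources over plain HTTP.
        if tag in ("script", "img", "link", "iframe") and src and src.startswith("http://"):
            self.findings.append(("mixed_content", src))
        # Old jQuery: version taken from the script file name.
        m = JQUERY_RE.search(src) if tag == "script" and src else None
        if m and (int(m.group(1)), int(m.group(2))) < MIN_JQUERY:
            self.findings.append(("old_jquery", m.group(0)))
        if tag == "form":
            self._form = {"action": a.get("action", ""), "token": False}
            if self._form["action"].startswith("http://"):  # form posting over non-HTTPS
                self.findings.append(("form_over_http", self._form["action"]))
        if tag == "input" and self._form and a.get("name") == "authenticity_token":
            self._form["token"] = True

    def handle_endtag(self, tag):
        # Rails CSRF protection expects an authenticity_token in every POST form.
        if tag == "form" and self._form is not None:
            if not self._form["token"]:
                self.findings.append(("missing_authenticity_token", self._form["action"]))
            self._form = None
def audit(html):
    p = PageAuditor()
    p.feed(html)
    p.close()
    return p.findings
```

Running `audit(SAMPLE_HTML)` yields one finding per issue, with the login form reported twice (plain-HTTP action and missing token); a real scanner would feed these into a tracker the way the write-up describes SADB pushing Phantom Gang output to JIRA.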

Twitter is a big fan of CSP (Content Security Policy). It's great for enforcing policy and protecting web sites.



    Archives

    February 2013
