from manual -> automated
Having infosec integrated into the development and continuous integration cycle is awesome. In typical Twitter development, Brakeman runs on each code commit, and when the fix is committed, SADB emails the developer again.
from low visibility -> trending/reports
What have been the results of using Brakeman? Neil Matatall then described Phantom Gang, which does dynamic application security testing. It complements Brakeman by looking for issues such as mixed content, sensitive forms posting over non-HTTPS, old versions of jQuery that often show up when new micro sites are created, forms without an authenticity token (which are prone to request forgery), and so on.
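As an added illustration of the classes of findings listed above (this is not Phantom Gang's or Twitter's code), here is a small stdlib-only Python scanner run over a constructed HTML page. It assumes the page itself is served over HTTPS, and the jQuery version threshold is an assumption chosen for the example:

```python
# Added example: flag mixed content, forms posting over HTTP, POST forms with no
# authenticity_token field, and old jQuery builds. Standard library only.
import re
from html.parser import HTMLParser

OLD_JQUERY_MAX = (1, 9)  # assumed threshold: versions below 1.9 are flagged

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (issue, detail) tuples
        self._form = None    # state of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "link", "iframe"):
            src = a.get("src") or a.get("href") or ""
            if src.startswith("http://"):     # page assumed HTTPS -> mixed content
                self.findings.append(("mixed-content", src))
            m = re.search(r"jquery-(\d+)\.(\d+)", src)
            if m and (int(m.group(1)), int(m.group(2))) < OLD_JQUERY_MAX:
                self.findings.append(("old-jquery", src))
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "token": False}
        elif tag == "input" and self._form is not None:
            if a.get("name") == "authenticity_token":
                self._form["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f = self._form
            if f["action"].startswith("http://"):   # sensitive data posted in the clear
                self.findings.append(("form-over-http", f["action"]))
            if f["method"] == "post" and not f["token"]:
                self.findings.append(("form-without-authenticity-token", f["action"]))
            self._form = None

def scan_html(page_html):
    """Return (issue, detail) findings for one HTML page served over HTTPS."""
    s = _Scanner()
    s.feed(page_html)
    return s.findings

# Constructed sample page: one old jQuery include over HTTP, a password form
# posting over HTTP with no token, a GET form, and a correctly tokened POST form.
SAMPLE = """<html><head>
<script src="http://cdn.example.test/jquery-1.4.2.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css"></head><body>
<form action="http://login.example.test/session" method="post"><input type="password" name="password"></form>
<form action="/search" method="get"><input name="q"></form>
<form action="/comments" method="post"><input type="hidden" name="authenticity_token" value="CONSTRUCTED"><input name="body"></form>
</body></html>"""
```

Running `scan_html(SAMPLE)` yields four findings: the jQuery include is reported twice (mixed content and old version), and the login form twice (posting over HTTP and missing its token).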
from late discovery of issues -> auto notification
The output of Phantom Gang goes to JIRA rather than directly to developers. Why? Often these issues are harder to trace to an individual developer. They eventually want to extend Phantom Gang so that they can see the effects of any SQL injection attacks.
Twitter is a big fan of CSP. It’s great for enforcing policy and protecting web sites.