
Among the many juicy stories that poured out of the company following Musk’s takeover was one that dealt with the total lack of security around employee access to systems and customer data. But buried in there were two nuggets of information that meant nothing to the public or politicians but which stunned IT people around the world when they were revealed to Congress by a whistleblower:
[Former Twitter security executive Peiter “Mudge” Zatko] explained that they had no software development lifecycle [SDLC] and they’d misled the FTC on that.
Twitter does not have separate development, test, staging, and production environments. At least 5,000 employees had privileged access to production systems.
…
On [January 6, 2021], Mudge (the whistleblower) wanted to take action to prevent potential sabotage by a rogue employee. He learned it was not possible for Twitter to secure its production environment.
THE FUCK?
Musk, with his IT background, must have just about had a heart attack when he found this out. Having those areas separated has been basic IT practice for sixty years. Having an SDLC has been standard practice for forty years. This was a Silicon Valley titan? And any of five thousand employees could reach out and touch the production systems?
In 2020, Twitter had security incidents serious enough they had to be reported to the federal government on an almost weekly basis. Meanwhile, [CEO] Parag Agrawal was lying about how secure Twitter was.
…
Twitter did not keep backups of employee computers. They used to, but then the system broke, was never fixed, and execs decided this was good because it meant they couldn’t comply with regulators.
…
Mudge realized that a data center failure could potentially cause the permanent loss of all of Twitter’s data. He shared this fact with senior leadership, who instructed him not to put it in writing for the Board.
…
A few months later, that exact eventuality almost came true, and only herculean effort by Twitter engineers prevented “permanent, irreparable failure.”
Meaning the collapse of the then $44 billion company. Read the whole story.
That has to be by design. Any professional software engineer lead would insist on proper code structure, versioning, roll forward/roll back, release cycle, backup and restore, security restrictions, etc. etc.
I can only assume it was deliberate to run in such an unprofessional manner, but that seems weird given this level of shit show will stick to the IT pros involved in future career opportunities.
The question is why? Did it make it easy for 3 letter agencies to deploy and remove code when they wanted? Or just something mundane like incompetence?
Sounds like a project that got too big for itself.
It’s very difficult to demand all that software life cycle stuff when people want immediate results.
AH HA!!!!
You’re back. Your own nightmare of a project is at an end, at least until January!!! 🙂 🙂
Glad you picked up on this post, even if a month later. I’m still staggered by the lack of separate environments.