Also, some setups are not prone to this: Twitter most likely uses a proxy terminating SSL and then forwards the request to a smaller webserver running the app. This one will not hold the keys.
Most larger webservers can also run the app workers with a different user than the webserver itself.
Both Linux and Windows allow processes to read the memory of other processes running as the same user, via ptrace() and /proc/pid/mem on Linux, and via ReadProcessMemory() on Windows.
(how else could you ever debug anything?)
They usually only allow ptrace from parent to child or as root.
Also, wrt debugging, see the comment in the second link:
> If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.
(how else could you ever secure anything?)