Twig is a template engine for PHP and it is part of the Symfony2 framework. Drupal 8 Twig replaces as the default templating engine.
* By default, the twig theming engine compiles templates into PHP code and stores the compiled code in memory.
* Compiled code is unsuitable for development, Since Changes in twig templates are not immediately updated in your Drupal site.
* Twig automatically escapes the output by default, making Drupal 8 one of the most secure versions yet.
* For Drupal 7, as a whole, most security advisers were for cross-site scripting (XSS) vulnerabilities in contributed projects.
* with Drupal core, using twig, these security advisories should be severely reduced.