How does Facebook develop securely?


As Facebook celebrates National Cyber Security Awareness Month, the company’s security team talked about how Facebook develops with security squarely in mind.

Benjamin Strahs, Security Infrastructure Engineer, recently served on a panel organized by Bloomberg Government in Washington, D.C., talking Internet security with representatives from the Department of Homeland Security, Google and Microsoft.

He wrote a blog post Monday detailing Facebook’s mission with regard to security:

Security is core to everything we do at Facebook, and we believe everyone at the company plays a role in keeping our platform safe. Building a security-aware culture means understanding that a security vulnerability popping up in HR could be just as serious as one in our back-end systems. We’re currently celebrating our annual tradition of Hacktober, our internal security awareness initiative that runs all month long and pulls together technical and non-technical teams across the company. Employees participate in trainings, talks, activities like movie nights, and drills that test them to identify suspicious behavior like stray USB keys and fake phishing emails. People who join in the fun walk away with special Hacktober t-shirts and other goodies. After running the program for four years, we’ve seen it take off across our global offices and drive participation in our security discussion groups throughout the rest of the year.

Beyond building awareness, doing security successfully at scale involves thinking dynamically and allowing flexibility to adapt to new threats and circumstances. We built several security-focused teams across our organization to make sure we’re bringing diverse skill sets and perspectives to the issues that are most likely to impact our systems and the people using our service. By combining code frameworks and security reviews with proactive threat scanning and rapid response functions, our combined teams are well adapted to handling new situations that arise. At a technical level, we supplement our processes by adding HTTPS by default, designing strict internal access controls, and then using auditing to review and improve our past actions.

Top image courtesy of Shutterstock.

Recommended articles