Facebook hosted Security @Scale 2014 at its headquarters in Menlo Park, Calif., Oct. 29, and production engineer Fernanda Weiden recapped the proceedings in a post on the Facebook engineering blog, which also included videos of the event’s presentations.
Making online services safe and secure for more than 1 billion people means that security solutions have to scale well. Recent Internet-wide incidents involving SSL technology, such as POODLE and Heartbleed, only reinforce the importance of getting this stuff right, as well as the extent to which security technology impacts more than any single company.
For our second Security @Scale conference, we wanted to openly discuss and learn from the different ways companies such as GitHub, HackerOne, Square, Twitter and Facebook are solving the same problems. Our goals are ultimately the same: finding better engineering solutions so our front-end teams don’t have to always think about writing security into their programs but can benefit by default. Our jobs, as security team leaders, encompass everything from incident response and product consulting to compliance and, more generally, cleaning up all the code on our networks.
At the event last Wednesday, we previewed where security was as far back as 2010, how far it has come and how much we still have to accomplish. Check out the talks below to hear from some of the industry’s leading voices on security solutions that scale.
And here are the videos:
Opening Remarks: Scott Renfro of Facebook’s security infrastructure team welcomed the group to this year’s Security @Scale by discussing the state of cybersecurity and his experience with past Security @Scale conferences.
Mutiny on the Bounty: Lessons Learned in How Data Defeated Dogma: Katie Moussouris, now chief policy officer of HackerOne, dove into the development of Microsoft's bug bounty program, which she pioneered over three years of looking at data starting in 2010 and announced in 2013. Her talk showed how game theory, economics, politics and data turned heresy to gospel at the world's largest software company. Katie's talk focused on alternate bounty models and levers that don't require vendors to be the highest bidder to create successful structured incentive programs that bring about specific strategic outcomes. Katie walked through the motivations of hackers beyond monetary compensation and showed the success of the programs she created, which have paid out $253,000 since June 2013. She stressed that organizations that offer bounties have choices in factors like timing and turning a thin market into a thick market, and that researchers should not have to choose between doing the right thing and getting paid. She then wrapped up by previewing how to set up a bounty program based on data plugged into any organization's models and goals.
Human Botnet: Scaling Your Security Organization: Diogo Mónica talked about how Square scaled its vulnerability management, access control and security monitoring initiatives while still effectively managing the organization's risk. As the organization adds employees, the number of hours security engineers sleep every night continuously decreases. This happens because ensuring security against malicious actors, both internal and external, becomes increasingly hard as the company grows. Mónica presented many different systems that Square built internally to effectively scale the security team's job. In particular, he introduced Report Card, a tool to socialize the security status of a project within the company; Doorman, a centralized two-factor SSO that allows self-enrollment and expiration of arbitrary capabilities; and Sting, a security alerting tool that distributes the load of dealing with low signal-to-noise (SNR) alerts throughout the engineering organization.
Better Large-Scale Rule Engines with Haxl: Louis Brandy of Facebook’s site integrity team kicked off a discussion about scalable spam fighting and the anti-abuse structure at Facebook and Instagram. He stressed the importance of focusing on systems instead of spam itself, and how his team at Facebook has focused on progressive refinement in developing an efficient scalable rule engine powered by a domain-specific language called Haxl. Haxl works by allowing the user to write a simple and expressive set of rules, and have those rules be run with aggressive I/O scheduling and optimizations. Haxl automatically explores the computation to batch multiple requests to the same source, fetch from multiple sources concurrently and cache and deduplicate identical requests. This creates a simple and expressive rule language that executes optimally and reduces latency.
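To make the batching, deduplication and caching behaviour described for Haxl concrete, here is a small Python rule engine written as an added illustration for this recap. It is not Haxl and not Facebook code; Haxl is a Haskell library and does this work implicitly through its monad, whereas this toy makes each rule declare its lookups up front so the engine can collect them. The data sources (an IP reputation table and an account-age table), the rule names and the events are all constructed sample values.

```python
"""Toy rule engine illustrating Haxl-style batching, deduplication and caching.
Constructed example for this recap; it is not Haxl or Facebook code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

Request = Tuple[str, str]  # (data source name, lookup key)

# --- constructed sample data sources, standing in for remote services ---
IP_REPUTATION = {"203.0.113.5": "bad", "198.51.100.7": "good"}
ACCOUNT_AGE_DAYS = {"u1": 0, "u2": 400}
CALLS = defaultdict(int)  # how many round trips each source has served


def ip_reputation_batch(keys: Set[str]) -> Dict[str, object]:
    CALLS["ip_rep"] += 1  # one round trip regardless of how many keys
    return {k: IP_REPUTATION.get(k, "unknown") for k in keys}


def account_age_batch(keys: Set[str]) -> Dict[str, object]:
    CALLS["account"] += 1
    return {k: ACCOUNT_AGE_DAYS.get(k, -1) for k in keys}


@dataclass
class Rule:
    name: str
    needs: Callable[[dict], List[Request]]  # lookups this rule wants for an event
    decide: Callable[[dict, Dict[Request, object]], bool]  # fires given event + data


@dataclass
class Engine:
    sources: Dict[str, Callable[[Set[str]], Dict[str, object]]]
    rules: List[Rule]
    cache: Dict[Request, object] = field(default_factory=dict)
    batch_sizes: List[Tuple[str, int]] = field(default_factory=list)

    def _fetch(self, requests: Iterable[Request]) -> Dict[Request, object]:
        # Phase 1: gather every request across all rules; identical requests
        # collapse to one, and anything already cached is skipped.
        wanted = sorted(set(requests))
        pending: Dict[str, Set[str]] = defaultdict(set)
        for src, key in wanted:
            if (src, key) not in self.cache:
                pending[src].add(key)
        # Phase 2: one batched call per source. A production engine would
        # issue these concurrently; this toy runs them in sequence.
        for src, keys in pending.items():
            results = self.sources[src](keys)
            self.batch_sizes.append((src, len(keys)))
            for key in keys:
                self.cache[(src, key)] = results.get(key)
        return {req: self.cache[req] for req in wanted}

    def evaluate(self, event: dict) -> List[str]:
        """Return the names of the rules that fire for this event."""
        requests = [req for rule in self.rules for req in rule.needs(event)]
        fetched = self._fetch(requests)
        return [rule.name for rule in self.rules if rule.decide(event, fetched)]


RULES = [
    Rule("new_account_bad_ip",
         lambda e: [("ip_rep", e["ip"]), ("account", e["uid"])],
         lambda e, d: d[("ip_rep", e["ip"])] == "bad"
         and d[("account", e["uid"])] < 7),
    Rule("bad_ip_burst",
         lambda e: [("ip_rep", e["ip"])],  # same ip_rep lookup as the rule above
         lambda e, d: d[("ip_rep", e["ip"])] == "bad"
         and e["posts_last_minute"] > 20),
]


def build_engine() -> Engine:
    return Engine({"ip_rep": ip_reputation_batch, "account": account_age_batch}, RULES)


if __name__ == "__main__":
    engine = build_engine()
    # Constructed event: brand-new account posting rapidly from a bad IP.
    print(engine.evaluate({"uid": "u1", "ip": "203.0.113.5", "posts_last_minute": 30}))
    print(engine.batch_sizes, dict(CALLS))
```

Both rules ask for the same IP reputation lookup, so the first event costs two round trips rather than three; a second event from the same IP hits the cache and only the new account lookup goes to a data source. The point the talk makes is that rule authors write only the `needs`/`decide` parts and never reason about batching, which is what keeps a large rule set both readable and cheap to run.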