11/30/2015 10:30 AM
Chris Bream
Commentary

How Facebook Bakes Security Into Corporate Culture

Security is everyone's responsibility at the famous social network. These five ingredients are what make up the secret sauce.

Sophisticated systems and advanced engineering capabilities are critical for scaling security at Facebook, and we're fortunate to have them. However, one of our most powerful defenses is something businesses of any size can develop: a strong security culture. 

Frequent and proactive discussions about security helped us create a culture where security is paramount and knowledge drives out fear. We nurture specific characteristics of our security culture at Facebook to keep it strong -- and they're things every company can do.

Ingredient #1: Openness
Security is everyone's responsibility at Facebook and we don't wait until something bad happens to talk about it. A member of the Facebook security team is part of every orientation session for all new hires to introduce them to our security approach and ensure they know how to reach our team for any reason. New engineers go through a six-week bootcamp program, which includes several courses on security. So, before they even start working on projects, our engineers are familiar with our expectations for security and are active participants in our defense strategy.  

But a security culture doesn't start and end with training. Facebook employees have direct access to security teams at any time. We value feedback from anyone about what's working and what isn't; including employees in security discussions that could impact the way they do their job removes friction and builds a network of internal security advocates across the company. It also helps employees understand why we're doing something, not just what we're doing.

Ingredient #2: Company Mission
Tying security to the overall purpose and future of the company is also critical. It sets the tone for how security is treated within the organization. Is it an afterthought, an inconvenience, a compliance mandate, or is it critical to the company's success? Facebook's mission is to make the world more open and connected. To do this effectively, we must do it securely. This empowers everyone at Facebook to be part of making our services — and the Internet as a whole — safer and more secure. 

To succeed, we have to move fast with multiple code pushes per day involving a dizzying number of diffs. To do this securely, we complement traditional security reviews with secure development frameworks so engineers can be more productive while also removing vulnerabilities from our code. A team of software engineers is dedicated to making it easier for developers to quickly create secure code by default. In this way, security contributes to the overall success of our company mission.

Ingredient #3: Community Collaboration
Exchanging ideas, lessons, and best practices with other security teams helps keep your skills sharp and your company informed. Whether you’re discussing new discoveries at events, sharing threat intelligence, or contributing to open source projects, collaboration allows us to solve problems as a community for the entire Internet. Take advantage of things that have already been solved by others, especially if you don't have the resources or expertise to build solutions on your own.

We open-sourced osquery last year, giving other companies a way to detect intrusions in Linux and Mac systems. It's now the most popular security project on GitHub with dozens of contributions from outside Facebook. Osquery has an active user community sharing new improvements and experiences with each other and our security team.

Ingredient #4: Empathy
With all its technical elements, it's easy to forget the human side of security — and that can be a costly mistake. At Facebook, we strive to make empathy the driving force behind the problems we solve and how we apply solutions. Even well-intentioned people can find themselves in trouble if they don't understand the implications of their choices. Don't expect everyone to be a security expert; instead, look at your products from their perspective and plan for a variety of uses. This is an important consideration both internally and externally.

Empathy requires that security issues get addressed from the start, especially at Facebook where we develop, test, and iterate quickly. Empathy Labs in Facebook offices around the world give engineers a better understanding of how people with different abilities, in different parts of the world, facing various life situations might interact with our products. A strong commitment to empathy is the only way we could build products that work safely for everyone.

Ingredient #5: Engagement
Most people need a level of muscle memory to recognize when something suspicious is happening. Thus, security education must be consistent and memorable for employees to recognize potential risks on their own. This can't be done with periodic compliance training or static content alone. 

Hacktober is a month-long program at Facebook with contests and workshops designed to engage employees on how to protect our company and all the people who use Facebook. We use gamification to drive participation, rewarding employees not only for avoiding unsafe behavior, but also contributing to security improvements such as identifying bugs in code. Fun interactive activities help reinforce the principles we practice throughout the year without reverting to scare tactics.

There is no magic technology or process for creating a security culture -- it's about people. A security culture requires understanding your employees and the people you serve. Whether it's empowering your security team to participate in industry collaboration or articulating how security enables the overall company mission, a focus on people is critical. This effort has made all the difference at Facebook where every employee is part of the team that helps us protect 1.5 billion people around the world.

Chris Bream is a security director at Facebook. Chris has 12 years of IT experience, with the previous ten focused on information security. At Facebook, he leads a team that helps drive security on the infrastructure that delivers Facebook, Instagram, and Oculus to people ...

Comments
chris.bream, User Rank: Apprentice
2/2/2016 | 3:25:22 PM
Re: Certs
Sorry for the delay, Joe. I somehow totally missed this.

Instead of certifications, we've built out an entire course structure. We're fortunate enough to have engineers that can build out these courses and deliver them. We also have mentors that help our new hires during this training.
jerome-denis, User Rank: Apprentice
12/4/2015 | 10:31:06 AM
Re
Nice article, great analysis!
seo-rennes, User Rank: Apprentice
12/4/2015 | 3:53:44 AM
Re: Certs
Yes, normally they are, Joe. ;-)
Joe Stanganelli, User Rank: Ninja
11/30/2015 | 6:00:37 PM
Certs
Hi, Chris. Thanks for these insights. Do the engineers do any certification courses or training during their six weeks of coursework?