11/30/2015 10:30 AM
Chris Bream
Commentary

How Facebook Bakes Security Into Corporate Culture

Security is everyone's responsibility at the famous social network. These five ingredients are what make up the secret sauce.

Sophisticated systems and advanced engineering capabilities are critical for scaling security at Facebook, and we're fortunate to have them. However, one of our most powerful defenses is something businesses of any size can develop: a strong security culture. 

Frequent and proactive discussions about security helped us create a culture where security is paramount and knowledge drives out fear. We nurture specific characteristics of our security culture at Facebook to keep it strong -- and they're things every company can do.

Ingredient #1: Openness
Security is everyone's responsibility at Facebook and we don't wait until something bad happens to talk about it. A member of the Facebook security team is part of every orientation session for all new hires to introduce them to our security approach and ensure they know how to reach our team for any reason. New engineers go through a six-week bootcamp program, which includes several courses on security. So, before they even start working on projects, our engineers are familiar with our expectations for security and are active participants in our defense strategy.  

But a security culture doesn't start and end with training. Facebook employees have direct access to security teams at any time. We value feedback from anyone about what's working and what isn't; including employees in security discussions that could affect the way they do their job removes friction and builds a network of internal security advocates across the company. It also helps employees understand why we're doing something, not just what we're doing.

Ingredient #2: Company Mission
Tying security to the overall purpose and future of the company is also critical. It sets the tone for how security is treated within the organization. Is it an afterthought, an inconvenience, a compliance mandate, or is it critical to the company's success? Facebook's mission is to make the world more open and connected. To do this effectively, we must do it securely. This empowers everyone at Facebook to be part of making our services — and the Internet as a whole — safer and more secure. 

To succeed, we have to move fast, with multiple code pushes per day involving a dizzying number of diffs. To do this securely, we complement traditional security reviews with secure development frameworks so engineers can be more productive while also removing vulnerabilities from our code. A team of software engineers is dedicated to making it easier for developers to quickly create code that is secure by default. In this way, security contributes to the overall success of our company mission.

Ingredient #3: Community Collaboration
Exchanging ideas, lessons, and best practices with other security teams helps keep your skills sharp and your company informed. Whether you’re discussing new discoveries at events, sharing threat intelligence, or contributing to open source projects, collaboration allows us to solve problems as a community for the entire Internet. Take advantage of things that have already been solved by others, especially if you don't have the resources or expertise to build solutions on your own.

We open-sourced osquery last year, giving other companies a way to detect intrusions in Linux and Mac systems. It's now the most popular security project on GitHub with dozens of contributions from outside Facebook. Osquery has an active user community sharing new improvements and experiences with each other and our security team.

Ingredient #4: Empathy
With all its technical elements, it's easy to forget the human side of security — and that can be a costly mistake. At Facebook, we strive to make empathy the driving force behind the problems we solve and how we apply solutions. Even well-intentioned people can find themselves in trouble if they don't understand the implications of their choices. Don't expect everyone to be a security expert; instead, look at your products from their perspective and plan for a variety of uses. This is an important consideration both internally and externally.

Empathy requires that security issues get addressed from the start, especially at Facebook, where we develop, test, and iterate quickly. Empathy Labs in Facebook offices around the world give engineers a better understanding of how people with different abilities, in different parts of the world, facing various life situations might interact with our products. A strong commitment to empathy is the only way we could build products that work safely for everyone.

Ingredient #5: Engagement
Most people need a level of muscle memory to recognize when something suspicious is happening. Thus, security education must be consistent and memorable for employees to recognize potential risks on their own. This can't be done with periodic compliance training or static content alone. 

Hacktober is a month-long program at Facebook with contests and workshops designed to engage employees on how to protect our company and all the people who use Facebook. We use gamification to drive participation, rewarding employees not only for avoiding unsafe behavior, but also contributing to security improvements such as identifying bugs in code. Fun interactive activities help reinforce the principles we practice throughout the year without reverting to scare tactics.

There is no magic technology or process for creating a security culture -- it's about people. A security culture requires understanding your employees and the people you serve. Whether it's empowering your security team to participate in industry collaboration or articulating how security enables the overall company mission, a focus on people is critical. This effort has made all the difference at Facebook where every employee is part of the team that helps us protect 1.5 billion people around the world.

Chris Bream is a security director at Facebook. Chris has 12 years of IT experience, with the previous ten focused on information security. At Facebook, he leads a team that helps drive security on the infrastructure that delivers Facebook, Instagram, and Oculus to people ...
Comments
chris.bream, User Rank: Apprentice
2/2/2016 | 3:25:22 PM
Re: Certs
Sorry for the delay Joe. I somehow totally missed this.

Instead of certifications, we've built out an entire course structure. We're fortunate enough to have engineers that can build out these courses and deliver them. We also have mentors that help our new hires during this training.
jerome-denis, User Rank: Apprentice
12/4/2015 | 10:31:06 AM
Re
Nice article, great analysis!
seo-rennes, User Rank: Apprentice
12/4/2015 | 3:53:44 AM
Re: Certs
Yes, normally they are Joe. ;-)
Joe Stanganelli, User Rank: Ninja
11/30/2015 | 6:00:37 PM
Certs
Hi, Chris. Thanks for these insights. Do the engineers do any certification courses or training during their six weeks of coursework?