Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

11/30/2015
10:30 AM
Chris Bream
Commentary

How Facebook Bakes Security Into Corporate Culture

Security is everyone's responsibility at the famous social network. These five ingredients are what make up the secret sauce.

Sophisticated systems and advanced engineering capabilities are critical for scaling security at Facebook, and we're fortunate to have them. However, one of our most powerful defenses is something businesses of any size can develop: a strong security culture. 

Frequent and proactive discussions about security helped us create a culture where security is paramount and knowledge drives out fear. We nurture specific characteristics of our security culture at Facebook to keep it strong -- and they're things every company can do.

Ingredient #1: Openness
Security is everyone's responsibility at Facebook and we don't wait until something bad happens to talk about it. A member of the Facebook security team is part of every orientation session for all new hires to introduce them to our security approach and ensure they know how to reach our team for any reason. New engineers go through a six-week bootcamp program, which includes several courses on security. So, before they even start working on projects, our engineers are familiar with our expectations for security and are active participants in our defense strategy.  

But a security culture doesn't start and end with training. Facebook employees have direct access to security teams at any time. We value feedback from anyone about what's working and what isn't; including employees in security discussions that could impact the way they do their job removes friction and builds a network of internal security advocates across the company. It also helps employees understand why we're doing something, not just what we're doing.

Ingredient #2: Company Mission
Tying security to the overall purpose and future of the company is also critical. It sets the tone for how security is treated within the organization. Is it an afterthought, an inconvenience, a compliance mandate, or is it critical to the company's success? Facebook's mission is to make the world more open and connected. To do this effectively, we must do it securely. This empowers everyone at Facebook to be part of making our services — and the Internet as a whole — safer and more secure. 

To succeed, we have to move fast with multiple code pushes per day involving a dizzying number of diffs. To do this securely, we complement traditional security reviews with secure development frameworks so engineers can be more productive while also removing vulnerabilities from our code. A team of software engineers is dedicated to making it easier for developers to quickly create secure code by default. In this way, security contributes to the overall success of our company mission.

Ingredient #3: Community Collaboration
Exchanging ideas, lessons, and best practices with other security teams helps keep your skills sharp and your company informed. Whether you're discussing new discoveries at events, sharing threat intelligence, or contributing to open source projects, collaboration allows us to solve problems as a community for the entire Internet. Take advantage of things that have already been solved by others, especially if you don't have the resources or expertise to build solutions on your own.

We open-sourced osquery last year, giving other companies a way to detect intrusions in Linux and Mac systems. It's now the most popular security project on GitHub with dozens of contributions from outside Facebook. Osquery has an active user community sharing new improvements and experiences with each other and our security team.

Ingredient #4: Empathy
With all its technical elements, it's easy to forget the human side of security — and that can be a costly mistake. At Facebook, we strive to make empathy the driving force behind the problems we solve and how we apply solutions. Even well-intentioned people can find themselves in trouble if they don't understand the implications of their choices. Don't expect everyone to be a security expert; instead, look at your products from their perspective and plan for a variety of uses. This is an important consideration both internally and externally.

Empathy requires that security issues get addressed from the start, especially at Facebook where we develop, test, and iterate quickly. Empathy Labs in Facebook offices around the world give engineers a better understanding of how people with different abilities, in different parts of the world, facing various life situations might interact with our products. A strong commitment to empathy is the only way we could build products that work safely for everyone.

Ingredient #5: Engagement
Most people need a level of muscle memory to recognize when something suspicious is happening. Thus, security education must be consistent and memorable for employees to recognize potential risks on their own. This can't be done with periodic compliance training or static content alone. 

Hacktober is a month-long program at Facebook with contests and workshops designed to engage employees on how to protect our company and all the people who use Facebook. We use gamification to drive participation, rewarding employees not only for avoiding unsafe behavior, but also contributing to security improvements such as identifying bugs in code. Fun interactive activities help reinforce the principles we practice throughout the year without reverting to scare tactics.

There is no magic technology or process for creating a security culture -- it's about people. A security culture requires understanding your employees and the people you serve. Whether it's empowering your security team to participate in industry collaboration or articulating how security enables the overall company mission, a focus on people is critical. This effort has made all the difference at Facebook where every employee is part of the team that helps us protect 1.5 billion people around the world.

Chris Bream is a security director at Facebook. Chris has 12 years of IT experience, with the previous ten focused on information security. At Facebook, he leads a team that helps drive security on the infrastructure that delivers Facebook, Instagram, and Oculus to people ...

Comments
chris.bream, User Rank: Apprentice
2/2/2016 | 3:25:22 PM
Re: Certs
Sorry for the delay Joe. I somehow totally missed this.

Instead of certifications, we've built out an entire course structure. We're fortunate enough to have engineers that can build out these courses and deliver them. We also have mentors that help our new hires during this training.

jerome-denis, User Rank: Apprentice
12/4/2015 | 10:31:06 AM
Re
Nice article, great analysis!

seo-rennes, User Rank: Apprentice
12/4/2015 | 3:53:44 AM
Re: Certs
Yes, normally they are Joe. ;-)

Joe Stanganelli, User Rank: Ninja
11/30/2015 | 6:00:37 PM
Certs
Hi, Chris. Thanks for these insights. Do the engineers do any certification courses or training during their six weeks of coursework?