Secure Development at Facebook

The theory behind "safe by default" code is preventing the introduction of security vulnerabilities from the start. My team at Facebook works hard every day to build coding frameworks that incorporate security best practices to prevent flaws, so I was excited to take part in a panel organized by Bloomberg Government in Washington, D.C., last Thursday that centered around built-in, embedded security. With the fitting backdrop of National Cyber Security Awareness Month, I joined representatives from the Department of Homeland Security, Google and Microsoft to talk about building a culture of secure development and how it works at Facebook. The ideas from the panel have stuck with me since then, so I thought I'd share some of the highlights.

Security is core to everything we do at Facebook, and we believe everyone at the company plays a role in keeping our platform safe. Building a security-aware culture means understanding that a security vulnerability popping up in HR could be just as serious as one in our back-end systems. We're currently celebrating our annual tradition of Hacktober, our internal security awareness initiative that runs all month long and pulls together technical and non-technical teams across the company. Employees participate in trainings, talks, activities like movie nights, and drills that test them to identify suspicious behavior like stray USB keys and fake phishing emails. People who join in the fun walk away with special Hacktober t-shirts and other goodies. After running the program for four years, we've seen it take off across our global offices and drive participation in our security discussion groups throughout the rest of the year.

Beyond building awareness, doing security successfully at scale involves thinking dynamically and allowing flexibility to adapt to new threats and circumstances. We built several security-focused teams across our organization to make sure we're bringing diverse skill sets and perspectives to the issues that are most likely to impact our systems and the people using our service. By combining code frameworks and security reviews with proactive threat scanning and rapid response functions, our combined teams are well adapted to handling new situations that arise. At a technical level, we supplement our processes by adding HTTPS by default, designing strict internal access controls, and then using auditing to review and improve our past actions.

Our commitment to secure development extends to the community beyond Facebook. We are proud contributors to many open source projects, and security is no exception. We've released a string of popular open source security software, including an intrusion detection system with Etsy called MIDAS, an Android crypto library for efficient and secure storage called Conceal, and another that's coming out later this month. On October 29th we're hosting an event called Security @Scale at our headquarters where security engineers will come together to share insights and lessons about secure coding, and we hope to find more opportunities for companies to share helpful security information with one another.

I'm passionate about developing secure products, and Facebook has made building secure products easier and faster for all our teams across the world. We hope others take this chance to evaluate their own practices and come up with new ways to build in security from the very beginning. Happy Hacktober!
Posted on: Sat, 18 Oct 2014 08:51:55 +0000