The annual Facebook F8 conference is generally a developer conference and not typically the place where security has been on the keynote stage, but that wasn’t the case for the 2018 event.
At the F8 2018 event on May 1, Facebook CSO Alex Stamos delivered a keynote address that explained how Facebook secures itself and its users. Stamos also provided some insights and ideas for the developers in the audience on steps they can take that benefit from the lessons learned by Facebook.
“Protecting people’s data and all the technical work that goes into that is extremely important, but it turns out that doing that is not enough,” Stamos said.
Stamos said that Facebook has had to adjust to the modern reality that security is about more than just building a secure and trustworthy system. In the modern threat environment that Facebook deals with, it’s also important to understand how technology can be abused to cause harm.
Broadly speaking, Stamos said that the core areas for security at Facebook include how to protect the company from attack, how to protect users from abuse and also looking at larger issues such as Facebook’s role in election security and integrity.
Protecting the Company
Stamos said that Facebook has a corporate security team that deals with common information security challenges that every company in the world faces.
“Our challenge is a little bit bigger because we have some of the best adversaries in the world trying to break into our corporate networks, but in the end it’s not that different than the kind of things you hear from lots of companies,” Stamos said. “We need to think about identity management and access control; we have to do vulnerability management; we have to build secure internal portals and systems that can withstand attack.”
Facebook also has very large production engineering security component, he noted, employing individuals who secure the actual production servers in Facebook’s data centers containing user data. Facebook also has a dedicated security engineering team that is concerned with how data is accessed, used and deleted at scale across the social network.
Stamos said that in the past, security was often considered a final step in the development process by most application developers. However, at Facebook security is built into the development lifecycle, with peer review and human checks, as well as automated code testing as part of a continuous workflow, he said.
Even with all the integrated security resources at Facebook, there are still issues that slip through. That’s where the bug bounty comes into play, providing another set of external resources that can help Facebook to find potential risks. Stamos said that Facebook has paid out a total of $6 million in bug bounties to third-party security researchers for responsibly disclosing flaws.
Facebook has also built its own open-source tool called osquery, which was launched in 2014. Stamos said that osquery runs on every system at Facebook to show what is running on system as well as revealing signs of potential intrusions.
Going a step further, Stamos said that Facebook has a “red team” of security penetration testing professionals that run scheduled and unscheduled exercises against Facebook products and infrastructure. The red team pretends to be a real adversary that tries to break into the Facebook network to go after an objective. Stamos said that the red team model tests Facebook’s abilities to detect and respond to a potential breach.
In terms of protecting people, Facebook has anti-harassment teams that look to curb abuse in news feeds and video. Facebook also has specific areas of focus for abuse including election security. Stamos outlined multiple steps that Facebook is now taking to to protect elections, with an advertising transparency effort, activities to combat false news and efforts to combat foreign interference.
“I’m not going to say that we don’t have more work to do,” Stamos said. “We have a lot of work to do to understand our responsibility and live up to that responsibility around the world, but I am encouraged that with support from the company from all over, we have teams all over Facebook that care incredibly deeply about this.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.