How Facebook Maintains Its Security-Aware Culture


As part of National Cyber Security Awareness Month, Facebook security infrastructure engineer Benjamin Strahs spoke on a panel organized by Bloomberg Government in Washington, D.C., last week, along with representatives from the Department of Homeland Security, Google and Microsoft.

Strahs offered highlights from the panel in a note on the Facebook Security page:

Security is core to everything we do at Facebook, and we believe everyone at the company plays a role in keeping our platform safe. Building a security-aware culture means understanding that a security vulnerability popping up in human resources could be just as serious as one in our back-end systems. We’re currently celebrating our annual tradition of Hacktober, our internal security-awareness initiative that runs all month long and pulls together technical and non-technical teams across the company. Employees participate in training, talks, activities like movie nights, and drills that test them to identify suspicious behavior like stray USB keys and fake phishing emails. People who join in the fun walk away with special Hacktober T-shirts and other goodies. After running the program for four years, we’ve seen it take off across our global offices and drive participation in our security discussion groups throughout the rest of the year.

Beyond building awareness, doing security successfully at scale involves thinking dynamically and allowing flexibility to adapt to new threats and circumstances. We built several security-focused teams across our organization to make sure we’re bringing diverse skill sets and perspectives to the issues that are most likely to impact our systems and the people using our service. By combining code frameworks and security reviews with proactive threat scanning and rapid response functions, our combined teams are well-adapted to handling new situations that arise. At a technical level, we supplement our processes by adding HTTPS by default, designing strict internal access controls and then using auditing to review and improve our past actions.

Our commitment to secure development extends to the community beyond Facebook. We are proud contributors to many open-source projects, and security is no exception. We’ve released a string of popular open-source security software, including an intrusion detection system with Etsy called MIDAS, an Android crypto library for efficient and secure storage called Conceal and another that’s coming out later this month. On Oct. 29, we’re hosting an event called Security @Scale at our headquarters, where security engineers will come together to share insights and lessons about secure coding, and we hope to find more opportunities for companies to share helpful security information with one another.

I’m passionate about developing secure products, and Facebook has made building secure products easier and faster for all our teams across the world. We hope others take this chance to evaluate their own practices and come up with new ways to build in security from the very beginning. Happy Hacktober!