Facebook revealed the “defense-in-depth” approach it uses to keep its platform and services secure and to find, fix, and prevent security issues before they reach live deployment and affect end users.
As described by Collin Greene, Facebook’s Manager of Product Security, the social network’s development and security teams use a “layered” approach to bug prevention and patching.
Because bugs can later evolve into serious security vulnerabilities that would-be attackers could use to gain access to Facebook users’ data, the social network giant’s development workflow includes multiple measures designed to keep them in check.
Moreover, the Facebook defense-in-depth platform security approach uses five different bug filtering layers: secure frameworks, automated testing tools, peer and design reviews, red team exercises, and a bug bounty program.
In the “Designing Security for Billions” press release, Greene stated that:
At Facebook we take what’s called a “defense-in-depth” approach to security, meaning we layer a number of protections to make sure we prevent and address vulnerabilities in our code from multiple angles. It is a massive, ongoing effort that spans teams, departments and time zones. Security engineers and practices are embedded throughout the company to help ensure that data protections are built into our code and designs from the get-go, rather than added on at the end.
To be more exact, Facebook’s engineering workforce uses secure frameworks designed to reduce programming errors as much as possible.
Hack, a programming language derived from PHP, and XHP, an open-source extension to PHP and Hack, are just two examples of the frameworks that make it possible to prevent security issues such as cross-site scripting vulnerabilities with little to no effort on the developer’s part.
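The property the article attributes to XHP is that markup is built from typed nodes rather than string concatenation, so untrusted text is escaped by construction instead of relying on each developer to remember to call an escaping function. The following is an added illustration of that pattern in Python; it is not XHP or any Facebook code, and the `Element` class, the two render functions and the sample input are assumptions constructed for this example.

```python
import html
from typing import Any, Dict, List, Optional


class Element:
    """Minimal "secure by construction" HTML node (assumed, illustrative).

    Markup can only be produced through Element objects; any plain string
    placed in the tree is treated as text and HTML-escaped at render time.
    There is no API for inserting a raw string as markup, which is the
    design choice that removes the most common cross-site scripting path.
    """

    def __init__(self, tag: str, attrs: Optional[Dict[str, Any]] = None, *children: Any):
        self.tag = tag
        self.attrs = attrs or {}
        self.children: List[Any] = list(children)

    def render(self) -> str:
        # Attribute values are escaped with quote=True so a value cannot close
        # the surrounding double quotes and start a new attribute.
        attr_str = "".join(
            f' {name}="{html.escape(str(value), quote=True)}"'
            for name, value in self.attrs.items()
        )
        # Child Elements render themselves; everything else is escaped text.
        inner = "".join(
            child.render() if isinstance(child, Element)
            else html.escape(str(child), quote=True)
            for child in self.children
        )
        return f"<{self.tag}{attr_str}>{inner}</{self.tag}>"


def render_unsafe(name: str) -> str:
    """The pattern secure frameworks are meant to replace: untrusted input
    concatenated straight into markup, with escaping left to the developer."""
    return '<div class="greeting">Hello, ' + name + "</div>"


def render_safe(name: str) -> str:
    """Same output built from nodes; the untrusted value can only be text."""
    return Element("div", {"class": "greeting"}, "Hello, ", name).render()


# Constructed sample input: the classic probe string used when checking
# whether a rendering path escapes user-controlled text.
SAMPLE_NAME = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_NAME))
    print("safe:  ", render_safe(SAMPLE_NAME))
```

Running the block prints the concatenated version with the `<script>` tag intact and the node-based version with it neutralised as `&lt;script&gt;`. The point of the design is not that `html.escape` exists, but that with the node API there is no code path on which a developer can forget to call it.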
$7.5 million awarded through the Facebook bug bounty program
Automated testing tools are also used to continually analyze code at scale; one such code analysis tool is designed to continuously monitor and analyze the entire Facebook codebase of roughly 100 million lines of Hack code.
Facebook also employs peer reviews, design reviews, and red team exercises that allow it to find security flaws in its codebase with the help of human experts. The human factor makes it possible for the social network to “improve the coordination between our teams working on security, privacy, public policy, communications, product and legal and helps us exercise the organizational muscles we would need during a real incident.”
The Facebook bug bounty program is the fifth component of the social network’s layered defense-in-depth security approach, a program that has been running since 2011 and has awarded over $7.5 million in bounties to security researchers from all over the world.
Our focus on finding, fixing and preventing security issues has allowed us to scale our defenses as Facebook has grown to support billions of people connecting with one another. At times this has meant adapting our strategies to protect our expanding global community, rewriting our widely-used coding frameworks and open-sourcing unique security tools.
Security issues still plaguing Facebook despite all its efforts
Despite all the efforts to provide the best possible security for its users, Facebook disclosed a security vulnerability in September 2018 which affected around 50 million people and likely allowed malicious third parties to access the personal information in all affected users’ accounts.
Furthermore, during December a bug in the platform’s Photo API (application programming interface) may have also provided potential attackers with unauthorized access to the protected images of roughly 6.8 million Facebook users.
Also, according to BBC research, a seller going by the name “FBSaler” put up the information of 120 million Facebook users and the private messages of 81,000 profiles on underground criminal forums for 10 cents each.