This website uses cookies to ensure you get the best possible experience. See our Cookies Policy.

PMG Digital Made for Humans

Tips to building security in apps from the ground up: the FB way

3 MINUTE READ | May 10, 2018

Tips to building security in apps from the ground up: the FB way

Last week a few developers spent the week at F8, the Facebook Developer Conference in San Jose, in the interest of hearing about security updates with all the Cambridge Analytica stuff going on, along with hearing new updates about the apps under the Facebook umbrella.

While Facebook announced some interesting new features during keynotes, like Augmented Reality Camera Effects and video call coming to Instagram, along with the ability to clear your FB history similar to how you can clear browser cookies, (and of course, the new Facebook Dating site) our big takeaway was what Facebook is doing for security at scale and how we can improve security as we continue to grow.

  • Train up developers on your security standardsAt Facebook, all new developers go through a 6-8 week boot camp before they touch any Facebook code. This ensures all engineers get the same knowledge from the beginning. The training covers their development stack along with security best practices.

  • Use existing secure libraries instead of reinventing the wheelThis should be common practice among most developers. For example, if you’re implementing a payment method on an e-commerce site you will most likely use something like PayPal which lets them take care of most of the security.Let experts write secure code and keep it up to date so that you can focus on the security in the functionality you’re writing. Libraries and packages usually get updated anytime there is a vulnerability, automatically keeping your code secure by updating whenever there is an update available.

  • Keep different code stacks to a minimumFacebook uses one stack to write all their code so all developers use the same languages and can easily understand code other developers are contributing. This reduces the risk of security vulnerabilities that occur when people aren’t as experienced with a language. View the Facebook Stack here. Along with using their own stack, they also wrote Hack, which sits on top of PHP but adds in additional security.

  • Peer review every piece of code no matter how small and use automated testingBefore any code goes to production it goes under peer review. Once a developer reviews a piece of code, their name is on it so they’re responsible for it once it’s in production too. This gives developers more responsibility to review it more thoroughly. In addition to this, all code goes through extensive automated tests before it gets pushed to production.

  • Continuous Integration, Continuous DeliveryAlong with peer reviews and automated testing, use infrastructure to merge and deploy code. The code is automatically deployed once tests pass, allowing developers to easily and quickly patch code.

  • Document and track all bugsFacebook has set up a bug reward process, encouraging people to report bugs and vulnerabilities by offering incentives. In some cases, developers have also been hired by reporting bugs.

  • Hack your own appsSimilar to the Netflix Simian Army for their cloud services, Facebook has a dedicated “Red Team”. This team is responsible for trying to hack the facebook app. They will set up random hacks to try to find vulnerabilities but also test how the teams respond to an incoming attack.

Insights meet inbox

Sign up for weekly articles & resources.

Security needs to be built into apps from the very beginning. This is done by training developers and using best practices, not by adding security onto the end as an afterthought.

Posted by Emily Fox

Related Content

thumbnail image

Get Informed

PMG Innovation Challenge Inspires New Alli Technology Solutions

4 MINUTES READ | November 2, 2021

Get Informed

Applying Function Options to Domain Entities in Go

11 MINUTES READ | October 21, 2019

thumbnail image

Get Informed

My Experience Teaching Through Jupyter Notebooks

4 MINUTES READ | September 21, 2019

Get Informed

Trading Symfony’s Form Component for Data Transfer Objects

8 MINUTES READ | September 3, 2019

Get Inspired

Working with an Automation Mindset

5 MINUTES READ | August 22, 2019

Get Informed

Parsing Redshift Logs to Understand Data Usage

7 MINUTES READ | May 6, 2019

Get Inspired

3 Tips for Showing Value in the Tech You Build

5 MINUTES READ | April 24, 2019

thumbnail image

Get Informed

Testing React

13 MINUTES READ | March 12, 2019

Get Inspired

Tips for Designing & Testing Software Without a UX Specialist

4 MINUTES READ | March 6, 2019

Get Informed

A Beginner’s Experience with Terraform

4 MINUTES READ | December 20, 2018