Tips to building security in apps from the ground up: the FB way

Last week a few developers spent the week at F8, the Facebook Developer Conference in San Jose, in the interest of hearing about security updates with all the Cambridge Analytica stuff going on, along with hearing new updates about the apps under the Facebook umbrella.

While Facebook announced some interesting new features during keynotes, like Augmented Reality Camera Effects and video call coming to Instagram, along with the ability to clear your FB history similar to how you can clear browser cookies, (and of course, the new Facebook Dating site) our big takeaway was what Facebook is doing for security at scale and how we can improve security as we continue to grow.

Train up developers on your security standards
At Facebook, all new developers go through a 6-8 week boot camp before they touch any Facebook code. This ensures all engineers get the same knowledge from the beginning. The training covers their development stack along with security best practices.

Use existing secure libraries instead of reinventing the wheel
This should be common practice among most developers. For example, if you’re implementing a payment method on an e-commerce site you will most likely use something like PayPal which lets them take care of most of the security.
Let experts write secure code and keep it up to date so that you can focus on the security in the functionality you’re writing. Libraries and packages usually get updated anytime there is a vulnerability, automatically keeping your code secure by updating whenever there is an update available.

Keep different code stacks to a minimum
Facebook uses one stack to write all their code so all developers use the same languages and can easily understand code other developers are contributing. This reduces the risk of security vulnerabilities that occur when people aren’t as experienced with a language. View the Facebook Stack here. Along with using their own stack, they also wrote Hack, which sits on top of PHP but adds in additional security.

Peer review every piece of code no matter how small and use automated testing
Before any code goes to production it goes under peer review. Once a developer reviews a piece of code, their name is on it so they’re responsible for it once it’s in production too. This gives developers more responsibility to review it more thoroughly. In addition to this, all code goes through extensive automated tests before it gets pushed to production.

Continuous Integration, Continuous Delivery
Along with peer reviews and automated testing, use infrastructure to merge and deploy code. The code is automatically deployed once tests pass, allowing developers to easily and quickly patch code.

Document and track all bugs
Facebook has set up a bug reward process, encouraging people to report bugs and vulnerabilities by offering incentives. In some cases, developers have also been hired by reporting bugs.

Hack your own apps
Similar to the Netflix Simian Army for their cloud services, Facebook has a dedicated “Red Team”. This team is responsible for trying to hack the facebook app. They will set up random hacks to try to find vulnerabilities but also test how the teams respond to an incoming attack.

Security needs to be built into apps from the very beginning. This is done by training developers and using best practices, not by adding security onto the end as an afterthought.