May 10, 2018

Tips to building security in apps from the ground up: the FB way

Posted by Emily Fox

Last week a few of our developers spent the week at F8, the Facebook Developer Conference in San Jose, to hear about security updates in light of the Cambridge Analytica situation, along with new updates about the apps under the Facebook umbrella.

While Facebook announced some interesting new features during the keynotes, like Augmented Reality Camera Effects, video calling coming to Instagram, the ability to clear your FB history much as you can clear browser cookies (and, of course, the new Facebook Dating site), our big takeaway was what Facebook is doing for security at scale and how we can improve security as we continue to grow.

  • Train up developers on your security standards
    At Facebook, all new developers go through a 6-8 week boot camp before they touch any Facebook code. This ensures all engineers start with the same knowledge. The training covers the development stack along with security best practices.
  • Use existing secure libraries instead of reinventing the wheel
    This should be common practice among most developers. For example, if you’re implementing a payment method on an e-commerce site you will most likely use something like PayPal, which lets the payment provider take care of most of the security.
    Let experts write secure code and keep it up to date so that you can focus on the security of the functionality you’re writing. Libraries and packages are usually patched whenever a vulnerability is found, so keeping your dependencies updated whenever a new release is available keeps your code secure.
  • Keep different code stacks to a minimum
    Facebook uses one stack to write all their code, so all developers use the same languages and can easily understand code other developers are contributing. This reduces the risk of security vulnerabilities that occur when people aren’t as experienced with a language. View the Facebook Stack here. Along with using their own stack, they also wrote Hack, which sits on top of PHP but adds additional security.
  • Peer review every piece of code no matter how small, and use automated testing
    Before any code goes to production it undergoes peer review. Once a developer reviews a piece of code, their name is on it, so they’re responsible for it once it’s in production too. This gives developers a stronger incentive to review thoroughly. In addition, all code goes through extensive automated tests before it gets pushed to production.
  • Continuous Integration, Continuous Delivery
    Along with peer reviews and automated testing, use infrastructure to merge and deploy code. The code is automatically deployed once tests pass, allowing developers to patch code easily and quickly.
  • Document and track all bugs
    Facebook has set up a bug reward process, encouraging people to report bugs and vulnerabilities by offering incentives. In some cases, developers have also been hired after reporting bugs.
  • Hack your own apps
    Similar to the Netflix Simian Army for their cloud services, Facebook has a dedicated “Red Team”. This team is responsible for trying to hack the Facebook app. They stage unannounced attacks to find vulnerabilities, but also to test how the teams respond to an incoming attack.

Security needs to be built into apps from the very beginning. This is done by training developers and using best practices, not by adding security onto the end as an afterthought.

Tags: f8, Facebook, security
