This expert team is one reason why Facebook is able to move fast without breaking things
Thanks to Facebook's sheer scale, there are many potential avenues for hackers to attack. And thanks to its tremendous global reach, there are also many well-funded bad guys who would take advantage of any chinks in Facebook's armor.
Given that Facebook has a well-known mandate to "move fast and break things," this presents a dilemma.
"Security" and "moving fast" are usually exact opposites. Developers want to move fast, but the security team needs to make sure that the code they're writing isn't introducing new risks into the system.
So Facebook turned the usual security process on its head, so its developers can keep moving fast without breaking anything too serious.
"You still have to move fast, there's now just a cost to moving fast," says Facebook open source software engineer Christine Abernathy.
A crack team
Facebook software and security engineer Ted Reed says that the goal is to make security part of the normal workflow. If every developer at Facebook came to him whenever they got a suspicious e-mail, that would be ideal. But the next best thing is to lock everything down behind the scenes.
"We put the burden on ourselves," Reed says.
In a more proactive sense, Facebook's security squad is always working to protect the underlying infrastructure, making sure that the data that developers are working with is secured on every level. The goal is to make the underlying security completely unnoticeable to the developer.
"It becomes very hard to build insecure things," Reed says.
The security team also has to build a strong relationship with Facebook's developers.
Often, Reed says, a member of the infrastructure security team will join a Facebook project team to help them solve a problem - and end up joining that team permanently.
Facebook encourages that kind of team-jumping flexibility, and the security team loves it - it means that the product team in question now has someone devoted to preventing hacks.
Giving back
Another big way that the security team wins over Facebook developers is by giving them something that they can't get enough of: data.
"So either you made a code change, or someone else did," Reed says.
When there's a major data breach at companies like Target or Experian, Facebook's security team reads the news, gathers as much as it can about how their system was compromised, and then uses Osquery to make sure they're not vulnerable in the same way.
Most security types are "paranoid," Reed says, but he convinced Facebook's powers-that-be to allow them to release Osquery as open source - meaning that developers from all over the world can look into Osquery's source code and, crucially, contribute back.
It's a smash hit: Since its release in mid-2014, Osquery has become the number-one most popular security project on GitHub, the so-called Facebook for programmers.
Developers from big web companies have started using Osquery and contributing back their own data and the searches they routinely run using it, though Reed says those users don't like to discuss it. Again, security people are paranoid.
The end result, though, is that Reed's Osquery team can offer its developers a continually updated, constantly evolving look into the landscape of computers and how people are using them.
That data is especially important given that Facebook has a huge focus on getting people in the developing world online, where they might not be using a laptop running the latest and greatest version of Windows.
"We can give something back to developers," Reed says.
There's an obvious question here: Has Osquery ever actually turned back a hacker attack? Reed says he honestly doesn't know - it's not his department. He just builds the tools.
Sometimes, Reed says, Facebook's dedicated anti-intrusion squad will get an e-mail, jump up from their desks in alarm, and scramble to a conference room. But when Reed looks in, they're just playing Starcraft. He asks what happened, and they brush him off.
"Don't worry about it," they tell him.