Cybersecurity award for Facebook static analysis
Until recently, static analysis tools were not viewed by our industry as a reliable means of securing code at scale. After nearly a decade of investing in the advancement of these systems, I am very proud today to celebrate our engineering teams receiving the IEEE Computer Society's Cybersecurity Award for Practice for developing and deploying static analysis systems, including Infer and Zoncolan. Here I focus on the security tools that help us find and prevent security bugs in multiple programming languages.
Why we invest in static analysis
The security of people's data and our infrastructure is central to the mission of our team at Facebook. When it comes to large code bases that change a thousand times a day, it is difficult for security engineers to review every change for security and privacy issues. Manual review of this code takes more time and resources than could ever scale. To address this and to ensure that our detection tools were up to scratch, we invested time and engineering resources in building and tuning our static analysis algorithms to work effectively on large code bases and find security flaws.
Our original thesis was that by having the best static analysis experts work directly with our security engineers, we could go much further in understanding where and how security engineers benefit from this type of system. As a result, we created a feedback loop that ultimately led to entire classes of vulnerabilities in our code base being found and eliminated. In the first half of 2021, more than 50 percent of the security issues we found were detected with the help of these automated tools.
Open-sourcing static analysis tools
Because our entire industry builds its products on the same popular libraries, the more widely we share our tools, the more we contribute to identifying and preventing vulnerabilities across the Internet. For this reason, our engineers have made our static analysis tools Pysa and Mariana Trench available as open source.
Here’s more about these systems and how they can be useful to other teams in the industry:
- Zoncolan for Hack: We started developing Zoncolan for Hack code by analyzing our database of previous bug bounty reports, their root causes and the related code fixes. When we discover a new class of problems, we evaluate whether static analysis is the best form of detection (compared to other approaches such as fuzzing or invariant detection). For each new Zoncolan rule, a security engineer evaluates the initial results to confirm that the rule actually captures the intended scenario and to provide guidance on how to resolve false positives. Today we use Zoncolan to block commits that the system marks as unsafe with a high degree of certainty, and to automate the continuous detection of potentially unsafe code that should be flagged for investigation by security engineers.
- Pysa for Python (open source): Our success and experience developing Zoncolan inspired us to extend static analysis tooling to the other programming languages we rely on. Our largest Python code repository is the millions of lines that power Instagram's servers. When we run Pysa on a code change proposed by a developer, the tool delivers results in about an hour, rather than the weeks or months a manual review would take. These quick results let us find and prevent a problem early enough to keep it out of our code base. The results go directly to the developer or to the security engineers, depending on the type of problem detected and the signal-to-noise ratio of our detections for that particular problem.
- Mariana Trench for Java and Android (open source): We developed Mariana Trench to focus on Android apps. While server-side code for web apps can be updated almost instantly, mitigating a security flaw in an Android application depends on each user updating the app on their device in a timely manner. That makes it all the more important for every app developer to set up systems that keep vulnerabilities out of mobile releases wherever possible. Mariana Trench is designed to scan large mobile code bases and identify potential problems in pull requests before they go into production.
Preventing security and privacy errors on Facebook
Of course, not all errors can be eliminated with one method alone. That is why we rely on a defense-in-depth approach that layers protections, including run-time program analysis that monitors program and data behavior to detect anomalies; code reviews that examine code, read documentation, and study the architecture of functions, products, and projects to assess their security; and bug bounty programs to find and fix vulnerabilities before they can be exploited. We will continue to share our insights and tools with the open source community to do our part to keep the Internet safe.
Find out more about Facebook Security Engineering and open positions here.