How to scale security: An inside look at how Facebook does it

Implementing measures to scale security is pivotal to Facebook achieving its mission to "give people the power to build community and bring the world closer together" -- as well as secure its array of underlying infrastructures, family of applications and users.

"We work really hard to help make Facebook a safe place for people to connect and share with each other," said Aanchal Gupta, director of security at Facebook. Gupta leads a global team responsible for assessing and mitigating security risks across Facebook and its family of applications, including WhatsApp, Instagram and Oculus. Prior to joining Facebook, she was CISO at Microsoft for Skype and Skype for Business.

In part one of this three-part Q&A, Gupta gives an overview of the best practices and methodologies that Facebook has employed to scale security. She provides three focus areas to get there, including the importance of automation techniques when trying to scale security processes.

Editor's note: The following transcript has been edited for clarity and length.

Why is it important to scale security?

Aanchal Gupta: One primary reason for us is that we have more than 2 billion people using our platform. They trust us with their sensitive information and it is our primary goal to keep our platform safe and secure.

Aanchal Gupta

We are doing work in some new technological areas and we want to make sure that even though we are pioneering in those areas, we are also pioneering on the security controls in those areas. When I talk about 2 billion users, that's only one offering, which is Facebook. We also have other offerings like Instagram, WhatsApp and Messenger. We want to make sure that all our offerings are secure offerings. This is important to us and that's why we are very focused on scaling security.

How is Facebook working to scale security and what are the focus areas?

Gupta: As our user base is growing and we are innovating in new areas, the three areas we focus on are technical solutions, lightweight process and security programs.

Technical solutions are where we are building automated solutions that help our engineering scale. Lightweight process is where we look at where we can automate something from the process aspect based upon repeatable patterns. The third one is security programs -- we have various internal and external security programs in place.

What best practices has Facebook adopted to scale security?

Gupta: From the best practices aspect, I personally think that automating is key, because when you are automating something you are basically lifting all boats. I can give you a few examples of how we have done this.

We built tools for our engineers to use when they are writing code so that it's much harder for security issues to be introduced inadvertently. We recently open sourced Pyre, which is a static type checker for Python. It is designed to help improve code quality and the development speed [in large Python codebases] by flagging type errors. It's an interactive tool; you can integrate it with your terminal or editor. We also recently introduced new machine learning techniques.

We also built a lot of tools for our end users because we believe in empowering them. These are things like two-factor authentication via security keys, notifications about untrusted logins, and trusted contacts -- where you choose highly trusted friends to help you regain access to your account if you lose access.

We want to make sure that internet is secure and everybody is building products more securely.

How is Facebook implementing security automation?

Gupta: We rely heavily on security automation; companies need to scale by automation.

We want to make sure that the internet is secure and everybody is building products more securely. Given the pace at which we work, we cannot just do everything manually. We automate a lot and Pyre is a good example. As developers are writing code, Pyre can run in background and it will do a static type checking for developers, so they don't have to worry about making these mistakes unknowingly.

Integrating your security tools with your development workflow is important. Developers used to write their code and give it to security experts for manual review, or security experts would go and run some tools on it to check that there are no security gaps in there. But given the pace at which we work these days, it's not a very scalable model so we have to make this a part of the entire workflow. Today, most of the companies are doing it this way -- rather than bringing this into your development cycle later it is very much integrated with your development cycle.

Osquery is another good example. It is used by a lot of people in the industry. What it does is it pretty much converts the operating system-level event into a relational database. When you have those events all structured in a relational database, you can write SQL query because now your data is structured. If it wasn't structured then you would have all sorts of logs going around and it makes it very hard for you to do any detection and forensics on those machines.

What roadblocks have you faced on your path to scale security?

Gupta: I wouldn't call them roadblocks. We do realize that it's our responsibility to keep our users secure on our platform. This is a challenge that is both humbling as well as motivating for both me and my team.

As we are innovating in new areas like augmented reality or virtual reality -- these are totally new areas where we are pioneering in -- we need to make sure that we are investing and pioneering in the security aspects of these areas as well. Oculus is one good example where we are using virtual reality. As for Oculus, we are building the hardware as well as operating system and the browser, so there's a lot of investment we are making in Oculus and we want to make sure that the entire stack is secure.

We invest in top security experts and they review the entire stack, working hand-in-hand with engineering. They are not just focusing on the code, but they are looking at all the three aspects I mentioned -- the technical aspect, the process aspect and the program aspect of it -- making sure that whatever offering we have for our users is secure.

Check out part two of the Q&A where Gupta talks about how Facebook is building diverse security teams.