{"id":492,"date":"2021-10-20T14:20:45","date_gmt":"2021-10-20T14:20:45","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2021\/10\/20\/facebook-engineers-receive-2021-ieee-computer-society-cybersecurity-award-for-static-analysis-tools\/"},"modified":"2021-10-20T14:20:45","modified_gmt":"2021-10-20T14:20:45","slug":"facebook-engineers-receive-2021-ieee-computer-society-cybersecurity-award-for-static-analysis-tools","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2021\/10\/20\/facebook-engineers-receive-2021-ieee-computer-society-cybersecurity-award-for-static-analysis-tools\/","title":{"rendered":"Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools"},"content":{"rendered":"<p><span>Until recently, static analysis tools weren\u2019t seen by our industry as a reliable element of securing code at scale. After nearly a decade of investing in refining these systems, I\u2019m so proud to celebrate our engineering teams today for being awarded the IEEE Computer Society\u2019s Cybersecurity Award for Practice for development and deployment of static analysis systems, including<\/span><a href=\"https:\/\/fbinfer.com\/\"> <span>Infer<\/span><\/a><span> and Zoncolan. Here, I\u2019ll focus on the security-specific tools that help us find and prevent security bugs across multiple programming languages.<\/span><\/p>\n<h2><span>Why we invest in static analysis<\/span><\/h2>\n<p><span>Keeping people\u2019s data and our infrastructure secure is important to our team\u2019s mission at Facebook. When it comes to scanning large codebases that change thousands of times a day, it can be challenging for the security engineers reviewing that code to detect security and privacy issues. Manually monitoring that code requires more time and resources than could possibly scale. 
To tackle this problem and to make sure our detection tools match our scale, we have invested time and engineering resources to build and tune our static analysis systems to work effectively with large codebases to find security bugs.<\/span><\/p>\n<p><span>Our original thesis was that, by partnering the top static analysis experts with our security engineers, we would be able to go much further in understanding where and how security engineers can benefit from this type of system. <\/span><span>As a result, we created a feedback loop that ultimately led to finding and eliminating entire classes of vulnerabilities in our codebase. In the first half of 2021, more than 50 percent of the security bugs we found were detected with the help of these automated tools.<\/span><\/p>\n<h2><span>Open sourcing static analysis tools<\/span><\/h2>\n<p><span>The more our entire industry builds its products on the same shared libraries, the more all of us have a stake in spotting and preventing security bugs across the internet. That\u2019s why our engineers have open-sourced our static analysis tools, Pysa and Mariana Trench.<\/span><\/p>\n<p><span>Here is more about these systems and how they can be useful to other teams in the industry.<\/span><\/p>\n<p><a href=\"https:\/\/engineering.fb.com\/2019\/08\/15\/security\/zoncolan\/\"><span>Zoncolan<\/span><\/a> <span>for Hack:<\/span> <span>We began developing Zoncolan for<\/span><a href=\"https:\/\/hacklang.org\/\"> <span>Hack<\/span><\/a><span> code by analyzing our database of past bug bounty reports, root causes, and corresponding code fixes. When we discover a new class of issue, we evaluate whether static analysis is the best form of detection (compared with other detection approaches like fuzzing or<\/span><a href=\"https:\/\/research.fb.com\/publications\/ivd-automatic-learning-and-enforcement-of-authorization-rules-in-online-social-networks\/\"> <span>Invariant Detector<\/span><\/a><span>). 
For each new Zoncolan rule, a security engineer evaluates the initial results to confirm that the rule actually captures the desired scenario and to provide guidance on ways to eliminate false positives. Today, we use Zoncolan to prevent committing code that the system flags as insecure with high confidence; and to automate continuous detection of potentially insecure code to be flagged for investigation by security engineers.<\/span><br \/>\n<a href=\"https:\/\/engineering.fb.com\/2020\/08\/07\/security\/pysa\/\"><span>Pysa<\/span><\/a><span> for Python (<\/span><a href=\"https:\/\/pyre-check.org\/docs\/pysa-quickstart\"><span>open-source<\/span><\/a><span>):<\/span> <span>Our success and experience with building Zoncolan inspired us to expand the development of static analysis tools to other programming languages we rely on. Our largest repository of Python code is the millions of lines that power Instagram\u2019s servers. When we run Pysa on a developer\u2019s proposed code change, the tool provides results in about an hour rather than the weeks or months it could take to review manually. These rapid results help us find and prevent an issue fast enough to keep it from being introduced into our codebase. The results go either directly to the developer or to security engineers, depending on the type of issue detected and the signal-to-noise ratio of our detections for that specific issue.<\/span><br \/>\n<a href=\"https:\/\/engineering.fb.com\/2021\/09\/29\/security\/mariana-trench\/\"><span>Mariana Trench<\/span><\/a><span> for Java and Android (<\/span><a href=\"https:\/\/github.com\/facebook\/mariana-trench\/\"><span>open-source<\/span><\/a><span>): We built Mariana Trench to focus on Android apps. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way. 
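<p><span>To make the source-to-sink rule behind a tool like Pysa concrete, here is an added example written for this page; it is not code from Pysa, Zoncolan or Facebook. It is a toy taint checker built on the standard ast module. It models the three pieces a Pysa rule is built from, a source (a request parameter read), a sanitizer (shlex.quote) and a sink (os.system or eval), propagates taint through assignments, string concatenation and f-strings, and reports any flow from a source to a sink. The source, sink and sanitizer names and the two sample handlers are constructed for the example; Pysa itself is interprocedural and far more thorough, so this shows the shape of the rule, not the tool.<\/span><\/p>

```python
# Added toy taint checker for this page; not Pysa code, and the rule names are assumptions.
import ast

# Assumed rule: where taint enters, what clears it, where it must not arrive.
# (Pysa declares the equivalent in .pysa model files and taint.config.)
SOURCES = {'request.GET.get', 'request.POST.get', 'input'}
SANITIZERS = {'shlex.quote', 'int'}
SINKS = {'os.system': 'RemoteCodeExecution', 'subprocess.call': 'RemoteCodeExecution',
         'eval': 'RemoteCodeExecution'}


def dotted_name(node):
    '''Return 'a.b.c' for a Name/Attribute chain, or None for anything else.'''
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return '.'.join(reversed(parts))
    return None


class TaintChecker(ast.NodeVisitor):
    '''Flow-insensitive, single-module taint propagation (deliberately a toy).'''

    def __init__(self):
        self.tainted = {}    # variable name -> label of the source that tainted it
        self.findings = []   # (line, source, sink, rule)

    def taint_of(self, node):
        '''Return the source label carried by an expression, or None if clean.'''
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return name
            if name in SANITIZERS:
                return None           # a sanitizer call yields a clean value
            for arg in node.args:     # any other call passes taint through
                label = self.taint_of(arg)
                if label:
                    return label
            return None
        if isinstance(node, ast.JoinedStr):   # f-string
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    label = self.taint_of(part.value)
                    if label:
                        return label
            return None
        if isinstance(node, ast.BinOp):       # 'prefix' + x, 'fmt %s' % x
            return self.taint_of(node.left) or self.taint_of(node.right)
        return None                            # literals and unmodelled nodes

    def visit_Assign(self, node):
        label = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if label:
                    self.tainted[target.id] = label
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for arg in node.args:
                label = self.taint_of(arg)
                if label:
                    self.findings.append((node.lineno, label, name, SINKS[name]))
        self.generic_visit(node)


def find_taint_flows(source_code):
    '''Parse a module and return every source-to-sink flow the toy rule finds.'''
    checker = TaintChecker()
    checker.visit(ast.parse(source_code))
    return checker.findings


# Constructed sample input: a vulnerable handler next to its hardened form.
VULNERABLE = '''
import os
def ping(request):
    host = request.GET.get('host')
    cmd = f'ping -c 1 {host}'
    os.system(cmd)
'''

HARDENED = '''
import os, shlex
def ping(request):
    host = shlex.quote(request.GET.get('host'))
    cmd = 'ping -c 1 ' + host
    os.system(cmd)
'''

if __name__ == '__main__':
    for name, code in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        print(name, find_taint_flows(code))   # vulnerable: one flow at line 6
```

<p><span>Running the module reports one flow for the vulnerable handler (line 6, a request parameter reaching os.system) and none for the hardened one, because the sanitizer call clears the taint before the value reaches the sink. The checker is intentionally flow-insensitive and intraprocedural; what a Pysa-style tool adds is applying the same source, sink and sanitizer model interprocedurally across millions of lines, with security engineers tuning the model to cut false positives in the way the Zoncolan passage above describes.<\/span><\/p>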
This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible. Mariana Trench is designed to scan large mobile codebases and flag potential issues on pull requests before they make it into production.<\/span><\/p>\n<h2><span>Preventing security and privacy bugs at Facebook<\/span><\/h2>\n<p><span>Of course, not all bugs can be eliminated with one method alone. That\u2019s why we rely on a defense-in-depth<\/span> <span>approach to layer protections, including runtime program analysis that monitors program and data behaviors in order to flag anomalies; code reviews to examine code, read documentation, and study the architecture of features, products, and projects to assess their security; and bug bounty programs to find and patch vulnerabilities before they are disclosed to the general public. We will continue sharing our learnings and tools with the open-source community to contribute and do our part in securing the internet.<\/span><\/p>\n<p><a href=\"https:\/\/www.facebook.com\/careers\/life\/introducing-our-security-team\"><span>Learn more about Facebook Security Engineering and open roles here.<\/span><\/a><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2021\/10\/20\/security\/static-analysis-award\/\">Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Facebook Engineering<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Until recently, static analysis tools weren\u2019t seen by our industry as a reliable element of securing code at scale. 
After nearly a decade of investing in refining these systems, I\u2019m so proud to celebrate our engineering teams today for being awarded the IEEE Computer Society\u2019s Cybersecurity Award for Practice for development and deployment of static&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2021\/10\/20\/facebook-engineers-receive-2021-ieee-computer-society-cybersecurity-award-for-static-analysis-tools\/\">Continue reading <span class=\"screen-reader-text\">Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-492","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":480,"url":"https:\/\/fde.cat\/index.php\/2021\/09\/29\/open-sourcing-mariana-trench-analyzing-android-and-java-app-security-in-depth\/","url_meta":{"origin":492,"position":0},"title":"Open-sourcing Mariana Trench: Analyzing Android and Java app security in depth","date":"September 29, 2021","format":false,"excerpt":"We\u2019re sharing details about Mariana Trench (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications. 
As part of our effort to help scale security through building automation, we recently open-sourced MT to support security engineers at Facebook and across the industry.\u00a0\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":728,"url":"https:\/\/fde.cat\/index.php\/2023\/06\/27\/meta-developer-tools-working-at-scale\/","url_meta":{"origin":492,"position":1},"title":"Meta developer tools: Working at scale","date":"June 27, 2023","format":false,"excerpt":"Every day, thousands of developers at Meta are working in repositories with millions of files. Those developers need tools that help them at every stage of the workflow while working at extreme scale. In this article we\u2019ll go through a few of the tools in the development process. And, as\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":658,"url":"https:\/\/fde.cat\/index.php\/2022\/11\/30\/enabling-static-analysis-of-sql-queries-at-meta\/","url_meta":{"origin":492,"position":2},"title":"Enabling static analysis of SQL queries at Meta","date":"November 30, 2022","format":false,"excerpt":"UPM is our internal standalone library to perform static analysis of SQL code and enhance SQL authoring.\u00a0 UPM takes SQL code as input and represents it as a data structure called a semantic tree. 
Infrastructure teams at Meta leverage UPM to build SQL linters, catch user mistakes in SQL code,\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":170,"url":"https:\/\/fde.cat\/index.php\/2020\/12\/14\/infer-powering-microsofts-infer-a-new-static-analyzer-for-c\/","url_meta":{"origin":492,"position":3},"title":"Infer powering Microsoft\u2019s Infer#, a new static analyzer for C#","date":"December 14, 2020","format":false,"excerpt":"What it is: Infer# brings the Infer static analysis platform to developers who use Microsoft\u2019s C# programming language. It can already detect null-pointer dereference and resource leak bugs, thanks to bi-abduction analysis. Detection of race conditions based on RacerD analysis is also in the works. Infer# has been used to\u2026","rel":"","context":"In &quot;External&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":656,"url":"https:\/\/fde.cat\/index.php\/2022\/11\/22\/retrofitting-null-safety-onto-java-at-meta\/","url_meta":{"origin":492,"position":4},"title":"Retrofitting null-safety onto Java at Meta","date":"November 22, 2022","format":false,"excerpt":"We developed a new static analysis tool called Nullsafe that is used at Meta to detect NullPointerException (NPE) errors in Java code. Interoperability with legacy code and gradual deployment model were key to Nullsafe\u2019s wide adoption and allowed us to recover some null-safety properties in the context of an otherwise\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":777,"url":"https:\/\/fde.cat\/index.php\/2023\/10\/24\/automating-dead-code-cleanup\/","url_meta":{"origin":492,"position":5},"title":"Automating dead code cleanup","date":"October 24, 2023","format":false,"excerpt":"Meta\u2019s Systematic Code and Asset Removal Framework (SCARF) has a subsystem for identifying and removing dead code. 
SCARF combines static and dynamic analysis of programs to detect dead code from both a business and programming language perspective. SCARF automatically creates change requests that delete the dead code identified from the\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=492"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/492\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}