Until recently, static analysis tools weren’t seen by our industry as a reliable element of securing code at scale. After nearly a decade of investing in refining these systems, I’m so proud to celebrate our engineering teams today for being awarded the IEEE Computer Society’s Cybersecurity Award for Practice for development and deployment of static analysis systems, including Infer and Zoncolan. Here, I’ll focus on the security-specific tools that help us find and prevent security bugs across multiple programming languages.
Why we invest in static analysis
Keeping people’s data and our infrastructure secure is important to our team’s mission at Facebook. When it comes to scanning large codebases that change thousands of times a day, it can be challenging for the security engineers reviewing that code to detect security and privacy issues. Manually monitoring that code would require more time and resources than we could possibly scale. To tackle this problem and to make sure our detection tools match our scale, we have invested time and engineering resources to create and train our static analysis algorithms to work effectively with large codebases to find security bugs.
Our original thesis was that by partnering the top static analysis experts with our security engineers, we would be able to go much further in understanding where and how security engineers can benefit from this type of system. As a result, we created a feedback loop that ultimately led to finding and eliminating entire classes of vulnerabilities in our codebase. In the first half of 2021, more than 50 percent of the security bugs we found were detected with the help of these automated tools.
Open-sourcing static analysis tools
The more our entire industry relies on common libraries to build different products, the more we are all invested in spotting and preventing security bugs across the internet. That’s why our engineers have open-sourced our static analysis tools, Pysa and Mariana Trench.
Here is more about these systems and how they can be useful to other teams in the industry:
- Zoncolan for Hack: We began developing Zoncolan for Hack code by analyzing our database of past bug bounty reports, root causes, and corresponding code fixes. When we discover a new class of issue, we evaluate whether static analysis is the best form of detection (compared with other detection approaches like fuzzing or Invariant Detector). For each new Zoncolan rule, a security engineer evaluates the initial results to confirm that the rule actually captures the desired scenario and to provide guidance on ways to eliminate false positives. Today, we use Zoncolan to prevent committing code that the system flags as insecure with high confidence and to automate continuous detection of potentially insecure code to be flagged for investigation by security engineers.
- Pysa for Python (open source): Our success and experience with building Zoncolan inspired us to expand the development of static analysis tools to other programming languages we rely on. Our largest repository of Python code is the millions of lines that power Instagram’s servers. When we run Pysa on a developer’s proposed code change, the tool provides results in about an hour rather than the weeks or months it could take to review manually. These rapid results help us find and prevent an issue fast enough to keep it from being introduced into our codebase. The results go directly to either the developer or security engineers, depending on the type of issue detected and the signal-to-noise ratio of our detections for that specific issue.
- Mariana Trench for Java and Android (open source): We built Mariana Trench to focus on Android apps. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way. This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible. Mariana Trench is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production.
Preventing security and privacy bugs at Facebook
Of course, not all bugs can be eliminated with one method alone. That’s why we rely on a defense-in-depth approach to layer protections, including runtime program analysis that monitors program and data behaviors in order to flag anomalies; code reviews to examine code, read documentation, and study the architecture of features, products, and projects to assess their security; and bug bounty programs to find and patch vulnerabilities before they are disclosed to the general public. We will continue sharing our learnings and tools with the open source community to contribute and do our part in securing the internet.