Explore a comprehensive conference talk from nullcon Goa 2017 on engineering better security practices at Facebook. Delve into real-world security issues, vulnerability prevention, and detection techniques. Learn how Facebook empowers engineers to write more secure code through innovative tooling. Discover insights on the software development lifecycle, PHP, Hack, asynchronous functions, cross-site scripting, code abuse prevention, and code review processes. Examine linting techniques, Harold Rules, and production security measures. Investigate TLS, Certificate Transparency, and its practical applications. Gain valuable knowledge on scaling security efforts, managing false positives, and implementing effective security programs in large-scale environments. Benefit from the expertise of Karen Sittig, a Software Engineer at Facebook with a strong background in applied machine learning for security applications.
Overview
Syllabus
Introduction
About Karen
Software Development Lifecycle
PHP
Hack
Asynchronous function
Asynchronous call
Crosssite scripting
XHT
HTML
Example
Code Abuse
Code Reviews
linting
subscribe
Harold Rules
stuffing in production
Buzzers
Spring Deserialization
Head
TLS
Certificate Transparency
Certificate Transparency Example
Recap
Writing your code
Code review
Certificate transparency program
How do you scale
Rate of false positives
How far do we go
Herald Rules
Taught by
nullcon
