Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools
By Clyde Rodriguez, VP of engineering, Facebook
Until recently, our industry didn’t see static analysis tools as a reliable element of securing code at scale. After nearly a decade of investing in refining these systems, I’m so proud to celebrate our engineering teams — Francesco Logozzo, Manuel Fahndrich, Peter O'Hearn, Dino Distefano — for being awarded the IEEE Computer Society’s Cybersecurity Award for Practice for development and deployment of static analysis systems, including Infer and Zoncolan. Here, I’ll focus on the security-specific tools that help us find and prevent security bugs across multiple programming languages.
Why we invest in static analysis
Keeping people’s data and our infrastructure secure is essential to our team’s mission at Facebook. When it comes to scanning large codebases that change thousands of times a day, it can be challenging for the security engineers reviewing that code to detect security and privacy issues. Manually monitoring that code requires more time and resources than could possibly scale. To tackle this problem and to make sure our detection tools match our scale, we have invested time and engineering resources to create and train our static analysis algorithms to work effectively with large codebases to find security bugs.
Our original thesis was that, by partnering the top static analysis experts with our security engineers, we could go much further in understanding where and how security engineers can benefit from this type of system. As a result, we created a feedback loop that ultimately led to finding and eliminating entire classes of vulnerabilities in our codebase. In the first half of 2021, more than 50 percent of the security bugs we found were detected with the help of these automated tools.