Teaching an Old Dog New Tricks: Reusing Security Solutions in Novel Domains

Note: Presentation times are in Pacific Standard Time (PST).

Tuesday, February 01, 2022 - 4:30 pm – 5:00 pm

Graham Bleaney, Meta


The security industry has spent decades building up tooling and knowledge on how to detect flaws in software that lead to vulnerabilities. To detect a breadth of vulnerabilities, these tools are built to identify general patterns such as data flowing from a source to a sink. These generalized patterns also map to problems in domains as diverse as performance, compliance, privacy, and data abuse. In this talk, I’ll present a series of case studies to show how Meta engineers have applied our security tools to detect and prevent implementation flaws in domains such as these.

I’ll go deep on a case study showing how static taint flow analysis —a tool Meta first deployed for security purposes— helped us make sure we weren’t storing or misusing user locations when we launched Instagram Threads. Then, to show that this case study was not an isolated example, I’ll more quickly walk through a half dozen additional examples where tools from our Product Security team have been used to check for implementation flaws in other domains. Finally, we’ll discuss the limitations of this approach, stemming from the tools themselves, differing organizational structures, and the ever-present need for defense in depth.
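To make the "same pattern, different domain" idea concrete, here is a small added example (it is not Meta's analyzer and not code from the talk) of a toy source-to-sink taint tracker over the Python AST. The engine is identical for both runs; only the model changes: a security model (untrusted request input reaching a SQL sink) and a privacy model (a precise user location reaching a persistent store or a log). The function names `request_param`, `execute_sql`, `escape_sql`, `get_user_location`, `coarsen_to_city`, `store_persistently` and `log_event`, and the sample code they appear in, are constructed for the illustration and stand for whatever APIs a real codebase would mark as sources, sinks and sanitizers. Real tools such as Pysa add interprocedural analysis and flow-sensitivity; this tracker is intraprocedural and treats every assignment as a plain taint propagation.

```python
import ast

# Two domain models for one engine. Only the tables differ; each names the
# functions whose return value is tainted (sources), the functions that must
# never receive tainted data (sinks), and the functions that neutralise the
# taint for that domain (sanitizers). All names are constructed for the example.
SECURITY_MODEL = {
    "sources": {"request_param"},        # attacker-controlled input
    "sinks": {"execute_sql"},            # SQL injection sink
    "sanitizers": {"escape_sql"},
}
PRIVACY_MODEL = {
    "sources": {"get_user_location"},    # precise user location
    "sinks": {"store_persistently", "log_event"},  # retention / logging sinks
    "sanitizers": {"coarsen_to_city"},   # coarse location is acceptable to keep
}


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural, flow-insensitive taint propagation over assignments."""

    def __init__(self, model):
        self.sources = model["sources"]
        self.sinks = model["sinks"]
        self.sanitizers = model["sanitizers"]
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (sink name, line number) pairs

    @staticmethod
    def _call_name(call):
        func = call.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return func.attr
        return None

    def _is_tainted(self, node):
        # A sanitizer call cuts the flow; a source call starts it; a tainted
        # name carries it; anything else is tainted if any child is.
        if isinstance(node, ast.Call):
            name = self._call_name(node)
            if name in self.sanitizers:
                return False
            if name in self.sources:
                return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self._is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_FunctionDef(self, node):
        self.tainted = set()   # taint state is local to each function body
        self.generic_visit(node)

    def visit_Assign(self, node):
        tainted = self._is_tainted(node.value)
        for target in node.targets:
            for name in ast.walk(target):
                if isinstance(name, ast.Name):
                    (self.tainted.add if tainted else self.tainted.discard)(name.id)
        self.generic_visit(node)   # still inspect calls inside the RHS

    def visit_Call(self, node):
        name = self._call_name(node)
        if name in self.sinks and any(self._is_tainted(arg) for arg in node.args):
            self.findings.append((name, node.lineno))
        self.generic_visit(node)


def find_flows(source_code, model):
    """Return [(sink, line), ...] for every tainted value reaching a sink."""
    tracker = TaintTracker(model)
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample program exercising both domains. Line 1 is blank.
SAMPLE = '''
def handler(request):
    q = request_param(request, "q")
    execute_sql("SELECT * FROM t WHERE name = " + q)       # line 4: injection
    safe = escape_sql(q)
    execute_sql("SELECT * FROM t WHERE name = " + safe)    # sanitized, clean

def create_thread(user):
    loc = get_user_location(user)
    city = coarsen_to_city(loc)
    store_persistently(city)            # coarse location may be stored
    log_event("thread_created", loc)    # line 12: precise location leaks to a log
'''

if __name__ == "__main__":
    print("security:", find_flows(SAMPLE, SECURITY_MODEL))
    print("privacy: ", find_flows(SAMPLE, PRIVACY_MODEL))
```

Running it reports one finding per model: the SQL sink on line 4 of the sample under the security model, and the log sink on line 12 under the privacy model. The point of the exercise is that nothing in `TaintTracker` knows which domain it is serving; the privacy review is a configuration change, not a new tool.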

By the end of this talk, you should walk away brimming with ideas on new applications for your organization’s existing security tooling.

Graham (@GrahamBleaney) is a Security Engineer at Meta. He focuses on keeping Instagram and other Python codebases secure and private, through a mix of reviews, trainings, secure frameworks, and static analysis. He has previously spoken publicly about his work at PyCon 2021 and DEF CON 28.
