Teaching an Old Dog New Tricks: Reusing Security Solutions in Novel Domains

The security industry has spent decades building up tooling and knowledge on how to detect flaws in software that lead to vulnerabilities. To detect a breadth of vulnerabilities, these tools are built to identify general patterns such as data following from a source to a sink. These generalized patterns also map to problems in domains a diverse as performance, compliance, privacy, and data abuse. In this talk, I’ll present a series of case studies to show how Meta engineers have applied our security tools to detect and prevent implementation flaws in domains such as these.

I’ll go deep on a case study showing how static taint flow analysis —a tool Meta first deployed for security purposes— helped us make sure we weren’t storing or misusing user locations when we launched Instagram Threads. Then, to show that that case study was not an isolated example, I’ll more quickly walk through a half dozen additional examples where tools from our Product Security team have been used to check for implementation flaws in other domains. Finally, we’ll discuss the limitations of this approach, stemming from the tools themselves, differing organizational structures, and the ever-present need for defense in depth.

By the end of this talk, you should walk away brimming with ideas on new applications for your organization’s existing security tooling.