Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools

Until recently, static analysis tools weren’t seen by our industry as a reliable element of securing code at scale. After nearly a decade of investing in refining these systems, I’m so proud to cel…

Clyde Rodriguez
5 min readadvanced
--
View Original

Overview

Facebook's engineering teams have been awarded the 2021 IEEE Computer Society Cybersecurity Award for their advancements in static analysis tools, specifically Infer and Zoncolan. The article discusses the importance of static analysis in securing code at scale and highlights the open-sourcing of tools like Pysa and Mariana Trench to enhance security across the industry.

What You'll Learn

1

How to utilize static analysis tools to identify security vulnerabilities in code

2

Why integrating static analysis with security engineering enhances vulnerability detection

3

When to apply different detection methods like static analysis versus fuzzing

Prerequisites & Requirements

  • Understanding of static analysis concepts and security vulnerabilities
  • Familiarity with static analysis tools like Infer, Pysa, and Mariana Trench(optional)

Key Questions Answered

What is the significance of Facebook's static analysis tools in cybersecurity?
Facebook's static analysis tools, such as Infer and Zoncolan, play a crucial role in identifying and preventing security vulnerabilities in their codebase. In the first half of 2021, over 50 percent of security bugs were detected using these automated tools, demonstrating their effectiveness in enhancing code security at scale.
How does Zoncolan help in securing Hack code?
Zoncolan was developed by analyzing past bug bounty reports and is designed to prevent insecure code from being committed. It automates the detection of vulnerabilities, allowing security engineers to focus on high-confidence issues flagged by the system, thus improving overall code security.
What are the capabilities of Pysa for Python code?
Pysa is designed to analyze proposed code changes in Python, providing results in about an hour. This rapid feedback loop allows developers to identify and fix potential security issues before they are integrated into the codebase, significantly speeding up the review process.
What role does Mariana Trench play in Android app security?
Mariana Trench focuses on scanning Android applications to flag potential security issues before they reach production. Given the update constraints of mobile apps, it is essential for developers to use tools like Mariana Trench to prevent vulnerabilities from being released to users.

Key Statistics & Figures

Percentage of security bugs detected by automated tools
50 percent
In the first half of 2021, more than 50 percent of the security bugs found at Facebook were detected with the help of automated static analysis tools.

Technologies & Tools

Static Analysis Tool
Infer
Used for detecting security vulnerabilities in code.
Static Analysis Tool
Zoncolan
Developed for Hack code to prevent insecure code commits.
Static Analysis Tool
Pysa
Analyzes Python code changes to identify security issues quickly.
Static Analysis Tool
Mariana Trench
Scans Android applications for security vulnerabilities before production.

Key Actionable Insights

1
Integrate static analysis tools into your development workflow to enhance security.
By using tools like Infer, Pysa, and Zoncolan, teams can automate the detection of vulnerabilities, allowing for quicker identification and remediation of security issues, which is crucial in fast-paced development environments.
2
Leverage open-source static analysis tools to contribute to community security.
Open-sourcing tools like Pysa and Mariana Trench allows other developers to benefit from Facebook's advancements in security, fostering a collaborative approach to improving code safety across the industry.
3
Establish a feedback loop between security engineers and static analysis experts.
This collaboration can lead to the development of more effective detection rules and the elimination of false positives, enhancing the overall efficacy of security measures in code reviews.

Common Pitfalls

1
Relying solely on manual code reviews can lead to missed vulnerabilities.
Manual reviews are time-consuming and may not scale effectively with large codebases. Implementing automated static analysis tools can help ensure that vulnerabilities are consistently identified and addressed.