Interview with Joe Sullivan, CSO at Facebook

Joe Sullivan is the Chief Security Officer at Facebook, where he manages a small part of a company-wide effort to ensure a safe internet experience for Facebook users. He and the Facebook Security Team work internally to develop and promote high product security standards, partner externally to promote safe internet practices, and coordinate internal investigations with outside law enforcement agencies.

Being the CSO of Facebook certainly puts you into the spotlight. How have your prior positions prepared you for your work at Facebook?

I can think of two important ways my prior positions have helped prepare me for my current responsibilities. Before Facebook I worked as a federal prosecutor working on cybercrime cases that were in the media every day and then worked at eBay during the early part of the 2000s when that company was celebrated and scrutinized, . In both of those places I was challenged to develop creative solutions – because we were breaking new ground in areas where there was not much precedent. Likewise, in both I learned how to stay effective and focused even when under a serious microscope. Both skills, the ability to develop creative solutions to new and unique problems, and the ability to stay focused on addressing real risks and threats while under great scrutiny, are critically important for succeeding in my role at Facebook.

Facebook has partnered with the National Cyber Security Alliance on the STOP. THINK. CONNECT. campaign over two years ago. What are your thoughts about how public-awareness-raising campaigns can be improved in the future?

If you look at internet education safety campaigns before this effort by NCSA, you see a bunch of different parallel efforts focused on the same problems but using different tactics and terminology. This initiative is important because it brings together an incredibly wide spectrum of technology, communication and other companies to work with government on developing unified messaging. Having consistent terminology is critical to education in a complex area and with this effort the sum of our individual efforts working together is much greater than it would be if we invested the same in education but without this degree of coordination.

Facebook launched its bug bounty program in August last year and has already doled out quite a sum to outside security experts. Have there been any great surprises? Has the program influenced the way that the security team approaches code reviewing? Did you offer employment to a particularly successful bug hunter/are you thinking about doing it?

The program has been successful beyond our expectations. First, it really blew up the assumption that there are only a small number of quality researchers able and willing to report meaningful bugs. On the contrary, we have found that there is an incredibly vibrant entrepreneurial security community around the world that is passionate about engaging on web application security.

We have had submissions from over 16 countries and have already payed out over $150, 000 in bounties. In the process we have built great relationships with some amazing researchers from every corner of the globe. And yes, we do have a summer intern coming who we met through the program.

I don’t think it has influenced the way we review code, but it does make us feel even better about the overall review process we have in place being as complete as possible. We intend to keep investing in this program and are always looking for feedback on how to make it better.

Our latest iteration was to add a debit card as a payment option so that we can reload easily for people who submit bugs regularly.

As the number of Facebook users grows seemingly exponentially, does your security team as well? What security-related problems currently give you the biggest headaches?

We do continue to grow in size, but we are also constantly challenging ourselves to develop in such a way that every employee focused on security has a greater individual impact tomorrow than that person did today. We can do that both by continuing to innovate on our approaches to security and investing in system and infrastructure.

We know that we will always be out-numbered by the bad guys, but we can overcome that by making sure that our systems are up to the challenge. An example of how things change and new headaches arise the sudden increase in what we call self-XSS during last year. Self-XSS attacks used social engineering to trick users into copying-and-pasting malicious javascript into their browser, thereby self-propagating the spam and evading our detection systems. Before the attacks increased dramatically most experts would have doubted that a social engineering scheme could work at such scale.

Fortunately, we reacted quickly and have had success beating it back. In addition to improving internal detection mechanisms, we have worked with browser vendors to make it harder for spammers to take advantage of this vulnerability in the browser, and we have partnered with external companies to make our malicious link detection system more robust. We are still battling this but thankfully it is much less of a headache than it use to be.

I can’t remember the last time I saw a bogus or information-collecting app being pushed onto users by third party developers, and I recall them being plentiful at one point in time. How did you solve that particular problem?

We have several different teams that work closely together to ensure people have a great experience when connecting with applications that leverage our platform. Major props go to the platform integrity engineers who have been constantly iterating on the automated systems that we put in place to secure our Platform. Of particular note were the changes we made last July which made significant improvement to the enforcement systems so we can identify and disable apps that violate our policies as quickly as possible.

These changes instituted granular enforcement which selectively disables an app’s ability to propagate through Facebook based on the amount of negative user feedback – so that an app that has been reported for abusing chat will have this feature disabled until the developers have made substantial changes. In the future, we are moving to more sophisticated ranking models where the amount of distribution will be a function to the app’s quality. Good content will be seen by more people, while lower quality or spammy apps will be seen by fewer people or no one. We believe this will reward apps that provide great experiences while minimizing the negative impact of poor quality apps.