Over at Facebook, Collin Greene, Manager of Product Security, has posted a blog entry that supposedly shows how much Facebook is doing to protect you.  (Personally, I think the "billions" in the title are dollars, not users.)

OK, I had a quick look at it, and my initial impression is: yet another attempt to promote the idea that Facebook cares and is doing something, but not really saying anything at all.

However, I should examine it in a bit of detail.

Collin starts off with "defense-in-depth." Defence in depth is not just "let's throw a whole bunch of fixes at it!" Defence in depth has structure and strategy. (You can see how much structure and strategy their graphic has.)

It needs to start with the core, and then see what areas might be weak, and provide layers that specifically protect those weak areas. Facebook's misson statement is, basically, "Hey! Let's get people to give us lots of their private information and then we'll sell it to other people/companies!" You will notice that it doesn't provide for much in the way of security.

Facebook seems to think that "OK, people have complained about X, so let's do something that makes it slightly less obvious that we are doing X, rinse and repeat" is defence in depth. It isn't.

Then they mention bugs.

Then they mention a bootcamp. (Nothing about the syllabus.) Then security frameworks. Except, oops! seems that security frameworks are only the fact that they have their own programming languages.

Then we have automated testing tools. Lots of tools. Some of them standard tools. Including a unique tool! With no details of how it works. (Its 'magic. Trust us.)

Then they have reviews. (Except, shouldn't design reviews come *before* you actually write the code?) Again, a standard part of secure development, but no mention of how it works. (At Facebook.)

Then a bug bounty program! (Bug bounty programs had inherent problems two decades ago, and they are still there.)

No, this is just more pretence that Facebook cares about your privacy and info.