I have highlighted that product teams need to move beyond baseline security (preventing classic buffer overflows) to building cybersecurity into the logic of their application for real-world scenarios. This active defense (it goes by many names) is essential if our products are to operate in hostile environments.
Facebook shared an example of how it structures its product (authentication) to bolster safety for its users, even when those users are on products or platforms (older Android versions) that are proven to have backdoors and exploitable malicious code. This is a great demonstration and an opportunity for self-reflection:
- How have you enhanced your product?
- Are you just ‘scanning’ and closing tickets or is your cybersecurity intelligence being applied to functional requirements?
- Is your ratio of Development engineers to Cybersecurity engineers appropriate?
Facebook can’t force you to use two-factor authentication, even though it knows you would be safer if you did. That forces the social media giant to find other ways to build safety in for you. According to CSO Alex Stamos, the company actually monitors black-market password databases, looking for password matches against its user base, and warns people when it finds compromised ones.
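As an added illustration of the matching step described above (this is not Facebook's code, whose internals the post does not describe): it assumes an account store holding only salted PBKDF2 hashes and a leaked dump of email/password pairs, both constructed here. The point it shows is that because you never hold plaintext, each leaked candidate has to be hashed under that account's own salt before comparison.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the account database: email -> (salt, PBKDF2 hash).
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user_store(users):
    store = {}
    for email, password in users:
        salt = os.urandom(16)                      # per-user random salt
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def find_compromised_accounts(user_store, leaked_credentials):
    """Return emails whose current password matches an entry in a leaked dump.

    Only salted hashes are stored, so a leaked plaintext is hashed with the
    matching account's salt and compared in constant time. Emails with no
    account are skipped; the dump itself is never written anywhere.
    """
    compromised = set()
    for email, leaked_password in leaked_credentials:
        record = user_store.get(email.lower())
        if record is None:
            continue
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            compromised.add(email.lower())
    return sorted(compromised)

def notify(emails):
    # Placeholder for the user-facing warning / forced reset flow.
    for email in emails:
        print(f"[warn] {email}: password appears in a leaked database; prompt a reset")

# Constructed sample data (hypothetical users and a hypothetical dump).
USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "S3cure!pass"),
]
LEAKED = [
    ("bob@example.com", "hunter2"),          # real match -> warn bob
    ("Alice@example.com", "password123"),    # same account, different password -> no warning
    ("dave@example.com", "hunter2"),         # no such account -> skipped
]
USER_STORE = make_user_store(USERS)

if __name__ == "__main__":
    notify(find_compromised_accounts(USER_STORE, LEAKED))
```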