The following data security requirements correspond to the 2023 Data Protection Assessment.
For assessment versions received after February 2024, please see this page.
Apps with access to certain types of Platform Data from Meta are required to complete the annual Data Protection Assessment (DPA). DPA is designed to determine whether developers meet the requirements of Meta Platform Terms as it relates to the use, sharing, and protection of Platform Data. A subset of the DPA questionnaire is focused on Platform Term 6, which outlines data security requirements. We recommend you utilize this document to understand the expectations, requirements, and related evidence with respect to data security use and processing as defined in Meta Platform Terms.
Please note there is a glossary included at the end of this document with key terms and definitions.
Find more video resources from Data Protocol.
Throughout this document, the phrase server side is used as a shorthand for any backend environment that an organization uses to process Platform Data, whether running on a cloud host like Amazon Web Services (AWS), hosted by the developer in a shared or exclusive data center, or a hybrid (combination of these).
Client side requirements refer to processing Platform Data within browsers, mobile devices, within apps on desktop and laptop computers, and other types of devices used by people.
Create (or update, if necessary) a data flow diagram or description that illustrates how the app or system processes Platform Data.
In the end, the data flow diagram or description should include:
You may be required to submit evidence to support the answers related to data security protections that you implement. We recommend that you read the Evidence Guide in this document for examples of acceptable evidence and prepare the evidence accordingly. We accept common document file types along with screenshots and screen recordings. Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Please ensure that you redact (remove) sensitive data from the evidence before submitting it.
For apps that are asked to upload evidence related to data security protections, Meta requires two different types of documentation:
Policy or procedure evidence, sometimes referred to as an administrative control, is written documentation that describes the approach for a particular data security protection. The form of this evidence can vary – it could be an excerpt from a set of internal policies, part or all of an internal wiki page, or a newly-created document that you use to describe the approach if you do not have any pre-existing documentation. In any case, the policy or procedure evidence you upload must clearly explain how the approach for a given protection relates to Meta’s requirements. Please only provide the policy or language that is relevant and necessary for Meta’s security review, or use the free-text box associated with the question to direct our reviewers to the relevant section(s).
Implementation evidence illustrates how you have implemented the policy or procedure in practice directly via a screenshot or screen recording. Because different developers have different configurations, we cannot provide examples for every scenario. That said, the implementation evidence should demonstrate the same level of detail as the examples we have provided to the extent possible.
We understand that it may be unduly burdensome to prepare implementation evidence that comprehensively demonstrates implementation of a given data security protection. With that in mind, you should submit evidence according to the guidance here, taking care to redact sensitive information from the evidence before submitting it:
Do not submit evidence that contains any of these values in readable (unredacted) form. If you are using an image editor for a screenshot, overlay a black box over the value. If you are using a PDF editor, make sure you are redacting the text by using a tool that actually removes the values rather than simply adding a layer while preserving the text (e.g., the redact tool in Apple’s Preview app).
Question: Do you enforce encryption at rest for all Platform Data stored in a cloud, server, or data center environment?
Encryption at rest protects Platform Data by making the data indecipherable without a separate decryption key. This provides an additional layer of protection against unauthorized read access.
If you do store Platform Data server side:
If developer does NOT store Platform Data server side, this requirement is not applicable.
If you store Platform Data using IaaS hosting (e.g., AWS EC2, Microsoft Azure IaaS, and Google Compute Engine), self hosting, or a hybrid approach then this question does apply.
However, there are other backend hosting models that are special cases:
If you store Platform Data only via any of these (and not using IaaS, Self Hosting, or Hybrid Hosting), this question does not apply. You should instead describe this relationship in the Service Provider section of the DPA.
If you store Platform Data only via a Meta API, for example using player.setDataAsync()
, in the Instant Games SDK, this question does not apply.
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
AWS RDS - encryption at rest is configurable in AWS RDS, so developers must make sure that the configuration option is set to apply this protection.
For a representative RDS instance that contains Platform Data, use the AWS CLI tool to fetch its StorageEncrypted configuration.
# List RDS instances in default region $ aws rds describe-db-instances \ --query 'DBInstances[*].DBInstanceIdentifier' [ "database-1", "database-2" ] # For each instance returned, retrieve the storage encrypted config $ aws rds describe-db-instances \ --db-instance-identifier database-1 \ --query 'DBInstances[*].StorageEncrypted' [ true ] $ aws rds describe-db-instances \ --db-instance-identifier database-2 \ --query 'DBInstances[*].StorageEncrypted' [ true ]
AWS DynamoDB is encrypted at rest by default. You can fetch the encryption at rest configuration for a table using these commands.
$ aws dynamodb list-tables --output table -------------- | ListTables | +------------+ ||TableNames|| |+----------+| || Users || |+----------+| $ aws dynamodb describe-table \ --table-name Users \ --query "Table.SSEDescription.Status" "ENABLED"
AWS DocumentDB must be configured to apply encryption at rest. For a representative cluster that contains Platform Data, use these commands to fetch the StorageEncrypted configuration.
$ aws docdb describe-db-clusters --query 'DBClusters[*].DBClusterIdentifier' [ "docdb-users" ] $ aws docdb describe-db-clusters \ --db-cluster-identifier 'docdb-users' \ --query 'DBClusters[*].StorageEncrypted' [ true ]
AWS S3 buckets may be configured to apply encryption at rest to all objects created within the bucket. Use these commands to list buckets and fetch the configuration for default bucket encryption.
$ aws s3api list-buckets --output table --query "Buckets[*].Name" --------------------------------------------- | ListBuckets | +-------------------------------------------+ | platform.storage | +-------------------------------------------+ $ aws s3api get-bucket-encryption \ --bucket platform.storage \ --query "ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault" \ --output table --------------------- |GetBucketEncryption| +-------------------+ | SSEAlgorithm | +-------------------+ | AES256 | +-------------------+
Consult Microsoft’s documentation on encryption at rest in Azure that’s relevant to the organization’s use of their services.
Consult Google’s documentation on encryption at rest on Google Cloud Platform.
If you do not implement encryption at rest in the server side environment, you may be protecting Platform Data in an alternative way that is still acceptable. In this case, you should describe the following:
Question: Specifically concerning data stored on organizational and personal devices: Do you enforce encryption at rest, or do you have in place policies and rules to reduce the risk of data loss, for all Platform Data stored on these devices?
If a developer allows Platform Data on devices like employee laptops or removable storage (e.g., USB drives), that data is at high risk of unauthorized access if the device is lost or stolen. Developers should take steps to limit this risk.
To reduce the risk of unauthorized Platform Data access, Developers must have either technical controls (preferred) or administrative controls (not preferred, but acceptable) relevant to Platform Data on organizational devices (e.g., laptops) and removable media.
This requirement applies whether or not you process Platform Data server side.
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
You may be using one or both of: a) technical controls (e.g., disk encryption), or b) rules/policies to reduce the risk of data loss for Platform Data being stored on organizational devices like laptops and mobile phones.
Technical controls might include:
Rules/policies might include:
An organization classifies Platform Data from Meta as “private data” according to their data classification standard. The organization has created Data Handling Guidelines and obligates all personnel to understand and abide by these policies.
Question: Do you enable security protocol TLS 1.2 or greater for all network connections that pass through, or connect, or cross public networks where Platform Data is transmitted? Additionally, do you ensure that Platform Data is never transmitted over public networks in unencrypted form (e.g., via HTTP or FTP) and that security protocols SSL v2 and SSL v3 are never used?
Platform Data transmitted across the internet is accessible to anyone that can observe the network traffic. Therefore it must be protected with encryption to prevent those unauthorized parties from being able to read the data.
Whether or not you processes Platform Data server side:
The table below summarizes encryption in transit policy for different transmission types.
Type of Transmission | Encryption in Transit Policy |
---|---|
To and from end user devices (mobile phones, PCs, tablets, etc.) and the server or cloud infrastructure. |
|
To and from the server or cloud infrastructure and any remote server, cloud infrastructure, or 4th party service. | TLS 1.2 or greater must be enforced |
To and from components entirely within the private data center, server, or cloud infrastructure | TLS encryption is recommended but not required for Platform Data transfers that are entirely within a private cloud network |
To and from Meta and any device, server, or cloud infrastructure | Out of Scope for Data Protection Assessment - Meta controls the TLS policy for these transfers |
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence. A straightforward way to produce implementation evidence that demonstrates the configuration of one of the web listeners is to use the Qualys SSL Server Test tool.
This is an example output from the Qualys SSL Server Test tool. Note the red annotations in the Configuration section, which summarizes which SSL/TLS versions are supported. Note: this example includes only the first two pages but you should include the full test output.
You may be protecting Platform Data in transit using a different type of encryption besides TLS; this may be acceptable if the approach provides equivalent protection. In this case, you should submit details about the encryption used for Meta to review:
Question: Do you test the app and systems for vulnerabilities and security issues at least every 12 months? (For example, do you perform a manual penetration test?)
Developers must test for vulnerabilities and security issues so that they can be discovered proactively, ideally preventing security incidents before they happen
Applicable to all developers:
Additional requirements for developers that process Platform Data server side:
If the organization is considering adding SAST to the development process, NIST maintains a list of open source and commercial tools that you may find a useful starting point for choosing a tool.
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
If the organization processes Platform Data in a cloud or server environment:
The internet-accessible cloud or server software (e.g., a REST API used by web and mobile clients) you use to process Platform Data must be in the scope of this test for it to be acceptable.
If the organization does NOT process Platform Data in a cloud or server environment:
Penetration Test - An organization commissions a penetration test of their software running server side that integrates with Meta APIs and processes Platform Data. The test firm completes the test and produces a summary letter like the one below. Note the red annotations, which highlight that the date when the test took place is denoted (must be within past 12 months) and there is a summary of the unresolved critical/high severity findings at the conclusion of testing (or retesting, if applicable). Please redact sensitive information from the report (in particular, any detailed vulnerability reproduction steps) before submitting it.
Static analysis - If using a different approach, for example a SAST tool, export the results into a document that includes the SAST run date and a list of findings that includes each finding’s type and its severity/criticality.
Cloud Configuration Review
A developer uses NCC Scout Suite using the default ruleset for their cloud provider (in this case, AWS) to review their cloud configuration for vulnerabilities and security issues. The tool outputs a JSON file containing the detailed run results. In this example, there are a number of issues flagged as “Danger” severity that the developer needs to review and resolve.
The raw NCC Scout Suite JSON file contains details about your cloud environment that you should not upload. Instead, filter the responses to show the count of findings by severity.
$ python3 scout.py aws –-no-browser 2022-08-22 11:39:38 localhost scout[76981] INFO Saving data to scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-043954759379.js $ cd scoutsuite-report/scoutsuite-results $ tail -n +2 scoutsuite_results_aws-043954750000.js| jq '. | {last_run}' | pbcopy { "last_run": { "ruleset_about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "ruleset_name": "default", "run_parameters": { "excluded_regions": [], "regions": [], "services": [], "skipped_services": [] }, "summary": { "acm": { "checked_items": 4, "flagged_items": 2, "max_level": "warning", "resources_count": 2, "rules_count": 2 }, "awslambda": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "cloudformation": { "checked_items": 11, "flagged_items": 0, "max_level": "warning", "resources_count": 11, "rules_count": 1 }, "cloudfront": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 3 }, "cloudtrail": { "checked_items": 153, "flagged_items": 4, "max_level": "danger", "resources_count": 17, "rules_count": 9 }, "cloudwatch": { "checked_items": 2, "flagged_items": 0, "max_level": "warning", "resources_count": 2, "rules_count": 1 }, "codebuild": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "config": { "checked_items": 17, "flagged_items": 0, "max_level": "warning", "resources_count": 1227, "rules_count": 1 }, "directconnect": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "dynamodb": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 1, "rules_count": 0 }, "ec2": { "checked_items": 760, "flagged_items": 108, "max_level": "danger", "resources_count": 44, "rules_count": 28 }, "efs": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "elasticache": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "elb": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 3 }, "elbv2": { "checked_items": 42, "flagged_items": 4, "max_level": "danger", "resources_count": 0, "rules_count": 5 }, "emr": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 0 }, "iam": { "checked_items": 801, "flagged_items": 27, "max_level": "danger", "resources_count": 87, "rules_count": 37 }, "kms": { "checked_items": 15, "flagged_items": 0, "max_level": "warning", "resources_count": 15, "rules_count": 1 }, "rds": { "checked_items": 1, "flagged_items": 0, "max_level": "warning", "resources_count": 27, "rules_count": 9 }, "redshift": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 6 }, "route53": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 1, "rules_count": 3 }, "s3": { "checked_items": 121, "flagged_items": 34, "max_level": "warning", "resources_count": 7, "rules_count": 18 }, "secretsmanager": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 1, "rules_count": 0 }, "ses": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 4 }, "sns": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 7 }, "sqs": { "checked_items": 0, "flagged_items": 0, "max_level": "warning", "resources_count": 0, "rules_count": 8 }, "vpc": { "checked_items": 271, "flagged_items": 211, "max_level": "warning", "resources_count": 0, "rules_count": 9 } }, "time": "2022-08-22 11:42:25-0400", "version": "5.11.0" } }
Another approach for conducting a cloud configuration review for developers using Amazon Web Services ruleset.
# Show that AWS Foundational Security Best Practices are enabled $ aws securityhub get-enabled-standards { "StandardsSubscriptions": [ { "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:043954759379:subscription/aws-foundational-security-best-practices/v/1.0.0", "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsStatus": "READY" } ] } # Show that aggregator is configured for a representative region used to process Platform Data $ aws securityhub list-finding-aggregators $ aws securityhub get-finding-aggregator --finding-aggregator-arn '{REPLACE-WITH-FINDING-AGGREGATOR-ARN}' # Demonstrate that the ruleset is running by fetching active findings and counting the number of lines of output $ aws securityhub get-findings --query 'Findings[?RecordState==`ACTIVE`]' --filters '{"GeneratorId":[{"Value": "aws-foundational-security","Comparison":"PREFIX"}]}' --output text | wc -l 4876 # Demonstrate that there are no active critical severity findings $ aws securityhub get-findings --query 'Findings[?Severity.Label==`CRITICAL`] | [?RecordState==`ACTIVE`] | [*][Title, GeneratorId]' --filters '{"GeneratorId":[{"Value": "aws-foundational-security","Comparison":"PREFIX"}]}' []
If you are operating a functioning Vulnerability Disclosure Program (VDP), e.g., using the BugCrowd or HackerOne platforms, you may present this as an alternative protection instead of a pen test or vulnerability scan. To demonstrate this, you must submit evidence that:
In this case, the evidence should include:
Question: Are Meta API access tokens and app secrets protected in both of the following ways?
App secrets and access tokens are fundamental to the security of how Meta APIs make decisions about what actions to allow. If an unauthorized party gains access to these credentials they could call Meta APIs - impersonating the real developer - and take any of the actions that we have granted the app (e.g., reading data from Meta APIs about an app’s users).
Access Tokens
App Secret - one of these two things must be true:
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
Include documentation about the policy for protecting Meta API access tokens and the app secret If the app processes Meta access tokens server side, include evidence that demonstrates the protections that you take (e.g., use of a vault, demonstrating that values are stored in an encrypted format, configuration of the app to require appsecret proofs).
Make sure that you do not include (i.e., remove) the plaintext values of any secrets or access tokens in the evidence that you submit.
An organization uses AWS Secrets Manager to security store sensitive data, including the Meta App Secret.
An organization has configured its Meta app to require App Secret proof for API calls.
Question: Do you test the systems and processes you would use to respond to a security incident (e.g., a data breach or cyberattack) at least every 12 months?
Security incidents happen to all companies sooner or later, so it is essential that organizations have planned ahead for who needs to do what to contain the incident, communicate with stakeholders, recover and learn from what happened.
Developer must have:
This requirement applies whether or not you process Platform Data server side.
Follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
A developer has created a comprehensive incident response plan based on this template. These images depict just the table of contents but there is a link below to the full template.
See the full Counteractive incident response plan template (docx format)
A developer has conducted a test of their incident response plan via a tabletop exercise and documented the outcome based on this template.
Only the first two pages are included here, but you should submit the entire document.
Question: Do you require multi-factor authentication for remote access to every account that is able to connect to the cloud or server environment and/or to access the services you use to deploy, maintain, monitor, and operate the systems where you store Platform Data from Meta?
A common technique used by adversaries to gain access to confidential data is to start by gaining access to tools that a developer uses to build or operate their app/system. Sophisticated tools exist to hack into accounts that are protected only by passwords; multi-factor authentication provides an additional layer of security to guard against this risk.
Related to an organization’s processing of Platform Data, remote access to these tools must be protected with multi factor authentication (i.e., not simply a password):
Specifically, MFA or an acceptable alternative protection is required for the following:
Regarding the implementation of MFA:
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
An organization uses AzureAD as their Single Sign On solution. This policy requires Multi-Factor Authentication.
The policy is then mapped to the cloud apps to which it applies. Using this approach, evidence should show the entire Selected items section to make it clear which cloud apps require MFA.
This rule requires MFA for all logins.
This is an example of an AWS IAM policy that allows MFA configuration but forbids other actions if MFA is not present.
An organization has configured GitHub authentication to require MFA for everyone in the organization.
Question: Do you have a system for maintaining accounts (assigning, revoking, and reviewing access and privileges)?
Having good account management hygiene is an important part of preventing unauthorized use of accounts to gain access to Platform Data. In particular, developers must make sure that access to resources or systems is revoked when it’s no longer needed.
This requirement applies whether or not you process Platform Data server side.
Follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
Policy / procedure - A developer has created an Access Lifecycle Management Standard that includes procedures for granting, reviewing, and revoking access.
A developer uses Workday as the authoritative source for Human Resources (HR) data, including current employment status. This developer uses Google Cloud Identity as their Identity Provider (IdP) for managing user accounts and granting access to information systems and tools.
A developer submits evidence that access is revoked for departed personnel by submitting a report that shows that a recent (i.e., within the past 12 months) reconciliation report has been run showing that no active user accounts exist in Google Cloud Identity for people who are not active employees according to a Workday report of current employees.
A developer uses Google Cloud Identity as their Identity Provider (IdP) for managing user accounts and granting access to information systems and tools.
A developer submits evidence that access is revoked when it is no longer used (e.g., no logins in the past 6 months) by submitting evidence of their user directory sorted by last sign in to demonstrate that there are no active user accounts where the last sign in was older than this.
A developer uses a Single Sign On (SSO) tool for identity management and granting access to information systems and tools. The developer has configured GitHub to require SSO authentication.
Question: Do you have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software?
Software components are routinely updated or patched to resolve security vulnerabilities, and eventually these components will reach their end of life when they are no longer supported. Developers who package or rely on these components must keep up to date to avoid running software with known vulnerabilities.
For the following software components, as applicable, you must have a defined and repeatable way of identifying available patches that resolve security vulnerabilities, prioritizing based on risk, and applying patches as an ongoing activity:
Meta does not require the use of any particular tool for these activities. It’s common that an organization would use different approaches for keeping different types of software up to date (e.g., libraries that are packaged with the app vs operating system updates for employee laptops).
This requirement applies irrespective of the hosting approach (e.g., BaaS, PaaS, IaaS, self hosted, or hybrid), although the set of components that you are responsible for keeping up to date will vary
The diagram below illustrates where patching may be required for various architecture types.
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
Start by identifying the in-scope types of software in the environment, e.g., Libraries, SDKs, Packages, Virtual Machine images, app containers, and operating systems, Browsers, operating systems, and other applications used by the employees / contributors.
You may have one or more tools that you use for the following activities:
Snyk for a NodeJS app - A developer uses the Synk Command Line Interface (CLI) to identify packaged third-party dependencies that have known security vulnerabilities and prioritize based on the severity of those vulnerabilities.
A developer is using NPM Audit to find vulnerabilities in the dependencies used in a Node application. The example image below shows multiple high severity vulnerabilities that need to be patched.
A developer uses Trivy to find vulnerabilities in a machine image. The example image below shows high severity vulnerabilities in libraries included in this image that need to be patched.
A developer uses Windows Server Update Services (WSUS) to manage their fleet of servers and PCs / laptops. The example image below shows an admin view of the WSUS tool, which allows for reviewing, approving, and deploying Windows updates.
Without reliable log files it can be difficult to impossible for a developer to detect unauthorized access to Platform Data.
If you process Platform Data server side, then within that environment:
If you’re asked to upload evidence, it should demonstrate that:
Understanding how Platform Data is expected to be processed and then monitoring actual processing is an important way for an organization to make sure that Platform Data is only used for intended purposes
If you process Platform Data server side, then within that server environment, you should:
If you are asked to submit evidence for this protection, follow the instructions in Preparing Evidence to prepare both policy/procedure and implementation evidence.
You should provide evidence that:
It’s unrealistic to rely on humans to review and identify unexpected behavior in a modern internet-accessible system. Instead, tools exist that are able to ingest log files and other signals to raise alarms that need further investigation by people.
If you process Platform Data server side, then within that server environment, you should:
A developer would commonly adopt a Security Information and Event Management (SIEM) tool for this purpose, for example:
You should provide evidence that relevant signal sources are being routed into their tool of choice, that triggers or alarms have been configured, evidence that alarms are routed to personnel who are responsible for following up, and finally that there is a process by which alarms are tuned periodically (e.g., via monthly review and update cycles).
3rd party - in risk management terminology, 3rd party refers to developers on Meta’s platform (1st party is Meta itself; 2nd party is people that use Meta’s products)
4th party - in risk management terminology, 4th party refers to the firms that developers rely on to provide them services that enable their business (1st party is Meta, 2nd party is Meta’s users, and 3rd party is developers on Meta’s platform)
Access token - a credential, like a password, that allows software to call an API to take some action (e.g., read data from a user’s profile).
Amazon Web Services (AWS) - Amazon’s suite of cloud computing services
App scoped ID (ASID) - a unique identifier that Meta generates when a person chooses to use an app. ASIDs help improve privacy for users by making it more difficult for data sets to correlate users across apps, since a single user using two apps will have different ASIDs in each app.
App secret - a shared secret that Meta makes available to developers via the app dashboard. Possession of the app secret authorizes software to take some actions via the Graph API, so developers need to take care that unauthorized parties are not able to get access to the app secret.
App compromise - if a malicious actor is able to gain unauthorized access to an organization’s internal network via a misconfiguration or vulnerability in their app (e.g., a software vulnerability in a webapp) it’s called app compromise. A defense against app compromise is to pen test the app. See also network compromise.
Application container - a container packages up software code and related dependencies so that the app will run on different types of servers (e.g., servers running different operating systems like Linux or Windows Server). A developer will create a container image that packages their app. An application container engine or runtime hosts (runs) the container image.
Application encryption - a method of protecting data where the application software itself does the encryption and decryption operations. In contrast, Transport Layer Security (TLS) seamlessly encrypts data in transit when an application establishes a secure connection to a remote server (e.g., using HTTPS) and cloud providers offer services to transparently encrypt data at rest.
Application Programming Interface (API) - allows two computers to talk to each other over a network, for example a mobile app fetching today’s weather for a certain location from a centralized weather forecasting system
Appsecret proof - an additional layer of security for API calls to Meta whereby a developer generates a parameter (the appsecret proof) that demonstrates that they possess the app secret. The appsecret proof is the product of a hashing function (also called a one-way function) based on the app secret and access token. Configuring an app to require appsecret proofs during Graph API invocations reduces the potential harm from a breach of user access tokens, since those access tokens cannot be used without the additional appsecret proof parameter.
Backend as a Service (BaaS) - a style of cloud computing that provides a suite of server-side capabilities for an app developer so that the developer can focus on building the frontend (i.e., the part of an app that users interact with). BaaS solutions are similar to PaaS and, in addition, add services like user authentication and mobile push notifications. For example, these are some popular BaaS products: AWS Amplify, Azure Mobile Apps, Firebase, and MongoDB Switch.
Cipher text - a synonym for encrypted data, cipher text is the name given to data that has been made unreadable via some encryption algorithm. The opposite of cipher text is plain text.
Client side - people typically interact with internet-accessible services by opening a website in a browser or by running a mobile app on a phone or tablet. The browser or mobile apps are referred to as local clients or client side. Clients make requests from remote computers (servers) via the internet.
Cloud computing - refers to a style of managing server computers, networks, and storage so that an organization doesn’t need to worry about the physical environment (i.e., a data center full of server racks and network cables). Instead, the organization can provision these assets on demand and pay for the services that they consume.
Cloud configuration - the set of cloud computing options that an organization has set in relation to their use of a cloud provider running some software. Examples of cloud configuration include what sorts of network connections are allowed or blocked, where log files are written and how long they are kept, and the set of users who are authorized to make changes to the cloud configuration.
Compensating controls - a security control that differs from some baseline set of requirements but is intended to deliver comparable protection against a risk.
Database - software that allows arbitrary data to be stored, read, updated, and deleted. Databases can run on clients and on servers. Organizations that integrate with the Meta platform will commonly store data they fetch from the Graph API in a database that runs server side.
Decryption - process by which encrypted data is transformed back into its original format. In other words, decryption changes cipher text into plain text.
Encryption - process by which data is transformed into a format that is unusable to anyone that cannot decrypt it. In other words, encryption changes plain text into cipher text.
Encryption at rest - data that has been protected with encryption when written to persistent storage (e.g., a disk drive). Encryption at rest provides an additional layer of protection against unauthorized access since an actor that’s able to read the raw files on the storage device will see cipher text and will not be able to decrypt it unless they are also able to gain access to the decryption key.
Encryption in transit - data that has been protected with encryption when transmitted across a network. Encryption in transmit provides protection against eavesdropping along the network path since an actor that’s able to read the network packets will see cipher text and will not be able to decrypt it unless they are also able to gain access to the decryption key.
End of Life (EOL) software - when an organization chooses to stop support (e.g., create patches to resolve security vulnerabilities) for a software product that software is considered EOL. Since this software is no longer maintained, it’s very risky to run any EOL software.
Google Cloud Platform (GCP) - Google’s suite of cloud computing services
Graph API - the primary way for apps to read and write to the Meta social graph. All Meta SDKs and products interact with the Graph API in some way.
Hashing function - a cryptographic function that takes any data as input and outputs a short code that cannot be reversed into the original input. In cryptography, hashing functions are used to protect data like passwords – instead of storing a user’s password in plaintext that could be stolen, passwords are first transformed with a hash function and then stored. Later, to confirm that a user has input the correct password, the system will use the same hash function to transform the input and compare the resulting hash against the stored value. Also called a one-way function since the output hash cannot be reversed into the original input.
Hosted environment - refers to a set of remote servers, networks, and storage devices that an organization is running in their own data center or within a data center co-located (or colo) with other customers. This arrangement is relatively uncommon in the modern era since cloud computing has become more popular.
Identity Provider (IdP) - a cloud service used to centralize management of digital identities and authenticate users. Organizations that use an IdP typically configure cloud apps to rely on the IdP for user authentication. The organization can then manage users by creating, granting access to selected apps, and disabling user accounts centrally within the IdP instead of having to do this repeatedly in each cloud app.
Identity and Access Management (IAM) - refers to the category of tools and processes that are used to manage accounts and grant access to systems.
Infrastructure as a Service (IaaS) - a cloud computing approach that lets customers configure computing, storage, and networking services without having responsibility for the physical assets themselves (e.g., managing a data center full of servers, network devices, and storage arrays). Compared to Paas, IaaS gives an organization more control over the configuration of their cloud assets but at the cost of more complexity to manage those assets. For example, these are some popular IaaS products: AWS EC2, Microsoft Azure IaaS, and Google Compute Engine.
Library - pre-existing software building blocks, typically from an external company or developer, that’s used to handle certain tasks within another developer’s app or system. Libraries simplify development of an app since a developer doesn’t have to reinvent the wheel when a library already exists for a given function. However, libraries can contain security vulnerabilities – or can themselves include additional libraries that do – so developers who use libraries as part of their app need to know what libraries are in use and keep them up to date over time.
Mobile client or mobile app - an app that a person installs onto a phone or table from a mobile app store (e.g., iOS App Store or Google Play Store). It’s common for mobile clients to communicate over the internet with an organization’s REST API and may also communicate with other parties (e.g., to the Graph API via the Facebook SDK for Android).
Multi-Factor Authentication (MFA) - an authentication approach that requires more than one factor to gain access to an app or system. MFA, in contrast to single factor authentication that relies on just a password to authenticate a user, will typically require a password plus one or more of these: a code sent via email or SMS, a code from an authenticator app, a biometric scan, or a security key. MFA protects against account takeovers by making it more difficult for unauthorized actors to force their way into an account, e.g., by repeatedly attempting to login to an account by using a known email address and common passwords until successful.
Native software - apps that are downloaded and installed onto laptops or mobile devices are referred to as native software (e.g., the Facebook app for iOS). In contrast, an app that runs within a browser is referred to as a webapp (e.g., opening Facebook using the Chrome browser).
Network compromise - if a malicious actor is able to gain unauthorized access to an organization’s internal network via a misconfiguration or vulnerability in the network itself it’s called a network compromise. A defense against network compromise is to run a network scan to identify misconfigurations and vulnerabilities in the internet-facing network. See also application compromise.
Network scan - a risk management process that uses software to: (1) identify active servers on a network that will respond to remote communications, and then (2) see if any of those servers are running old versions of software that is known to be vulnerable to one or more security exploits. An organization may use network scanning periodically to make sure that there are no unexpected open ports on their network perimeter, for example.
Node Package Manager (NPM) - a tool used by JavaScript developers to speed up development by allowing pre-built packages to be included in a developer’s app or system. NPM includes features to audit the set of packages that are in use by an app and to identify packages that have known security vulnerabilities.
Object storage buckets - a type of persistent storage in the cloud that makes it simple for organizations to store files into persistent storage, including files that are very large, without having to worry about scaling physical assets like storage arrays or how to back these files up to ensure they aren’t lost in the case of a disaster like a fire or flood.
Operating System - the software running on a computer or mobile device that allows applications to run and use that computer’s processor, memory, storage, and network resources. For example, Microsoft’s Windows, Apple’s macOS or iOS, and Linux.
Organization member - someone with a role and responsibilities within an organization, for example an employee, a contractor, a contingent worker, an intern, or a volunteer.
Organizational device - a computer or mobile device used by an organization member in the context of doing work for the organization.
Platform Term 6.a.i - Refers to Meta’s Platform Terms section (6) heading (a) paragraph (i), which describes platform developers’ obligations related to data security.
Package - synonym for library
Patch - software updates that resolve security vulnerabilities, fix bugs, or add new functionality. All sorts of software gets patched, including Operating Systems, containers, libraries, and SDKs.
Penetration test - a simulated attack against an app or system where the tester attempts to find vulnerabilities in the code or configuration that could be exploited by an unauthorized actor. Pen testers will use similar tools to cyber criminals to conduct reconnaissance, scan for potential weaknesses, and test vulnerabilities that could be used to gain unauthorized access. At the conclusion of a pen test, the tester will create a report that describes the findings along with the severity of each and the organization that maintains the software is responsible for crafting fixes to resolve the vulnerabilities.
Plain text - a synonym for unencrypted data, plain text is the name given to data that has not been protected by encryption.
Platform as a Service (PaaS) - a cloud computing approach whereby a customer deploys an application into a platform managed by the cloud provider. Compared to IaaS, PaaS is simpler for customers to manage since not only the physical assets (i.e., the servers, storage devices, and network devices) are managed by the cloud host but also the operating system and application container where the customer’s app runs. For example, these are some popular PaaS products: AWS Elastic Beanstalk, Google App Engine, Force.com.
Port - when a client makes a connection to a server over the internet the destination address has two parts: (1) an Internet Protocol (IP) address for the server and (2) a port number on that server that a particular application will respond to. Common protocols use reserved ports (e.g., HTTPS uses 443) but a developer can use custom ports for network communications if desired.
REST API - a widely adopted style of building web-accessible services where the client and server communicate using the HTTP protocol. A developer on the Meta platform might host a REST API on a subdomain like api.example.com that their mobile app sends and receives Platform Data to/from.
Secure Shell (SSH) - a communication scheme that allows administrators to remotely login to servers and run programs on those servers. Referred to as secure since the communications between the client and server are protected against eavesdropping unlike earlier protocols like Telnet. Also called Secure Socket Shell.
Secure Sockets Layer (SSL) - An obsolete and insecure version of encryption in transit. The modern secure version is called Transport Layer Security (TLS).
Server - a computer that provides services remotely over a network. Browsers and mobile apps connect to servers over the internet.
Serverless computing - a style of cloud computing where the cloud host manages the physical infrastructure, the server operating system, and the container. A developer is only responsible for custom code and associated libraries along with the cloud configuration.
Server side - data or computation on the other side of a network connection (i.e., on a server) is referred to as server side. In contrast, data or computation on a local device like a laptop or mobile device is referred to as client side.
Single Sign On (SSO) - an arrangement where apps rely on a centralized user directory (i.e., an IdP) to authenticate users. In addition to centralizing user account and app access administration for the organization, users benefit by having a single set of credentials instead of requiring users to maintain different credentials (e.g., username and password) for each different app.
Software Development Kit (SDK) - a building block of code that a developer can use to simplify the development process for a given need. For example, Meta creates and maintains SDKs that simplify working with the Graph API for iOS and Android developers. Similar to a library, developers that use SDKs in their apps need to keep them up to date over time.
Software as a Service (SaaS) - allows customers to use cloud-based apps via the internet. Unlike PaaS or IaaS, a customer of a SaaS app does not deploy custom code nor have responsibility for configuring, upgrading, or patching the SaaS app as all of these are the responsibility of the SaaS software vendor. For example, these are some popular SaaS products: Dopbox, MailChip, Salesforce, Slack.
Static analysis - see Static Application Security Testing
Static Application Security Testing (SAST) - an approach for finding vulnerabilities in software by running a specialized tool against the source code. A SAST tool will identify potential vulnerabilities, such as those listed in the OWASP Top 10 project, and then the developer is responsible for reviewing the findings, distinguishing true positives from false positives, and fixing vulnerabilities in the software. SAST can be useful because it can allow developers to find vulnerabilities before they are deployed into production, but unlike a penetration test a SAST tool will not be able to find vulnerabilities related to the production configuration of the app.
Transparent data encryption - a type of encryption at rest that typically applies to database storage (i.e., the database contents themselves and its log files). In this arrangement, the database software manages the encryption keys and transparently handles the encryption operations (upon writes) and decryption operations (upon reads).
Transport Layer Security (TLS) - an encryption in transit scheme that uses encryption to protect data transmitted over networks from eavesdroppers along the network path. TLS is the modern secure version of the obsolete earlier technology called SSL.
Two-Factor Authentication (2Fac) - a synonym for Multi-Factor Authentication.
Vault - a secret management system for sensitive data like encryption keys, access tokens, and other credentials. A vault allows tight control over who is able to access the secrets it contains and offers additional services like keeping audit logs.
Virtual Machine (VM) - very similar to an Application Container – a VM runs in a host called a hypervisor whereas an Application Container runs in a container engine. The main difference is that a VM image contains an Operating System whereas an Application Container will not. Both VMs and Application Containers contain application(s) and dependencies like libraries.
Virtual Private Cloud (VPC) - term used by AWS to refer to a set of cloud resources that resembles a traditional network in a data center in the pre-cloud era.
Vulnerability - a flaw in a system or app that could be exploited, e.g., to read data that the actor otherwise would not be entitled to read
Vulnerability Disclosure Program (VDP) - an approach whereby organizations solicit security vulnerability reports from researchers (sometimes called ethical hackers) so that the vulnerabilities can be discovered and fixed before malicious actors exploit them. An effective VDP requires a set of researchers who are actively looking for vulnerabilities, analysts within the organization to review and triage incoming disclosures, and engineers who are knowledgeable about cybersecurity that are able to create and deploy fixes for vulnerabilities.
Vulnerability scan - an approach that uses software to look for vulnerabilities in servers, networks, and apps. Compared to a penetration test, a vulnerability scan is cheaper to run and hence can be run repeatedly (e.g., monthly or quarterly) but it’s typical that a pen test will find vulnerabilities that a vulnerability scan misses because skilled penetration testers bring analytical skills and instincts that are hard to replicate with strictly automated approaches. See also network scan.
Webapp - Webapps are programs that run inside browsers and are comprised of resources like HTML documents, JavaScript code, videos and other media, and CSS for styling. In contrast to a mobile app that a person installs onto a mobile phone from an app store, people simply fetch a webapp from a remote server using their browser (e.g., www.facebook.com) without the need for an installation step.