53: Offensive security at Meta’s Red Team X

Red Team X is a security team at Meta that is responsible for finding and exploiting vulnerabilities in third-party products that could impact Meta's own security. The team acts as a hybrid between a traditional red team, which focuses on probing their own organisation's systems and products for vulnerabilities, and an elite bug-hunting group.

The team was founded by Vlad I. in 2020 when the pandemic and the sudden shift to Work From Home challenged various previously-held assumptions about security.

In his discussion with Pascal, Vlad explains the roles of different security teams within Meta, how they go about prioritising the highest-impact targets to exploit and how they work with vendors to ensure not just Meta but the entire world benefits from the fixes produced.

Got feedback? Send it to us on Twitter (https://twitter.com/metatechpod), Instagram (https://instagram.com/metatechpod) and don’t forget to follow our host @passy (https://twitter.com/passy and https://mastodon.social/@passy). Fancy working with us? Check out https://www.metacareers.com/.

Links:

• The Diff episode about Velox: https://thediffpodcast.com/docs/episode-17

• Risky Business Podcast: https://risky.biz/

• RTX Blog: https://rtx.meta.security

• RTX Disclosures: https://rtx.meta.security/bugs

• RTX in WIRED: https://www.wired.com/story/facebook-red-team-x-vulnerabilities/

Timestamps:

• Intro 0:06

• Vlad Intro 1:55

• Red Teaming 2:43

• Staying up-to-date 6:34

• Different team colours 10:02

• Defence-in-depth 12:44

• Red Team X 15:57

• Hardware v Software 19:43

• Focus areas 21:29

• Prioritising requests 22:44

• Notable RTX Disclosures 26:05

• Vulnerability disclosure policy 28:52

• Getting into offensive security 38:48

• Outro 40:51