There's only downside for that job
Gregory Alan Bolcer stashed this in Dangerous Decisions
Probably the best decision he's ever made. Being responsible for a public company that handles real money to buy digital goods with dozens upon dozens of products all haphazardly built on top of software with major security issues?
At Zynga they say that "exploits" are always P0/top-priority issues.
But at Zynga, "exploits" are bugs that allow users to get Virtual Goods for free (virtual goods should never be free!), not necessarily security issues that put users' data at risk :) Nothing makes Pincus more upset than a bug that upsets the delicate balance of his virtual economy. As a Zynga employee, you're not even supposed to take free virtual goods for yourself, unless it's on a fake test account and you're doing it purely in the pursuit of official Zynga business.
Which isn't to say that they don't have a special 1337 team of fat, nerdy boys whose sole job is to sniff out security holes and plug them with raw command-line talent, but in my 6 months at Zynga I never had to directly interface with one of these guys. If they're anything like this one asshole I know from the core Network Ops team, then they're probably not very good (or at least not very motivated).
One time at Treasure Isle, a technologically sophisticated user somehow cracked the client-side swf file and was raking in the virtual dough. Several of the "top" devs in the studio spent days trying to figure out how he was doing it, but (I think) eventually gave up because they couldn't figure out how he was doing it. I believe he was detected simply by looking through the database for top-ranking users under various metrics, and he appeared to be a major outlier, and was rich in virtual goods despite having spent no real money on the app.
Of course, these schmoes didn't think to just contact the guy and ask him how he was doing it. I don't know, maybe that's not considered acceptable practice, but if it were my app I would just send a cordial message telling him that I can see he's identified a flaw and would appreciate it if he could clue me in so that I could fix it.
But it's practically impossible to keep things like that from happening at Zynga. The Treasure Isle app was probably 60% FarmVille code (and our bug database was probably correspondingly rich in FV bugs). On top of that, you've got an army of (mostly) inexperienced devs -- for many it's their first job, in fact -- making fast, loose commits and lacking a strong understanding of version control (at least from the command line). We had some bad problems with .mergeinfo files getting screwed up in SVN that we had to migrate to Git, especially after an unknown issue corrupted trunk so badly that we had to create a "trunk2" from an earlier version while we figured out what the problem was.
I think that, in general, it's very hard to maintain security so good that a sophisticated and determined attacker can't have his way with your app. But under conditions like they have at Zynga, I can hardly see how it's even possible.
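The detection the answer above describes, finding the cracked-client account because it was an outlier in virtual goods relative to real money spent, can be made systematic. The following is an added example, not Zynga's code or anything from the post: it scores each account by how much of its balance cannot be explained by play time plus purchases, then flags upward outliers with a median/MAD robust z-score so the cheater does not distort the baseline. The earn rates, the store price, the threshold and the account rows are all constructed for the example.

```python
"""Outlier check for accounts rich in virtual goods without matching spend.

Added example, not Zynga's code. Rates, threshold and sample rows are constructed.
"""
import math
from dataclasses import dataclass
from statistics import median

# Assumed economy parameters (constructed for the example).
GOODS_PER_PLAY_HOUR = 40.0   # upper bound on what honest play earns per hour
GOODS_PER_DOLLAR = 100.0     # what the in-app store sells per real dollar
MAD_THRESHOLD = 3.5          # robust z-score cut-off, a common choice


@dataclass(frozen=True)
class Account:
    user_id: str
    play_hours: float
    dollars_spent: float
    goods_balance: float


def expected_goods(acct: Account) -> float:
    """Most goods an account could legitimately hold: play earnings plus purchases."""
    return acct.play_hours * GOODS_PER_PLAY_HOUR + acct.dollars_spent * GOODS_PER_DOLLAR


def unexplained_goods(acct: Account) -> float:
    """Balance beyond the legitimate ceiling; negative for accounts that spent goods."""
    return acct.goods_balance - expected_goods(acct)


def robust_z_scores(values):
    """Median/MAD z-scores; unlike mean/stddev, one huge cheater barely moves the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate spread: everything equal to the median scores 0, anything else +/-inf.
        return [0.0 if v == med else math.copysign(math.inf, v - med) for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_outliers(accounts, threshold=MAD_THRESHOLD):
    """Return user_ids whose unexplained balance is an upward outlier."""
    residuals = [unexplained_goods(a) for a in accounts]
    scores = robust_z_scores(residuals)
    return [a.user_id for a, z in zip(accounts, scores) if z > threshold]


def top_by_balance(accounts, n):
    """The naive 'top-ranking users' view: raw balance, which also surfaces honest big spenders."""
    return [a.user_id for a in sorted(accounts, key=lambda a: a.goods_balance, reverse=True)[:n]]


# Constructed sample: u6 is the cracked-client account (no spend, huge balance);
# u9 is an honest big spender whose balance is fully explained by purchases.
SAMPLE_ACCOUNTS = [
    Account("u1", play_hours=10, dollars_spent=0, goods_balance=350),
    Account("u2", play_hours=50, dollars_spent=20, goods_balance=3800),
    Account("u3", play_hours=5, dollars_spent=0, goods_balance=150),
    Account("u4", play_hours=100, dollars_spent=0, goods_balance=3900),
    Account("u5", play_hours=8, dollars_spent=5, goods_balance=800),
    Account("u6", play_hours=12, dollars_spent=0, goods_balance=250000),
    Account("u7", play_hours=30, dollars_spent=10, goods_balance=2100),
    Account("u8", play_hours=2, dollars_spent=0, goods_balance=60),
    Account("u9", play_hours=20, dollars_spent=500, goods_balance=50000),
]

if __name__ == "__main__":
    print("top balances:", top_by_balance(SAMPLE_ACCOUNTS, 3))
    print("flagged:", flag_outliers(SAMPLE_ACCOUNTS))
```

Ranking by raw balance puts both the cheater and the big spender at the top, which is why a spend-aware residual is the better metric: the spender's balance is explained by purchases and scores negative, while the cheater's unexplained balance is thousands of MADs above the median. In a real economy the earn-rate ceiling would come from the game's own rules per level and the check would run as a scheduled query against the balance and purchase tables rather than over an in-memory list.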
Thanks for that anecdote. Chilling.
I still find it challenging to say "Zynga" and "security" in the same sentence.