How does Facebook protect their source code?

Facebook (and Google and probably many others) don't have employees check out code on their laptops. Code is checked out on developer servers or workstations and employees connect to these to work. These are only accessible on the corporate network, and connecting  from outside the network requires VPN, which itself requires multi-factor authentication.

I think you will find very few companies willing to go into specifics about their security measures. However, the best way to protect source code on employee laptops is to not have source code on employee laptops, and to use a secured development environment.

Not having code on employee laptops is kind of true, at least if you're only talking about web/backend code. But if you're developing for mobile (which is a huge chunk of what FB does these days), you have to work with repositories stored on-device. And unless you don't give your employees laptops (heresy!), that means you're taking home a lot of code. As for how that doesn't get stolen: 1) I'm sure it sometimes does. 2) A lot of it is trust and loyalty. And lack of incentive. No chunk of code that you're working on is so valuable that you'd give up a good job just to put it on the internet. 3) At FB, we did our best to open-source as much code as possible, so instead of having it stolen, we were literally giving it away. If you're doing code right for mobile, your source code can't really be stolen in any meaningful way. Security and authentication shouldn't happen on-device, and you can hide api keys/secrets with compiler tricks. For the most part, the real magic is knowing how it's all put together and understanding how it works. We wrote blog posts about how we made our code better, just to help other people make their code better. We read posts by people at other companies with the same goals. There are no guards at the door frisking employees for laptops or anything. They just trust. People are usually honest. And failing that, it's actually pretty hard to be truly anonymous on the internet. If someone did steal code that mattered (and there is some stuff that is important to keep secure), it wouldn't be all that hard to figure out who did it, unless that person had trained to be Jason Bourne for most of his or her life prior to working at FB. Software people tend to know that.

I think you are assigning to much value to the source code.  It's incredibly valuable if you have the engineers who are familiar with the code, and the enviroment to run it on.  By itself it's not that useful.  Sure you could examine it to get ideas or for security bugs, but that's going to require a lot of effort. Also you assume there is a big repo with all of Facebook in it.  It's likely FB splits up their code base into numerous different repos.   In the unlikely event a FB engineer had something checked out on his/her laptop it would just be a small piece of the code base.