Security

Page 11

Protecting Financial Applications at Scale

The Fastly Collective

Security and development teams have a responsibility to secure customer data at the web application layer and stop attackers and Fastly's Next-Gen WAF can help.

Security

Surfacing Key Indicators of Account Takeovers

The Fastly Collective

This post focuses on the key authentication events that financial services organizations should monitor to defend against account takeovers. We’ll also illustrate how utilizing a threshold-based approach enables organizations to identify irregular request patterns to spot fraudulent authentication and account activity.

Security

Listening to Web Attacks Remixed!

The Fastly Collective

Sigsci-sounds monitor attack and anomaly data and will play a sound for each type of attack or anomaly.

Security

Introducing Platform TLS and Subscriber Provided Prefix

Courtney Nash

Today we’re announcing two new offerings on the Fastly platform: Platform TLS and Subscriber Provided Prefix. Both empower companies to provide fast, secure web experiences to their customers and end-users, while reducing the workload on their own internal teams. Large companies, such as those offering mass hosting or managing multi-brand portfolios, can now quickly and easily manage hundreds of thousands of certificates in bulk.

Product
Security

Fastly's Response to SegmentSmack

Jana Iyengar, Ryan Landry, + 1 more

A remotely exploitable denial-of-service (DoS) attack against the Linux kernel, called SegmentSmack, was made public on August 6th, 2018 as CVE-2018-5390. Fastly was made aware of this vulnerability prior to that date through a responsible disclosure. As part of our initial investigation, Fastly discovered a candidate patch proposed by Eric Dumazet from Google to address this vulnerability. We discussed the vulnerability and the patch with Eric, reproduced the attack, validated the patch as a fix, and estimated the impact of the vulnerability to our infrastructure. We immediately deployed temporary mitigations where we were most vulnerable, while simultaneously preparing and rolling out a patched kernel to our fleet.

Security
Engineering

Introducing Quick Value Packages

Courtney Nash

Keeping your digital presence continuously tuned, optimized, and secure to align with changing business and technical requirements can be time consuming. That’s why we’ve put together our Quick Value Packages — a collection of expert consulting services focused on performance, analytics, and security. Each one allows you to tap into Fastly’s expertise to keep up with the ongoing change and complexity of modern businesses — all while freeing up your IT and engineering resources. You’ll deliver quick wins and delight your teams, enabling you to focus on driving your business forward.

Performance
+ 2 more

Building the WAF test harness

Christian Peron

To help our customers secure their sites and applications — while continuing to give their users reliable online experiences — we’ve built a performant, highly configurable, and comprehensive Web Application Firewall (WAF). In order to provide a comprehensive solution for securing your infrastructure, it’s critical to continuously test that solution. In this post, we’ll share how we ensure a quality WAF implementation for our customers, continuously testing it using our framework for testing WAFs (FTW), and go deeper into the findings and contributions we’ve made to the OWASP CRS community with FTW.

Security
+ 2 more

Three Ways Legacy WAFs Fail

The Fastly Collective

Legacy WAFs were a stopgap that compliance regulations forced many to adopt (or at least pretend to). Learn more about why they fail and how the next generation of WAFs bridges the gap.

Security

DDoS attacks: how to protect + mitigate

Jose Nazario, PhD, Ryan Landry

In part one of this series, we took a look at the evolving DDoS landscape, offering a sense of what’s out there in terms of attack size and type to help better inform decisions when it comes to securing your infrastructure. In this post, we’ll share an inside look at how we protect our customers, lessons learned from a real-live DDoS, and our recommended checklist for mitigating attacks.

Security
Engineering

Requiring TLS 1.2 for the Fastly API & control panel

Phil Groman

As part of our vision for defending the modern web, the Fastly engineering teams are focused on providing you with a robust and secure platform that empowers you to protect your customers. Because we’re committed to providing secure experiences, we’re requiring clients that connect to our infrastructure to support TLS 1.2. Read on to learn about our deprecation plan, plus how to check which TLS version you’re using.

Security

Videos from part 3 of our Security Speaker Series

Window Snyder

On October 26, we hosted an evening of drinks, snacks, and an excellent security discussion with the security research and engineering communities. Folks gathered at Bespoke Central Lounge in downtown San Francisco to hear from Alex Bazhaniuk, of Eclypsium, Inc., and Stephen Checkoway, of the University of Illinois. Watch the videos from their talks here.

Security

The evolving DDoS landscape

Ryan Landry, Jose Nazario, PhD

As an edge cloud platform, Fastly is in a unique position to monitor DDoS attack patterns and trends as they evolve. In this post, Jose Nazario, Sr. Director of Security Research, and Ryan Landry, Director of Edge Cloud Operations, take a look back at the history of DDoS, sharing how they’re changing and the trends we’re seeing. Getting a handle on the various shapes and sizes of DDoS will help inform how you address these attacks on your own infrastructure — you may not always be able to predict attacks, but knowing what’s out there and preparing for the worst will help you protect and mitigate.

Security
Engineering

Security Speaker Series, part 3

Window Snyder

We’re pleased to announce the next installment of our Security Speaker Series, which brings together researchers and engineers to share research, tools, and ideas. Join us for drinks, snacks, and a few hours of excellent security discussion on Thursday, Oct. 26 at 6pm PT at Bespoke Central Lounge in downtown San Francisco. Speakers include Alex Bazhaniuk, of Eclypsium, Inc., and Stephen Checkoway, of the University of Illinois.

Security

Building the Fastly WAF

Eric Hodel, Jose Nazario, PhD

In keeping with our security team’s vision for defending the modern web, we launched our Web Application Firewall (WAF) to help our customers secure their sites and applications while providing reliable online experiences for their users. In this post, two of the engineers who built our WAF will take you on a deep dive into the tech behind it, exploring how we built a performant, highly configurable, and comprehensive solution to secure customers’ infrastructure.

Security
+ 2 more

Deliberate practice in information security

Sandra Escandor-O’Keefe

Deliberate practice is the act of performing a set of tasks that are just slightly more difficult than what you’re used to, so you can get better at a specific activity and move from a novice to an experienced practitioner. In this post, Security Engineer Sandra Escandor-O’Keefe walks us through the art of deliberate practice, offering tips for novices and mentors alike.

Security
Engineering

The problem with patching in addressing IoT vulnerabilities

Jose Nazario, PhD

We need technology to provide capabilities to tackle the challenge of the cybersecurity gaps, recently highlighted by the WannaCry attacks. In this post, Director of Security Research Jose Nazario will explore these challenges as well as share research objectives that industry and academia must address soon before we can begin solving the security issues with IoT.

Security

How to bootstrap self-service continuous fuzzing

Jonathan Foote

OSS-Fuzz is an innovative project that is both advancing the state of the art in OSS security engineering and immediately improving the overall quality of the software that serves the internet. In this blog post, I’ll describe how to use the open source components of google/oss-fuzz to bootstrap self-service continuous fuzzing for both private and public software using h2o, Fastly’s HTTP/2 proxy, as a running example.

Security

The IoT industry’s response to emerging threats

Jose Nazario, PhD

Late last year, we took a look at how the Internet of Things (IoT) is under attack. We analyzed hundreds of individual IoT devices to see how often they were probed for vulnerabilities, with the intention of being employed for IoT botnet attacks. We did more robust vulnerability research on IoT devices that have been found vulnerable in the past and concluded that while malicious probes are constant, manufacturers have taken action to update their firmware and address security holes. Read on to hear our latest findings.

Security
Compute

Anatomy of an IoT Botnet Attack

Jose Nazario, PhD

Understand how malware attacks happen to IoT devices and what companies can do to protect their devices from attacks.

Security
Compute

Secure comms & Fastly advisories reminder | Fastly

Maarten Van Horenbeeck

We publish our security advisories to address vulnerabilities discovered on our own platform, as well as significant security vulnerabilities that affect the wider internet community.

Security