Security
Page 13
-
5 tips for creating a secure DevOps culture
Kevin Rollinson
Integrating security into your DevOps cycle isn’t something that happens overnight. Here are five tips for building a culture in which secure DevOps can thrive, enabling your team to build secure apps quickly.
Culture+ 2 more -
Preventing Server Side Request Forgery (SSRF)
The Fastly Collective
Learn about the technical details of SSRF, how it was utilized in the Capital One breach, why it’s so critical to understand for today’s cloud-hosted web apps, and how organizations can protect their web applications and APIs from such attacks.
Security -
TLS with Fastly is now easier and more flexible
Blake Dournaee
Fastly now offers two new TLS services for the trust, flexibility, and scalability customers need to bring the best of the internet to life.
SecurityProduct -
Protecting WebSocket Protocol Apps and APIs with Fastly
The Fastly Collective
The 4.2 release of the Fastly agent introduces WebSocket traffic inspection, enabling customers to extend the coverage of applications, APIs, and microservices protected by Fastly’s Next-Gen WAF to apps and services that utilize the WebSockets protocol.
Security -
Incorrect service routing involving HTTP/2 client connections
Fastly Security Research Team, The Fastly Security Technical Account Management Team
On November 11, 2019, at 21:57 UTC, Fastly deployed a new build of its HTTP/2 termination software to two Fastly cache servers in the Minneapolis-St.Paul (STP) data center. This build contained a processing flaw involving connection re-use between internal Fastly systems (unrelated to HTTP/2 multiplexing), and caused some incoming HTTP/2 requests for Fastly customers’ services to potentially be routed incorrectly to a group of up to 20 different Fastly customers’ services and origins. This led to some client request data being delivered to, and a response returned by, an incorrect customer origin. The customers whose origins erroneously received these requests may have logged the incorrectly-routed request data. Fastly was first notified by a customer of a client error on November 12, 2019, at 23:07 UTC. On November 13, 2019, at 00:50 UTC, all customer traffic was diverted away from the affected data center. Fastly immediately commenced an investigation, and on November 14, 2019, at 00:31 UTC, we validated the presence of incorrectly routed request data in a customer’s logs. We estimate this flaw affected 0.00016% of our global request traffic during the 27-hour period. It is unlikely that affected client requests came from outside of North America. Because Fastly does not store customer log data, we are not able to say with certainty if an affected request was incorrectly routed.
Security -
Prevent attacks with proof of work | Fastly
Andrew Betts
With attackers using publicly available lists of compromised passwords in an attempt to steal accounts, proof of work is a good way to slow the attackers down.
Security -
Protecting Financial Applications at Scale
The Fastly Collective
Security and development teams have a responsibility to secure customer data at the web application layer and stop attackers and Fastly's Next-Gen WAF can help.
Security -
Surfacing Key Indicators of Account Takeovers
The Fastly Collective
This post focuses on the key authentication events that financial services organizations should monitor to defend against account takeovers. We’ll also illustrate how utilizing a threshold-based approach enables organizations to identify irregular request patterns to spot fraudulent authentication and account activity.
Security -
Listening to Web Attacks Remixed!
The Fastly Collective
Sigsci-sounds monitor attack and anomaly data and will play a sound for each type of attack or anomaly.
Security -
Introducing Platform TLS and Subscriber Provided Prefix
Courtney Nash
Today we’re announcing two new offerings on the Fastly platform: Platform TLS and Subscriber Provided Prefix. Both empower companies to provide fast, secure web experiences to their customers and end-users, while reducing the workload on their own internal teams. Large companies, such as those offering mass hosting or managing multi-brand portfolios, can now quickly and easily manage hundreds of thousands of certificates in bulk.
ProductSecurity -
Fastly's Response to SegmentSmack
Jana Iyengar, Ryan Landry, + 1 more
A remotely exploitable denial-of-service (DoS) attack against the Linux kernel, called SegmentSmack, was made public on August 6th, 2018 as CVE-2018-5390. Fastly was made aware of this vulnerability prior to that date through a responsible disclosure. As part of our initial investigation, Fastly discovered a candidate patch proposed by Eric Dumazet from Google to address this vulnerability. We discussed the vulnerability and the patch with Eric, reproduced the attack, validated the patch as a fix, and estimated the impact of the vulnerability to our infrastructure. We immediately deployed temporary mitigations where we were most vulnerable, while simultaneously preparing and rolling out a patched kernel to our fleet.
SecurityEngineering -
Cache Poisoning Leveraging Various X-Headers
Fastly Security Research Team, The Fastly Security Technical Account Management Team
On Thursday, August 9th, research was published at Black Hat USA 2018 on cache poisoning attacks against websites deployed behind caching infrastructure. These attacks could allow an attacker to inject arbitrary content into a victim’s cache. Fastly service configurations that do not take into consideration the interaction between headers that backends use to select content may be vulnerable. This risk can be fully mitigated via a VCL patch or by modifying backend configurations.
Security -
Vulnerability in Linux Kernel TCP implementation
Fastly Security Research Team, The Fastly Security Technical Account Management Team
On August 6, 2018, a vulnerability in the Linux kernel TCP implementation, called SegmentSmack, was publicly disclosed. This vulnerability allowed a remote attacker to cause a denial-of-service attack on a target server by simply establishing a TCP connection to the server and sending specific segments over the connection. Fastly has worked with the security community in advance of this disclosure to address this vulnerability in our edge networks. They pose no threat to Fastly customers.
Security -
Introducing Quick Value Packages
Courtney Nash
Keeping your digital presence continuously tuned, optimized, and secure to align with changing business and technical requirements can be time consuming. That’s why we’ve put together our Quick Value Packages — a collection of expert consulting services focused on performance, analytics, and security. Each one allows you to tap into Fastly’s expertise to keep up with the ongoing change and complexity of modern businesses — all while freeing up your IT and engineering resources. You’ll deliver quick wins and delight your teams, enabling you to focus on driving your business forward.
Performance+ 2 more -
Building the WAF test harness
Christian Peron
To help our customers secure their sites and applications — while continuing to give their users reliable online experiences — we’ve built a performant, highly configurable, and comprehensive Web Application Firewall (WAF). In order to provide a comprehensive solution for securing your infrastructure, it’s critical to continuously test that solution. In this post, we’ll share how we ensure a quality WAF implementation for our customers, continuously testing it using our framework for testing WAFs (FTW), and go deeper into the findings and contributions we’ve made to the OWASP CRS community with FTW.
Security+ 2 more -
Three Ways Legacy WAFs Fail
The Fastly Collective
Legacy WAFs were a stopgap that compliance regulations forced many to adopt (or at least pretend to). Learn more about why they fail and how the next generation of WAFs bridges the gap.
Security -
DDoS attacks: how to protect + mitigate
Jose Nazario, PhD, Ryan Landry
In part one of this series, we took a look at the evolving DDoS landscape, offering a sense of what’s out there in terms of attack size and type to help better inform decisions when it comes to securing your infrastructure. In this post, we’ll share an inside look at how we protect our customers, lessons learned from a real-live DDoS, and our recommended checklist for mitigating attacks.
SecurityEngineering -
Requiring TLS 1.2 for the Fastly API & control panel
Phil Groman
As part of our vision for defending the modern web, the Fastly engineering teams are focused on providing you with a robust and secure platform that empowers you to protect your customers. Because we’re committed to providing secure experiences, we’re requiring clients that connect to our infrastructure to support TLS 1.2. Read on to learn about our deprecation plan, plus how to check which TLS version you’re using.
Security -
Videos from part 3 of our Security Speaker Series
Window Snyder
On October 26, we hosted an evening of drinks, snacks, and an excellent security discussion with the security research and engineering communities. Folks gathered at Bespoke Central Lounge in downtown San Francisco to hear from Alex Bazhaniuk, of Eclypsium, Inc., and Stephen Checkoway, of the University of Illinois. Watch the videos from their talks here.
Security -
Vulnerability in modern processors
Fastly Security Research Team, The Fastly Security Technical Account Management Team
On Wednesday, January 3rd, research was published on a class of security vulnerabilities affecting specific processors. These vulnerabilities could allow a user who can execute code on a system to gain unauthorized access to information across security boundaries. Fastly has completed initial analysis of these vulnerabilities and does not believe they pose an immediate threat to Fastly customers.
Security
