Back to blog

Follow and Subscribe

Security

Page 14

  • Request body disclosure to other Fastly services

    Fastly Security Research Team, The Fastly Security Technical Account Management Team

    From August 31st through November 4th, Fastly deployed a version of Varnish which contained a security bug that, in a limited and non-standard set of configurations, disclosed request bodies to other customer origins. In these cases, a request body sent to an affected Fastly customer's service would have been included in a malformed request to a different customer's origin, which may have been logged in that origin web server's access logs. Fastly performed a comprehensive assessment to identify customers most likely to be affected by this issue. These customers have been contacted directly by Fastly Customer Engineering.

    Security

  • The evolving DDoS landscape

    Ryan Landry, Jose Nazario, PhD

    As an edge cloud platform, Fastly is in a unique position to monitor DDoS attack patterns and trends as they evolve. In this post, Jose Nazario, Sr. Director of Security Research, and Ryan Landry, Director of Edge Cloud Operations, take a look back at the history of DDoS, sharing how they’re changing and the trends we’re seeing. Getting a handle on the various shapes and sizes of DDoS will help inform how you address these attacks on your own infrastructure — you may not always be able to predict attacks, but knowing what’s out there and preparing for the worst will help you protect and mitigate.

    Security
    Engineering

  • Security Speaker Series, part 3

    Window Snyder

    We’re pleased to announce the next installment of our Security Speaker Series, which brings together researchers and engineers to share research, tools, and ideas. Join us for drinks, snacks, and a few hours of excellent security discussion on Thursday, Oct. 26 at 6pm PT at Bespoke Central Lounge in downtown San Francisco. Speakers include Alex Bazhaniuk, of Eclypsium, Inc., and Stephen Checkoway, of the University of Illinois.

    Security

  • Building the Fastly WAF

    Eric Hodel, Jose Nazario, PhD

    In keeping with our security team’s vision for defending the modern web, we launched our Web Application Firewall (WAF) to help our customers secure their sites and applications while providing reliable online experiences for their users. In this post, two of the engineers who built our WAF will take you on a deep dive into the tech behind it, exploring how we built a performant, highly configurable, and comprehensive solution to secure customers’ infrastructure.

    Security
    + 2 more

  • Deliberate practice in information security

    Sandra Escandor-O’Keefe

    Deliberate practice is the act of performing a set of tasks that are just slightly more difficult than what you’re used to, so you can get better at a specific activity and move from a novice to an experienced practitioner. In this post, Security Engineer Sandra Escandor-O’Keefe walks us through the art of deliberate practice, offering tips for novices and mentors alike.

    Security
    Engineering

  • Vulnerability in Fastly open source CDN module intended to be integrated into Magento2

    Fastly Security Research Team, The Fastly Security Technical Account Management Team

    During the investigation of a customer report, Fastly became aware of and addressed a security vulnerability (CVE-2017-13761) in the Fastly CDN module intended to be integrated into Magento2. This is open source code which Fastly releases to enable easy integration with our partner’s products. All versions prior to 1.2.26 are affected and customers are encouraged to upgrade. Fastly has reached out directly to customers currently using affected versions of the module.

    Security

  • The problem with patching in addressing IoT vulnerabilities

    Jose Nazario, PhD

    We need technology to provide capabilities to tackle the challenge of the cybersecurity gaps, recently highlighted by the WannaCry attacks. In this post, Director of Security Research Jose Nazario will explore these challenges as well as share research objectives that industry and academia must address soon before we can begin solving the security issues with IoT.

    Security

  • How to bootstrap self-service continuous fuzzing

    Jonathan Foote

    OSS-Fuzz is an innovative project that is both advancing the state of the art in OSS security engineering and immediately improving the overall quality of the software that serves the internet. In this blog post, I’ll describe how to use the open source components of google/oss-fuzz to bootstrap self-service continuous fuzzing for both private and public software using h2o, Fastly’s HTTP/2 proxy, as a running example.

    Security

  • The IoT industry’s response to emerging threats

    Jose Nazario, PhD

    Late last year, we took a look at how the Internet of Things (IoT) is under attack. We analyzed hundreds of individual IoT devices to see how often they were probed for vulnerabilities, with the intention of being employed for IoT botnet attacks. We did more robust vulnerability research on IoT devices that have been found vulnerable in the past and concluded that while malicious probes are constant, manufacturers have taken action to update their firmware and address security holes. Read on to hear our latest findings.

    Security
    Compute

  • Anatomy of an IoT Botnet Attack

    Jose Nazario, PhD

    Understand how malware attacks happen to IoT devices and what companies can do to protect their devices from attacks.

    Security
    Compute

  • Secure comms & Fastly advisories reminder | Fastly

    Maarten Van Horenbeeck

    We publish our security advisories to address vulnerabilities discovered on our own platform, as well as significant security vulnerabilities that affect the wider internet community.

    Security

  • Resolved: Fastly “forward secrecy” vulnerability

    Fastly Security Research Team, The Fastly Security Technical Account Management Team

    On Monday, November 14, 2016, security researchers published a paper “Measuring the Security Harm of TLS Crypto Shortcuts.” Among other findings across the TLS implementation of several sites, the paper identified Fastly as not frequently rotating TLS session tickets, limiting the effectiveness of forward secrecy. While Fastly was not directly contacted by the researchers, Fastly had previously been made aware of the issue, and this vulnerability was addressed on Friday, November 11. No customer action is required to benefit from the fix.

    Security

  • Widespread Dyn DNS outage affecting Fastly customers

    Fastly Security Research Team, The Fastly Security Technical Account Management Team

    On October 21st, 2016, Dyn, a major managed DNS provider, experienced a Distributed Denial of Service attack, which led to outages affecting several major websites, including Fastly infrastructure (such as the Fastly Control Panel and API) and Fastly customers. Fastly worked with our additional managed DNS providers to ensure availability during the incident. This mitigated impact on Fastly customers.

    Security

  • GlobalSign TLS certificate revocation errors

    Fastly Security Research Team, The Fastly Security Technical Account Management Team

    On October 13, 2016 around 11:10am GMT, users visiting websites using GlobalSign TLS certificates, including some hosted by Fastly, started experiencing TLS certificate validation errors. This issue was caused by incorrect certificate revocation information published by our certificate vendor, GlobalSign. This security advisory describes the root cause of this issue, and describes the actions Fastly has taken to limit customer impact.

    Security

  • Lean Threat Intelligence, Part 4: Batch alerting

    Zack Allen

    In Part 3, we showcased a technology that allows you to route messages to and from topics via Kafka. Now that data is flowing, how can you start monitoring and reacting to security events? In this post, we’ll show you a batch alerting strategy that you can use with Graylog and Kafka.

    Security

  • Best practices for protecting your domain

    Maarten Van Horenbeeck

    We continuously work on making the edge more secure, and develop features you can leverage to protect your applications. However, in order for you to benefit from these investments, there are steps you should take at the crucial stage where traffic is handed off to the CDN. In this post, Director of Security Engineering Maarten Van Horenbeeck discusses how (and why) you can protect traffic on its way to the CDN.

    Security

  • Our security team’s vision for defending the modern web

    Jose Nazario, PhD

    Director of Security Research Jose Nazario describes our team’s vision for employing our CDN’s unique position to defend the modern web. Using the recent HTTPoxy vulnerability as an example, he outlines the benefits and challenges of this vision.

    Security

  • Sponsoring the Tor project with content delivery services

    Maarten Van Horenbeeck

    Fastly has historically supported many open source projects. We’re happy to announce that Fastly now provides sponsored Content Delivery for the Tor Project. TorBrowser updates are served over the Fastly network, taking load off of the Tor Project's backend servers and speeding up downloads for end users.

    Security
    Customers

  • Battling log absurdity with Kafka

    Zack Allen

    In “Lean Threat Intelligence Part 2: The foundation,” we explained how we built our log management system, Graylog, using Chef. Next, we’ll cover how we created a message pipeline that allows us to route messages to different endpoints for analysis or enrichment.

    Security

  • TLS 1.2-only delivery is now available

    Sean Leach

    Earlier this year we updated you on our revised deprecation plan for TLS 1.0 and 1.1. We’re happy to announce that you can now request migration to TLS 1.2-only hosts if you’ve purchased a paid TLS option.

    Security
Fastly
© Fastly 2025