Fastly’s security DNA: a look at our culture of safety, privacy, and trust
If you know Fastly, you know we’ve tackled some groundbreaking challenges — like caching dynamic content and safety in a high-performance serverless environment. And we’re developers first above all else, so we focus on giving developers unrivaled power, control, and visibility. But what you may not know about us is that we invest deeply in security.
The security products our customers rely on — like WAF, DDoS, and TLS — are the most visible aspects of our security story. But there are other areas that are just as, if not more, important. We believe developer and SecOps empowerment, community investment, building products that solve for innovative use cases, and a rich internal culture of trust and safety are all essential to earning the trusted role of security provider. And we’ve gone about it by building layers of safety and security into our platform, products, and experience — making it less visible in the process.
Today, we’re giving these less visible security practices a spotlight. Developers can only build fast and fearlessly if they can build securely — and they need more from us than security products to do it.
One secure network, with visibility and control for all
Before I joined Fastly, I spent a decade working for security companies. Something that troubled me about the industry is that security, by its very nature, was an add-on — a never-ending stream of things to buy to secure networks, endpoints, and cloud infrastructure against increasingly unpredictable threats. Fastly turned this idea on its head. We know security works best for developers when it isn’t an obstacle to shipping, so we made it a seamless part of the platform experience.
Our platform sits squarely between our customers' applications and their users' requests, which creates unrivaled opportunity for visibility and enforcement. We took full advantage of this privileged position to build in default mechanisms that give developers more control against threats. Full visibility and near real-time response capabilities — like logs that can stream to any SIEM, a single massively scalable network, and the ability to write custom rules and deploy them globally in seconds — are just part of our core delivery product. They’re also powerful security tools, integrated by innovation, not invoice.
Making trust and privacy everyone’s job
Two of the least visible tenets of our security strategy are also two of the most powerful: how we approach data privacy and who we choose as customers. They matter so much to us that they’ve become ingrained in our culture and ethics. These critical elements of how we operate help us take on less risk and, ultimately, achieve greater safety for our platform and our customers.
Data is at the heart of nearly every security conversation. But all too often in product development, data privacy is an afterthought considered by legal and security teams, rather than an integrated collaboration between engineering, product owners, and privacy experts that is baked into the roadmap from the beginning. We approach data differently. We’ve never been in the business of exploiting our customers' or their end users’ data, and our features were built to put our customers in control of their data. Real-time logging, for example, lets our customers capture the information they want, but on our end, we do not store those logs. Our data governance program is cross-functional, and we ask essential questions about data before development begins.
Another way we mitigate risk is by being good neighbors. We want good to thrive online, which means we don’t knowingly work with customers and partners that promote violence or hate. Choosing to do business with companies and individuals that are trustworthy and have integrity means that when you’re using Fastly, you’re in good company.
Shrinking the attack surface
One of the most exciting ways we’re making security more intrinsic to our platform is the unrivaled isolation model for Compute@Edge. While serverless providers solved a lot of operational headaches, they created a new tension between performance and security. And when they tried to address the performance issue by reusing environments, a new class of vulnerabilities was created. Compute@Edge takes a dramatically different approach. Rather than keeping long-running processes around, a fresh sandbox is spun up on every request to the platform, which automatically executes code for a limited period of time and rapidly destroys it. This significantly reduces the attack surface and makes it much harder for attackers to succeed.
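To make the difference between the two execution models concrete, here is a small constructed simulation, added to this post and not Fastly's or Compute@Edge's own code. The handler, the `scratch` buffer, and the request samples are all hypothetical: the handler deliberately stashes per-request data in module state, and the two runners show what a long-lived, reused environment carries forward between requests versus what a fresh, discarded-per-request environment does.

```python
"""Toy model of two serverless execution strategies (constructed illustration).

A handler keeps a module-level scratch buffer. The 'reused environment' runner
serves every request from the same interpreter state, so leftovers from one
request are visible to the next. The 'fresh sandbox' runner builds a new
environment per request, enforces a time budget, and discards the environment
afterwards, so nothing survives to be seen by a later request.
"""
import time
import types

# Source of a deliberately sloppy handler (hypothetical): it appends the
# caller's identity to module state and then echoes everything it has seen.
HANDLER_SOURCE = '''
scratch = []

def handle(request):
    scratch.append(request["user"])
    return {"seen_users": list(scratch)}
'''


def load_handler() -> types.ModuleType:
    """Build a brand-new module object and execute the handler source into it."""
    env = types.ModuleType("handler")
    exec(HANDLER_SOURCE, env.__dict__)
    return env


def run_reused(requests):
    """One long-lived environment serves every request in turn."""
    env = load_handler()
    return [env.handle(r)["seen_users"] for r in requests]


def run_fresh_sandbox(requests, time_budget_s=1.0):
    """A new environment per request, bounded in time and torn down afterwards."""
    results = []
    for r in requests:
        env = load_handler()            # fresh state for this request only
        started = time.perf_counter()
        result = env.handle(r)["seen_users"]
        if time.perf_counter() - started > time_budget_s:
            raise TimeoutError("handler exceeded its execution budget")
        results.append(result)
        del env                         # environment is discarded, not recycled
    return results


# Constructed sample traffic from two different callers.
SAMPLE_REQUESTS = [{"user": "alice"}, {"user": "bob"}]

if __name__ == "__main__":
    print("reused environment:", run_reused(SAMPLE_REQUESTS))
    print("fresh sandbox:     ", run_fresh_sandbox(SAMPLE_REQUESTS))
```

With the reused environment, the second caller's response includes the first caller's identity; with the per-request sandbox, each response contains only that request's own data. The isolation property here comes from the runner, not from the handler being written carefully, which is the point of making it a platform default rather than something every developer has to remember.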
Compute@Edge doesn’t just present a new place to run serverless functions. Its inherent security opens up entirely new possibilities for the types of applications that can be built securely at the edge. We’re already taking advantage of this safer foundation to build new solutions for network error logging, reading and writing the full HTTP stream, and more.
Building a more trustworthy internet
Perhaps one of the less expected drivers of security at Fastly is our company values. In order to build a platform that’s as safe as it is powerful, we also have to build a more trustworthy internet — which means thinking beyond Fastly and working on the ecosystem as a whole. This effort is fueled by curiosity, passion, and deep collaboration. Here are a few of the cool ways it plays out:
We evolve our platform in conjunction with the web's evolving protocols and we’re fortunate to have many of their key contributors working at Fastly. Our leaders collaborate with the industry to drive the increased security and innovation of core protocols like QUIC, HTTP/3, and TLS, making sure that we can bring these advances to the Fastly platform and take full advantage of the modern web.
WebAssembly programs offer stronger security guarantees than native code and can more effectively address side-channel and buffer overflow attacks. This has huge implications for the future of web application security, so we’re partnering with the Bytecode Alliance and investing in the Wasm ecosystem to drive new standards.
Building a trustworthy web means explicitly making space for organizations doing good. We are honored to support organizations like Abuse.ch, Let’s Encrypt, and Quad9 who are doing exceptional work to power safer online experiences.
What’s next for Fastly, the not-so-secret security company
As code continues to move out of data centers and apps become increasingly distributed, the edge will only become a more essential place to secure websites and applications. We hope that businesses reimagining their architectures and modernizing their applications will increasingly put their trust in Fastly not only because of our security products but because of the foundation of trust and safety on which they’re built.
We’ll continue to make security a built-in part of our platform, business, and culture. And we’ll stay focused on creating sophisticated security tools that developers can be proud to consider an extension of their own core products — there’s more to come on that soon. We hope that by sharing learnings and insight into our decision making along the way, we can make it a bit less invisible to you.