Fastly talk 20:44

Fireside chat: Why Fastly and Signal Sciences are building a unified security platform for secure DevOps

Presented by
Cassandra Dixon

Sr. Manager, Edge Solutions Architect, Fastly

Zane Lackey

Co-Founder, Signal Sciences, Fastly

Andrew Peterson

Co-Founder, Signal Sciences, Fastly

The understatement of 2020: Things move a lot faster than they used to. As DevOps, continuous delivery and Agile become commonplace for development teams, silos are breaking down for software delivery. And, teams are increasingly embracing secure DevOps as a path to faster and more secure delivery. In a lively fireside chat with two of the co-founders of Signal Sciences, now part of Fastly, we’ll explore how InfoSec and DevOps teams are coming together to approach practices, culture, and tools in a modern software development environment.

Video Transcript

Cassandra Dixon:

Hi, everyone. I'm Cassandra Dixon. I also go by Cassie and I am a senior manager here at Fastly for our solutions engineering team. Many of you may know me if we worked on a Fastly integration or heard me talk about some of the interesting challenges we've had to tackle over the last couple of years. We have a foundation that's built on improved requirements, more control and better visibility. And that has helped us center around the needs that we do to bring secure applications and APIs to your integrating with your workflow, which is why I think this is going to be a very interesting discussion. As we have two people who have spent over a decade improving security for mission critical applications or organizations that have gone through digital transformation and to here today, I'm very excited to introduce Andrew Peterson and Zane Lackey.


Andrew Peterson:

Thanks, Cassie. I'm excited to be here and excited to be in the first event that we're joining for Fastly officially. My name's Andrew Peterson. I'm the now former CEO and co-founder of Signal Sciences and yeah, just really excited to share what we've got to share today.


Zane Lackey:

Hey, super excited to be here as well. I think it's going to be fun. So I'm Zane Lackey. I'm one of the co-founders and the former chief security officer for Signal Sciences. And yeah, I think it's going to be a really good discussion.


Cassandra Dixon:

So first question, tell us about Signal Sciences. And as former practitioners that started a company to solve a problem that you firsthand experienced, which resonates very well with Fastly's origin story, what was the problem you were trying to solve?


Zane Lackey:

We needed a better way of protecting our applications and our APIs, and that the things on the market that had existed out there, they really were built for a different generation. They were built for very legacy kind of waterfall-driven applications. And what we found as our teams were moving faster and faster is that we needed not only a better way of protecting them, but that way also needed to work regardless of the technology choices that they're making, be able to deploy anywhere they're deploying an app or an API. And at the same time, not only work for just one or two siloed security experts, but really empower the broader development and DevOps teams, because that's what makes the whole transition to digital transformation or cloud or DevOps, whatever you want to call it ... what makes that successful is all of the teams being able to be empowered and have the capabilities that they need to push things forward. And that's really what we live from a security perspective and why we built what became Signal Sciences.


Andrew Peterson:

This is one of the things that was particularly exciting for us when we started having these conversations with Fastly about what a combined entity can look like and do, because our backstories are so similar as it relates to what makes us unique. And one of the things that I always come back to ... there's a lot of technology pieces that make us unique. I hope Zane gets a chance to touch on those, but one of the things that's really core to how we approach all of this in the first place is that we were practitioners, right? We had to deal with how hard it is to do security on a day-to-day basis. And essentially, this is exactly our origin story as well, and Fastly's founding story as well, is that they were on the flip side of this, trying to deal with new types of technologies that weren't solving the problems that they really were facing as practitioners and coming at that.


Andrew Peterson:

And so when we talk to customers, we're always basically saying, "Hey, we were in your shoes before. These were the problems that kept us up at night that we couldn't possibly come up with solutions for. And this is why we got into what we did." So number one, we certainly have technical solutions for them, but when they talk to us, they can always ... I don't know. We hear ... how often do we hear this, Zane, is like, "We can hear your passion in how you even talk about this, and we don't hear that from other security vendors like we hear from you." So I'd say that's one of the things that yeah, we're super passionate about solving these problems, because that's why we started the company. We wanted to help all of our colleagues that were out in the industry suffering from the same problems that we had.


Cassandra Dixon:

So taking a look at the team, how has digital transformation, DevOps, and the shift to cloud changed the way enterprises kind of approach application security?


Zane Lackey:

The big change here is just the increase in velocity, right? That all of this, the rate of change has not only increased by orders of magnitude, but it's increasing exponentially. The rate at which we're shipping new services and new apps and new APIs, it's faster tomorrow than it is today. And today was faster than it was yesterday. And I think security, which I'll talk about in a second, I think is experiencing what delivery by its very nature had to experience much earlier, which was you looked at historical CDNs. And the time that it took to do any sort of purging on the cache side was 30 minutes, an hour, days, probably weeks with some of them.


Zane Lackey:

And this is what was so compelling about Fastly when it came to market, was the whole instant purge, the ability to really, at its core, support the pace of application delivery that enterprises actually want to do. And so I think security, funny enough, is learning those same lessons. It was just historically a few years behind. And this is what we see with all of our customers that are going through any stage of that digital transformation journey, is that they recognize the rate of change is increasing, and security solutions historically slowed things down. And so one of the things that we always hear from C-level executives that are customers of ours is that, "You enabled us to do what we wanted to do in a secure way at the pace we actually wanted to do."


Cassandra Dixon:

So in my experience, I've seen a lot with customers as they're working to cache more on the Fastly application, as well as do more with our platform. And I'm having to learn new applications or new things that they're bringing in such as Terraform or new cloud backends while I'm also trying to stay on top of our products that are coming out. And so with that, how have you seen ... what's your experience with developers kind of taking standardized app architecture and making it obsolete? What's your experience that you've seen in how it's posing maybe challenges to security?


Andrew Peterson:

I was giving this talk, and after the talk, I was talking to one of the folks that runs a pretty big division of a big manufacturing company, and they actually are doing a ton of software development in the manufacturing company. And so it was him, and he had one of his sort of more junior engineers with him. And I was talking about "Hey, you don't have a LAMP stack anymore," and the junior developer was like, "What's a LAMP stack?" And I was like, "This is perfect. It's such a great ... " and we were both like, "What? You don't know what a LAMP stack is?" And he's like, "No, I have no idea what that is," because that might exist still, you might still use Linux, you might still use Python, but ... I'm sorry, PHP, but perfect example, right?


Andrew Peterson:

You're using all sorts of different not only languages, right? The languages have totally exploded, but then you're using different architectures, like microservices, containers, APIs. And all those layers are creating things where the developers are just trying to keep up to all the new technologies that's coming on. But security people don't know anything about any of those things, right? So security is a whole one step behind the development teams who are ... and how this ends up manifesting itself for a security person is that they're saying, "Hey, not only am I trying to learn the technology that I'm supposed to go and help to secure, but if I've gotten ... I spend three months and I finally try to understand exactly what this application structure looks like and so I can really understand all the problems with it, and then three months later, they switched and they moved to something else."


Andrew Peterson:

So the stuff that I've heard for CSOs is that they're saying, "I actually have a really hard time sort of keeping up with the solution sets that are needed here. And they're changing so often that I'm only going to start to bind three month contracts or something with these firms." And the flip then for the conversations that we then have with them is that they're like, "Look, as those new technologies have come out, we've increased our support for each one of those architectures and each one of those technologies as they come out so that the security people don't ... A, they don't have to learn those architectures and understand what they do, and B, they don't have to go and search for a separate point solution to just give them protection over their API system or over the new container system that someone's using." And that to them makes it so that we're a real partner for them long-term to have a sort of security platform.


Zane Lackey:

There's one customer that immediately pops to my mind that I think just so perfectly exemplifies the change that we've all seen, which is they use us to protect their classic kind of marketing site and their e-commerce app and everything like that. But it turns out they're actually a vacuum cleaner company and they also use us to protect their entire IoT connected vacuums and all the APIs that power those. And I don't think you could get a bigger shift in technologies than a random marketing website and the IoT APIs that power a vacuum cleaner all under one roof here. And I think that's exactly ... it's not always that extreme, but I think this really exemplifies what any sort of technology or security executive is facing, that the rate of change is huge and it's more and more and more new technologies entering the enterprise every day.


Andrew Peterson:

I'm just seeing AI dirt devils or something that come after you.


Cassandra Dixon:

I know. I can see that too. I mean, I think that's the point, is before it's just static content. Now there's ... people are coming, asking to cache or protect things I'm like, "What? You want to cache that?" And I'm like, "Okay." And we have to think about it. And then there's an interesting solution around it and then all of a sudden you have a workshop or you have a documentation or a story about all these new ways that you can serve something, save, protect something. It's just ... customers are creative.


Andrew Peterson:

That's the exciting part of digital transformation, is that you're able to do so many new things for your customers. You can connect with your customers in new ways. And so this is exactly why, to Zane's point from I think the last question that we were talking about, which is like speed, it's just pushing everything way faster because we're unlocking these new experiences that you're able to ... yeah, that the vacuum cleaner company is able to actually have, but then the flip side of that is that, "Oh yeah, we're all excited about that, so we just raced forward to create the functionality," but security continues to be and has been both either an afterthought or it actually slows down that progress. And so this is why security's role is just really changing here, is that you can't slow it down. That's business critical stuff that's going out. You're getting in the way of really being able to innovate and help your customer set. And security is always going to be behind if they're not taking a forward approach to this stuff.


Cassandra Dixon:

So everyone has their own style and flavor of two approaches. So for you, for your team, what makes your product different than what's existing in the market today?


Zane Lackey:

I think kind of from a technical and business value perspective, there have been four particular pieces over time that we have always heard back from customers as just tremendous bits of value that they have seen from us that has really helped them solve core problems. And number one was really our architecture and our ability to deploy ... and this really speaks to something Andrew said a minute ago, which is that if you're an enterprise, you are somewhere on that digital transformation journey. I think there's a lot attention to folks that are very much at the leading edge of it, but the reality is, for most of us, you're somewhere on that journey. You might be at the very beginning of it. You might be somewhere in the middle. And so you've got not only cloud services and edge services, but you've got legacy things that are in the data center that aren't going to leave anytime soon and everything in between.


Zane Lackey:

And so a big thing that was really important for us as practitioners and that we hear back from customers is they needed a way to deploy security technology across all of that, and really have an architecture that was flexible enough to deploy, not just for the brand new stuff, but also for the legacy things and tie all of that together through one console, one management plane, one way of enforcing policies. That was the first bit, and that was really critical. And I think that bit is only going to get even more exciting, and probably at future Altitudes, we're going to talk even more about that with the combination with Fastly.


Zane Lackey:

Number two is really much broader coverage from a security perspective, that historically when you were defending an app and an API, it was against very specific technical injection style attacks, things like SQL injection and cross-site scripting, if those terms sound familiar, but what really keeps us up at night as practitioners, and I'll tell you from being a CSO, it's really the much broader set of attacks. It's the account takeover and credential stuffing. It's the bots. It's API security and advanced rate-limiting capabilities. And so the fact that our customer is able to use Signal Sciences to cover all of those different pieces in addition to [inaudible 00:14:00] functionality is huge. They'll use one technology to protect their apps and APIs from really any different attack type.


Zane Lackey:

Number three is really not having to pay a tremendous maintenance cost in terms of tuning and learning and things like that. I'd say for every enterprise technology leader, whether you're a CIO, a CTO, a CSO, a software engineer, any level, if you've dealt with security technology in the past, especially around web app firewalls, they were always a tremendous pain point. They always slowed you down. You always had to deal with a lot of false positives and a lot of tuning. And I think why we've seen so much adoption on this particular area is that our customers are able to drop us in user technology without that sort of headache, without that sort of constant tuning, constant adjusting things. The stat that we're always able to share that we're tremendously proud of and is actually true, funny enough, is that 95% of our customers are in full blocking mode for their production applications. And that's unheard of in this space.


Zane Lackey:

And then number four, and I think this is really the final piece, and I think this is really what stitches everything together, which is that historically, security technology was only used by siloed security experts. And so the fourth piece of what we see is that we really built our whole technology and our whole platform API first so they can integrate with any other technologies that customers are using, whether that's Splunk or Slack or Jira or PagerDuty or Teams or any of these different pieces or their own custom tooling that they just write against our API. And this is something that we loved so much about the Fastly story as well, is that really API first mentality, that developer first mentality. And that's what we brought from the security side. And this is why I think this combination is so exciting, is that you bring that mentality together from both the delivery side and edge side and a security side.


Cassandra Dixon:

So you spent a lot of time working with developers who are in control of the environments and technologies that they use, and really giving them the power to kind of do more with that. How would you give advice to them, or what should they be doing to work with the security and partner with the security team so that they can kind of build on that relationship and that bond even more?


Zane Lackey:

I think in a lot of ways it's kind of applying the lessons that you as development teams already learned on this whole journey into DevOps and journey into cloud, which is ... one of the key tenets is around kind of observability for performance reasons and reliability reasons and all that. Thinking about how do you get security observability for your services as well so that you can really start to own some of the core security capabilities for that as well. And that means it can really become a two-sided conversation with the security teams, that as you get that sort of observability, now you can have a much more equal footed conversation with the security team, rather than the security team potentially bringing you attack information or something like that, or the reverse, the application team going to the security team and asking, "Is this an attack?"


Andrew Peterson:

I start out with if you really care about trying to work better with your security team, God bless you. That's music to any security team's ears. Because these are teams that I think historically have had a hard time working together, for very good reasons. But I think this is where again, these sort of movements to having the capabilities that Zane's talking about around observability, it's a new thing, right? It's kind of the first time that we're starting to get the ability to have these things.


Andrew Peterson:

And so yeah, some of those relationships change, but to your point, Zane, some of the specific examples that I've heard is that, look, in the past, when some errors happen in our application ... this is from the sort of the developer's perspective, right? They're like, "Hey we saw ... " let's say a spike in 500 errors or something happened. They're sitting here being like, "I don't know if this is a security incident or not. This might be somebody trying to hack into our systems right now. And I could file a ticket and have the security team look into it, but legit, I might not hear back for a week."


Andrew Peterson:

And so you're kind of stuck in a rock and a hard place because you're like, "Well, I either actually do the responsible thing and figure out if this is a security incident or not," or you have to wait a week to continue your development, one way or the other. And this is where I think for the developer, if they're really like, "Hey, we want to get the same visibility you're getting so that in real time ... or the same observability that you're getting so that in real time we can see also if there's an attack that's happening at the same time as we see other errors or other anomalies or other weird things happening with our system." Then they can be ... I mean, you can really extend that front line of defense of people that are just looking out for bad things happening to your entire development team.


Andrew Peterson:

And by the way, to the developers, it makes their job better because they can triage those problems very quickly. They can say, "Hey, I'm not seeing a corresponding set of security activity or sort of attack activity going on on our applications right now. Okay. I can check that box off of, 'That's not the problem,' and I can move on." And then if it is the problem and they don't know how to solve that problem, they can say, "Hey security team, can you please get involved and help me actually figure out what the problem is here?"


Andrew Peterson:

And you solve it in the moment, because guess what? The hacker's not going to wait around for your security team to show up when they actually answer the ticket if it's going to take seven weeks. That stuff's happening right now. So you need ... these are just ... it's fun because those are the capabilities that allow a defender who's normally in the position of really having to sort of abide by the policies and the politics of how long it takes to get access to some of these systems, you can actually be on the same level as them. We're saying, "We see the attacks going on right now, and now we can go in and solve those things right now as well."


Cassandra Dixon:

So then I guess wrapping this up, I'm excited to kind of introduce you guys to the customers that I've worked with. I know we have a lot who are very excited to now add security on top of delivery and whatever else is going to come out of both product teams now merged together. Thank you for letting me learn more about both of you and hopefully everyone else got to see kind of the excitement and the passion that we're going to bring.


Andrew Peterson:

Thanks, Cassie. This is super fun. I'm looking forward to future Altitudes.


Zane Lackey:

Absolutely. Thanks for having us. This is exciting. The best is yet to come.