Fastly balances security and business growth for Spread Group 

From personalized caps to plug-and-play merch stores for creators, Spread Group has customized fashion and lifestyle all sewn up. Founded in Leipzig, Germany, its reach is truly global. More than 1,000 skilled employees from 43 countries produce individualized apparel and accessories from four production sites in Europe and the US. 

To sustain this global scale and convert clicks online to clothes on customers’ backs, weaving delivery with security became increasingly crucial. With the Fastly CDN solution already working smoothly, Spread Group looked at the Fastly Next-Gen WAF as flexible security that could fit its ever-evolving platform like a glove. 

Creative delivery with Fastly CDN 

Spread Group runs three distinct brands: Spreadshirt, TeamShirts and Spreadshop. Its far-reaching mission to ‘print ideas’ connects customers and corporates who want customized clothing with independent creators selling on-demand merchandise. 

The secret sauce behind this unique offer is a powerful platform that integrates product design, marketing, sales, production, payments, shipping and customer service. 

With over 6.17 billion average monthly requests, finding a CDN to supercharge delivery took first place on this innovator’s wish-list early on. 

So in 2016, Fastly enabled Spread Group to implement a creative, tailored CDN solution which: 

• included a clever chatbot, allowing developers to roll out changes in 12 seconds

• leveraged live logging to provide real-time insights

• optimized A/B testing

• improved overall cache purging time

This feature set fitted perfectly with Spread Group’s CI/CD (Continuous Integration, Continuous Delivery and Continuous Monitoring) demands. Now it could improve quality and delivery while rapidly releasing features and updates. 

Hard-to-reach flexibility: a complex cybersecurity challenge 

So far, so good. But no tech-savvy brand sits back and relaxes. 

With dynamic delivery in hand, Spread Group recently turned to its next challenge: finding a robust WAF that’s flexible enough to work in harmony with a constantly evolving platform. 

At the time, it already had a good, internally developed security monitoring and observability infrastructure (largely consisting of open source software). When security monitoring flagged an attack, it was mitigated with the chatbot developed with the Fastly CDN. 

This worked for a while, but wasn’t viable long-term: 

• A flexible WAF that could run in blocking mode was needed to provide more time to modernize vulnerable legacy components. 

• Open-source tools were being used in non-blocking mode since blocking mode would have severely restricted the platform's functionality without a lot of configuration work. 

• An ideal solution would ideally provide great security measures while balancing out business needs and providing excellent observability to gain rich security insights. 

A WAF that provided a fail-open approach needed to be less restrictive and balance security with business needs. Other must-haves included fast reaction times to combat threats like automated tooling, Bots, DDoS, XSS and SQLi attacks. 

And there’s more: as well as reducing the amount of manual work needed to tune rules (because of a fast release cycle), the new WAF would also need different deployment types (to integrate with Spread Group’s traffic infrastructure). No easy task. 

But a positive CDN experience put Fastly’s Next-Gen WAF at the forefront of considerations for Spread Group. 

Fastly Next-Gen WAF: integrated, intuitive security 

Selecting Fastly as a WAF vendor was a collaborative effort for Spread Group. Senior platform security experts made the ultimate decision because they performed the product evaluation and tested the PoC, while colleagues from the operations team also provided feedback on setting it up in the infrastructure. 

But testing came first. Spread Group set up two testing sites for the evaluation: one in the QA environment to test blocking mode and other components, followed by one where it was initially running in non-blocking mode and later switched to blocking mode for the production environment.

The team ran Burp Suite and other attack tooling tests manually and automatically to check which rules were enforced by the WAF. Core business flows were also tested to work with activated blocking mode.

Early wins were impressive: 

• The Fastly Next-Gen WAF displayed a more discerning blocking approach than competitors. It only blocked malicious requests, not business-critical functions. 

• The high-performance WAF didn’t add a lot of overhead/latency to each request for the analysis.  

• The WAF fitted smoothly with their existing security ecosystem, with its API-first approach helping to inspect and filter header links. 

• The WAF's potential to work with Fastly Compute@Edge, a serverless compute solution, could be capitalized in the future.

Results: 7 key benefits 

 Spread Group were sold on seven key Fastly Next-Gen WAF benefits:

1. Analytics insights

2. Insight-providing signals

3. Intuitive UI

4. Threshold-based blocking approach (with good granularity for rules)

5. High performance (with very low decision time on top of incoming requests)

6. Fail-open approach

7. API-first approach

For instance, a Fastly solution architect helped on-board operations colleagues to ensure the solution was as inclusive and accessible as possible from the outset. 

The entire testing and implementation process took three months and Spread Group has enjoyed Fastly’s backing since. The CSOC (Customer Security Operations Center) rapidly resolves support tickets and experts are always available for a short call or a ping on Slack. 

Spread Group is no ordinary organization. Its operations span finely tuned tech and physical manufacturing, with a complex platform that’s an attractive attack surface for increasingly sophisticated threats. 

All said, Fastly’s proud to help this exciting fashion and lifestyle player protect its assets and maintain exceptional performance. 

Creative delivery + flexible security = business evolution. Maybe we should print that on a t-shirt.