Sean Leach, Fastly: “it’s crucial that businesses focus on cloud security”


As cloud security begins to preoccupy business owners’ thoughts, more solutions appear that help develop and secure your company’s digital presence.

Every program starts with code, and behind every piece of code is a team of specialists. But many professionals are not aware of the tools available to them for deploying code instantly at the edge.

To learn more about the ins and outs of a top-notch secure app or website, the Cybernews team sat down with Sean Leach, the Chief Product Architect of Fastly – a cloud computing services provider.

What has your journey been like since your start in 2011? How did the idea of Fastly come about?

Ten years ago, our founder and Chief Architect, Artur Bergman, saw a need for a radically modern solution that offered fast, secure, and reliable experiences at a massive scale.

At that time, the legacy CDNs were not addressing this need sufficiently and Artur realized it was because they weren’t equipped to enable the global, real-time experiences needed to deliver to community members. Added to that, there was a lack of flexibility, visibility, and scalability.

Artur knew we needed something radically more modern to provide the community with equally fast, secure, and reliable experiences at a massive scale—and so did many other companies whose missions are to provide everything from real-time airline bookings to online ticket sales to breaking news on the web.

So, Fastly was born. I joined the leadership team in 2014 to help build out our security engineering and product teams, and I have been proud of the focus we’ve maintained on our security solutions over the better portion of a decade. In 2020, we acquired Signal Sciences to further expand Fastly’s robust security portfolio at a time when security at the edge has never been more critical. Signal Sciences' strong, developer-first web application and API protection solutions will bolster Fastly's existing security offerings to bring customers a unified edge security solution. Today, we’ve successfully launched the edge deployment of our Next-Gen Web Application Firewall (WAF), the industry’s first and only unified WAF offering.

It is evident that open source is essential to Fastly. Would you like to share more about your vision?

Alongside our founding team, I’m a firm believer that investment in open source and cross-industry collaboration is crucial to improving the internet’s security and performance for everyone. Fastly has a heritage in open source (our core is Varnish, an open-source web accelerator designed for high-performance delivery of dynamic content, APIs, and logic at the edge), and we’ve supported many open source organizations since the launch of our Non-Profit and Open Source Program in 2014.

In 2019, we open-sourced our WebAssembly compiler and runtime, Lucet, which allowed our edge cloud network to execute tens of thousands of WebAssembly programs simultaneously. WebAssembly has the potential to unlock something we’ve never had before - a common platform that was designed for performance but with security guarantees.

To continue our contributions to the WebAssembly ecosystem we believe so strongly in, Fastly became a founding member of the Bytecode Alliance, where collaboration with others aims to create secure new software foundations using WebAssembly and WebAssembly System Interface. I’m particularly excited about the work happening here and hope others will follow along.

Can you tell us a little bit about your global edge cloud network? What features make it stand out in the market?

Fastly was built to put the power back into developers’ hands, and our edge cloud network – the world’s fastest – made that possible. Using the software, we designed a platform to power the developers’ ability to write and deploy code instantly at the edge. And that’s significant because edge computing reduces the amount of data traveling through the primary network, allowing for lower latency and faster overall speed.

Our platform was designed to be self-service, extremely accessible, and API-first, which immediately differentiated Fastly from the traditional approaches being offered by legacy CDNs. We’re able to bring the power of the cloud closer to the user, allowing for a highly dynamic, secure, and personalized digital experience in real-time, on a global scale.

We have consistently shown up to be disruptors in delivering ease of use and performance for some of the largest sites in the world, and we have proven to be nimble and very focused on our customers and their needs. And there’s proof in the pudding - we’ve been named the only vendor to receive Gartner’s Peer Insights Customers’ Choice for Web Application Firewalls (WAF) for four consecutive years, and we are a leader in the edge development space, according to Forrester.

Do you think the pandemic altered the way people approach cybersecurity?

In the last two years, we have seen – and been crucial partners for – businesses navigating accelerated digital transformation due to COVID-19, which sped up the demand for secure, performant online experiences. We’ve witnessed companies answering in a big way, innovating how and what they build to better meet their customer experiences. But the security offerings that protect these new digital experiences haven’t kept pace.

To answer this need for more consolidated security solutions that developers and operators want and love to use, Fastly acquired Signal Sciences in the Fall of 2020. This provided us with the opportunity to add web application and API security solutions to our portfolio - and existing security offerings - expanding our developer-first security portfolio in a meaningful way. We have put a stake in the ground as a company that cares about the complete delivery path - making it not just resilient and performant, but inherently secure as well. We recently announced a major milestone in the integration of Signal Sciences with our Next-Gen WAF edge deployment - the industry’s first and only unified Web Application Firewall.

Why do you think certain organizations might not be aware of the dangers lurking in their own networks?

For the longest time, I would tell people to focus on their third-party code - supply chain vulnerabilities. I found folks often overlooked them when securing their infrastructure, which can be a major risk as they become the back door into a network. This includes code that organizations develop (third-party libraries you might use so that you don’t have to code every piece of functionality) or third-party APIs, ad networks, and more – anything that is in the critical path of your software. Unfortunately, supply chain vulnerabilities were the big topic last year - from compromised third-party JavaScript libraries to entire products that run within your network - organizations are starting to see the attack surface these expose. But there are still a ton of companies that don’t properly secure any of those components.

In your opinion, what security details are often overlooked when developing a website or an app?

APIs. A lot of focus and technology has been built to protect web applications, but APIs are often overlooked. APIs have as much if not more access to critical internal systems and databases, but developers overlook that those need different security tools than web applications. And with the explosion of technologies like GraphQL, you can’t just secure your REST APIs. You need a holistic approach to securing all of those technologies.

Besides implementing cloud solutions, what other security measures are essential for organizations nowadays?

People are beginning to realize that the majority of web app and API security tools were designed for a very different time, an era before developers and security practitioners worked together to ship secure software using integrated workflows. Applications didn’t need to be globally distributed, and they weren’t API-based. Our CEO Joshua Bixby often says, “Attackers are developers, too,” and they aren’t slowed down by the limitations of legacy solutions. They’re nimble and fast, using modern tools and workflows to build and advance new threats. So today, it’s crucial that businesses focus on cloud security, but more specifically on web app and API security solutions as part of their tech stack. I see web apps and APIs as the future of how modern digital experiences are built and delivered to end-users, so creating the internal framework and processes to build with security in mind from the early design phases will be critical to keeping attackers out.

I am also very bullish on serverless solutions. There isn’t enough security talent on the market today. So the fewer things that enterprises need to worry about securing, the more they can get done with the scarce security resources they have. Serverless technologies on cloud providers (either central or edge clouds) allow developers and organizations to only worry about writing business logic, and the cloud providers handle securing everything down the stack: application servers, operating systems, networks, etc. It would go a long way to solving this security talent shortage.

Talking about individual users, what security tools should be a part of everyone’s daily lives?

I am going to cheat and give you two. If everyone used a password manager that generated unique passwords per site, combined with multi-factor authentication (NOT with an SMS code, but OTP or something more secure like that), so many attacks would be protected against. Account takeover, phishing, and all of the related attacks that work based on having someone's compromised password without a second factor of authentication would be so much less impactful. This is true for technical and non-technical users. I make sure all of my family members have those two set up.

What does the future hold for Fastly?

Compute@Edge, Fastly’s serverless compute environment, is an exciting look into the future of how developers build things on the web. For the past decade, our customers have tapped our platform’s foundation in VCL to build some incredible digital experiences. But knowing the speed and flexibility developers continued to need to innovate, we created Compute@Edge, our serverless offering that is 100x faster than other offerings on the market.

Combined with the unmatched speed at which our Compute@Edge environment operates, businesses can reduce the risk of accidental data leakage. A “burn-after-reading” approach to request memory means entire classes of vulnerabilities are eliminated, with protection from side-channel attacks and diminished resource contention.

We’ll also be growing our security business by 10x by 2025 because security challenges for developers continue to increase. They need an all-in-one solution that can protect apps and APIs with accuracy, so we are excited to continue to invest in our WAF, DDoS, and bot mitigation capabilities.

Beyond that, we always remain focused on investing and scaling our network efficiently. We operate, as of September 30, 2021, in 68 markets across the globe, and we will continue to strategically expand, upgrade, and augment it based on the needs of our customers. By focusing on building extremely powerful points of presence in strategic locations, we are able to scale and optimize a more modern network and help the largest enterprises deliver next-gen digital experiences around the world.