How one woman protects almost the whole Internet (Q&A)
In Window Snyder’s new role, she’s a bit like a sheriff for the Internet.
Formerly an influential security and privacy evangelist at Apple, she last year took the chief security officer job at Fastly, which operates a content delivery network, or CDN—lots servers all over the world that ensure customers’ sites are always up and that visitors get content fast.
Fastly says that it sees attacks of multiple hundreds of gigabytes in size against its customers, which include financial and media services companies like Stripe, A&E, Yelp, WePay, Foursquare, Kickstarter, Pinterest, and Conde Nast.
Snyder got her start as a teenager with the Boston-area hacker community in the 1990s, and made her way into the corporate world as director of security architecture at @Stake. She was security lead on Windows XP Service Pack 2 for Microsoft, and guided security at Mozilla, maker of Firefox, before jumping to Apple.
As she tells it, in making sure that Fastly’s customers’ websites are always up, she’s stopping malicious hackers—and ensuring that the Web is safer to use. Here is an edited transcript of our conversation.
Q: Why would someone with your background go to a company that focuses on delivering Web content?
Snyder: I see Fastly as a security company. We’ve got this incredibly privileged position on the network between the security connection.
Pushing the content closer and closer to your users is the modern model, and that’s best deployed with a CDN. But developing that kind of expertise is inefficient in most organizations. What you want to do is find a partner to host your content and bring it closer to your users.
What kinds of behaviors on the network tip you off to a possible attack?
When a human pulls this content down [to his phone or computer], queries take a couple seconds to complete. But if someone automates pulling down this content, [it happens much faster], they could be scraping our content.
We have some hidden images. A human couldn’t see an image that’s hidden. They couldn’t click on it, so if it’s requested, it must be by an automated system.
We can take the knowledge from [an attempted connection] on one site and use it to protect all the other sites on the network. We can leverage the learning across all the websites hosted on Fastly.
What kinds of attacks can Fastly protect against?
Distributed Denial of Service attacks [flooding the targeted website with requests so nobody can access it], which are very common, all the way to attacks that have the resources of a nation-state.
We’re building web-application firewall technologies, protections that you deploy in front of the website before the site content is accessed, because [hackers] are looking for a vulnerability that’s difficult to patch or widespread in software that lots of folks are using. [The web-application firewall] protects customers before an attack can succeed.
A customer who’s dealing with attacks scraping content, blocking availability of that hot new product, we’re helping them by building solutions that are specific to their circumstances.
Most humans don’t have 100,000 instances open in a Web browser, so nobody can access the site. [Something that can detect that] is going to be easier to deploy on a network like a CDN than it will be to build on a data center.
We see vulnerabilities in PHP, and Rails and WordPress—tech that people deploy on websites—and in how we implement Web applications. If there’s a known vulnerability in WordPress, and one of our sites is running WordPress, we don’t need to know that the site is actually vulnerable in order to take advantage of that vulnerability and block it.
And yet, attacks still occur, and even sometimes get through, modern defenses. Why’s it so hard to protect the Internet?
One of the things that’s unfortunate about security is that even though we may know the right things to do, they’re difficult to execute. You can’t get a patch deployed until the next maintenance window, and until that time you’re vulnerable. But we do use what we see to anticipate what sorts of attacks we’ll face in the future.
We also benefit from some of the security platform choices we’ve made, using higher level languages like Python, Ruby, and Go, where we don’t see a lot of the security vulnerabilities. We abstract memory management away from the developer, which also makes it faster to develop and deploy.
What are you seeing in the coming defense trends?
We already host the same service for your phone app. There are lots of customers we host code for, and we can execute it on our servers.
Hosting content at the edge (as in a CDN) has been around since the 1990s. Hosting code at the edge is much more modern. The Web is a lot more complex now than it was in the 90s. It’s not just images or Web files anymore.