AppSec USA 2017 has ended
Thursday, September 21 • 10:30am - 11:15am
Securing C code that seems to work just fine


Fastly offers a content delivery network (CDN) that ubiquitous and high-profile web properties like GitHub, Pinterest, and The New York Times rely on for performance, reliability, and security of their web applications. Fastly edge nodes seamlessly execute customer app security controls, handle sensitive user session data, and act as a trusted man-in-the-middle for TLS traffic. Edge daemons in the Fastly CDN are largely implemented in C. C has many strengths — including flexibility and performance — but C programs are also susceptible to memory corruption bugs that can lead to catastrophic security issues.

Like any successful startup, Fastly has taken many informed risks without things going terribly wrong, building an implicit optimism around legacy codebases and the organization's ability to continually innovate safely on them. Jonathan Foote, senior security architect at Fastly, will discuss the real-world successes and failures that led to an effective strategy for designing and deploying application security hardening measures, one that balances industry best practices, limited AppSec resources, and a startup culture conditioned to think about what is going right rather than what could go wrong. This talk will describe a minimum-viable approach for implementing application security controls, using the deployment of self-service continuous fuzzing of critical internal C codebases, including edge HTTP/2 services and Fastly’s varnish-cache fork, as a running example.

Jonathan Foote

Senior Security Architect, Fastly
Jonathan Foote is a senior security architect at Fastly, a content delivery network (CDN) that many ubiquitous and high-profile organizations rely on for performance, reliability, and security of their web applications. Previously, Jonathan attacked a range of application and network...

Thursday September 21, 2017 10:30am - 11:15am EDT
Coronado K