Securing C code that seems to work just fine

Presented at AppSec USA 2017, Sept. 21, 2017, 10:30 a.m. (45 minutes).

Fastly offers a content delivery network (CDN) that ubiquitous and high-profile web properties like GitHub, Pinterest, and The New York Times rely on for performance, reliability, and security of their web applications. Fastly edge nodes seamlessly execute customer app security controls, handle sensitive user session data, and act as a trusted man-in-the-middle for TLS traffic. Edge daemons in the Fastly CDN are largely implemented in C. C has many strengths - including flexibility and performance - but C programs are also susceptible to memory corruption bugs that can lead to catastrophic security issues. Like any successful startup, Fastly has taken many informed risks without things going terribly wrong, building an implicit optimism around legacy codebases and the organization's ability to continually innovate safely on them. Jonathan Foote, senior security architect at Fastly, will discuss the real-world successes and failures that led to an effective strategy for designing and deploying application security hardening measures that balances industry best practices, limited AppSec resources, and startup culture that is conditioned to think about what is going right versus what could go wrong. This talk will describe a minimum-viable approach for implementing application security controls, using deployment of self-service continuous fuzzing of critical internal C codebases including edge HTTP/2 services and Fastly's varnish-cache fork as a running example.

Presenters:

  • Jonathan Foote - Senior Security Architect - Fastly
    Jonathan Foote is a senior security architect at Fastly, a content delivery network (CDN) that many ubiquitous and high-profile organizations rely on for performance, reliability, and security of their web applications. Previously, Jonathan attacked a range application and network environments as a penetration tester, acted as primary investigator for security research projects at Carnegie Mellon University SEI/CERT, and engineered secure network communication systems for Fortune 100 companies. Jonathan holds a BS in Computer Science from Penn State and an MBA from Loyola University.

Links:

Similar Presentations: