Opinions & Insights
Building a world-class cybersecurity program at Netlify
Building a modern, enterprise-level cybersecurity program at a startup is a challenging job, but startup culture provides a freedom that larger organizations find difficult to match. Startups can move quickly in new directions and have fewer legacy processes and systems standing in the way of establishing a secure-by-design architecture and culture.
Our goal at Netlify is to embrace cutting-edge cybersecurity best practices before they become industry norms. We take a threat- and risk-based approach to prioritizing how we use our resources, and decidedly do not implement security practices simply because “everyone else is doing it”.
Let’s face it: if Netlify followed the approach the industry has taught us for the last two decades, we would spend far more resources than is responsible defending against threats. The recent past has also shown that spending exorbitant resources does not necessarily have a material impact on preventing data breaches; the number of companies reporting breaches continues to increase each year.
At Netlify, we take a pragmatic approach to how and why we apply resources, and we do so in a manner suited to modern adversaries and threats. Our speed, our agility, and our core value of “caring deeply” are what set us apart from other enterprise-grade hosting and infrastructure providers.
Ingredients for building an effective security program
Applying a threat-informed risk analysis
Most folks in cybersecurity are familiar with traditional risk analyses, and those still offer considerable value. In addition to the traditional approach, at Netlify we conduct a separate, more technical risk analysis through the eyes of an adversary, geared specifically at identifying the weaknesses an attacker might use in a breach. It can be thought of as a penetration test of the organization’s current processes rather than of its systems.
When conducting these kinds of initiatives, our team is constantly asking things like: How might an adversary look to breach our company? What customer data might an adversary be after? What types of threats are other cloud-native SaaS companies facing?
By answering these questions, identifying weaknesses, and rating the resulting risks using the Penetration Testing Execution Standard (PTES) methodology, we can prioritize where to focus resources and build a cohesive roadmap for our security program.
A strong offense is a better defense
At Netlify, we believe in the effectiveness of a strong offensive security program. In addition to conducting our own internal penetration testing of our infrastructure and applications, we welcome security researchers from around the world to participate in our HackerOne bug bounty program. When selecting third-party penetration testing vendors, we use top-tier firms with strong reputations in the offensive security space. Our most recent penetration test was conducted by Red Siege, a top name in penetration testing and red teaming.
Automate all the things
Where possible, we automate security processes and avoid spending staff hours on repeated manual tasks. To this end, we are moving to a continuous vulnerability patching system in which our virtualized cloud servers and microservices are patched automatically and are hardened by default. We also monitor patching status continuously to confirm coverage.
It is not possible in cybersecurity to achieve 100% prevention. While penetration testing, access control, and vulnerability management are essential, it is just as important to detect adversarial behavior once a control has been bypassed. Our team is integrating tooling within our infrastructure and organization to detect anomalous behavior associated with the Tactics, Techniques, and Procedures (TTPs) used by threat actors.
Practicing Incident Response and Disaster Recovery with tabletops and simulation
Security is challenging, and practice helps! At Netlify, we conduct regular Incident Response Plan (IRP) tabletop scenarios designed to train our staff to respond effectively to a modern breach. In addition, we conduct regular Disaster Recovery (DR) simulations to confirm that we can restore critical data and infrastructure after an availability event.
Compliance isn’t security, but is essential!
Netlify aims not only to meet, but to exceed, the security requirements set by industry compliance standards. Our goal is to achieve and maintain standards that demonstrate to our customers that we handle their data carefully. Currently, Netlify holds AICPA SOC 2 Type 2, ISO 27001, and PCI DSS compliance certifications. Netlify also adheres to both GDPR and CCPA regulations.
Empowering organizational security
There is only so much coverage a security team can provide to an organization on its own. At Netlify, we are lucky to work with talented, security-minded engineers throughout the organization! Often, customer-facing security enhancements come from outside the security engineering team. Our engineers as a whole are empowered to implement security features and to question the implications and risks of what they build. Some of these customer-facing features include our new Secrets Controller feature set, Content Security Policy integration, and Firewall Traffic Rules, all of which were highlighted in blog posts this week. By working together as one team, we can deliver secure solutions that meet the stringent data security requirements of our customers.
Every day, our team aims to deliver a world-class security program at Netlify. By focusing on the modern threats and risks that affect SaaS companies, and on emerging best practices, we optimize where and how we apply resources so that we keep our customers’ data safe and secure.
Interested in speaking with a member of our team to learn whether Netlify is a good fit for your business? Request a risk-free consultation.
Did you know that we announced three new security features this week? Check out the blogs from earlier this week:
- Netlify Secrets Controller: Proactive security for secret keys
- Netlify Firewall Traffic Rules: IP and Geo Restrictions for WAF Security
- Netlify Dynamic Content Security Policy Integration: Simplified protection against common web exploits
Learn more about our enterprise cybersecurity program.