Back to blog

Follow and Subscribe

Join Fastly Security Labs: Try New WAF Features | Fastly

Daniel Corbett

Staff Product Manager , Fastly

Offensive and defensive security capabilities are evolving every day. At Fastly, we’re continuously working to improve our next-gen WAF and empower our customers to strengthen their security posture. We believe it’s important to bring our many security innovations to our customers faster, and to incorporate their feedback into our development process as early as possible. Today, we’re happy to announce the launch of Fastly Security Labs, a new program that empowers customers to continuously innovate by being the first to test new detection and security features — ultimately shaping the future of security.

How it works

Fastly Security Labs provides you an open line of communication directly to the Security Product team and bolsters our feedback loops for the Fastly Next-Gen WAF (powered by Signal Sciences), helping us create stronger products. We’ll use the program to test a wide range of features from new Signals and Templated Rules to new inspection protocols. 

Historically, we’ve been no stranger to including customers in our development process. Several of you reading this may have participated in one of our recent betas around the Fastly Next-Gen WAF Edge Deployment, Custom Response Codes, and GraphQL Inspection. Fastly Security Labs brings more structure to the release of our beta features and also provides you with new toggles within your management console that allow you to opt in or out of individual features.

Customers who are opted in to the program and visit their “Corp Settings” page will find a new section at the bottom with a toggle to enable or disable Labs features:

With the launch of the program, we’re also introducing two new features for those participating in the Fastly Security Labs program to test:

  • A Changelog for our Signals and Templated Rules

  • A new attack signal (Log4J JNDI)

Changelog


While we’ve had release notes for quite some time for our agents and modules, we didn’t have one available for our Signals and Templated Rules. This is an important feature to expose so you can easily review the new features we’ve added. 

Log4J JNDI


The Log4J JNDI RCE vulnerability, commonly referred to as Log4Shell, was discovered in December 2021. In response, we immediately deployed a virtual patch to protect our customers and actively tracked exploitation attempts and variant payloads. Meanwhile, our engineers were hard at work leveraging the SmartParse capabilities within the Fastly Next-Gen WAF: we developed a new attack signal for detecting the Log4Shell vulnerability with a lower false-positive rate. This new attack signal also simplifies deployment as it won’t need to be enabled on a site-by-site basis.

Want to join?

We’re very excited about the launch of Fastly Security Labs as it provides a structured process for allowing you to get your hands on cutting-edge detection and security technologies while simultaneously improving your security posture. If you’re interested in participating in Fastly Security Labs, reach out to your account manager or sales@fastly.com to learn more.