Talk Transcript: How Cloudflare Thinks About Security
John Graham-Cumming, CTO of Cloudflare, discussed the company's approach to internal security during a talk at Unbabel in Lisbon on September 25, 2019. Key points include:

1. Culture: A strong culture of reporting security problems is crucial for internal defense. Encouraging employees to report minor issues helps identify potential vulnerabilities early.
2. Hackers: Cloudflare uses HackerOne to receive external reports of security problems and has a private paid bug bounty program with around 150 hackers.
3. Identity: Effective identity management and authentication are critical for security. Cloudflare built its own solutions, reducing the number of passwords needed and increasing overall security.
4. Openness: Transparency about mistakes increases trust in a company's product and encourages people to report potential security problems.
5. Change: After experiencing issues like Cloudbleed, Cloudflare prioritized using memory-safe languages such as Go and Rust for software development.
6. Detection and Response: Collecting data about endpoint behavior helps detect anomalies and respond quickly to internal security incidents.
7. Edge Security: Ensuring the security of machines in 194 cities requires a combination of physical data center security and software measures, such as Keyless SSL for private key distribution.
8. Eating our own dogfood: Cloudflare uses its own products to secure itself and builds new security features based on internal feedback.
Company
Cloudflare
Date published
Oct. 8, 2019
Author(s)
John Graham-Cumming
Word count
3136
Hacker News points
None found.
Language
English