EP 31 — Cloudflare’s Sri Pulla on Building Collaboration and Synergies for Better Product Security

In this episode of the Future of Application Security, Harshil speaks with Sri Pulla, Director, Application Security at Cloudflare, a company that wants to “build a better internet” through its cloud platform of network services. They discuss how Cloudflare protects its products, uses risk scoring for prioritization and decision making, and why the engineering team must answer a security questionnaire before each deployment. They also discuss how to better collaborate across teams — engineering, privacy, compliance, and legal — and how Cloudflare is moving to a centralized team model to better scale their security.

Topics discussed:

• The evolution of Sri’s career, including her background as a software engineer, how she’s been at “the right place at the right time” to help big companies rebuild apps after data breaches, and how she joined Cloudflare as the Director of Application Security.
• Why Cloudflare is moving from a decentralized model where security engineers were embedded in product teams to a centralized model so security can scale better.
• How AppSec fits into the SDLC, and how before each product is shipped, the review process includes a security questionnaire about the changes being deployed.
• How Cloudflare defines a product, how they use risk scores to determine which products to prioritize, and how they’re integrating more data privacy.
• Why the future of AppSec will be found in collaboration, and how the security team and engineering team can support one another.
• How security teams need to be prepared for a future where the cloud is here to stay, and how to sustain a model where products are secure even after deployment. 
• What skills Sri looks for when hiring, which includes some kind of programming or products background that can help build empathy with software engineers.

Guest Quotes: 

“Eventually I think the bigger picture is to find more synergies on how we can incorporate things that privacy team is doing and compliance team is doing into our work, and even legal, too. I’ve been having some conversations with people in all of these departments to say what are some of the things that they are looking for, is it similar to what we are capturing already in our risk scores, and can we share that information and work together on it?” (19:44)

“That’s one of the main things I look for when I’m hiring for people is people who have some kind of programming or building products background. Then you have a little bit of more empathy towards a software engineer who’s building products. Somebody who’s purely security does not go and understand the nitty-gritties of how a product gets built and the difficulties or challenges there. So when an AppSec person has a programming background and has built products, they drive those conversations with a little more empathy because they understand where an engineer is coming from, a software engineer is coming from.” (4:26)

“So privacy comes to mind maybe because we’ve been doing a lot of work with them around data privacy and how we define data classification for things that we store behind the scenes for all the data that flows through our network. And the current initiative is more around, when we classify data is security and privacy on the same page? Like when you say something is PII, their definition and our definition should align, and how we ensure that information flows bi-directionally from them to us. (20:35)

“The team vision at Cloudflare is, how can we collaborate seamlessly with our engineering teams to ensure that any product that they want to launch, we can support it. So we’ve always had this role of, however insane an idea might sound, bring your code, we’ll run it on our edge as one of our products. And now we have another product, which is bring your binaries and we’ll run it on our edge. It sounds very insane to say that we do it, but then security is like, okay, we get it. Let’s solve this unique problem in the most secure way possible.” (22:27)

“I think cloud and public cloud is here to stay. Everybody is going to push more and more of their things into cloud or things into an environment where we are not the sole contributors of securing that end-to-end. We are handing it over and relying on a different company or team to do security. How can we continue in that model and make sure that it actually sustains is something that we are looking at in Cloudflare, too.” (23:49)