Fastly
Senior Application Security Engineer
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Fastly
Fastly, Inc. is a technology company founded in 2011 and based in San Francisco, California. It specializes in an edge cloud platform that enhances digital experiences by processing applications close to end-users. This platform includes a programmable edge cloud solution, a configurable cache layer, and serverless compute products, allowing developers to improve performance and security. Fastly offers a variety of services centered around edge computing and cloud security. These include an edge compute solution for low-latency applications, cloud security features like web application firewalls and DDoS protection, and a managed content delivery network (CDN) that caches content near users. The company also provides image optimization, video streaming, and live entertainment services, along with an AI Accelerator introduced in 2024. Fastly serves diverse industries such as digital publishing, online retail, streaming media, and financial services, with operations in multiple countries including the United States, Australia, and the United Kingdom. The company focuses on a usage-based business model that emphasizes a programmable, software-defined network for enhanced security and performance.
Security at Fastly
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Stated AppSec Mission: "overseeing security operations, architecture, and compliance to protect its global infrastructure."
Developer Enablement vs. Gatekeeping: "embedding security people into development teams — and developers into security teams"
Risk Philosophy: "Don't chase shadows: Focus on bolstering defenses against known and existing attack vectors"
Stated Pain Points or Goals (Verbatim): "AI solutions offer an opportunity to reduce so much of the manual toil within application security"
Gaps & Contradictions: Information not publicly available: explicit, company-wide written AppSec charter or one-line mission statement beyond leader bios and blog framing.
Security Team
Org Structure & Reporting Line: "overseeing security operations, architecture, and compliance". Public pages describe security functions (CSOC, Security Research, Security Solutions) but do not publish a clear org chart showing AppSec reporting lines. Information not publicly available where explicit reporting chain (e.g., AppSec -> CISO) is not stated in a single public source.
Key Public-Facing Leaders:
- Marshall Erwin, Chief Information Security Officer – https://www.fastly.com/blog/author/marshall-erwin. Key quote: "overseeing security operations, architecture, and compliance to protect its global infrastructure."
- Zane Lackey, Global Head of Security Product Strategy – referenced in Fastly blog conversation (https://www.fastly.com/blog/4-people-centered-tips-for-building-a-security-minded-culture).
- Sean Leach, Chief Product Architect – referenced in the same Fastly blog conversation (https://www.fastly.com/blog/4-people-centered-tips-for-building-a-security-minded-culture).
Team Size Estimate (as_of:): Information not publicly available. LinkedIn Search Query Used: "site:linkedin.com Fastly "application security" OR "AppSec"" — Result: Information not publicly available (company does not publish a definitive team-size figure).
Active AppSec Job Postings (as_of:): Count: At least 1 public Senior Application Security Engineer posting. Evidence: "Senior Application Security Engineer" – ZipRecruiter listing.
Common Skill/Tool Patterns: Emphasis on web application protection and WAF-related skills: "web application and API protection". Roles require collaboration with engineering teams and tooling to mitigate risk: "analyzing vulnerability findings".
Gaps & Contradictions: Information not publicly available: exact headcount, team substructure (centralized vs. fully embedded), and formal reporting line in a single, citable public document.
Key Initiatives
Security Champions Program: Status: Evidence Found. Supporting quote: "security champions program adds real value."
"Shift Left" in Practice: "embedding security people into development teams — and developers into security teams"
Vulnerability Management Process (Intake / Triage / Remediation):
- Intake evidence: Fastly operates security research and publishes CVE notices and WAF rules: "continuously publishes a range of valuable resources, including blogs, CVE notices, new Next-Gen WAF rules".
- Triage/Remediation evidence: Job postings require "analyzing vulnerability findings" and working with engineering to mitigate risk: "analyzing vulnerability findings".
- Note: Public pages describe Fastly's managed services (CSOC) SLAs for customer incidents, but there is no public, verbatim Fastly engineering SLA/MTTR for internal AppSec ticketing. Information not publicly available for internal AppSec MTTR SLAs.
Secure SDLC Artifacts: Evidence of embedding security and security reviews: "embedding security people into development teams"
Recent Initiatives (Last 6 Months — relative to): Fastly published AppSec and AI-focused survey and commentary (Nov–Jul 2025): "Fastly AppSec Survey: AI & Security in 2025" and related AI adoption commentary. Specific product rollouts or internal AppSec policy changes in the last 6 months are not published in public materials. If not present: "Information not publicly available."
Gaps & Contradictions: Information not publicly available: detailed internal vulnerability triage SLAs, documented secure SDLC gate definitions, and public playbooks for AppSec-to-engineering handoff.