Vercel Scales Cloud Security to New Heights with Orca Security

Developers Flock to Vercel for Speedy Frontend Development

Developers from companies like IBM, Netflix, Splunk, and many more use the Vercel cloud platform to create web front ends with a specialized focus on end user performance. Vercel is an all-in-one development platform that provides the best experience for developers of all skill levels. 

Vercel speeds up the process of creating, testing, and deploying web pages by compiling all of the necessary code into a single file. In turn, this makes tracking changes, debugging errors, and ensuring consistent style across pages easier.

The Vercel platform embraces its cloud-native roots, putting innovative developer tooling and intuitive edge capabilities at the forefront of its offering. In its effort to give every developer the tools needed to build robust sites with ease, Vercel consistently expands what’s possible with cloud computing. The platform is predominantly hosted on AWS, which it uses in novel ways. This gives Vercel a voice with Amazon in shipping features for Lambda, a core compute service heavily used by Vercel.

By pushing the boundaries of what can be done in this cloud environment, Vercel continuously improves what it offers the development community. The company’s founder and CEO, Guillermo Rauch, created the web development framework Next.js, and the Vercel team still maintains Next.js today with contributions from the open source community. In terms of security for the platform, the engineers embrace a shift-left process to help ensure that Vercel maintains a positive security posture.

Orca Proves to Be the Right Tool for Cloud Security

Aaron Brown stepped into the role of Head of Cloud Security just under a year ago. He manages cloud, application, and product security, as well as customer touch points when questions of security arise. His team relies on a robust toolset to reach and maintain a strong security posture.

“I was primarily interested in bringing in a tool to give us superior visibility,” says Brown. “I was getting asked, ‘What do we have? Where is it? What is it? What state is it in? What is the risk we can assume from these resources being exposed?’ I knew we needed to bring on tooling that could help us better answer those questions, with the turnaround and rigor my internal teams required.”

Brown was familiar with the Orca Cloud Security Platform from using it at a prior company, but still wanted to ensure it was the right tool for Vercel. “After speaking with multiple vendors, going through their demos, getting some of the leadership from the engineering team involved, we concluded that Orca truly is the best cloud security solution for Vercel. It makes the most sense from a very large coverage area due to its extensible and open API, agentless scanning capabilities, and passionate product and executive team that listens to customers and provides value.”

The onboarding experience was quick and simple. “We’re very conscious about not making any changes in our environment to accommodate security tools,” says Brown. “With no agent involved, Orca is very easy to connect and even easier to scale. It takes away the need for an enormous DevSecOps function to manage the deployment for you. I needed cloud security tooling that could get me visibility fast. Orca answers all my visibility needs within minutes – across multiple clouds.”

Using Orca all comes down to the high level of visibility of the Vercel cloud estate. “Being able to get an entire view of the domains we have out there, the pods we have exposed, and all the APIs that our users are able to touch, is a great way to get a solid inventory,” says Brown. 

“Orca is a very customer-driven product. The platform provides a tremendous amount of value both with current capabilities as well as the capabilities coming on the roadmap.”
Aaron Brown, Head of Cloud Security

Brown says they start at the outermost layer – what the world can see – and Orca gives a clear view there. “Then we just continue to chip away at that,” he says. “As we move from external to internal facing, we get insight into who in our organization is overprovisioned with permissions, like what permission sets no longer make sense, or who or what still has access but no longer needs it. Orca gives us all of that with just one tool.”

The need to scrutinize permissions extends to connections across different accounts as well as across different clouds. “We have to manage those relationships, and Orca gives us a perspective on key management there,” says Brown. “We are also challenged by account sprawl. We have thousands of accounts across numerous organizations, making it generally hard to manage unless we have a tool that is able to function at scale, and Orca does this.”

One of the primary tech stacks Vercel is looking to support is serverless compute. “That’s the vast majority of what we have running,” explains Brown. “It reduces risk because persistence is going to be incredibly hard for an attacker to try to take advantage of in this case.” 

Orca Features and Functionality Are Customer-Driven

According to Brown, one of the most important aspects of the Orca relationship is that the vendor really listens to its customers. “When I was first introduced to Orca three years ago, my company at that time was customer number seven for Orca,” he says. “We could go straight to the co-founders and the executive leadership with our requests for the product, and we were taken seriously. We felt we helped drive the product roadmap, and it’s still that way today. Back then, we were instrumental in asking for the shift left capabilities that are a reality today. Orca has a very customer-driven approach.”

Several product features are important to Vercel’s way of working. “The integrations Orca provides are always going to be important to us, especially when we have the new query builder that Orca has, which I like quite a lot,” says Brown. “Trying to write the domain-specific language before Sonar was pretty hard, but now we can take the query builder and apply that directly to an automation and get a workflow set up to pipe findings to an S3 bucket, which is one of the features that I had asked Orca for, or to another storage solution or analytics platform.”

Brown explains that this level of integration enables him to run a query and push alerts into Slack or a SIEM, or for that matter, to Opsgenie or PagerDuty. “Having these integrations push what I care about directly to me is where I find value in Orca’s integrations,” says Brown.

He uses the compliance dashboard for a foundational technical review as well as for reviewing Vercel’s SOC 2 posture. What’s more, he applies benchmarking in a nearly bespoke way, with custom compliance rules built from the CIS Benchmarks for AWS and Azure. “We score high on Orca’s best practices, which tells us we’re doing OK,” Brown says. “And when customers ask what we use to benchmark our environment, I’m able to directly point to those we have a bespoke wrapper around.”

“I had an engineer tell me that Orca ‘gamified’ his approach to cloud security by showing a single overall risk score, and if that number starts dropping he knows he needs to get it back up because a higher number is better. That’s a great way to encourage ownership in our security program.”
Aaron Brown, Head of Cloud Security

Brown says a primary value proposition of the Orca Platform is its usefulness whenever a trending vulnerability comes up, such as the Log4j and OpenSSL issues. “Our ability to look across our environment and have a single pane of glass to tell us whether we are impacted or not is invaluable. Orca gives us the query, we click on the tile, and we are put into the discovery view to show if any assets are impacted by that vulnerability. Not only can we verify internally that we are secure and are not going to be impacted, but I can also send a response to our customers to say with confidence that we aren’t impacted.”

With a cloud estate as large and complex as Vercel’s, having confidence in the security posture is priceless.