Cold Call Questions - App Sec Flashcards

1
Q

Are you interested in the IT/security team saving time with more streamlined WAF management, making the WAF rule updates even easier across many zones?

A

WAF

Good fit answers:
We would have to protect hundreds of separate applications.

OR

We would like ways to save time

What we say: Given you would like to free up teams from granular WAF management, our Advanced WAF package is well suited for your needs.

2
Q

Do your applications access PII, credit card data, or other sensitive data?

Where does risk of data exfiltration fall on your list of concerns?

A

WAF

Good fit answer from prospect:

We do have a lot of PII/sensitive data exposed in requests and responses.

Yeah, we worry about data exfiltration…

What we say: You mentioned data protection is critical - so the sensitive data detections in our WAF Advanced package will help with the data exfiltration concerns we discussed.

3
Q

Is the ability to prevent account takeover from the use of stolen credentials on all applications a priority?

A

WAF

Good fit answer from prospect:

We have login pages that are vulnerable to stuffing attacks

OR

Account takeover is a big concern for us, customer trust can be really affected.

What we say: We discussed being able to prevent credential stuffing on all applications which is why I recommend WAF Advanced that will allow you to mitigate credential stuffing risk.

4
Q

Guess the question based on this reasoning:

We discussed being able to prevent credential stuffing on all applications which is why I recommend WAF Advanced that will allow you to mitigate credential stuffing risk.

A

Is the ability to prevent account takeover from the use of stolen credentials on all applications a priority?

5
Q

Guess the question based on this reasoning:

You mentioned data protection is critical - so the sensitive data detections in our WAF Advanced package will help with the data exfiltration concerns we discussed.

A

Do your applications access PII, credit card data, or other sensitive data? Where does risk of data exfiltration fall on your list of concerns?

6
Q

Guess the question based on this reasoning:

Given you would like to free up teams from granular WAF management, our Advanced WAF package is well suited for your needs.

A

Are you interested in the IT/security team saving time with more streamlined WAF management, making the WAF rule updates even easier across many zones? This frees up teams for higher-value projects.

7
Q

How do you stop abusive, distributed bots that are behind scraping and stuffing attacks and not easily blocked by IP address?

A

ADVANCED RATE LIMITING

Good fit answer from prospect: We have regular rate limiting that uses IP addresses. It is not very effective against distributed attacks.

8
Q

How do you stop abuse in authenticated API sessions?

A

ADVANCED RATE LIMITING

Good fit answer from prospect:

We use normal rate limiting on APIs to block abuse by IP

We don’t have any abuse protections for APIs.

9
Q

Do you need to make sure APIs never stop business when they are overwhelmed by computationally expensive requests?

A

ADVANCED RATE LIMITING

Good fit answer from prospect:

We have never used rate limiting this way, just to throttle by IP.

We use the CDN and load balancing to ease server burdens.

10
Q

Have you tracked and blocked bot traffic to date? What percent of your traffic is automated?

A

BOT MANAGEMENT

Good fit answer:

No idea how much traffic comes from bots
I don’t think we block any bot traffic, we probably should

OR

We block bots with manual IP blocklists we update all the time

We say: About a third of the traffic we see is bots - slowing web servers and carrying out attacks against business. [If existing customer, share any Bot insights from Grafana.] Business is at risk without appropriate protections.

11
Q

Have you measured lost revenue from page/cart abandonments from slow loading?

A

BOT MANAGEMENT

Good fit answer: Probably, we don’t have the bot visibility to know.

We say: Your web analytics will show challenges that bots pose to revenues. We work with many organizations to put dedicated protections in place so this won’t be a concern.

12
Q

Have competitors tried to undercut your business with scraping bots? Have bots interrupted online revenues?

A

BOT MANAGEMENT

Good fit answer: We don’t know, we have tried stopping bots but I don’t think we know how it impacts business.

We say: Unfortunately, it is common for competitors to set up scraping bots or hoarding bots to harm business. This is a key use case we address for customers.

13
Q

How much time have you lost to manual mitigations? How much does that cost you?

A

BOT MANAGEMENT

Good fit answer: We do try to stop bots manually but it seems like a never-ending process.

We say: We know - many customers have gone through what you have. Bot Management stops bots while letting IT become even more efficient working on more important projects.

14
Q

How many CAPTCHAs do you serve web visitors to confirm they are human? How do your web visitors feel about them?

A

BOT MANAGEMENT

Good fit answer: We do use reCAPTCHA to confirm users and we dislike the experience like all our web visitors do.

We say: Did you know that our Bot Management customers don’t serve CAPTCHAs by default? We have built something better to replace CAPTCHAs, Managed Challenge, that confirms a person is real without annoying visual puzzles.

15
Q

Are APIs becoming a central part of your business model? How have you kept them productive in the face of abusive API traffic and attacks?

A

API SHIELD

Good fit answer from prospect:

We are constantly pushing new APIs into production but don’t have good visibility into that process, so we have to catch up with the dev teams.

OR

We have lots of APIs, but no visibility into how many are deployed at any given time.

We say: We understand - API visibility is a common challenge we assist organizations with all the time. We make it easy to see all APIs in production - then apply strong security and useful performance monitoring and management.

16
Q

What tools and vendors do you rely on to build and secure your APIs today?

A

API SHIELD

Good fit answer from prospect:

We don’t have anything - no dedicated API gateway or security…maybe just our WAF or rate limiting.
We built our own API backend…no true gateway product

OR

We use [Kong, Apigee, Mulesoft] today but don’t get enough value. [might consider consolidating on Cloudflare to save]

IF NO TOOLS, we say: Our API Gateway offers visibility, management, and protection for all APIs, known and unknown - all as part of your integrated application security posture. Discover your APIs and then protect them with schema validation and volumetric abuse prevention. API endpoints are clearly secured and managed, with monitoring metrics to understand how they are performing.

IF USING TOOLS - Cloudflare API Gateway lets you discover, manage, and protect all of your APIs, either old or new. We are adding new Gateway features often, like secure routing or token authentication, and our security tools are superior to those of Gateway vendors. You can consolidate API security and management with Cloudflare and stop attacks at our edge before they get to your origin.

17
Q

How many APIs do you have in production? If an auditor asked for it, how would you produce a complete and reliable list of your API endpoints?

A

API SHIELD

Good fit answer from prospect:

We don’t have a good process to track this…it changes all the time.

OR

Development teams let us know after the fact that new APIs are in place.

OR

I doubt we’d be able to produce a list for auditors.

We say: API visibility is something that many companies have struggled with so you are not alone. API discovery and management is where we begin to help most customers to gain a list of all APIs, known and unknown.

18
Q

Which teams are responsible for building and securing APIs at your organization? If there is shared responsibility, how do you organize tasks between teams so nothing gets missed?

A

API SHIELD

Good fit answer from prospect:

Security is in charge of securing APIs, but other teams build them [network engineering, enterprise architecture, devops, infrastructure]

I don’t think we have good processes to ensure teams building APIs communicate with security to ensure APIs are secured prior to publishing.

We say: Much like API visibility, limited communication between those building APIs and the team securing them is not unusual. Good tools for API discovery and security help take the pressure off, so at the least APIs in production are immediately discovered, even without good processes that make sure things are not missed.

19
Q

How many 3rd party scripts do you have in your web properties? How do you track them?

A

PAGE SHIELD

Good fit answer from prospect: I don’t know if we have a good process for tracking these…I know other teams are making changes all the time with new dependencies.

We say: Most organizations have trouble keeping pace with scripts as they are added, and don’t have a good sense for how many are present at any given time.

20
Q

How do you make sure plans for adding new website functionality are discussed ahead of time so security is accounted for?

A

PAGE SHIELD

Good fit answer from prospect: I wouldn’t say we have a good process communicating new scripts.

We say: Many customers we work with do not have a well-developed process to account for new scripts in advance. Good tooling ensures new scripts are closely detected and then monitored for security risks.

21
Q

Do you accept credit cards on your site? If so, what is your plan to comply with the new PCI controls (new control 6.3.4) for payment page scripts?

A

PAGE SHIELD

Good fit answer from prospect: Yes, we do accept credit cards, and I was actually not aware of this new control.

We say: Ecommerce vendors have begun to take this risk more and more seriously given they accept payments online.

The new PCI control is emerging so many are unaware, and Page Shield will let you comply and as importantly, address client-side security risks.

22
Q

How have you implemented Content Security Policies (CSPs)? How do you keep them updated so they don’t break newly added site functionality?

A

PAGE SHIELD

Good fit answer from prospect:

What is a CSP? I haven’t heard of that

We do use CSPs, they are difficult to manage every time there is a new dependency added

Yes, we have CSPs, but we create them broadly so they don’t break anything, which weakens security.

We say: We have [soon] automated blocking that takes the pressure off the team responsible for constantly updating CSPs. We provide suggested CSPs that take into account all required scripts, removing the burden of manually filtering through each script and updating.

23
Q

If a dependency gets compromised, would you know or be alerted to this?

A

Good fit answer from prospect:

I doubt it given we don’t really track them

No, our CSPs don’t alert like this.

We say: It is tough to know if a compromise occurs. We have built functionality into our Page Shield product to alert on script compromises, to stay ahead of attackers targeting dependencies.