Transcript

  • 1. From Gates to Guardrails: Alternate Approaches to Product Security. LASCON 2013. Jason Chan, chan@netflix.com
  • 2. About Me
    •  Engineering Director @ Netflix:
      –  Security: Product, App, Ops, IR, etc.
    •  Previously:
      –  Led security team @ VMware
      –  Consultant: @stake, iSEC Partners
  • 3. About Netflix
  • 4. AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
  • 5. SAFELY HANDLING SPEED & SCALE
  • 6. Netflix Environment
    •  ~200 production pushes/day
    •  40m+ subscribers
    •  Support for 1000+ devices
    •  Service in 40+ countries
    •  Concurrent delivery from 3 AWS regions
    •  ~1/3 of US download bandwidth at peak
  • 7. CULTURE
  • 8. [slide lists team areas] Recruiting; Infrastructure/Systems/Cloud; AppSec; Development; Monitoring & Response; Online Operations
  • 9. [screenshot callouts] Waiting, working, and complete; Easy planning and reporting; Per-user filters
  • 10. VISIBILITY
  • 11. [screenshot callouts] Dashboards for security data; Sub-dashboards; Services and dashboards for regional security; Relevant events for key services; Drill-down and lookback
  • 12. [alert e-mail callouts] Meaningful subject; Alert configuration; What to do?; Useful links for more data; Embedded graph
  • 13. Access to changes by app, region, environment, etc. Lookback in time as needed.
  • 14. Chat integration lets engineers easily access info
  • 15. [screenshot callouts] App name; Jenkins (CI) job; Currently running clusters by region/environment
  • 16. [screenshot callouts] Cluster ID; Deployment details; AMI version; SCM commit
  • 17. [screenshot callouts] Link to relevant JIRA(s); Modified files; Source diffs
  • 18. AUTOMATION
  • 19. 1000+ tests to compare proposed vs. existing
  • 20. AWS components
  • 21. [screenshot callouts] Configuration history; Details (rules)
  • 22. Immutable Server Pattern
    •  “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.”
      –  http://martinfowler.com/bliki/ImmutableServer.html
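The pattern on this slide gives security a concrete invariant to check: a running instance should still be exactly what its baked image contained, and any deviation is handled by replacing the instance, not by patching it. The script below is an added example for this transcript, not Netflix's code. It records a file manifest (path to SHA-256) for a baked image, compares each running instance against it, and produces a keep/replace plan; the image id, file contents and the three instance snapshots are constructed sample data.

```python
"""Drift check for the Immutable Server pattern: a running instance should be
byte-for-byte what its baked image contained; anything else is replaced, not
patched. Added example for this transcript, not Netflix's own code. The image
id, file contents and instance snapshots below are constructed sample data."""
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def manifest(files: dict) -> dict:
    """path -> sha256 of content, the form a bake step would record for an image."""
    return {path: digest(content) for path, content in files.items()}


# Constructed: what the bake produced for the (made-up) image id below.
BAKED_FILES = {
    "/etc/nginx/nginx.conf": b"worker_processes auto;\n",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    "/opt/app/app.jar": b"\x50\x4b\x03\x04baked-build-42",
}
BAKED_IMAGE = {"ami": "ami-0123456789abcdef0", "manifest": manifest(BAKED_FILES)}


def check_instance(instance: dict, image: dict) -> list:
    """Return findings as (kind, detail) tuples; an empty list means the
    instance still matches the image it was launched from."""
    findings = []
    if instance["ami"] != image["ami"]:
        findings.append(("stale-image", instance["ami"]))
    running = manifest(instance["files"])
    for path, baked_hash in image["manifest"].items():
        if path not in running:
            findings.append(("deleted", path))
        elif running[path] != baked_hash:
            findings.append(("modified", path))
    for path in running:
        if path not in image["manifest"]:
            findings.append(("added", path))
    return findings


def remediation_plan(instances, image) -> dict:
    """Immutable servers are never fixed in place: any drift means replace."""
    return {i["id"]: ("replace" if check_instance(i, image) else "keep")
            for i in instances}


def sample_fleet() -> list:
    """Constructed snapshots of three running instances: one clean, one
    hand-edited after launch, one still running an older image."""
    clean = dict(BAKED_FILES)
    hand_edited = dict(BAKED_FILES)
    hand_edited["/etc/nginx/nginx.conf"] = b"worker_processes auto;\nserver_tokens off;\n"
    hand_edited["/root/.ssh/authorized_keys"] = b"ssh-ed25519 <constructed-key> ops@laptop\n"
    return [
        {"id": "i-aaa", "ami": "ami-0123456789abcdef0", "files": clean},
        {"id": "i-bbb", "ami": "ami-0123456789abcdef0", "files": hand_edited},
        {"id": "i-ccc", "ami": "ami-0fedcba9876543210", "files": clean},
    ]


if __name__ == "__main__":
    for inst in sample_fleet():
        print(inst["id"], check_instance(inst, BAKED_IMAGE))
    print(remediation_plan(sample_fleet(), BAKED_IMAGE))
```

Note that a well-intentioned hardening edit (the `server_tokens off` change on i-bbb) is flagged just like the added root key: under this pattern the fix belongs in the next bake and the next deploy, which is also where the visibility slides earlier (AMI version, SCM commit, source diffs) let a reviewer see it.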
  • 23. Wrapping Up
    •  Cloud/DevOps/Agile/CD are transformative (for the org and for security)
    •  Orgs embracing them tend to deal in speed and scale
    •  Look to culture, visibility, and automation as security enablers in these environments
  • 24. Summary: Meeting’s Over – Questions?
  • 25. Netflix Links
    •  http://techblog.netflix.com
    •  http://netflix.github.io/#repo
    •  http://www.slideshare.net/netflix
  • 26. Photo Credits
    •  Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
    •  Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
    •  Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
    •  Scale: http://www.livestockscales.info/
    •  Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
    •  Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
    •  Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
    •  Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek