From Gates to Guardrails: Alternate Approaches to Product Security
Transcript

  • 1. From Gates to Guardrails: Alternate Approaches to Product Security. LASCON 2013. Jason Chan, chan@netflix.com
  • 2. About Me
    – Engineering Director @ Netflix: Security (Product, App, Ops, IR, etc.)
    – Previously: led the security team @ VMware; consultant at @stake and iSEC Partners
  • 3. About Netflix
  • 4. AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
  • 5. SAFELY HANDLING SPEED & SCALE
  • 6. Netflix Environment
    – ~200 production pushes/day
    – 40m+ subscribers
    – Support for 1000+ devices
    – Service in 40+ countries
    – Concurrent delivery from 3 AWS regions
    – ~1/3 of US download bandwidth at peak
  • 7. CULTURE
  • 8. Recruiting Infrastructure/Systems/ Cloud AppSec Development Monitoring & Response Online Operations
  • 9. Waiting, working, Easy planning and complete reporting Per-user filters
  • 10. VISIBILITY
  • 11. (Screenshot callouts) Dashboards for security data services; sub-dashboards for regional security; dashboards for key services; drill-down and lookback; relevant events
  • 12. (Alert e-mail callouts) Meaningful subject; alert configuration; what to do?; useful links for more data; embedded graph
  • 13. Access to changes by app, region, environment, etc.; lookback in time as needed
  • 14. Chat integration lets engineers easily access info
  • 15. (Screenshot callouts) App name; Jenkins (CI) job; currently running clusters by region/environment
  • 16. (Screenshot callouts) Cluster ID; deployment details; AMI version; SCM commit
  • 17. (Screenshot callouts) Link to relevant JIRA(s); modified files; source diffs
  • 18. AUTOMATION
  • 19. 1000+ tests to compare proposed vs. existing
  • 20. AWS components
  • 21. Configuration history; details (rules)
  • 22. ImmutableServer Pattern
    – “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.” http://martinfowler.com/bliki/ImmutableServer.html
  • 23. Wrapping Up
    – Cloud/DevOps/Agile/CD are transformative (for org & security)
    – Orgs embracing them tend to deal in speed and scale
    – Look to culture, visibility, and automation as security enablers in these environments
  • 24. Summary: Meeting’s Over – Questions?
  • 25. Netflix Links
    – http://techblog.netflix.com
    – http://netflix.github.io/#repo
    – http://www.slideshare.net/netflix
  • 26. Photo Credits
    – Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
    – Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
    – Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
    – Scale: http://www.livestockscales.info/
    – Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
    – Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
    – Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
    – Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek