From Gates to Guardrails: Alternate Approaches to Product Security


  1. From Gates to Guardrails: Alternate Approaches to Product Security. LASCON 2013. Jason Chan, chan@netflix.com
  2. About Me
     • Engineering Director @ Netflix:
       – Security: Product, App, Ops, IR, etc.
     • Previously:
       – Led security team @ VMware
       – Consultant: @stake, iSEC Partners
  3. About Netflix
  4. AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
  5. SAFELY HANDLING SPEED & SCALE
  6. Netflix Environment
     • ~200 production pushes/day
     • 40m+ subscribers
     • Support for 1000+ devices
     • Service in 40+ countries
     • Concurrent delivery from 3 AWS regions
     • ~1/3 of US download bandwidth at peak
  7. CULTURE
  8. Recruiting; Infrastructure/Systems/Cloud; AppSec; Development; Monitoring & Response; Online Operations
  9. Waiting, working, planning and reporting; Easy and complete; Per-user filters
  10. VISIBILITY
  11. Dashboards for Security Data; Sub-Services and Dashboards; Dashboards for Regional Security; Drill-down; Relevant Events for Key Services and Lookback
  12. Meaningful subject; Alert configuration; What to do?; Useful links for more data; Embedded graph
  13. Access to changes by app, region, environment, etc.; Lookback in time as needed
  14. Chat integration lets engineers easily access info
  15. App name; Jenkins (CI) job; Currently running clusters by region/environment
  16. Cluster ID; Deployment details; AMI version; SCM commit
  17. Link to relevant JIRA(s); Modified files; Source diffs
  18. AUTOMATION
  19. 1000+ tests to compare proposed vs. existing
  20. AWS components
  21. Configuration history; Details (rules)
  22. Immutable Server Pattern
     • “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.”
       – http://martinfowler.com/bliki/ImmutableServer.html
  23. Wrapping Up
     • Cloud/DevOps/Agile/CD are transformative (for org & security)
     • Orgs embracing them tend to deal in speed and scale
     • Look to culture, visibility, and automation as security enablers in these environments
  24. Summary: Meeting’s Over – Questions?
  25. Netflix Links
     • http://techblog.netflix.com
     • http://netflix.github.io/#repo
     • http://www.slideshare.net/netflix
  26. Photo Credits
     • Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
     • Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
     • Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
     • Scale: http://www.livestockscales.info/
     • Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
     • Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
     • Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
     • Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek
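Slides 19 to 21 only name the idea (automated tests that compare a proposed AWS component configuration against the existing one, backed by configuration history and rule details). The following is an added illustration of that "proposed vs. existing" check, written for this page; it is not code from the talk or from any Netflix tool. The rule shape, the `Rule`/`diff_rules`/`guardrail_findings` names, the sensitive-port list and the two snapshots are all constructed for the example.

```python
"""Added example: compare a proposed set of firewall-style rules against the
existing set, report the delta, and run a guardrail test over what was added.
Names, fields, port list and sample data are assumptions made for this page."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound rule, modelled loosely on an AWS security group entry."""
    protocol: str    # e.g. "tcp" or "udp"
    from_port: int   # inclusive start of the port range
    to_port: int     # inclusive end of the port range
    cidr: str        # source CIDR, e.g. "10.0.0.0/8"


# Ports a reviewer would not expect to be open to the whole Internet
# (assumed list for the example; tune to your own environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def diff_rules(existing: Iterable[Rule], proposed: Iterable[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (added, removed): rules only in proposed, rules only in existing."""
    existing_set, proposed_set = set(existing), set(proposed)
    return proposed_set - existing_set, existing_set - proposed_set


def guardrail_findings(rules: Iterable[Rule]) -> List[Tuple[Rule, List[int]]]:
    """Flag any rule that exposes a sensitive port to the whole Internet."""
    findings = []
    for rule in rules:
        if rule.cidr not in ANYWHERE:
            continue
        exposed = sorted(p for p in SENSITIVE_PORTS if rule.from_port <= p <= rule.to_port)
        if exposed:
            findings.append((rule, exposed))
    return findings


def review_change(existing: Iterable[Rule], proposed: Iterable[Rule]) -> Dict[str, object]:
    """Run the delta plus the guardrail test over the rules being introduced."""
    added, removed = diff_rules(existing, proposed)
    return {"added": added, "removed": removed, "findings": guardrail_findings(added)}


def format_report(review: Dict[str, object]) -> str:
    """Render the review as a short, actionable alert body (cf. slide 12)."""
    lines = [f"{len(review['added'])} rule(s) added, {len(review['removed'])} removed"]
    for rule, ports in review["findings"]:
        lines.append(f"ACTION: {rule.protocol} {rule.from_port}-{rule.to_port} from {rule.cidr} "
                     f"exposes sensitive port(s) {ports}; restrict the source CIDR before deploy")
    return "\n".join(lines)


# Constructed snapshots: the existing configuration and a proposed change.
EXISTING = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),   # public HTTPS, expected
    Rule("tcp", 22, 22, "10.0.0.0/8"),    # SSH from internal range only
]
PROPOSED = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "0.0.0.0/0"),     # SSH widened to the Internet
    Rule("tcp", 8080, 8080, "10.0.0.0/8"),  # new internal service port
]

if __name__ == "__main__":
    print(format_report(review_change(EXISTING, PROPOSED)))
```

Run as-is, the report shows two rules added and one removed, and a single finding: the proposed SSH rule now sourced from `0.0.0.0/0`. Keeping the delta separate from the guardrail test is deliberate: the delta is what you store as configuration history (slide 21), while the guardrail is one of the many tests (slide 19) that can run over every proposed change before it reaches production.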
