From Gates to Guardrails: Alternate Approaches to Product Security
    Presentation Transcript

    • From Gates to Guardrails: Alternate Approaches to Product Security
      –  LASCON 2013
      –  Jason Chan, chan@netflix.com
    • About Me
      –  Engineering Director @ Netflix: Security (Product, App, Ops, IR, etc.)
      –  Previously: led security team @ VMware; consultant at @stake and iSEC Partners
    • About Netflix
    • AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
    • SAFELY HANDLING SPEED & SCALE
    • Netflix Environment
      –  ~200 production pushes/day
      –  40m+ subscribers
      –  Support for 1000+ devices
      –  Service in 40+ countries
      –  Concurrent delivery from 3 AWS regions
      –  ~1/3 of US download bandwidth at peak
    • CULTURE
    • Security team areas: Recruiting; Infrastructure/Systems/Cloud; AppSec; Development; Monitoring & Response; Online Operations
    • (Screenshot callouts) Waiting, working, and complete; easy planning and reporting; per-user filters
    • VISIBILITY
    • (Screenshot callouts) Dashboards for security data services and sub-dashboards; dashboards for regional security; drill-down and lookback; relevant events for key services
    • (Alert e-mail callouts) Meaningful subject; alert configuration; what to do?; useful links for more data; embedded graph
    • (Change tracking callouts) Access to changes by app, region, environment, etc.; lookback in time as needed
    • Chat integration lets engineers easily access info
    • (Chat integration callouts) App name; Jenkins (CI) job; currently running clusters by region/environment
    • (Deployment details callouts) Cluster ID; deployment details; AMI version; SCM commit
    • (Change details callouts) Link to relevant JIRA(s); modified files; source diffs
    • AUTOMATION
    • 1000+ tests to compare proposed vs. existing
    • AWS components
    • (AWS configuration callouts) Configuration history; details (rules)
    • Immutable Server Pattern
      –  “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.”
      –  http://martinfowler.com/bliki/ImmutableServer.html
    • Wrapping Up
      –  Cloud/DevOps/Agile/CD are transformative (for org & security)
      –  Orgs embracing them tend to deal in speed and scale
      –  Look to culture, visibility, and automation as security enablers in these environments
    • Summary Meeting’s Over – Questions?
    • Netflix Links
      –  http://techblog.netflix.com
      –  http://netflix.github.io/#repo
      –  http://www.slideshare.net/netflix
    • Photo Credits
      –  Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
      –  Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
      –  Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
      –  Scale: http://www.livestockscales.info/
      –  Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
      –  Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
      –  Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
      –  Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek