From Gates to Guardrails: Alternate Approaches to Product Security
Presentation Transcript

  • From Gates to Guardrails: Alternate Approaches to Product Security – LASCON 2013 – Jason Chan, chan@netflix.com
  • About Me
    – Engineering Director @ Netflix: Security (Product, App, Ops, IR, etc.)
    – Previously: led security team @ VMware; consultant at @stake and iSEC Partners
  • About Netflix
  • AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
  • SAFELY HANDLING SPEED & SCALE
  • Netflix Environment
    – ~200 production pushes/day
    – 40m+ subscribers
    – Support for 1000+ devices
    – Service in 40+ countries
    – Concurrent delivery from 3 AWS regions
    – ~1/3 of US download bandwidth at peak
  • CULTURE
  • Recruiting Infrastructure/Systems/ Cloud AppSec Development Monitoring & Response Online Operations
  • Waiting, working, Easy planning and complete reporting Per-user filters
  • VISIBILITY
  • Dashboards for Security Data: Sub-Services and Dashboards; Dashboards for Regional Security; Drill-down; Relevant Events for Key Services and Lookback
  • Meaningful subject Alert configuration What to do? Useful links for more data Embedded graph
  • Access to changes by app, region, environment, etc. Lookback in time as needed
  • Chat integration lets engineers easily access info
  • App name Jenkins (CI) job Currently running clusters by region/ environment
  • Cluster ID Deployment details AMI version SCM commit
  • Link to relevant JIRA(s) Modified files Source diffs
  • AUTOMATION
  • 1000+ tests to compare proposed vs. existing
  • AWS components
  • Configuration history Details (rules)
  • ImmutableServer Pattern
    – “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.” – http://martinfowler.com/bliki/ImmutableServer.html
  • Wrapping Up
    – Cloud/DevOps/Agile/CD are transformative (for org & security)
    – Orgs embracing them tend to deal in speed and scale
    – Look to culture, visibility, and automation as security enablers in these environments
  • Summary Meeting’s Over – Questions?
  • Netflix Links
    – http://techblog.netflix.com
    – http://netflix.github.io/#repo
    – http://www.slideshare.net/netflix
  • Photo Credits
    – Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
    – Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
    – Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
    – Scale: http://www.livestockscales.info/
    – Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
    – Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
    – Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
    – Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek